Audit and Monitoring Techniques

Audit Types. Audits can be self-administered or independent (either internal or external). Both types can provide excellent information about technical, procedural, managerial, or other aspects of security. The essential difference between a self-audit and an independent audit is objectivity.

Automated Tools. Automated tools can be used to help find a variety of vulnerabilities, such as improper access controls or access control configurations, weak passwords, lack of integrity of the system software, or not using all relevant software updates and patches. There are two types of automated tools: (1) active tools, which find vulnerabilities by trying to exploit them, and (2) passive tests, which only examine the system and infer the existence of problems from the state of the system.

Internal Controls Audit. An auditor can review controls in place and determine whether they are effective. The auditor will often analyze both computer and non-computer-based controls.

Security Checklists. Checklists can be developed which include national or organizational security policies and practices (often referred to as baselines).

Penetration Testing. Penetration testing can use many methods to attempt a system break-in. In addition to using active automated tools as described above, penetration testing can be done "manually." For many systems, lax procedures or a lack of internal controls on applications are common vulnerabilities that penetration testing can target. Penetration testing is a very powerful technique; it should preferably be conducted with the knowledge and consent of system management.

Monitoring Types. There are many types and methods of monitoring a system or user. Some methods are deemed more socially acceptable and some are illegal. It is wise to check with agency legal counsel.

Review of System Logs. A periodic review of system-generated logs can detect security problems, including attempts to exceed access authority or gain system access during unusual hours.

Automated Tools. Several types of automated tools monitor a system for security problems. Some examples are virus scanners, checksumming, password crackers, integrity verification programs, intrusion detectors, and system performance monitoring.

Configuration Management/Managing Change. From a security point of view, configuration management provides assurance that the system in operation is the correct version (configuration) of the system and that any changes to be made are reviewed for security implications.

Trade Literature/Publications/Electronic News. In addition to monitoring the system, it is useful to monitor external sources for information.

Periodic Reaccreditation. Periodically, it is useful to formally reexamine the security of a system from a wider perspective. The analysis, which leads to reaccreditation, should address such questions as: Is the security still sufficient? Are major changes needed? The reaccreditation should address high-level security and management concerns as well as the implementation of the security.

Figure 2. Audit and Monitoring Techniques.

[2] Organization for Economic Cooperation and Development, Guidelines for the Security of Information Systems, Paris, 1992.

[6] Not all types of access control require identification and authentication.
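The "Review of System Logs" entry in Figure 2 names two things a periodic review can surface: attempts to exceed access authority and system access during unusual hours. The script below is an added example of such a review and is not part of NIST SP 800-14 or its authors' work; the log format, the working-hours window and the denial threshold are assumptions, and the log lines are constructed.

```python
"""Periodic review of system-generated logs, in the sense of Figure 2.

Constructed example, not part of the publication: the log lines, the
"<ISO timestamp> <user> <event> <resource>" format, the working-hours
window and the denial threshold are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not real data).
SAMPLE_LOG = """\
1996-09-03T08:55:12 alice LOGIN_OK console
1996-09-03T09:02:44 alice ACCESS_OK /payroll/summary
1996-09-03T10:15:03 bob LOGIN_OK console
1996-09-03T10:16:10 bob ACCESS_DENIED /payroll/raw
1996-09-03T10:16:25 bob ACCESS_DENIED /payroll/raw
1996-09-03T10:17:01 bob ACCESS_DENIED /admin/users
1996-09-03T23:41:09 carol LOGIN_OK console
1996-09-04T02:10:30 dave LOGIN_FAILED console
1996-09-04T02:10:55 dave LOGIN_OK console
1996-09-04T14:00:00 erin ACCESS_DENIED /hr/records
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed normal working window
DENIAL_THRESHOLD = 3                         # assumed: this many denials merits review


def parse_log(text):
    """Parse the constructed log into (timestamp, user, event, resource) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, resource = line.split(" ", 3)
        records.append((datetime.fromisoformat(ts), user, event, resource))
    return records


def unusual_hours_access(records, window=BUSINESS_HOURS):
    """Return (user, timestamp) for successful logins outside the working window.

    This is the "system access during unusual hours" case from Figure 2.
    """
    start, end = window
    return [(user, ts) for ts, user, event, _ in records
            if event == "LOGIN_OK" and not (start <= ts.time() < end)]


def excess_authority_attempts(records, threshold=DENIAL_THRESHOLD):
    """Return {user: [denied resources]} for users at or above the threshold.

    Repeated ACCESS_DENIED events for one account are the log footprint of
    the "attempts to exceed access authority" that Figure 2 mentions.
    """
    denials = defaultdict(list)
    for _, user, event, resource in records:
        if event == "ACCESS_DENIED":
            denials[user].append(resource)
    return {user: res for user, res in denials.items() if len(res) >= threshold}


def review(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings keyed by category."""
    records = parse_log(text)
    return {
        "unusual_hours": unusual_hours_access(records),
        "excess_authority": excess_authority_attempts(records),
    }


if __name__ == "__main__":
    for category, findings in review().items():
        print(category, findings)
```

A real review would feed the host's own audit trail into parse_log in place of the constructed sample; the two checks are independent, so either can be tuned or replaced on its own.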
[1] The eight principles originally appeared as the "Elements of Computer Security" in the NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook.

[3] The difference between responsibility and accountability is not always clear. In general, responsibility is a broader term, defining obligations and expected behavior. The term implies a proactive stance on the part of the responsible party and a causal relationship between the responsible party and a given outcome. The term accountability generally refers to the ability to hold people responsible for their actions. Therefore, people could be responsible for their actions but not held accountable. For example, an anonymous user on a system is responsible for behaving according to accepted norms but cannot be held accountable if a compromise occurs, since the action cannot be traced to an individual.

[4] The term other parties may include but is not limited to: executive management; programmers; maintenance providers; information system managers (software managers, operations managers, and network managers); software development managers; managers charged with security of information systems; and internal and external information system auditors.

[5] This principle implicitly states that people and other entities (such as corporations or governments) have responsibility and accountability related to IT systems, which may be shared.

OECD's Guidelines for the Security of Information Systems:

Accountability: The responsibilities and accountability of owners, providers and users of information systems and other parties... should be explicit.

Awareness: Owners, providers, users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures... for the security of information systems.

Ethics: Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interest of others are respected.

Multidisciplinary: Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints....

Proportionality: Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm....

Integration: Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.

Timeliness: Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems.

Reassessment: The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.

Democracy: The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.

Figure 1. OECD Guidelines.
???????????????????? ??? |??? <?? ?? ? ? ? ? ? ? ? ? ? ??? ? ? ? HU!   ݛ  X:XXX  7XXXdd7}'G73z ( `N@@@E} (# (#(#(#XX: NationalInstituteofStandardsandTechnology@6  TechnologyAdministrationU.S.DepartmentofCommerce#X:XN# 8 #XXXXX:T# (#(# (# (#@, , XXXGenerallyAcceptedPrinciplesandPractices ` @&forSecuring@ InformationTechnologySystems#XXX#@%MarianneSwanson  BarbaraGuttman@<<&$September$%June%1996  -h(* Мb֛  2Vm  2VmW0     ݜN XXX TableofContents #XXX N#ԛ2VmWs݌(#(# Ќ  2Vm  2VmG0     1.Introduction#""P(#. (#(##12VmGc݌   Ќ  3!  3!0  0` (#(#    1.1Principles#""P(#. ` (#` (##13!"݌   Ќ  3!  3!0  0` (#(#    1.2Practices#""P(#.< < ` (#` (##13!݌   Ќ  3!  3!0  0` (#(#    1.3RelationshipofPrinciplesandPractices#""P(#.=` (#` (##23!݌   Ќ  3!  3!0  0` (#(#    1.4Background#""P(#.< < ` (#` (##23!݌   Ќ  3!  3!l 0  0` (#(#    1.5Audience#""P(#.h h ` (#` (##33!l ݌ t Ќ  3!  3!< 0  0` (#(#    1.6StructureofthisDocument#""P(#./` (#` (##33!< W ݌ k\  Ќ  3!  3! 0  0` (#(#    1.7Terminology#""P(#. ` (#` (##33! 9 ݌ SD  Ќ  2Vm  2Vm 0     2.GenerallyAcceptedSystemSecurityPrinciples#""P(#.<(#(##42Vm ݌ #  Ќ  3!  3! 0  0` (#(#    ݜ2.1.񛀀ComputerSecuritySupportstheMissionoftheOrganization#""P(#.O` (#` (##53! ݌    Ќ  3!  3! 0  0` (#(#    2.2ComputerSecurityisanIntegralElementofSoundManagement#""P(#.Q` (#` (##63! ݌   Ќ  3!  3!0  0` (#(#    2.3ComputerSecurityShouldBeCostEffective#""P(#.?` (#` (##63!݌   Ќ  3!  3!0  0` (#(#    2.4SystemsOwnersHaveSecurityResponsibilitiesOutsideTheirOwnOrganizations #""P(#.` ` ` (#` (##73!݌̌  3!  3!0  0` (#(#    ݜ2.5ComputerSecurityResponsibilitiesandAccountabilityShouldBeMadeExplicit#""P(#.!!b` (#` (##83!݌  Ќ  3!  3!0  0` (#(#    2.6ComputerSecurityRequiresaComprehensiveandIntegratedApproach#""P(#.W` (#` (##93!݌ {l Ќ  3!  3!0  0` (#(#    2.7ComputerSecurityShouldBePeriodicallyReassessed#""P(#.H` (#` (##93!#݌ cT Ќ  3!  
3!0  0` (#(#    2.8ComputerSecurityisConstrainedbySocietalFactors#`"`"O(#.@@I` (#` (##103!݌ K< Ќ  2Vm  2Vm0     3.CommonITSecurityPractices#`"`"O(#.``*(#(##112Vm݌   Ќ  3!  3!0  0` (#(#    3.1Policy#`"`"O(#.l l ` (#` (##133!݌  Ќ  4  40  0` (#(#0 ` (#` (# `   3.1.1ProgramPolicy#`"`"O(#.DD* (# (##134݌  Ќ  4  40  0` (#(#0 ` (#` (# `   3.1.2IssueSpecificPolicy#`"`"O(#.1 (# (##144݌  Ќ  4  40  0` (#(#0 ` (#` (# `   3.1.3SystemSpecificPolicy#`"`"O(#.2 (# (##144݌  Ќ  4  40  0` (#(#0 ` (#` (# `   3.1.4AllPolicies#`"`"O(#.( (# (##154݌   Ќ  3!  3!n0  0` (#(#    3.2ProgramManagement#`"`"O(#.dd'` (#` (##163!n݌ !| Ќ  4  4I0  0` (#(#0 ` (#` (# `   3.2.1CentralSecurityProgram#`"`"O(#.``4 (# (##164Id݌ s"d Ќ  4  4@0  0` (#(#0 ` (#` (# `   3.2.2SystemLevelProgram#`"`"O(#.0 (# (##174@[݌ [#L Ќ  3!  3!30  0` (#(#    3.3RiskManagement#`"`"O(#.$` (#` (##193!3N݌ C$4  Ќ  4  4 0  0` (#(#0 ` (#` (# `   3.3.1RiskAssessment#`"`"O(#.+ (# (##194 &݌ +%! Ќ  4  40  0` (#(#0 ` (#` (# `   3.3.2RiskMitigation#`"`"O(#.HH+ (# (##204݌ &" Ќ  4  40  0` (#(#0 ` (#` (# `   3.3.3UncertaintyAnalysis#`"`"O(#.0 (# (##214 ݌ &# Ќ  3!  3! 0  0` (#(#    3.4LifeCyclePlanning#`"`"O(#.(` (#` (##223! ݌ ' $ Ќ  4  4!0  0` (#(#0 ` (#` (# `   3.4.1SecurityPlan#`"`"O(#.) (# (##224!!݌ (!% Ќ  4  4"0  0` (#(#0 ` (#` (# `   3.4.2InitiationPhase#`"`"O(#.@@, (# (##224""݌ )"& Ќ  4  4#0  0` (#(#0 ` (#` (# `   3.4.3Development/AcquisitionPhase#`"`"O(#.pp9 (# (##224##݌ *#' Ќ  4  4$0  0` (#(#0 ` (#` (# `   3.4.4ImplementationPhase#`"`"O(#.TT0 (# (##234$$݌ +t$( Ќ  4  4%0  0` (#(#0 ` (#` (# `   3.4.5Operation/MaintenancePhase#`"`"O(#.7 (# (##244%%݌  Ќ  ݜ   ` 3.4.6DisposalPhase`"`"O(#.*26  3!  3!&0  0` (#(#    3.5Personnel/UserIssues#`"`"O(#.HH*` (#` (##273!&'݌  Ќ  4  4'0  0` (#(#0 ` (#` (# `   3.5.1Staffing#`"`"O(#. $ (# (##274''݌   Ќ  4  4(0  0` (#(#0 ` (#` (# `   3.5.2UserAdministration#`"`"O(#./ (# (##284((݌   Ќ  3!  
3!)0  0` (#(#    3.6PreparingforContingenciesandDisasters#`"`"O(#.>` (#` (##313!))݌   Ќ  4  4*0  0` (#(#0 ` (#` (# `   3.6.1BusinessPlan#`"`"O(#.) (# (##314**݌  p Ќ  4  4+0  0` (#(#0 ` (#` (# `   3.6.2IdentifyResources#`"`"O(#.<<. (# (##314++݌ g X Ќ  4  4z,0  0` (#(#0 ` (#` (# `   3.6.3DevelopScenarios#`"`"O(#.<<- (# (##324z,,݌ O@ Ќ  4  4j-0  0` (#(#0 ` (#` (# `   3.6.4DevelopStrategies#`"`"O(#.HH. (# (##324j--݌ 7(  Ќ  4  4[.0  0` (#(#0 ` (#` (# `   3.6.5TestandRevisePlan#`"`"O(#.0 (# (##334[.v.݌   Ќ  3!  3!N/0  0` (#(#    3.7ComputerSecurityIncidentHandling#`"`"O(#.<<8` (#` (##343!N/i/݌   Ќ  4  4:00  0` (#(#0 ` (#` (# `   3.7.1UsesofaCapability#`"`"O(#.0 (# (##344:0U0݌   Ќ  4  4-10  0` (#(#0 ` (#` (# `   3.7.2Characteristics#`"`"O(#.+ (# (##344-1H1݌   Ќ  3!  3!20  0` (#(#    3.8AwarenessandTraining#`"`"O(#.+` (#` (##373!262݌   Ќ  3!  3!20  0` (#(#    3.9SecurityConsiderationsinComputerSupportandOperations#`"`"O(#.O` (#` (##393!23݌   Ќ  3!  3!40  0` (#(#    3.10PhysicalandEnvironmentalSecurity#`"`"O(#.tt9` (#` (##413!44݌  Ќ  3!  3!40  0` (#(#    3.11IdentificationandAuthentication#`"`"O(#.447` (#` (##433!4 5݌ wh Ќ  4  450  0` (#(#0 ` (#` (# `   3.11.1Identification#`"`"O(#.+ (# (##43455݌ _P Ќ  4  460  0` (#(#0 ` (#` (# `   3.11.2Authentication#`"`"O(#.dd+ (# (##44466݌ G8 Ќ  4  470  0` (#(#0 ` (#` (# `   3.11.3Passwords#`"`"O(#.& (# (##45477݌ /  Ќ  4  480  0` (#(#0 ` (#` (# `   3.11.4AdvancedAuthentication#`"`"O(#.4 (# (##45488݌  Ќ  3!  3!90  0` (#(#    3.12LogicalAccessControl#`"`"O(#.00,` (#` (##463!99݌  Ќ  4  4:0  0` (#(#0 ` (#` (# `   3.12.1AccessCriteria#`"`"O(#., (# (##464::݌  Ќ  4  4t;0  0` (#(#0 ` (#` (# `   3.12.2AccessControlMechanisms#`"`"O(#.6 (# (##474t;;݌  Ќ  3!  3!o<0  0` (#(#    3.13AuditTrails#`"`"O(#. 
"` (#` (##503!o<<݌  Ќ  4  4G=0  0` (#(#0 ` (#` (# `   3.13.1ContentsofAuditTrailRecords#`"`"O(#.< (# (##504G=b=݌  Ќ  4  4H>0  0` (#(#0 ` (#` (# `   3.13.2AuditTrailSecurity#`"`"O(#.1 (# (##514H>c>݌ x Ќ  4  4>?0  0` (#(#0 ` (#` (# `   3.13.3AuditTrailReviews#`"`"O(#.$$0 (# (##514>?Y?݌ o ` Ќ  4  43@0  0` (#(#0 ` (#` (# `   3.13.4KeystrokeMonitoring#`"`"O(#.1 (# (##5243@N@݌ W!H Ќ  3!  3!)A0  0` (#(#    3.14Cryptography#`"`"O(#.( ( "` (#` (##543!)ADA݌ ?"0 Ќ  3!  3!B0  0` (#(#    4.References#`"`"O(#.| | ` (#` (##563!BB݌ '# Ќ  K  $  L JXXXXXXJXJXX  1.Introduction#JXXXJMC# lC   #XXXXJXX.C#  Asmoreorganizationsshareinformationelectronically,acommonunderstandingofwhatis  neededandexpectedinsecuringinformationtechnology(IT)resourcesisrequired.ThisdocumentprovidesabaselinethatorganizationscanusetoestablishandreviewtheirITsecurityprograms.Thedocumentgivesafoundationthatorganizationscanreferencewhenconductingmultiorganizationalbusinessaswellasinternalbusiness.Management,internalauditors,users,systemdevelopers,andsecuritypractionerscanusetheguidelinetogainanunderstandingofthebasicsecurityrequirementsmostITsystemsshouldcontain.ThefoundationbeginswithgenerallyacceptedsystemsecurityprinciplesandcontinueswithcommonpracticesthatareusedinsecuringITsystems. N XXX  1.1Principles AG#XXX N"G# vg   ManyapproachesandmethodscanbeusedtosecureITsystems;however,certainintrinsic   expectationsmustbemetwhetherthesystemissmallorlargeorownedbyagovernmentagencyorbyaprivatecorporation.Theintrinsicexpectationsaredescribedinthisdocumentasgenerallyacceptedsystemsecurityprinciples.Theprinciplesaddresscomputersecurityfromaveryhighlevelviewpoint.Theprinciplesaretobeusedwhendevelopingcomputersecurityprogramsandpolicyandwhencreatingnewsystems,practicesorpolicies.Principlesareexpressedatahighlevel,encompassingbroadareas,e.g.,accountability,costeffectiveness,andintegration. N XXX  1.2Practices wJ#XXX NXJ# | m  ThenextlevelinthefoundationisthecommonITsecuritypracticesthatareingeneraluse ! 
today.Thepracticesguideorganizationsonthetypesofcontrols,objectivesandproceduresthatcompriseaneffectiveITsecurityprogram.Thepracticesshowwhatshouldbedonetoenhanceormeasureanexistingcomputersecurityprogramortoaidinthedevelopmentofanewprogram.Thepracticesprovideacommongroundfordeterminingthesecurityofanorganizationandbuildconfidencewhenconductingmultiorganizationalbusiness.Thisdocumentprovidesthepracticesinachecklistformattoassistorganizationsinreviewingtheircurrentpoliciesandproceduresagainstthecommonpracticespresentedhere.Organizationsshouldusethepracticesasastartingpointinordertodevelopadditionalpracticesbasedontheir U+F$ ownorganizationalandsystemrequirements.Thecommonpracticesshouldbeaugmentedwithadditionalpracticesbasedoneachorganizationsuniqueneeds.ThepracticesdescribedinthispublicationcomefromNISTSpecialPublication80012,AnIntroductiontoComputer i Z Security:TheNISTHandbook.Theyarenotintendedtobedefinitive;astechnologychanges,   sowillthepractices. · XXX  1.3RelationshipofPrinciplesandPractices "P#XXX ·P#  ' Thisdocumentdescribeseightprinciplesandfourteenpractices.Eachoftheprinciplesappliestoeachofthepractices.Thenatureoftherelationshipbetweentheprinciplesandthepracticesvaries.Insomecases,practicesarederivedfromoneormoreprinciples;inothercasespracticesareconstrainedbyprinciples.Forexample,theRiskManagementPracticeisdirectlyderivedfromtheCostEffectivenessPrinciple.However,theComprehensiveandReassessmentPrinciplesplaceconstraintsontheRiskManagementPractice.Whileamappingcouldbemadetothespecificrelationshipsbetweentheprinciplesandthepractices,itisprobablynotuseful.Theimportantpointisthattheprinciplesprovidethefoundationforasoundcomputersecurityprogram.JXXXXXX  - J· XJXX  1.4Background T#·  J·S##XXX ·S#   TheNationalPerformanceReview(NPR)recommendedaspartoftheNationalInformation  
Infrastructure(NII)thattheNationalInstituteofStandardsandTechnology(NIST)developgenerallyacceptedsystemsecurityprinciplesandpracticesforthefederalgovernment.Thesesecurityprinciplesandpracticesaretobeappliedintheuse,protection,anddesignofgovernmentinformationanddatasystems,particularlyfrontlinesystemsfordeliveringserviceselectronicallytocitizens.Theneedforrules,standards,conventionsandproceduresthatdefineacceptedsecuritypracticeswasoutlinedinthe1991NationalResearchCouncildocumentComputersAtRisk.Their p'a  recommendationcalledforthedevelopmentofacomprehensivesetofgenerallyacceptedsystemsecurityprinciples(GSSP)whichwouldclearlyarticulateessentialsecurityfeatures,assurances, andpractices.WorkbeganonimplementingtheComputersAtRiskrecommendationin1992 *# by!severalnationalandinternationalorganizationswithaninterestincomputersecurity.Thisdocumentdrawsupontheirongoingefforts.!"theInformationSystemsSecurityAssociation(ISSA).ISSAcontinuestoleadaninternationalgroupofsecurityexpertsindevelopingGSSPs." · XXXԀ  1.5Audience Z #XXX ·Y#   Thisdocumenthastwodistinctuses.Thechaptercoveringprinciplesistobeusedbyalllevelsofmanagementandbythoseindividualsresponsibleforcomputersecurityatthesystemlevelandorganizationlevel.Theprinciplesareintendedasaguidewhencreatingprogrampolicyorreviewingexistingpolicy.Thecommonpracticesareintendedasareferencedocumentandanauditingtool.Thegoalofthisdocumentistoprovideacommonbaselineofrequirementsthatcanbeusedwithinandoutsideorganizationsbyinternalauditors,managers,usersandcomputersecurityofficers.Theconceptspresentedaregenericandcanbeappliedtoorganizationsinprivateandpublicsectors. · XXX  1.6StructureofthisDocument #XXX ·7]# V]   Thisdocumentisorganizedasfollows:Chapter2presentstheprinciples.Chapter3containsthecommonITsecuritypractices.Chapter4providesreferencesusedinthedevelopmentofthisdocument. 
· XXX  1.7Terminology #XXX ·^# ^  Thisdocumentusesthetermsinformationtechnologysecurityandcomputersecurityinterchangeably.Thetermsrefertotheentirespectrumofinformationtechnologyincludingapplicationandsupportsystems.Computersecurityistheprotectionaffordedtoanautomatedinformationsysteminordertoattaintheapplicableobjectivesofpreservingtheintegrity,availability,andconfidentialityofinformationsystemresources(includinghardware,software,firmware,informationdata,andtelecommunications).  $  XXX  2.GenerallyAcceptedSystemSecurityPrinciples ]a#XXX>a#   М{XhC3/z p[ p @Es<DG {ߛAsthenameimplies,theprinciplesaregenerallyacceptedthatwhichismostcommonlybeingusedatthepresenttimetosecureITresources.Theprinciplesthatthisdocumentoffersarenotnewtothesecurityprofession.Theyarebasedonthepremisethat(most)everyoneappliesthese (#(#whendevelopingormaintainingasystemandtheyhavebecomegenerallyaccepted. h Y ThisdocumentusestheOrganizationfor  EconomicCooperationandDevelopment's(OECD)GuidelinesfortheSecurityof   InformationSystemsasthebaseforthe &  principles.TheOECDGuidelinesweredevelopedin1992byagroupofinternationalexpertstoprovideafoundationfromwhichgovernmentsandtheprivatesector,actingsinglyandinconcert,couldconstructaframeworkforsecuringITsystems.TheOECDGuidelinesarethe fW currentinternationalguidelineswhichhavebeenendorsedbytheUnitedStates.AbriefdescriptionofthenineOECDprinciplesisprovidedinFigure1.UsingthespiritoftheGuidelines,NISTdevelopedprinciples L = whichappliestofederalsystems. B  1      ׀In ~!o developingthissetofprinciples,NISTdrewupontheOECDGuidelines,addedmaterial,combinedsomeprinciples,andrewroteothers.Mostoftherewritingandcombiningwasdonetoprovideclarity.TheprinciplesaddedbyNISTareinkeeping(}! 
withtheOECDprinciplesbutnotdirectlystated.Forexample,NISTaddedtheprinciplethatComputerSecuritySupporttheMissionoftheOrganization.Priortodevelopingtheseprinciples,NISTthoroughlyreviewedwhatiscurrentlybeingaccomplishedintheITSecurityprinciplesarea.Withmuchconsideration,adeterminationwasmadethattheU.S.Governmentwouldbenefitfromitsownsetofprinciples.TheeightprinciplescontainedinthisdocumentprovideananchoronwhichtheFederalcommunityshouldbasetheirITsecurityprograms.Theseprinciplesareintendedtoguideagencypersonnelwhencreatingnewsystems,practices,orpolicies.Theyarenotdesignedtoproducespecificanswers.Theprinciplesshouldbeappliedasawhole,pragmaticallyandreasonably.Eachprincipleisexpressedasaonelinesectionheadingandexplainedintheparagraphsthatimmediatelyfollow.&  · XXX  2.1 . 񛀀ComputerSecuritySupportstheMissionoftheOrganization#XXX ·Sl# rl  XI  'XBlThepurposeofcomputersecurityistoprotectanorganization'svaluableresources,suchasinformation,hardware,andsoftware.Throughtheselectionandapplicationofappropriatesafeguards,securityhelpstheorganization'smissionbyprotectingitsphysicalandfinancialresources,reputation,legalposition,employees,andothertangibleandintangibleassets.Unfortunately,securityissometimesviewedasthwartingthemissionoftheorganizationbyimposingpoorlyselected,bothersomerulesandproceduresonusers,managers,andsystems.Onthecontrary,wellchosensecurityrulesandproceduresdonotexistfortheirownsaketheyareputinplacetoprotectimportantassetsandsupporttheoverallorganizationalmission.Security,therefore,isameanstoanendandnotanendinitself.Forexample,inaprivatesectorbusiness,havinggoodsecurityisusuallysecondarytotheneedtomakeaprofit.Security,then,oughttoincreasethefirm'sabilitytomakeaprofit.Inapublicsectoragency,securityis #| usuallysecondarytotheagency'sprovidingservicestocitizens.Security,then,oughttohelp $ 
improvetheserviceprovidedtothecitizen.Toactonthis,managersneedtounderstandboththeirorganizationalmissionandhoweachinformationsystemsupportsthatmission.Afterasystem'srolehasbeendefined,thesecurityrequirementsimplicitinthatrolecanbedefined.Securitycanthenbeexplicitlystatedintermsoftheorganization'smission. +$ ЇTherolesandfunctionsofasystemmaynotberestrictedtoasingleorganization.Inaninterorganizationalsystem,eachorganizationbenefitsfromsecuringthesystem.Forexample,forelectroniccommercetobesuccessful,eachparticipantrequiressecuritycontrolstoprotecttheirresources.However,goodsecurityonthebuyer'ssystemalsobenefitstheseller;thebuyer'ssystemislesslikelytobeusedforfraudortobeunavailableorotherwisenegativelyaffecttheseller.(Thereverseisalsotrue.)· XXX  2.2ComputerSecurityisanIntegralElementofSoundManagement u#XXX ·_u# te  InformationandITsystemsareoftencriticalassetsthatsupportthemissionofanorganization.   Protectingthemcanbeasimportantasprotectingotherorganizationalresources,suchasmoney,physicalassets,oremployees.However,includingsecurityconsiderationsinthemanagementofinformationandcomputersdoesnotcompletelyeliminatethepossibilitythattheseassetswillbeharmed.Ultimately,organizationmanagershavetodecidewhatlevelofrisktheyarewillingtoaccept,takingintoaccountthecostofsecuritycontrols.Aswithotherresources,themanagementofinformationandcomputersmaytranscendorganizationalboundaries.Whenanorganization'sinformationandITsystemsarelinkedwithexternalsystems,management'sresponsibilitiesextendbeyondtheorganization.Thisrequiresthatmanagement(1)knowwhatgenerallevelortypeofsecurityisemployedontheexternalsystem(s)or(2)seekassurancethattheexternalsystemprovidesadequatesecurityfortheirorganization'sneeds. 
· XXX  2.3&  ComputerSecurityShouldBeCostEffective Zz #XXX ·;z# # Thecos'#lztsandbenefitsofsecurityshouldbecarefullyexaminedinbothmonetaryandnon &% monetarytermstoensurethatthecostofcontrolsdoesnotexceedexpectedbenefits.Security X&I shouldbeappropriateandproportionatetothevalueofanddegreeofrelianceontheITsystemsandtotheseverity,probability,andextentofpotentialharm.Requirementsforsecurityvary,dependingupontheparticularITsystem.  +$ Ingeneral,securityisasmartbusinesspractice.Byinvestinginsecuritymeasures,an organizationcanreducethefrequencyandseverityofcomputersecurityrelatedlosses.Forexample,anorganizationmayestimatethatitisexperiencingsignificantlossesperyearininventorythroughfraudulentmanipulationofitsITsystem.Securitymeasures,suchasanimprovedaccesscontrolsystem,maysignificantlyreducetheloss.Moreover,asoundsecurityprogramcanthwarthackersandreducethefrequencyofviruses.Eliminationofthesekindsofthreatscanreduceunfavorablepublicityaswellasincreasemoraleandproductivity.Security a benefitsdohavebothdirectandindirectcosts.Directcostsincludepurchasing,installing,andadministeringsecuritymeasures,suchasaccesscontrolsoftwareorfiresuppressionsystems.Additionally,securitymeasurescansometimesaffectsystemperformance,employeemorale,orretrainingrequirements.Allofthesehavetobeconsideredinadditiontothebasiccostofthecontrolitself.Inmanycases,theseadditionalcostsmaywellexceedtheinitialcostofthecontrol(asisoftenseen,forexample,inthecostsofadministeringanaccesscontrolpackage).Solutionstosecurityproblemsshouldnotbechoseniftheycostmore,inmonetaryornonmonetaryterms,directlyorindirectly,thansimplytoleratingtheproblem. 
· XXX  2.4SystemsOwners f ԀHaveSecurityResponsibilitiesOutsideTheirOwn fW Organizations  #XXX ·#  Ifasystemhasexternalusers,itsownershavearesponsibilitytoshareappropriateknowledgeabouttheexistenceandgeneralextentofsecuritymeasuressothatotheruserscanbeconfident u!f thatthesystemisadequatelysecure.Thisdoesnotimplythatallsystemsmustmeetanyminimumlevelofsecurity,butdoesimplythatsystemownersshouldinformtheirclientsorusersaboutthenatureofthesecurity.  .& Inadditiontosharinginformationaboutsecurity,organizationmanagers"shouldactinatimely,coordinatedmannertopreventandtorespondtobreachesofsecurity"tohelppreventdamagetoothers.g B  2      ׀However,takingsuchactionshouldnotjeopardizethesecurityofsystems. i Z  · XXX  2.5ComputerSecurityResponsibilitiesandAccountabilityShouldBeMadeExplicit   } n #XXX ·ن#The  responsibilityandaccountability B  3      ׀ofowners,providers,andusersofITsystemsandother  partiesL  B  4      ׀concernedwiththesecurityofITsystemsshouldbeexplicit.(  B  5      ׀Theassignmentof   responsibilitiesmaybeinternaltoanorganizationormayextendacrossorganizationalboundaries.Dependingonthesizeoftheorganization,thecomputersecurityprogrammaybelargeorsmall,evenacollateraldutyofanothermanagementofficial.However,evensmallorganizationscanprepareadocumentthatstatesorganizationpolicyandmakesexplicitcomputersecurityresponsibilities.Thiselementdoesnotspecifythatindividualaccountabilitymustbeprovided )  foronallsystems.Forexample,manyinformationdisseminationsystemsdonotrequireuseridentificationoruseothertechnicalmeansofuseridentificationand,therefore,cannotholdusersaccountable.   
2.6 Computer Security Requires a Comprehensive and Integrated Approach

Providing effective computer security requires a comprehensive approach that considers a variety of areas both within and outside of the computer security field. This comprehensive approach extends throughout the entire information life cycle. To work effectively, security controls often depend upon the proper functioning of other controls. Many such interdependencies exist. If appropriately chosen, managerial, operational, and technical controls can work together synergistically. On the other hand, without a firm understanding of the interdependencies of security controls, they can actually undermine one another. For example, without proper training on how and when to use a virus detection package, the user may apply the package incorrectly and, therefore, ineffectively. As a result, the user may mistakenly believe that if their system has been checked once, it will always be virus-free, and may inadvertently spread a virus. In reality, these interdependencies are usually more complicated and difficult to ascertain.

The effectiveness of security controls also depends on such factors as system management, legal issues, quality assurance, and internal and management controls. Computer security needs to work with traditional security disciplines including physical and personnel security. Many other important interdependencies exist that are often unique to the organization or system environment. Managers should recognize how computer security relates to other areas of systems and organizational management.

2.7 Computer Security Should Be Periodically Reassessed
Computers and the environments in which they operate are dynamic. System technology and users, data and information in the systems, risks associated with the system, and security requirements are ever-changing. Many types of changes affect system security: technological developments (whether adopted by the system owner or available for use by others); connection to external networks; a change in the value or use of information; or the emergence of a new threat. In addition, security is never perfect when a system is implemented. System users and operators discover new ways to intentionally or unintentionally bypass or subvert security. Changes in the system or the environment can create new vulnerabilities. Strict adherence to procedures is rare and procedures become outdated over time. These issues make it necessary to reassess periodically the security of IT systems.

2.8 Computer Security Is Constrained by Societal Factors

The ability of security to support the mission of an organization may be limited by various factors, such as social issues. For example, security and workplace privacy can conflict. Commonly, security is implemented on an IT system by identifying users and tracking their actions. However, expectations of privacy vary and can be violated by some security measures. (In some cases, privacy may be mandated by law.) Although privacy is an extremely important societal issue, it is not the only one. The flow of information, especially between a government and its citizens, is another situation where security may need to be modified to support a societal goal. In addition, some authentication measures may be considered invasive in some environments and cultures. Security measures should be selected and implemented with a recognition of the rights and legitimate interests of others. This may involve balancing the security needs of information owners and users with societal goals. However, rules and expectations change with regard to the appropriate use of security controls. These changes may either increase or decrease security. The relationship between security and societal norms is not necessarily antagonistic. Security can enhance the access and flow of data and information by providing more accurate and reliable information and greater availability of systems. Security can also increase the privacy afforded to an individual or help achieve other goals set by society.

3. Common IT Security Practices

The goal of this chapter is to assist the time-constrained security manager in reviewing their current policies and procedures against the common practices presented here. The list is not exhaustive; agencies should consider them as the minimum set. These practices are the ones currently employed in an effective computer security program. They do not take into account environmental or technological constraints, nor are they relevant to every situation. This chapter should be augmented with additional practices based on each agency's unique requirements.

The practices serve as a companion to the NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. The NIST Handbook contains over 200 pages of assistance in securing computer-based resources. The document explains important concepts, cost considerations, and interrelationships of security controls. It provides a broad overview of computer security and is an excellent primer for anyone interested in computer security. The NIST Handbook provides the "why to" and served as the template for deriving the practices.
Each chapter of the NIST Handbook was carefully reviewed to determine which sections denoted a practice and which parts were explanation, detail, or example. The key points of each chapter along with a short explanation were placed into a practice format. Some disparity exists, however, in the way the practices are presented. In some sections, it was easy to provide a checklist of what should be considered when, for example, an agency is developing a contingency plan. It was much more difficult to design a checklist of practices for types of technical controls, such as audit trails. In the audit trail section, the reader will find more of a laundry list of what should be considered.

Whether the section is a technical control or an operational or management control, each section is formatted as a practice. Each section begins with a brief explanation of the control and a synopsis of the practice. The controls are then divided into subsections with practices listed below. Each practice appears with a small box placed to the left of it. In most cases, the practice is followed with a brief explanation or example. This section provides the "what" should be done, not the "why" or the "how."

Several documents should be referenced for further information. The NIST Handbook should be used to obtain additional detail on any of the practices listed. The NIST Handbook will easily map to this chapter since the chapters are placed in the same order as the subsections.
The handbook also provides many references for further study. This document and the NIST Handbook are available electronically as follows:

Anonymous ftp: csrc.nist.gov (129.6.54.11) in the directory nistpubs/800-12
URL: http://csrc.nist.gov/nistpubs/800-12
Dial-up with modem: 301-948-5717

In the early development of this chapter, NIST considered obtaining a copyright release for an excellent practices document that originated in the United Kingdom. Copyright was not obtainable; however, the document was referenced while preparing this chapter. The Code of Practice for Information Security Management is written in a similar style and offers short, concise practices in IT security. It is highly recommended that this document be obtained as an excellent source for additional information. The document is the British Standard 7799, A Code of Practice for Information Security Management. For ordering information, contact BSI Standards at the following:

BSI Standards
389 Cheswick High Road
London W4 4AL
United Kingdom
44 181 996 9000

3.1 Policy

The term computer security policy has more than one meaning. Policy is senior management's directives to create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy. Organizations should have the following three different types of policy: Program, Issue-Specific, and System-Specific. (Some organizations may refer to these types with other names such as directives, procedures, or plans.)

3.1.1 Program Policy

An organization's program policy should:

□ Create and Define a Computer Security Program. Program policy should be clear as to which resources (including facilities, hardware and software, information, and personnel) the computer security program covers.

□ Set Organizational Strategic Directions. This may include defining the goals of the program. For instance, in an organization responsible for maintaining large mission-critical databases, reduction in errors, data loss, data corruption, and recovery might be specifically stressed.

□ Assign Responsibilities. Responsibilities should be assigned to the computer security organization for direct program implementation, and other responsibilities should be assigned to related offices (such as the Information Resources Management organization).

□ Address Compliance Issues. Program policy typically addresses two compliance issues: 1) meeting the requirements to establish a program and the responsibilities assigned therein to various organizational components, and 2) the use of specified penalties and disciplinary actions.

3.1.2 Issue-Specific Policy

An organization's issue-specific policies should:

□ Address Specific Areas. Topics of current relevance and concern to the organization should be addressed. Management may find it appropriate, for example, to issue a policy on how the organization will approach e-mail privacy or Internet connectivity.

□ Be Updated Frequently. More frequent modification is required as changes in technology and related factors take place. If a policy was issued, for example, on the appropriate use of a cutting-edge technology (whose security vulnerabilities are still largely unknown) within the organization, it could require updating.

□ Contain an Issue Statement. The organization's position statement, applicability, roles and responsibilities, compliance, and point of contact should be clear.

3.1.3 System-Specific Policy

An organization's system-specific policies should:

□ Focus on Decisions. The decisions taken by management to protect a particular system, such as defining the extent to which individuals will be held accountable for their actions on the system, should be explicitly stated.

□ Be Made by a Management Official. The decisions management makes should be based on a technical analysis.

□ Vary From System to System. Variances will occur because each system needs defined security objectives based on the system's operational requirements, environment, and the manager's acceptance of risk. In addition, policies will vary based on differing needs for detail.

□ Be Expressed as Rules. Who (by job category, organization placement, or name) can do what (e.g., modify, delete) to which specific classes and records of data, and under what conditions.

3.1.4 All Policies

All three types of policy should be:

□ Supplemented. Because policy may be written at a broad level, organizations also develop standards, guidelines, and procedures that offer users, managers, and others a clearer approach to implementing policy and meeting organizational goals. Standards, guidelines, and procedures may be disseminated throughout an organization via handbooks, regulations, or manuals.

□ Visible. Visibility aids implementation of policy by helping to ensure policy is fully communicated throughout the organization.

□ Supported by Management. Without management support, the policy will become an empty token of management's "commitment" to security.

□ Consistent. Other directives, laws, organizational culture, guidelines, procedures, and organizational mission should be considered.

3.2 Program Management

Managing computer security at multiple levels brings many benefits. Each level contributes to the overall computer security program with different types of expertise, authority, and resources. In general, executive managers (such as those at the headquarters level) better understand the organization as a whole and have more authority. On the other hand, front-line managers (at the computer facility and applications levels) are more familiar with the specific requirements, both technical and procedural, and problems of the systems and the users. The levels of computer security program management should be complementary; each can help the other be more effective. Many organizations have at least two levels of computer security management: the central level and the system level.
3.2.1 Central Security Program

A central security program should provide distinct types of benefits: increased efficiency and economy of security throughout the organization and the ability to provide centralized enforcement and oversight. It should have the following:

□ Stable Program Management Function. The program management function should be stable and recognized within the organization as a focal point for computer security. However complex or simple the program management function is, it requires a stable base, including resources, to perform its activities.

□ Existence of Policy. A program should be based on organizational policy and should create policy, standards, and procedures, as appropriate, to address the computer security needs of the organization.

□ Published Mission and Functions Statement. The statement should clearly establish the function of the computer security program and define responsibilities for the computer security program and other related programs and entities. It is often a part of organizational policy.

□ Long-Term Computer Security Strategies. A program should explore and develop long-term strategies to incorporate computer security into the next generation of information technology.

□ Compliance Program. A central computer security program needs to address compliance with national policies and requirements, as well as organization-specific requirements.

□ Intraorganizational Liaison. Computer security often overlaps with other offices, such as safety, reliability and quality assurance, internal control, physical security, or the Office of the Inspector General. An effective program should have established relationships with these groups in order to integrate computer security into the organization's management.

□ Liaison with External Groups. An established program should be knowledgeable of and take advantage of external sources of information. It should also provide information, as appropriate, to external groups.
3.2.2 System-Level Program

While the central program addresses the entire spectrum of computer security for an organization, system-level computer security programs ensure appropriate and cost-effective security for each system. System-level computer security programs may address, for example, the computing resources within an operational element, a major application, or a group of similar systems (either technologically or functionally). They should have the following:

□ System-Specific Security Policy. The system policy should document the system security rules for operating or developing the system, such as defining authorized and unauthorized modifications.

□ Life Cycle Management. Systems should be managed to ensure appropriate and cost-effective security. This specifically includes ensuring that security is authorized by appropriate management and that changes to the system are made with attention to security (also see Section 3.4).

□ Appropriate Integration with System Operations. The people who run the system security program should understand the system, its mission, its technology, and its operating environment. Effective security management needs to be integrated into the management of the system. However, if a computer security program lacks appropriate independence, it may have minimal authority, receive little management attention, and have few resources.

3.3 Risk Management

Risk is the possibility of something adverse happening. Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. Risk management requires the analysis of risk, relative to potential benefits, consideration of alternatives, and, finally, implementation of what management determines to be the best course of action. Risk management consists of two primary and one underlying activity; risk assessment and risk mitigation are the primary activities and uncertainty analysis is the underlying one. An organization should consider the following when assessing risks.
3.3.1 Risk Assessment

Risk assessment, the process of analyzing and interpreting risk, is comprised of three basic activities:

□ Determine the Assessment's Scope and Methodology. The first step in assessing risk is to identify the system under consideration, the part of the system that will be analyzed, and the analytical method including its level of detail and formality.

□ Collecting and Analyzing Data. The many different components of risk should be examined. This examination normally includes gathering data about the threatened area and synthesizing and analyzing the information to make it useful. The types of areas are:

  - Asset Valuation. These include the information, software, personnel, hardware, and physical assets (such as the computer facility). The value of an asset consists of its intrinsic value and the near-term impacts and long-term consequences of its compromise.
  - Consequence Assessment. The consequence assessment estimates the degree of harm or loss that could occur.
  - Threat Identification. A threat is an entity or event with the potential to harm the system. Typical threats are errors, fraud, disgruntled employees, fires, water damage, hackers, and viruses. Threats should be identified and analyzed to determine the likelihood of their occurrence and their potential to harm assets.
  - Safeguard Analysis. Safeguard analysis should include an examination of the effectiveness of the existing security measures.
  - Vulnerability Analysis. A vulnerability is a condition or weakness in (or absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat.
  - Likelihood Assessment. Likelihood is an estimation of the frequency or chance of a threat happening. A likelihood assessment considers the presence, tenacity, and strengths of threats as well as the effectiveness of safeguards (or presence of vulnerabilities).

□ Interpreting Risk Assessment Results. The risk assessment must produce a meaningful output that reflects what is truly important to the organization. The risk assessment is used to support two related functions: the acceptance of risk and the selection of cost-effective controls.

3.3.2 Risk Mitigation

Risk mitigation involves the selection and implementation of security controls to reduce risk to a level acceptable to management. Although there is flexibility in how risk assessment is conducted, the process of risk mitigation has greater flexibility than the sequence of events conducted in a risk assessment. The following activities are discussed in a specific sequence; however, they need not be performed in that sequence.

□ Select Safeguards. The identification of appropriate controls is a primary function of computer security risk management. In selecting appropriate controls, the following factors should be considered:

  - organizational policy, legislation, and regulation;
  - safety, reliability, and quality requirements;
  - system performance requirements;
  - timeliness, accuracy, and completeness requirements;
  - the life-cycle costs of security measures;
  - technical requirements; and
  - cultural constraints.

□ Accept Residual Risk. Management needs to decide if the operation of the IT system is acceptable, given the kind and severity of remaining risks. The acceptance of risk is closely linked with the authorization to use an IT system, often called accreditation. (Accreditation is the acceptance of risk by management resulting in a formal approval for the system to become operational or remain so.)

□ Implementing Controls and Monitoring Effectiveness. The safeguards selected need to be effectively implemented. To continue to be effective, risk management needs to be an ongoing process. This requires a periodic assessment and improvement of safeguards and reanalysis of risks.
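The risk assessment and mitigation steps above (likelihood and consequence estimates per threat, safeguard selection, acceptance of residual risk) can be carried through in a small risk register. The following is an added example, not code from NIST SP 800-14 or from any NIST tool; the threats, loss figures, safeguard costs and effectiveness fractions are constructed for illustration, and the greedy selection rule is one reasonable reading of the cost-effectiveness principle in 2.3 (a safeguard that costs more than the loss it avoids is never chosen), not a method the publication prescribes.

```python
"""Risk register: expected annual loss per threat, cost-effective safeguard
selection, and the residual-risk acceptance decision (NIST SP 800-14, 2.3 and
3.3.1-3.3.2). Added example; all figures below are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    name: str
    annual_likelihood: float   # expected occurrences per year (likelihood assessment)
    consequence: float         # loss per occurrence, currency units (consequence assessment)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float         # direct plus indirect life-cycle cost per year (2.3)
    reductions: Dict[str, float]   # threat name -> fraction of that threat's loss removed


def expected_annual_loss(threat: Threat) -> float:
    """Likelihood x consequence, the usual single-number risk estimate."""
    return threat.annual_likelihood * threat.consequence


def residual_loss(threats: List[Threat], safeguards: List[Safeguard]) -> Dict[str, float]:
    """Expected loss per threat after the safeguards are applied.
    Reductions from several safeguards on the same threat compound multiplicatively."""
    out = {}
    for t in threats:
        remaining = 1.0
        for s in safeguards:
            remaining *= 1.0 - s.reductions.get(t.name, 0.0)
        out[t.name] = expected_annual_loss(t) * remaining
    return out


def net_benefit(threats: List[Threat], chosen: List[Safeguard], candidate: Safeguard) -> float:
    """Loss avoided by adding `candidate` to the safeguards already chosen, minus its cost."""
    before = sum(residual_loss(threats, chosen).values())
    after = sum(residual_loss(threats, chosen + [candidate]).values())
    return (before - after) - candidate.annual_cost


def select_safeguards(threats: List[Threat], candidates: List[Safeguard]) -> List[Safeguard]:
    """Greedy selection: repeatedly add the safeguard with the largest positive net
    benefit. Stops when every remaining candidate costs at least as much as it saves,
    which is the 2.3 rule that a control should not cost more than tolerating the problem."""
    chosen, pool = [], list(candidates)
    while pool:
        best = max(pool, key=lambda s: net_benefit(threats, chosen, s))
        if net_benefit(threats, chosen, best) <= 0:
            break
        chosen.append(best)
        pool.remove(best)
    return chosen


def accept_residual_risk(threats: List[Threat], chosen: List[Safeguard], tolerance: float) -> bool:
    """Management's accreditation decision (3.3.2): is the remaining expected annual
    loss within the loss level management is prepared to accept?"""
    return sum(residual_loss(threats, chosen).values()) <= tolerance


# Constructed sample data (not from the publication).
THREATS = [
    Threat("inventory fraud", annual_likelihood=4.0, consequence=25_000.0),   # EAL 100,000
    Threat("virus outbreak", annual_likelihood=2.0, consequence=10_000.0),    # EAL 20,000
    Threat("water damage", annual_likelihood=0.05, consequence=200_000.0),    # EAL 10,000
]
SAFEGUARDS = [
    Safeguard("access control package", 30_000.0, {"inventory fraud": 0.8}),
    Safeguard("antivirus plus user training", 8_000.0, {"virus outbreak": 0.75}),
    # Avoids 9,000 per year but costs 15,000: rejected by select_safeguards.
    Safeguard("raised floor plus water sensors", 15_000.0, {"water damage": 0.9}),
]

if __name__ == "__main__":
    picked = select_safeguards(THREATS, SAFEGUARDS)
    print("selected:", [s.name for s in picked])
    print("residual:", residual_loss(THREATS, picked))
    print("accept at 40,000 tolerance:", accept_residual_risk(THREATS, picked, 40_000.0))
```

The greedy loop re-evaluates each candidate against the safeguards already chosen, so two controls that address the same threat are not double-counted. The point estimates hide the uncertainty that 3.3.3 asks to be documented; in practice each likelihood and consequence would carry a range, and the selection would be repeated at both ends of that range to see whether the decision changes.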
3.3.3 Uncertainty Analysis

Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. An uncertainty analysis should be performed and documented so that the risk management results can be used knowledgeably. There are two primary sources of uncertainty in the risk management process: (1) a lack of confidence or precision in the risk management model or methodology, and (2) a lack of sufficient information to determine the exact value of the elements of the risk model, such as threat frequency, safeguard effectiveness, or consequences.

3.4 Life Cycle Planning

Security, like other aspects of an IT system, is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle, but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal.

3.4.1 Security Plan

Organizations should ensure that security activities are accomplished during each of the phases.

□ Prepare a Security Plan. A security plan should be used to ensure that security is considered during all phases of the IT system life cycle.

3.4.2 Initiation Phase

During the initiation phase, the need for a system is expressed and the purpose of the system is documented.

□ Conduct a Sensitivity Assessment. A sensitivity assessment looks at the sensitivity of the information to be processed and the system itself.

3.4.3 Development/Acquisition Phase

During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle. The following steps should be considered during this phase:

□ Determine Security Requirements. During the first part of the development/acquisition phase, security requirements should be developed at the same time system planners define the requirements of the system. These requirements can be expressed as technical features (e.g., access controls), assurances (e.g., background checks for system developers), or operational practices (e.g., awareness and training).
□ Incorporate Security Requirements Into Specifications. Determining security features, assurances, and operational practices can yield significant security information and often voluminous requirements. This information needs to be validated, updated, and organized into the detailed security protection requirements and specifications used by systems designers or purchasers.

□ Obtain the System and Related Security Activities. If the system is being built, security activities may include developing the system's security features, monitoring the development process itself for security problems, responding to changes, and monitoring threats. Threats or vulnerabilities that may arise during the development phase include Trojan horses, incorrect code, poorly functioning development tools, manipulation of code, and malicious insiders.

  - If the system is being acquired off the shelf, security activities may include monitoring to ensure security is a part of market surveys, contract solicitation documents, and evaluation of proposed systems. Many systems use a combination of development and acquisition. In this case, security activities include both sets.
  - In addition to obtaining the system, operational practices need to be developed. These refer to human activities that take place around the system such as contingency planning, awareness and training, and preparing documentation.

3.4.4 Implementation Phase

During implementation, the system is tested and installed or fielded. The following items should be considered during this phase:

□ Install/Turn On Controls. While obvious, this activity is often overlooked. When acquired, a system often comes with security features disabled. These need to be enabled and configured.

□ Security Testing. System security testing includes both the testing of the particular parts of the system that have been developed or acquired and the testing of the entire system. Security management, physical facilities, personnel, procedures, the use of commercial or in-house services (such as networking services), and contingency planning are examples of areas that affect the security of the entire system, but may have been specified outside of the development or acquisition cycle.

□ Accreditation. System security accreditation is the formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk. It is usually supported by a review of the system, including its management, operational, and technical controls.

3.4.5 Operation/Maintenance Phase

During this phase, the system performs its work. The system is almost always being continuously modified by the addition of hardware and software and by numerous other events. The following high-level items should be considered during this phase:

□ Security Operations and Administration. Operation of a system involves many security activities discussed in this publication. Performing backups, holding training classes, managing cryptographic keys, keeping up with user administration and access privileges, and updating security software are some examples.

□ Operational Assurance. Operational assurance examines whether a system is operated according to its current security requirements. This includes both the actions of people who operate or use the system and the functioning of technical controls.

□ Audits and Monitoring. To maintain operational assurance, organizations use two basic methods: system audits and monitoring. These terms are used loosely within the computer security community and often overlap. A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users. In general, the more "real-time" an activity is, the more it falls into the category of monitoring. Figure 2 describes the various forms of auditing and monitoring.

[Figure 2 (forms of auditing and monitoring) is not reproduced here.]

3.4.6 Disposal Phase

The disposal phase of the IT system life cycle involves the disposition of information, hardware, and software. The following items should be considered during this phase:

□ Information. Information may be moved to another system, archived, discarded, or destroyed. When archiving information, consider the method for retrieving the information in the future. While electronic information is generally easier to retrieve and store, the technology used to create the records may not be readily available in the future. Measures may also have to be taken for the future use of data that has been encrypted, such as taking appropriate steps to ensure the secure long-term storage of cryptographic keys. It is important to consider legal requirements for records retention when disposing of IT systems. For federal systems, system management officials should consult with their agency office responsible for retaining and archiving federal records.

□ Media Sanitization. The removal of information from a storage medium (such as a hard disk or tape) is called sanitization. Different kinds of sanitization provide different levels of protection. A distinction can be made between clearing information (rendering it unrecoverable by keyboard attack) and purging (rendering information unrecoverable against laboratory attack). There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction.
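Of the three purging methods named above, overwriting is the one that is done in software, and the part practitioners most often get wrong is not verifying the result. The following is an added example, not code from NIST SP 800-14: it overwrites one file in place with fixed patterns followed by a random pass, forces each pass to the device, and then checks that no run of the original bytes can still be read back at the file's offsets. The sample content and the pass sequence are constructed for the demonstration. One caveat that is an assumption about the environment rather than a statement from the publication: on journaling or copy-on-write filesystems, and on flash media with wear levelling, overwriting a file in place does not guarantee that earlier copies of its blocks are gone, so on such media this procedure should be counted as clearing (defeating a keyboard attack) rather than purging; whole-device overwriting, degaussing or destruction remain the purge options.

```python
"""In-place file overwrite with verification, as a software sanitization step
(NIST SP 800-14, 3.4.6). Added example with constructed sample data."""
import os
import secrets
import tempfile
from typing import Tuple

# Pass sequence (an assumption for the demo): all-zero, all-one, then random bytes.
PASSES = (b"\x00", b"\xff", None)


def overwrite_file(path: str, chunk_size: int = 64 * 1024) -> int:
    """Overwrite every byte of `path` once per entry in PASSES.
    Each pass is flushed and fsync'd so it reaches the device before the next one
    starts. Returns the file size (bytes written per pass)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in PASSES:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                f.write(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_no_residue(path: str, original: bytes, window: int = 16) -> bool:
    """Read the file back and confirm that no `window`-byte run of the original
    content appears anywhere in it. A size change also counts as failure, since
    it would mean the overwrite did not cover the same extent."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) != len(original):
        return False
    for i in range(0, len(original) - window + 1, window):
        if original[i:i + window] in data:
            return False
    return True


def sanitize_file(path: str) -> bool:
    """Overwrite, verify against a copy of the original content, then unlink.
    Returns the verification result; the file is removed either way."""
    with open(path, "rb") as f:
        original = f.read()
    overwrite_file(path)
    ok = verify_no_residue(path, original)
    os.remove(path)
    return ok


def demo() -> Tuple[bool, bool]:
    """Constructed sample: a temporary file of recognizable records.
    Returns (original_still_readable_before, verification_passed_after)."""
    fd, path = tempfile.mkstemp()
    content = b"INVENTORY-RECORD-2024-" * 800   # about 17 KB of distinctive data
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    still_readable = not verify_no_residue(path, content)   # before any overwrite
    return still_readable, sanitize_file(path)


if __name__ == "__main__":
    print(demo())   # expected (True, True)
```

The verification step is what turns "we ran an overwrite" into evidence: it reads the file back through the same interface an attacker at the keyboard would use and fails closed on any surviving fragment or size mismatch.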
3.5 Personnel/User Issues

Many important issues in computer security involve users, designers, implementors, and managers. A broad range of security issues relate to how these individuals interact with computers and the access and authorities they need to do their job. No IT system can be secured without properly addressing these security issues.

3.5.1 Staffing

An organization's staffing process should generally involve at least the following four steps, which apply equally to general users as well as to application managers, system management personnel, and security personnel:

□ Position Definition. Early in the process of defining a position, security issues should be identified and addressed. Once a position has been broadly defined, the responsible supervisor should determine the type of computer access needed for the position. There are two general security rules to apply when granting access: separation of duties and least privilege.

  - Separation of duties refers to dividing roles and responsibilities so that a single individual cannot subvert a critical process. For example, in financial systems, no single individual should normally be given authority to issue checks. Rather, one person initiates a request for a payment and another authorizes that same payment.
  - Least privilege refers to the security objective of granting users only those accesses they need to perform their official duties. Data entry clerks, for example, may not have any need to run analysis reports of their database.

□ Determining Position Sensitivity. The responsible manager should determine the position sensitivity, based on the duties and access levels, so that appropriate cost-effective screening can be completed.

□ Screening. Background screening helps determine whether a particular individual is suitable for a given position. In general, it is more effective to use separation of duties and least privilege to limit the sensitivity of the position, rather than relying on screening to reduce the risk to the organization.

□ Employee Training and Awareness. Employees should be trained in the computer security responsibilities and duties associated with their jobs.

3.5.2 User Administration

Organizations should ensure effective administration of users' computer access to maintain system security, including user account management, auditing, and the timely modification or removal of access. The following should be considered:

□ User Account Management. Organizations should have a process for (1) requesting, establishing, issuing, and closing user accounts; (2) tracking users and their respective access authorizations; and (3) managing these functions.

□ Audit and Management Reviews. It is necessary to periodically review user account management on a system. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up to date, whether required training has been completed, and so forth. These reviews can be conducted on at least two levels: (1) on an application-by-application basis, or (2) on a system-wide basis.

□ Detecting Unauthorized/Illegal Activities. Mechanisms besides auditing and analysis of audit trails should be used to detect unauthorized and illegal acts. Rotating employees in sensitive positions, which could expose a scam that required an employee's presence, or periodic rescreening of personnel are methods that can be used.

□ Friendly Termination. Friendly terminations should be accomplished by implementing a standard set of procedures for outgoing or transferring employees. This normally includes:

  - removal of access privileges, computer accounts, and authentication tokens,
  - the control of keys,
  - the briefing on the continuing responsibilities for confidentiality and privacy,
  - return of property, and
  - continued availability of data. In both the manual and the electronic worlds, this may involve documenting procedures or filing schemes, such as how documents are stored on the hard disk and how they are backed up. Employees should be instructed whether or not to "clean up" their PC before leaving. If cryptography is used to protect data, the availability of cryptographic keys to management personnel must be ensured.

□ Unfriendly Termination. Given the potential for adverse consequences, organizations should do the following:

  - System access should be terminated as quickly as possible when an employee is leaving a position under less than friendly terms. If employees are to be fired, system access should be removed at the same time as (or just before) the employees are notified of their dismissal.
  - When an employee notifies an organization of a resignation and it can be reasonably expected that it is on unfriendly terms, system access should be immediately terminated.
  - During the "notice of termination" period, it may be necessary to assign the individual to a restricted area and function. This may be particularly true for employees capable of changing programs or modifying the system or applications.
  - In some cases, physical removal from the offices may be necessary.
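The staffing and user administration practices in 3.5.1 and 3.5.2 are checks that can be written down and run, not only policy statements. The following is an added example, not code from NIST SP 800-14: it expresses access as "who (by job category) can do what to which class of data" in the form 3.1.3 asks for, enforces least privilege on every request, enforces separation of duties on the payment example from 3.5.1 (the approver must differ from the initiator), runs the periodic account review of 3.5.2 (dormant accounts still enabled, stale management authorizations, missing training), and performs the access removal that both friendly and unfriendly termination require. The roles, accounts, thresholds (90 days dormant, 365 days to re-authorize) and review date are all constructed assumptions for the demonstration.

```python
"""Least privilege, separation of duties, periodic account review and
termination, modelled on NIST SP 800-14 sections 3.1.3, 3.5.1 and 3.5.2.
Added example; all roles, accounts and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# 3.1.3 rules: who (by job category) can do what to which class of data.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "data_entry_clerk":  {("inventory", "create"), ("inventory", "modify")},
    "analyst":           {("inventory", "read"), ("reports", "run")},
    "payments_officer":  {("payments", "initiate")},
    "payments_approver": {("payments", "approve")},
    "sysadmin":          {("accounts", "modify"), ("inventory", "read")},
}
DORMANT_AFTER = timedelta(days=90)        # assumed review threshold
REAUTHORIZE_AFTER = timedelta(days=365)   # assumed validity of a management authorization
TODAY = date(2024, 6, 1)                  # constructed review date


@dataclass
class Account:
    user: str
    role: str
    enabled: bool = True
    last_login: Optional[date] = None
    authorized_on: Optional[date] = None   # date of the current management authorization
    training_done: bool = False
    tokens: List[str] = field(default_factory=list)   # authentication tokens issued


def permitted(acct: Account, action: str, data_class: str) -> bool:
    """Least privilege: only actions listed for the account's role, and only while enabled."""
    return acct.enabled and (data_class, action) in ROLE_PERMISSIONS.get(acct.role, set())


@dataclass
class Payment:
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None


def initiate_payment(acct: Account, amount: float) -> Payment:
    if not permitted(acct, "initiate", "payments"):
        raise PermissionError(f"{acct.user} may not initiate payments")
    return Payment(amount, initiated_by=acct.user)


def approve_payment(payment: Payment, acct: Account) -> Payment:
    """Separation of duties: the approver needs the approve permission AND must not
    be the person who initiated this payment, so one individual cannot issue funds alone."""
    if not permitted(acct, "approve", "payments"):
        raise PermissionError(f"{acct.user} may not approve payments")
    if acct.user == payment.initiated_by:
        raise PermissionError("initiator and approver must be different people")
    payment.approved_by = acct.user
    return payment


def denied(fn: Callable, *args) -> bool:
    """True if the call is refused with PermissionError (used to test the negative cases)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def review_accounts(accounts: Iterable[Account], today: date) -> Dict[str, List[str]]:
    """Periodic audit and management review (3.5.2): user -> list of findings."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues = []
        if a.role not in ROLE_PERMISSIONS:
            issues.append("unknown role")
        if a.enabled and (a.last_login is None or today - a.last_login > DORMANT_AFTER):
            issues.append("dormant account still enabled")
        if a.authorized_on is None or today - a.authorized_on > REAUTHORIZE_AFTER:
            issues.append("management authorization missing or out of date")
        if a.enabled and not a.training_done:
            issues.append("required training not completed")
        if issues:
            findings[a.user] = issues
    return findings


def terminate(acct: Account) -> List[str]:
    """Termination, friendly or not: disable the account and revoke every issued token.
    Returns the revoked token identifiers so the revocation can be recorded."""
    acct.enabled = False
    revoked = list(acct.tokens)
    acct.tokens.clear()
    return revoked


def sample_accounts(today: date = TODAY) -> Dict[str, Account]:
    """Constructed account table for the demonstration."""
    d = timedelta
    return {a.user: a for a in [
        Account("alice", "payments_officer", last_login=today - d(days=3),
                authorized_on=today - d(days=30), training_done=True, tokens=["hw-token-17"]),
        Account("bob", "payments_approver", last_login=today - d(days=1),
                authorized_on=today - d(days=400), training_done=True),
        Account("carol", "data_entry_clerk", last_login=today - d(days=120),
                authorized_on=today - d(days=10), training_done=False),
        Account("dave", "sysadmin", enabled=False, last_login=today - d(days=200),
                authorized_on=today - d(days=20), training_done=True),
    ]}
```

The review deliberately reports only on the facts the 3.5.2 practice names; whether a dormant-but-enabled account is an oversight or a seasonal user is a question for the responsible manager, which is why the function returns findings rather than disabling anything itself, while `terminate` does act immediately, as the unfriendly termination practice requires.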
` (#` (# Ѐ · XXX  3.6PreparingforContingenciesandDisasters tI #XXX ·UI#  Contingencyplanningdirectlysupportsanorganization'sgoalofcontinuedoperations.Organizationsshouldpracticecontingencyplanningbecauseitmakesgoodbusinesssense.Contingencyplanningaddresseshowtokeepanorganization'scriticalfunctionsoperatingintheeventofdisruptions,bothlargeandsmall.Thisbroadperspectiveoncontingencyplanningisbasedonthedistributionofcomputersupportthroughoutanorganization.Thefollowingsixstepsdescribethebasicfunctionsanorganizationshouldemploywhendevelopingcontingencyplans.  3.6.1BusinessPlan 5L    Anorganizationshouldidentifymissionorbusinesscriticalfunctions.Theidentificationofcriticalfunctionsisoftencalleda x businessplan. RC  F0E008F0  IdentifyFunctionsandPriorities. Thebusinessplanshouldidentifyfunctionsandset   prioritiesforthem.Intheeventofadisaster,certainfunctionswillnotbeperformed.Ifappropriateprioritieshavebeenset(andapprovedbyseniormanagement),itcouldmeanthedifferenceintheorganization'sabilitytosurviveadisaster.RC(#(#   3.6.2IdentifyResources &O   Anorganizationshouldidentifytheresourcesthatsupportcriticalfunctions.Contingency  planningshouldaddressalltheresourcesneededtoperformafunction.F1Eu!00 9F0  AnalyzeResourcesNeeded. Theanalysisofneededresourcesshouldbeconductedby u!f thosewhounderstandhowthefunctionisperformedandtheinterdependenciesamongvariousresources.Thisallowsanorganizationtoassignprioritiestoresourcessincenotallelementsarecrucialtothecriticalfunctions. (#(# ̀F2Eu'00&:F߀0  OverlapofAreas. 
The identification of resources should cross managers' areas of responsibility.

Common Resources Used. The following is a list of resources used by most organizations:

- People
- Processing Capability (e.g., mainframes, personal computers)
- Computer-Based Services (e.g., telecommunications, world wide web)
- Data and Applications
- Physical Infrastructure
- Documents and Papers (e.g., documentation, blank forms, legal documents)

Time Frame Needed. In addition, an organization should identify the time frames in which each resource is used (e.g., is the resource needed constantly or only at the end of the month?), and the effect on the mission or business of the continued unavailability of the resource.

3.6.3 Develop Scenarios

An organization should anticipate potential contingencies or disasters. The development of scenarios should help an organization develop a plan to address the wide range of things that can go wrong. The following items should be considered:

Identify Possible Scenarios. Although it is impossible to think of all the things that can go wrong, an organization should identify a likely range of problems. Scenarios should include small and large contingencies. While some general classes of contingency scenarios are obvious, imagination and creativity, as well as research, can point to other possible, but less obvious, contingencies.

Address Each Resource.
The contingency scenarios should address each of the resources listed above.

3.6.4 Develop Strategies

The selection of a contingency planning strategy should be based on practical considerations, including feasibility and cost. Risk assessment can be used to help estimate the cost of options to decide on an optimal strategy. For example, is it more expensive to purchase and maintain a generator or to move processing to an alternate site, considering the likelihood of losing electrical power for various lengths of time? Whether the strategy is on-site or off-site, a contingency planning strategy normally consists of three parts: emergency response, recovery, and resumption.

Emergency Response. Document the initial actions taken to protect lives and limit damage.

Recovery. Plan the steps that are taken to continue support for critical functions.

Resumption. Determine what is required in order to return to normal operations. The relationship between recovery and resumption is important. The longer it takes to resume normal operations, the longer the organization will have to operate in the recovery mode.

Implementation. Implement the contingency plan. Once the contingency planning strategies have been selected, it is necessary to make appropriate preparations, document the procedures, and train employees. Many of these tasks are ongoing.

3.6.5 Test and Revise Plan

An organization should test and revise the contingency plan. A contingency plan should be tested periodically because there will undoubtedly be flaws in the plan and its implementation. The following items should be considered:

Keep Current. Responsibility for keeping the contingency plan current should be specifically assigned. Update the plan, since it will become outdated as time passes and as the resources used to support critical functions change.

Test.
The extent and frequency of testing will vary between organizations and among systems.

3.7 Computer Security Incident Handling

A computer security incident can result from a computer virus, other malicious code, or a system intruder, either an insider or an outsider. The definition of a computer security incident is somewhat flexible and may vary by organization and computing environment. An incident handling capability may be viewed as a component of contingency planning, because it provides the ability to react quickly and efficiently to disruptions in normal processing. Incident handling can be considered that portion of contingency planning that responds to malicious technical threats.

3.7.1 Uses of a Capability

An organization should address computer security incidents by developing an incident handling capability. The incident handling capability should be used to:

Provide Ability to Respond Quickly and Effectively.

Contain and Repair Damage From Incidents. When left unchecked, malicious software can significantly harm an organization's computing, depending on the technology and its connectivity. Containing the incident should include an assessment of whether the incident is part of a targeted attack on the organization or an isolated incident.

Prevent Future Damage. An incident handling capability should assist an organization in preventing (or at least minimizing) damage from future incidents. Incidents can be studied internally to gain a better understanding of the organization's threats and vulnerabilities.

3.7.2 Characteristics

An incident handling capability should have the following characteristics:

Understanding of the Constituency It Will Serve. The constituency may be external as well as internal. An incident that affects an organization may also affect its trading partners, contractors, or clients. In addition, an organization's computer security incident handling capability may be able to help other organizations and, therefore, help protect the community as a whole.

Educated Constituency.
Users need to know about, accept, and trust the incident handling capability or it will not be used. Through training and awareness programs, users can become knowledgeable about the existence of the capability and how to recognize and report incidents. Users' trust in the value of the service will build with reliable performance.

Centralized Communications. Successful incident handling requires that users be able to report incidents to the incident handling team in a convenient, straightforward fashion without the fear of attribution. An incident handling capability should provide a way for users to report incidents. A centralized communications point is very useful for accessing or distributing information relevant to the incident handling effort. For example, if users are linked together via a network, the incident handling capability can then use the network to send out timely announcements and other information.

Expertise in the Requisite Technologies. The technical staff members who comprise the incident handling capability need specific knowledge. Technical capabilities (e.g., trained personnel and virus identification software) should be prepositioned, ready to be used as necessary.

Ability to Communicate Effectively. This includes communicating with different types of users, who range from system administrators to unskilled users to management to law enforcement officials.

Links to Other Groups. Other groups assist in incident handling (as needed). The organization should have already made important contacts, both external and internal, with other supportive sources (e.g., public affairs, legal, technical, managerial, and state and local law enforcement) to aid in containment and recovery efforts. Intruder activity, whether hackers or malicious code, can often affect many systems located at many different network sites; handling the incidents can be logistically complex and can require information from outside the organization. By planning ahead, such contacts can be preestablished and the speed of response improved, thereby containing and minimizing damage.
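The triage step the 3.7.1 and 3.7.2 text describes, as an added example that is not part of the original document: reports arriving at a central reporting point are grouped by what was observed, and each group is classified as isolated, localized, or widespread before containment is prioritized. The report fields, the sample reports, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Report:
    reported_at: datetime   # when the user reported it
    site: str               # network site or location of the machine
    host: str               # affected machine
    indicator: str          # what was observed (e.g. the virus name)
    reporter: str           # reporting user, kept only for follow-up questions


# Constructed sample reports, as they might arrive at a central reporting point.
SAMPLE_REPORTS = [
    Report(datetime(1996, 9, 2, 8, 5), "HQ", "pc-017", "macro-virus-X", "u1"),
    Report(datetime(1996, 9, 2, 8, 40), "HQ", "pc-022", "macro-virus-X", "u2"),
    Report(datetime(1996, 9, 2, 9, 10), "BRANCH-2", "pc-104", "macro-virus-X", "u3"),
    Report(datetime(1996, 9, 2, 10, 0), "HQ", "srv-mail", "unexpected-admin-login", "admin1"),
    Report(datetime(1996, 9, 2, 10, 0), "HQ", "pc-040", "boot-sector-virus-Y", "u4"),
    Report(datetime(1996, 9, 2, 10, 20), "HQ", "pc-041", "boot-sector-virus-Y", "u5"),
    Report(datetime(1996, 9, 2, 11, 30), "HQ", "pc-017", "macro-virus-X", "u1"),
]


def triage(reports, window=timedelta(hours=24), widespread_hosts=3):
    """Group reports by indicator and classify each group.

    scope is 'isolated' (a single host), 'localized' (several hosts at one
    site) or 'widespread' (at least widespread_hosts hosts, or more than one
    site, reported within `window` of the first report).  The thresholds are
    assumed values an organization would set for itself.
    """
    clusters = defaultdict(list)
    for r in reports:
        clusters[r.indicator].append(r)
    summary = {}
    for indicator, rs in clusters.items():
        rs.sort(key=lambda r: r.reported_at)
        first = rs[0].reported_at
        # Only reports close in time to the first one count toward spread.
        in_window = [r for r in rs if r.reported_at - first <= window]
        hosts = sorted({r.host for r in rs})
        sites = sorted({r.site for r in rs})
        hosts_in_window = {r.host for r in in_window}
        sites_in_window = {r.site for r in in_window}
        if len(hosts) == 1:
            scope = "isolated"
        elif len(hosts_in_window) >= widespread_hosts or len(sites_in_window) > 1:
            scope = "widespread"
        else:
            scope = "localized"
        summary[indicator] = {"hosts": hosts, "sites": sites, "scope": scope,
                              "first_seen": first, "reports": len(rs)}
    return summary


def containment_order(summary):
    """Indicators in the order containment should address them: widespread
    first, then localized, then isolated; more hosts first within a class."""
    rank = {"widespread": 0, "localized": 1, "isolated": 2}
    return sorted(summary,
                  key=lambda i: (rank[summary[i]["scope"]], -len(summary[i]["hosts"])))


def run_sample():
    """Triage the constructed reports; returns (summary, containment order)."""
    summary = triage(SAMPLE_REPORTS)
    return summary, containment_order(summary)


if __name__ == "__main__":
    summary, order = run_sample()
    for indicator in order:
        s = summary[indicator]
        print(f"{indicator:24} {s['scope']:10} hosts={s['hosts']} sites={s['sites']}")
```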
3.8 Awareness and Training

An effective computer security awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation. In general, a computer security awareness and training program should encompass the following seven steps:

Identify Program Scope, Goals, and Objectives. The scope of the program should provide training to all types of people who interact with IT systems. Since users need training which relates directly to their use of particular systems, a large organization-wide program needs to be supplemented by more system-specific programs.

Identify Training Staff. It is important that trainers have sufficient knowledge of computer security issues, principles, and techniques. It is also vital that they know how to communicate information and ideas effectively.

Identify Target Audiences. Not everyone needs the same degree or type of computer security information to do their jobs. A computer security awareness and training program that distinguishes between groups of people, presents only the information needed by the particular audience, and omits irrelevant information will have the best results.

Motivate Management and Employees. To successfully implement an awareness and training program, it is important to gain the support of management and employees. Consider using motivational techniques to show management and employees how their participation in a computer security and awareness program will benefit the organization.

Administer the Program. Several important considerations for administering the program include visibility, selection of appropriate training methods, topics, materials, and presentation techniques.

Maintain the Program. Efforts should be made to keep abreast of changes in computer technology and security requirements. A training program that meets an organization's needs today may become ineffective when the organization starts to use a new application or changes its environment, such as by connecting to the Internet.

Evaluate the Program.
An evaluation should attempt to ascertain how much information is retained, to what extent computer security procedures are being followed, and general attitudes toward computer security.

3.9 Security Considerations in Computer Support and Operations

Computer support and operations refers to system administration and tasks external to the system that support its operation (e.g., maintaining documentation). Failure to consider security as part of the support and operations of IT systems is, for many organizations, a significant weakness. Computer security system literature includes many examples of how organizations undermined their often expensive security measures because of poor documentation, no control of maintenance accounts, or other shoddy practices. The following practices are what an organization's support and operation should include:

User Support. In general, system support and operations staff should provide assistance to users, such as with a help desk. Support staff need to be able to identify security problems, respond appropriately, and inform appropriate individuals.

Software Support. Controls should be placed on system software commensurate with the risk. The controls should include:

- policies for loading and executing new software on a system. Executing new software can lead to viruses, unexpected software interactions, or software that may subvert or bypass security controls.
- use of powerful system utilities. System utilities can compromise the integrity of operating systems and logical access controls.
- authorization of system changes. This involves the protection of software and backup copies and can be done with a combination of logical and physical access controls.
- license management. Software should be properly licensed and organizations should take steps to ensure that no illegal software is being used. For example, an organization may audit systems for illegal copies of copyrighted software.

Configuration Management.
Configuration management should ensure that changes to the system do not unintentionally or unknowingly diminish security. The goal is to know how changes will affect system security.

Backups. It is critical to back up software and data. Frequency of backups will depend upon how often data changes and how important those changes are. Program managers should be consulted to determine what backup schedule is appropriate. Backup copies should be tested to ensure they are usable. Backups should be stored securely.

Media Controls. A variety of measures, such as marking and logging, should be used to provide physical and environmental protection and accountability for tapes, diskettes, printouts, and other media. The extent of media control depends upon many factors, including the type of data, the quantity of media, and the nature of the user environment.

Documentation. All aspects of computer support and operations should be documented to ensure continuity and consistency. Security documentation should be designed to fulfill the needs of the different types of people who use it. The security of a system also needs to be documented, including security plans, contingency plans, and security policies and procedures.

Maintenance. If someone who does not normally have access to the system performs maintenance, then a security vulnerability is introduced. Procedures should be developed to ensure that only authorized personnel perform maintenance. If a system has a maintenance account, it is critical to change factory-set passwords or otherwise disable the accounts until they are needed. If maintenance is to be performed remotely, authentication of the maintenance provider should be made.

Standardized Logon Banner. Prior to user authentication, the system should display a banner warning that use of the system is restricted to authorized people.
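One way to check an account inventory against the Maintenance practices above (factory-set passwords changed, maintenance accounts disabled until needed, remote maintenance providers authenticated), as an added example that is not part of the original document. The Account record, its field names, and the sample inventory are constructed assumptions rather than any product's real format.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    kind: str                                  # "user" or "maintenance"
    enabled: bool
    created: date                              # when the account was provisioned
    password_changed: Optional[date]           # None: factory-set password still in place
    remote: bool = False                       # vendor can reach the account remotely
    provider_authenticated: bool = False       # provider identity verified before access
    approved_window: Optional[Tuple[date, date]] = None  # authorized maintenance period


def audit_maintenance_accounts(accounts: List[Account], today: date):
    """Return (account name, finding) pairs for maintenance accounts that
    violate the practices.  Ordinary user accounts are out of scope here."""
    findings = []
    for a in accounts:
        if a.kind != "maintenance":
            continue
        # "change factory-set passwords": a password never set after provisioning
        if a.password_changed is None:
            findings.append((a.name, "factory-set password never changed"))
        # "otherwise disable the accounts until they are needed": enabled only
        # while an approved maintenance window is open
        in_window = (a.approved_window is not None
                     and a.approved_window[0] <= today <= a.approved_window[1])
        if a.enabled and not in_window:
            findings.append((a.name, "enabled outside an approved maintenance window"))
        # "authentication of the maintenance provider should be made"
        if a.remote and not a.provider_authenticated:
            findings.append((a.name, "remote maintenance without provider authentication"))
    return findings


# Constructed sample inventory; dates are illustrative.
SAMPLE_ACCOUNTS = [
    Account("jsmith", "user", True, date(1996, 1, 10), date(1996, 8, 1)),
    Account("field_svc", "maintenance", True, date(1995, 11, 3), None,
            remote=True, provider_authenticated=False),
    Account("vendor_diag", "maintenance", True, date(1996, 2, 14), date(1996, 2, 20)),
    Account("hw_maint", "maintenance", True, date(1996, 3, 1), date(1996, 8, 20),
            remote=True, provider_authenticated=True,
            approved_window=(date(1996, 9, 1), date(1996, 9, 3))),
]


def audit_sample(today: date = date(1996, 9, 2)):
    """Run the audit over the constructed inventory as of `today`."""
    return audit_maintenance_accounts(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for name, finding in audit_sample():
        print(f"{name:12} {finding}")
```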
3.10 Physical and Environmental Security

Physical and environmental security controls are implemented to protect the facility housing system resources, the system resources themselves, and the facilities used to support their operation. An organization's physical and environmental security program should address the following seven topics. In doing so, it can help prevent interruptions in computer services, physical damage, unauthorized disclosure of information, loss of control over system integrity, and theft.

Physical Access Controls. Physical access controls restrict the entry and exit of personnel (and often equipment and media) from an area, such as an office building, suite, data center, or room containing a local area network (LAN) server.

- Physical access controls should address not only the area containing system hardware, but also locations of wiring used to connect elements of the system, supporting services (such as electric power), backup media, and any other elements required for the system's operation.
- It is important to review the effectiveness of physical access controls in each area, both during normal business hours and at other times, particularly when an area may be unoccupied.

Fire Safety Factors. Building fires are a particularly important security threat because of the potential for complete destruction of both hardware and data, the risk to human life, and the pervasiveness of the damage. Smoke, corrosive gases, and high humidity from a localized fire can damage systems throughout an entire building. Consequently, it is important to evaluate the fire safety of buildings that house systems.

Failure of Supporting Utilities. Systems and the people who operate them need to have a reasonably well controlled operating environment. Consequently, failures of electric power, heating and air conditioning systems, water, sewage, and other utilities will usually cause a service interruption and may damage hardware. Organizations should ensure that these utilities, including their many elements, function properly.

Structural Collapse.
Organizations should be aware that a building may be subjected to a load greater than it can support. Most commonly this is a result of an earthquake, a snow load on the roof beyond design criteria, an explosion that displaces or cuts structural members, or a fire that weakens structural members.

Plumbing Leaks. While plumbing leaks do not occur every day, they can be seriously disruptive. An organization should know the location of plumbing lines that might endanger system hardware and take steps to reduce risk (e.g., moving hardware, relocating plumbing lines, and identifying shutoff valves).

Interception of Data. Depending on the type of data a system processes, there may be a significant risk if the data is intercepted. Organizations should be aware that there are three routes of data interception: direct observation, interception of data transmission, and electromagnetic interception.

Mobile and Portable Systems. The analysis and management of risk usually has to be modified if a system is installed in a vehicle or is portable, such as a laptop computer. The system in a vehicle will share the risks of the vehicle, including accidents and theft, as well as regional and local risks. Organizations should use:

- Secure storage of laptop computers when they are not in use.
- Encryption of data files on stored media, when cost-effective, as a precaution against disclosure of information if a laptop computer is lost or stolen.

3.11 Identification and Authentication

Identification and Authentication is a critical building block of computer security since it is the basis for most types of access control and for establishing user accountability.
Identification and Authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an IT system. Access control usually requires that the system be able to identify and differentiate among users. For example, access control is often based on least privilege, which refers to the granting to users of only those accesses minimally required to perform their duties. User accountability requires the linking of activities on an IT system to specific individuals and, therefore, requires the system to identify users.

3.11.1 Identification

Identification is the means by which a user provides a claimed identity to the system. The most common form of identification is the user ID. The following should be considered when using user IDs:

Unique Identification. An organization should require users to identify themselves uniquely before being allowed to perform any actions on the system unless user anonymity or other factors dictate otherwise.

Correlate Actions to Users. The system should internally maintain the identity of all active users and be able to link actions to specific users. (See audit trails below.)

Maintenance of User IDs. An organization should ensure that all user IDs belong to currently authorized users. Identification data must be kept current by adding new users and deleting former users.

Inactive User IDs. User IDs that are inactive on the system for a specific period of time (e.g., 3 months) should be disabled.

3.11.2 Authentication

Authentication is the means of establishing the validity of this claim. There are three means of authenticating a user's identity which can be used alone or in combination: something the individual knows (a secret, e.g., a password, Personal Identification Number (PIN), or cryptographic key); something the individual possesses (a token, e.g., an ATM card or a smart card); and something the individual is (a biometric, e.g., characteristics such as a voice pattern, handwriting dynamics, or a fingerprint). The following should be considered:

Require Users to Authenticate.
An organization should require users to authenticate their claimed identities on IT systems. It may be desirable for users to authenticate themselves with a single login. This requires the user to authenticate themselves only once and then be able to access a wide variety of applications and data available on local and remote systems.

Restrict Access to Authentication Data. An organization should restrict access to authentication data. Authentication data should be protected with access controls and one-way encryption to prevent unauthorized individuals, including system administrators or hackers, from obtaining the data.

Secure Transmission of Authentication Data. An organization should protect authentication data transmitted over public or shared data networks. When authentication data, such as a password, is transmitted to an IT system, it can be electronically monitored. This can happen on the network used to transmit the password or on the IT system itself. Simple encryption of a password that will be used again does not solve this problem, because encrypting the same password will create the same ciphertext; the ciphertext becomes the password.

Limit Logon Attempts. Organizations should limit the number of logon attempts. Many operating systems can be configured to lock a user ID after a set number of failed logon attempts. This helps to prevent guessing of authentication data.

Secure Authentication Data as it is Entered. Organizations should protect authentication data as it is entered into the IT system, including suppressing the display of the password as it is entered and orienting keyboards away from view.

Administer Data Properly. Organizations should carefully administer authentication data and tokens, including procedures to disable lost or stolen passwords or tokens and monitoring systems to look for stolen or shared accounts.

3.11.3 Passwords

If passwords are used for authentication, organizations should:

Specify Required Attributes.
Secure password attributes, such as a minimum length of six, inclusion of special characters, not being in an online dictionary, and being unrelated to the user ID, should be specified and required.

Change Frequently. Passwords should be changed periodically.

Train Users. Teach users not to use easy-to-guess passwords, not to divulge their passwords, and not to store passwords where others can find them.

3.11.4 Advanced Authentication

Advanced authentication, such as a challenge-response system, generally requires more administrative overhead than passwords. If used, organizations should train users in the following:

How to Use. In the use of the authentication system, including secrecy of PINs, passwords, or cryptographic keys, physical protection of tokens is also required.

Why it is Used. To help decrease possible user dissatisfaction, users should be told why this type of authentication is being used.

3.12 Logical Access Control

Access is the ability to do something with a computer resource (e.g., use, change, or view). Logical access controls are the system-based means by which the ability is explicitly enabled or restricted in some way. Logical access controls can prescribe not only who or what (e.g., in the case of a process) is to have access to a specific system resource but also the type of access that is permitted. Organizations should implement logical access control based on policy made by a management official responsible for a particular system, application, subsystem, or group of systems. The policy should balance the often competing interests of security, operational requirements, and user-friendliness. In general, organizations should base access control policy on the principle of least privilege, which states that users should be granted access only to the resources they need to perform their official functions.

3.12.1 Access Criteria

Organizations should control access to resources based on the following access criteria, as appropriate:

Identity (user ID). The identity is usually unique in order to support individual accountability, but it can be a group identification or even anonymous.

Roles.
Access to information may also be controlled by the job assignment or function (i.e., the role) of the user who is seeking access. The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

Location. Access to particular system resources may be based upon physical or logical location. Similarly, users can be restricted based upon network addresses (e.g., users from sites within a given organization may be permitted greater access than those from outside).

Time. Time-of-day and day-of-week/month restrictions are another type of limitation on access. For example, use of confidential personnel files may be allowed only during normal working hours.

Transaction. Another criterion can be used by organizations handling transactions. For example, access to a particular account could be granted only for the duration of a transaction, e.g., in an account inquiry a caller would enter an account number and PIN. A service representative would be given read access to that account. When completed, the access authorization is terminated. This means that users have no choice in the accounts to which they have access.

Service Constraints. Service constraints refer to those restrictions that depend upon the parameters that may arise during use of the application or that are preestablished by the resource owner/manager. For example, a particular software package may be licensed by the organization for only five users at a time. Access would be denied for a sixth user, even if the user were otherwise authorized to use the application. Another type of service constraint is based upon application content or numerical thresholds. For example, an ATM machine may restrict transfers of money between accounts to certain dollar limits or may limit maximum ATM withdrawals to $500 per day.

Access Modes.
Organizations should consider the types of access, or access modes. The concept of access modes is fundamental to access control. Common access modes, which can be used in both operating or application systems, include read, write, execute, and delete. Other specialized access modes (more often found in applications) include create or search. Of course, these criteria can be used in conjunction with one another.

3.12.2 Access Control Mechanisms

An organization should consider both internal and external access control mechanisms. Internal access controls are a logical means of separating what defined users (or user groups) can or cannot do with system resources. External access controls are a means of controlling interactions between the system and outside people, systems, and services. When setting up access controls, organizations should consider the following mechanisms:

Access control lists (ACLs). ACLs are a register of users (including groups, machines, processes) who have been given permission to use a particular system resource and the types of access they have been permitted.

Constrained User Interfaces. Access to specific functions is restricted by never allowing users to request information, functions, or other resources for which they do not have access. Three major types exist: menus, database views, and physically constrained user interfaces, e.g., an ATM.

Encryption. Encrypted information can only be decrypted, and therefore read, by those possessing the appropriate cryptographic key. While encryption can provide strong access control, it is accompanied by the need for strong key management.

Port Protection Devices. Fitted to a communications port of a host computer, a port protection device (PPD) authorizes access to the port itself, often based on a separate authentication (such as a dial-back modem) independent of the computer's own access control functions.

Secure Gateways/Firewalls.
Secure gateways block or filter access between two networks, often between a private network and a larger, more public network such as the Internet. Secure gateways allow internal users to connect to external networks while protecting internal systems from compromise.

Host-Based Authentication. Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. Many network applications in use today use host-based authentication to determine whether access is allowed. Under certain circumstances, it is fairly easy to masquerade as the legitimate host, especially if the masquerading host is physically located close to the host being impersonated.

Organizations should carefully administer access control. This includes implementing, monitoring, modifying, testing, and terminating user accesses on the system.

Organizations should avoid using passwords as a means of access control, which can result in a proliferation of passwords that can reduce overall security. Password-based access control is often inexpensive because it is already included in a large variety of applications. However, users may find it difficult to remember additional application passwords, which, if written down or poorly chosen, can lead to their compromise. Password-based access controls for PC applications are often easy to circumvent if the user has access to the operating system (and knowledge of what to do).

3.13 Audit Trails

Audit trails maintain a record of system activity by system or application processes and by user activity. In conjunction with appropriate tools and procedures, audit trails can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events, intrusion detection, and problem identification. Audit trails should be used for the following:

Individual Accountability. The audit trail supports accountability by providing a trace of user actions. While users cannot be prevented from using resources to which they have legitimate access authorization, audit trail analysis can be used to examine their actions.

Reconstruction of Events.
An organization should use audit trails to support after-the-fact investigations of how, when, and why normal operations ceased.

Intrusion Detection. If audit trails have been designed and implemented to record appropriate information, they can assist in intrusion detection. Intrusions can be detected in real time, by examining audit records as they are created, or after the fact, by examining audit records in a batch process.

Problem Identification. Audit trails may also be used as online tools to help identify problems other than intrusions as they occur. This is often referred to as real-time auditing or monitoring.

3.13.1 Contents of Audit Trail Records

An audit trail should include sufficient information to establish what events occurred and who (or what) caused them. Defining the scope and contents of the audit trail should be done carefully to balance security needs with possible performance, privacy, or other costs. In general, an event record should specify:

Type of Event. The type of event and its result, such as failed user authentication attempts, changes to users' security information, and organization- and application-specific security-relevant events.

When the Event Occurred. The time and day the event occurred should be listed.

User ID Associated With the Event.

Program or Command Used to Initiate the Event.

3.13.2 Audit Trail Security

Organizations should protect the audit trail from unauthorized access. The following precautions should be taken:

Control Online Audit Logs. Access to online audit logs should be strictly controlled.

Separation of Duties. Organizations should strive for separation of duties between security personnel who administer the access control function and those who administer the audit trail.

Protect Confidentiality. The confidentiality of audit trail information also needs to be protected if, for example, it records personal information about users.

3.13.3 Audit Trail Reviews

Audit trails should be reviewed periodically. The following should be considered when reviewing audit trails:

Recognize Normal Activity.
Reviewers should know what to look for to be effective in spotting unusual activity. They need to understand what normal activity looks like.

Contain a Search Capability. Audit trail review can be easier if the audit trail function can be queried by user ID, terminal ID, application name, date and time, or some other set of parameters to run reports of selected information.

Follow-up Reviews. The appropriate system-level or application-level administrator should review the audit trails following a known system or application software problem, a known violation of existing requirements by a user, or some unexplained system or user problem.

Develop Review Guidelines. Application owners, data owners, system administrators, data processing function managers, and computer security managers should determine how much review of audit trail records is necessary, based on the importance of identifying unauthorized activities.

Automated Tools. Traditionally, audit trails are analyzed in a batch mode at regular intervals (e.g., daily). Audit analysis tools, such as those based on audit reduction, attack signature, and variance techniques, can be used in a real-time, or near real-time, fashion. Organizations should use the many types of tools that have been developed to help reduce the amount of information contained in audit records, as well as to distill useful information from the raw data.

3.13.4 Keystroke Monitoring

Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails. The Department of Justice has advised that an ambiguity in U.S. law makes it unclear whether keystroke monitoring is considered equivalent to an unauthorized telephone wiretap. If keystroke monitoring is used in audit trails, organizations should:

Have Written Policy. A policy, in concert with appropriate legal counsel, should be developed.

Notify Users.
Inform users if keystroke monitoring may take place.

3.14 Cryptography

Cryptography is a branch of mathematics based on the transformation of data. It provides an important tool for protecting information and is used in many aspects of computer security. Cryptography is traditionally associated only with keeping data secret. However, modern cryptography can be used to provide many security services, such as electronic signatures and ensuring that data has not been modified. Several important issues should be considered when designing, implementing, and integrating cryptography in an IT system.

Select Design and Implementation Standards. Managers and users of IT systems must select among various standards when deciding to use cryptography. Their selection should be based on cost-effectiveness analysis, trends in the standard's acceptance, and interoperability requirements. In addition, each standard should be carefully analyzed to determine if it is applicable to the organization and the desired application.

Decide on Hardware vs. Software Implementations. The trade-offs among security, cost, simplicity, efficiency, and ease of implementation need to be studied by managers acquiring various security products. Cryptography can be implemented in either hardware or software; each has related costs and benefits.

Manage Keys. All keys need to be protected against modification, and secret keys and private keys need protection against unauthorized disclosure. Key management involves the procedures and protocols, both manual and automated, used throughout the entire life cycle of the keys. This includes the generation, distribution, storage, entry, use, destruction, and archiving of cryptographic keys.

Secure Cryptographic Modules.
The proper functioning of cryptography requires the secure design, implementation, and use of the cryptographic module. This includes protecting the module against tampering. Cryptography is typically implemented in a module of software, firmware, hardware, or some combination thereof. This module contains the cryptographic algorithm(s), certain control parameters, and temporary storage facilities for the key(s) being used by the algorithm(s).

Comply with Export Rules. Users must be aware that the U.S. Government controls the export of cryptographic implementations. The rules governing export can be quite complex, since they consider multiple factors. In addition, cryptography is a rapidly changing field, and rules may change from time to time. Questions concerning the export of a particular implementation should be addressed to appropriate legal counsel.
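The authentication practices of 3.11.2 and 3.11.3 (one-way protection of stored authentication data, the observation that an encrypted password sent repeatedly is itself replayable, a lockout after a set number of failed attempts, and the required password attributes) and the 3.14 point that secret keys must not be disclosed, worked through together as an added example that is not part of the original document. The scheme is a simplified illustration of a challenge-response exchange, not a standard protocol; the dictionary, the attempt limit, the user names and the passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the "online dictionary" the text refers to.
DICTIONARY = {"password", "welcome", "letmein", "secret", "qwerty"}
MAX_FAILED_ATTEMPTS = 3      # assumed lockout threshold
PBKDF2_ROUNDS = 100_000


def check_password_attributes(user_id: str, password: str):
    """Return the list of required attributes the password fails (empty if OK):
    minimum length six, a special character, not in the dictionary, and
    unrelated to the user ID."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    if password.lower() in DICTIONARY:
        problems.append("found in dictionary")
    if user_id.lower() in password.lower():
        problems.append("related to user ID")
    return problems


def make_verifier(password: str, salt: bytes) -> bytes:
    """One-way transform of the password; only this value is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthServer:
    """Stores salted one-way verifiers, never passwords, and counts failures."""

    def __init__(self):
        self.users = {}      # user_id -> {"salt", "verifier", "failures", "locked"}
        self.pending = {}    # user_id -> nonce issued and not yet consumed

    def enroll(self, user_id: str, password: str):
        problems = check_password_attributes(user_id, password)
        if problems:
            raise ValueError(f"{user_id}: " + "; ".join(problems))
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "verifier": make_verifier(password, salt),
                               "failures": 0, "locked": False}

    def challenge(self, user_id: str):
        """Step 1: the server sends the salt and a fresh, single-use nonce."""
        nonce = secrets.token_bytes(16)
        self.pending[user_id] = nonce
        return self.users[user_id]["salt"], nonce

    def verify(self, user_id: str, response: bytes) -> bool:
        """Step 2: check the HMAC over the nonce and consume the nonce, so the
        same response is never accepted twice; lock after repeated failures."""
        u = self.users[user_id]
        nonce = self.pending.pop(user_id, None)
        if u["locked"] or nonce is None:
            return False
        expected = hmac.new(u["verifier"], nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            u["failures"] = 0
            return True
        u["failures"] += 1
        if u["failures"] >= MAX_FAILED_ATTEMPTS:
            u["locked"] = True          # Limit Logon Attempts
        return False


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """The client proves knowledge of the password over the nonce; the password
    itself never leaves the client, and each response is bound to one nonce."""
    return hmac.new(make_verifier(password, salt), nonce, hashlib.sha256).digest()


def demo():
    """Returns (genuine login accepted, captured response replayed, guesses, locked)."""
    server = AuthServer()
    server.enroll("alice", "Tr0ub4dor&3")
    salt, nonce = server.challenge("alice")
    resp = client_response("Tr0ub4dor&3", salt, nonce)
    first_ok = server.verify("alice", resp)
    # An eavesdropper who captured `resp` presents it against a new challenge.
    server.challenge("alice")
    replay_ok = server.verify("alice", resp)
    guesses = []
    for guess in ("welcome1!", "alice!23"):
        salt, nonce = server.challenge("alice")
        guesses.append(server.verify("alice", client_response(guess, salt, nonce)))
    return first_ok, replay_ok, guesses, server.users["alice"]["locked"]


if __name__ == "__main__":
    print(demo())
```

With a fixed transform of the password (the "ciphertext becomes the password" case) the replay in demo() would succeed; binding the response to a nonce is what makes it fail.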