ebook img

Computer security PDF

68 Pages·1996·3.3 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Computer security

NIST Special Publication 800-14 Generally Accepted Principles and Practices for Securing Information U.S. DEPARTMENT OF COMMERCE Technology Systems Technology Administration National Institute of Standards and Technology Marianne Swanson and Barbara Guttman i I COMPUTER SECURITY rhe National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in the development of technology needed to improve product quality, . . . to modernize manufacturing processes, to ensure product reliability and to facilitate rapid . . . commercialization ... of products based on new scientific discoveries." NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's competitiveness; advance science and engineering; and improve public health, safety, and the environment. One ofthe agency's basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government. As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303. For more information contact the Public Inquiries Desk, 301-975-3058. NisT Special Publication 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems Marianne Swanson and Barbara Guttman COMPUTER SECURITY Computer Systems Laboratory National Institute of Standards and Technology MD Gaithersburg, 20899-0001 September 1996 U.S. Department ofCommerce Michael Kantor, Secretary Technology Administration Mary L. Good, Under Secretary for Technology National Institute ofStandards and Technology Arati Prabhakar, Director Reports on Computer Systems Technology The National Institute of Standards and Technology (NIST) has a unique responsibility for computer systems technology within the Federal government. NIST's Computer Systems Laboratory (CSL) devel- ops standards and guidelines, provides technical assistance, and conducts research for computers and related telecommunications systems to achieve more effective utilization of Federal information technol- ogy resources. CSL's responsibilities include development of technical, management, physical, and ad- ministrative standards and guidelines for the cost-effective security and privacy of sensitive unclassified information processed in Federal computers. CSL assists agencies in developing security plans and in improving computer security awareness training. This Special Publication 800 series reports CSL re- search and guidelines to Federal agencies as well as to organizations in industry, government, and academia. National Institute of Standards and Technology Special Publication 800-14 Natl. Inst. Stand. Technoi. Spec. Publ. 800-14, 61 pages (Sept. 1996) CODEN: NSPUE2 U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 1996 For sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402 Principles and Practices for Securing IT Systems Table of Contents 1. Introduction 1 1.1 Principles 1 1.2 Practices 1 1.3 Relationship ofPrinciples and Practices 2 1.4 Background 2 1.5 Audience 3 1.6 Structure ofthis Document 3 1.7 Terminology 3 2. Generally Accepted System Security Principles 4 2.1 Computer Security Supports the Mission ofthe Organization 5 2.2 Computer Security is an Integral Element ofSound Management 6 2.3 Computer Security Should Be Cost-Effective 6 2.4 Systems Owners Have Security Responsibilities Outside Their Own Organizations 7 2.5 Computer Security Responsibilities and Accountability Should Be Made Explicit 8 . 2.6 Computer Security Requires a Comprehensive and Integrated Approach 9 2.7 Computer Security Should Be Periodically Reassessed 9 2.8 Computer Security is Constrained by Societal Factors 10 3. Common IT Security Practices 11 3.1 Policy 13 3.1.1 Program Policy 13 3.1.2 Issue-Specific Policy 14 3.1.3 System-Specific Policy 14 3.1.4 All Policies 15 3.2 Program Management 16 3.2.1 Central Security Program 16 3.2.2 System-Level Program 17 3.3 Risk Management 19 3.3.1 Risk Assessment 19 3.3.2 Risk Mitigation 20 3.3.3 Uncertainty Analysis 21 3.4 Life Cycle Planning 22 3.4.1 Security Plan 22 3.4.2 Initiation Phase 22 3.4.3 Development/Acquisition Phase 22 3.4.4 Implementation Phase 23 iii Principles andPractices for Securing ITSystems 3.4.5 Operation/Maintenance Phase 24 3.4.6 Disposal Phase 26 3.5 Personnel/User Issues 27 3.5.1 Staffing 27 3.5.2 User Administration 28 3.6 Preparing for Contingencies and Disasters 31 3.6.1 Business Plan 31 3.6.2 Identify Resources 31 3.6.3 Develop Scenarios 32 3.6.4 Develop Strategies 32 3.6.5 Test and Revise Plan 33 3.7 Computer Security Incident Handling 34 3.7.1 Uses ofa Capability 34 3.7.2 Characteristics 34 3.8 Awareness and Training 37 3.9 Security Considerations in Computer Support and Operations 39 3.10 Physical and Environmental Security 41 3.11 Identification and Authentication 43 3.11.1 Identification 43 3.11.2 Authentication 44 3.1 1.3 Passwords 45 3.11.4 Advanced Authentication 45 3.12 Logical Access Control 46 3.12.1 Access Criteria 46 3.12.2 Access Control Mechanisms 47 3.13 Audit Trails 50 3.13.1 Contents ofAudit Trail Records 50 3.13.2 Audit Trail Security 51 3.13.3 Audit Trail Reviews 51 3.13.4 Keystroke Monitoring 52 3.14 Cryptography 54 4. References 56 iv Principles and Practices for Securing IT Systems 1. Introduction As more organizations share information electronically, a common understanding ofwhat is needed and expected in securing information technology (IT) resources is required. This document provides a basehne that organizations can use to establish and review their IT security programs. The document gives a foundation that organizations can reference when conducting multi-organizational business as well as internal business. Management, internal auditors, users, system developers, and security practioners can use the guideline to gain an understanding ofthe basic security requirements most IT systems should contain. The foundation begins with generally accepted system security principles and continues with common practices that are used in securing IT systems. 1.1 Principles Many approaches and methods can be used to secure IT systems; however, certain intrinsic expectations must be met whether the system is small or large or owned by a government agency orby a private corporation. The intrinsic expectations are described in this document as generally accepted system security principles. The principles address computer security from a very high-level viewpoint. The principles are to be used when developing computer security programs and policy and when creating new systems, practices or policies. Principles are expressed at a high level, encompassing broad areas, e.g., accountability, cost effectiveness, and integration. 1.2 Practices The next level in the foundation is the common IT security practices that are in general use today. The practices guide organizations on the types ofcontrols, objectives and procedures that comprise an effective IT security program. The practices show what should be done to enhance or measure an existing computer security program or to aid in the development ofa new program. The practices provide a common ground for determining the security of an organization and build confidence when conducting multi-organizational business. This document provides the practices in a checklist format to assist organizations in reviewing their current policies and procedures against the common practices presented here. Organizations should use the practices as a starting point in order to develop additional practices based on their 1 Principles andPractices for Securing ITSystems own organizational and system requirements. The common practices should be augmented with additional practices based on each organization's unique needs. The practices described in this publication come from NIST Special Publication 800-12, An Introduction to Computer Security: The NISTHandbook. They are not intended to be definitive; as technology changes, so will the practices. 1.3 Relationship of Principles and Practices This document describes eight principles and fourteen practices. Each ofthe principles applies to each ofthe practices. The nature ofthe relationship between the principles and the practices varies. In some cases, practices are derived from one or more principles; in other cases practices are constrained by principles. For example, the Risk Management Practice is directly derived from the Cost-Effectiveness Principle. However, the Comprehensive and Reassessment Principles place constraints on the Risk Management Practice. While a mapping could be made to the specific relationships between the principles and the practices, it is probably not useful. The important point is that the principles provide the foundation for a sound computer security program. 1.4 Background The National Performance Review (NPR) recommended as part ofthe National Information Infrastructure (Nil) that the National Institute ofStandards and Technology (NIST) develop generally accepted system security principles and practices for the federal government. These security principles and practices are to be applied in the use, protection, and design of government information and data systems, particularly front-line systems for delivering services electronically to citizens. The need for rules, standards, conventions and procedures that define accepted security practices was outlined in the 1991 National Research Council document ComputersAtRisk. Their recommendation called for the development ofa comprehensive set ofgenerally accepted system security principles (GSSP) which would clearly articulate essential security features, assurances, and practices. Work began on implementing the ComputersAtRisk recommendation in 1992 2 Principles andPractices for Securing IT Systems by several national and international organizations with an interest in computer security. This document draws upon their ongoing efforts. 1.5 Audience This document has two distinct uses. The chapter covering principles is to be used by all levels ofmanagement and by those individuals responsible for computer security at the system level and organization level. The principles are intended as a guide when creating program policy or reviewing existing policy. The common practices are intended as a reference document and an auditing tool. The goal ofthis document is to provide a common baseline ofrequirements that can be used within and outside organizations by internal auditors, managers, users and computer security officers. The concepts presented are generic and can be applied to organizations in private and public sectors. 1.6 Structure of this Document This document is organized as follows: Chapter 2 presents the principles. Chapter 3 contains the common IT security practices. Chapter4 provides references used in the development ofthis document. 1.7 Terminology This document uses the terms information technology security and computer security interchangeably. The terms refer to the entire spectrum ofinformation technology including application and support systems. Computer security is the protection afforded to an automated information system in order to attain the applicable objectives ofpreserving the integrity, availability, and confidentiality ofinformation system resources (including hardware, software, firmware, information data, and telecommunications). Principles and Practices for Securing ITSystems 2. Generally Accepted System Security Principles As the name implies, the principles are generally accepted ~ that which is most commonly being used at the present time to secure IT resources. The principles that this document offers are not new to the security profession. They are based on the premise that (most) everyone applies these when developing or maintaining a system and they have become generally accepted. This document uses the Organization for OBCD'sGuidelinesfortheSecurityofInformationSystems: Economic Co-operation and Development's Accountability-Theresponsibilitiesandaccountabilityofowners, providersandusersofinformationsystemsandotherparties...should (OECD) Guidelinesfor the Security of beexplicit. Information Systems as the base for the Awareness-Owners,providers,usersandotherpartiesshould readUybeable,consistentwithmaintainingsecurity,togain principles. The OECD Guidelines were appropriateknowledgeofandbeinformedabouttheexistenceand pneralextentofmeasures...forthesecurityofinformationsystems. developed in 1992 by a group of Ethics'TheInformationsystemsandthesecurityofinformation international experts to provide a foundation systemsshouldbeprovidedandusedinsuchamannerthattherights andlegitimateinterestofothersarerespected. from which governments and the private Muhidisciplinary-Measures,practicesandproceduresforthe sector, acting singly and in concert, could securityofinformationsystemsshouldtakeaccountofandaddress allrelevantconsiderationsandviewpoints.... construct a framework for securing IT systems. The OECD Guidelines are the Pprroopcoerdtuiroensaslhiotuyl-dSbeecuarpiptryoplerviealtse,aconsdtsp,rompeoarstuiroensa,teprtaocttihceesvaalnudeof anddegreeofrelianceontheinfomiationsystemsandtotheseverity, current international guidelines which have probabilityandextentofpotentialharm.,.. A been endorsed by the United States. brief Integration-Measures,practicesandproceduresforthesecurityof informationsystemsshouldbecoordinatedandintegratedwitheach OECD description ofthe nine principles is otherandothermeasures,practicesandproceduresofthe organizationsoastocreateacoherentsystemofsecurity. provided in Figure 1. Using the spirit of Timeliness-Publicandprivateparties,atbothnationaland the Guidelines, NIST developed principles internationallevels,shouldactinatimelycoordinatedmannerto preventandtorespondtobreachesofsecurityofinformationsystems. which applies to federal systems.' In Reassessment-Thesecurityofinformationsystemsshouldbe developing this set ofprinciples, NIST drew reassessedperiodically,asinformationsystemsandtherequirements upon the OECD Guidelines, added material, fortheirsecurityvaryovertime. Democracy-Thesecurityofinformationsystemsshouldbe combined some principles, and rewrote compatiblewiththelegitimateuseandflowofdataandinformation inademocraticsociety. others. Most ofthe rewriting and combining was done to provide clarity. The Figure1. OECDGuidelines. principles added by NIST are in keeping Theeightprinciplesoriginallyappearedasthe"ElementsofComputer Security" in theNISTSpecial Publication 800- 12, An Introduction to ComputerSecurity: TheNISTHandbook. 4

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.