
-Educational and motivational posters.

-Dissemination of some (but obviously not all) of the security measures in force at your facility.

-Publicity for selected cases of computer abuse at other installations when the penalties imposed were severe. Details of perpetration should be omitted, however.

33. WHAT IS SECURITY "CERTIFICATION"?

Certification is a managerial declaration that the security features of a computer system comply with the specifications which, in turn, satisfy the security requirements. The details of technical analysis leading to security certification are not well specified at this time and there is no certifying agency, as such. However, some prerequisite actions necessary to this process are:

-Modeling of the system and the analysis of the model.

-Formalization of the access controls.

-Prediction of system security degradation and its effect.

Certification should take place at discrete points during the design, implementation, and operation of a system, viz.

-To check that the design is complete.

-To confirm that the implementation is correct.

-To determine that the installation meets all design standards and requirements.

-To establish that a system is secure after system modification, failure or penetration (either detected or suspected).

34. WHAT STEPS SHOULD BE TAKEN AFTER A PENETRATION IS DETECTED?

The status of the system's security must be analyzed to determine which portions have been affected and what has been lost. The unaffected portions may then be restarted, but it is crucial not to overlook any program modifications the penetrator may have left behind which permit easy re-entry at a later time. An important factor in computer system recovery is the existence of a reference point. A reference point is a backup set of key programs and data bases, certified to be correct and unmodified, stored at another secure location. With such a reference point and using operations logs and files, the step-by-step recovery and recertification of other programs and data bases can begin. Care should be taken that the access point through which penetration occurred is fully covered in the restored system.
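
The comparison of a suspect system against its reference point can be sketched as follows. This is an added example, not part of the original booklet; the file names, their contents and the use of SHA-256 digests are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(reference: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path in the live system against the reference point."""
    return {
        "modified": sorted(f for f in reference if f in live and live[f] != reference[f]),
        "missing": sorted(f for f in reference if f not in live),
        # Files absent from the reference point are as suspect as changed ones:
        # what was left behind may be a new program rather than an altered one.
        "unexpected": sorted(f for f in live if f not in reference),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a certified reference copy and an altered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, live = Path(tmp, "reference"), Path(tmp, "live")
        for root in (ref, live):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "login").write_bytes(b"check password\n")
            (root / "bin" / "payroll").write_bytes(b"compute pay\n")
            (root / "data.db").write_bytes(b"records\n")
        # Constructed alterations, applied to the live copy only.
        (live / "bin" / "login").write_bytes(b"check password (altered)\n")
        (live / "bin" / "helper").write_bytes(b"not in the reference\n")
        (live / "data.db").unlink()
        return compare(manifest(ref), manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The manifest of the reference point has to be produced from, and kept with, the copy stored at the other secure location; a manifest held on the penetrated system cannot be trusted.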

35. WHAT ARE THE COSTS OF PROVIDING COMPUTER SECURITY?

The costs of providing computer security may be broken into three areas: initial cost, operational cost, and overhead cost. The importance of information processing in the business and governmental communities makes the assumption of these costs mandatory at a level commensurate with the risks to the system. At a minimum, this risk is equivalent to the value of the computer equipment.

Initial costs include:

-Physical security equipment controlling personnel access to the ADP facilities.

-Physical security equipment protecting data in storage.

-Additional equipment for identification, data encryption, program isolation, and security auditing.

-Operating system modifications and additional software needed to utilize this equipment.

Operational costs include:

-Salaries of security personnel.

-Maintenance of security equipment.

-Creating and updating user authorization lists, data file descriptions, data encryption keys, and data access records.

-Security training for operations personnel.

-Certifying and auditing system security.

Overhead costs include:

-Impact on computer system efficiency and flexibility.

-Impact on personnel attitudes.

36. WHAT BENEFITS MAY BE DERIVED FROM COMPUTER SECURITY?

The costs incurred in providing computer security must be placed in perspective to the benefits gained by providing it. These benefits include:

-Protection of individual privacy by compliance with security requirements of Federal and state legislation, management policy, and user confidentiality agreements.

-Protection of the physical assets of the computer facility.

-Protection of the financial investment in programs and data.

-Protection of the assets represented by data.

-Better system and data integrity.

-Better reliability and timeliness of data processing.

-Better accounting of data and resource usage.

-Better employee awareness of their importance to the organization.

SUMMARY

37. WHAT PRIORITY SHOULD BE ACCORDED THE VARIOUS MEASURES SUGGESTED FOR IMPROVING COMPUTER SECURITY?

The first step in computer security is simply controlling personnel access to the computer facility. Creating and maintaining a "security environment" will let both employees and outsiders know that safeguards exist.

Next come some administrative measures:

-List hardware and software resources (including data bases) in order of value.

-Perform a risk analysis.

-Formulate the goals of the security program.

-Determine the investment required to counter the estimated threats.

-Create a security organization, assigning it full responsibility for security.

-Plan a security program and implement it.

The order of priority for the next steps depends upon the cost/benefit studies. A common pattern might be:

-Upgrade the initial physical security measures.

-Establish personal identification systems and other controlled-accessibility procedures.

-Control the flow of data throughout the processes of collection, entry, storage, processing and dissemination.

-Make individual users personally accountable for control of, and access to, data.

-Implement software security to the degree indicated by the cost-benefit analysis.

-Shield the facility against electromagnetic leakage.

SUGGESTED READING

Davis, Ruth M., "Privacy and Security in Computer Systems: An Overview", CBEMA Privacy Series 2, Computer and Business Equipment Manufacturers Association, Washington, D.C., February 1974, 21 p.

Geller, Sydney B., "The Effects of Magnetic Fields on Magnetic Storage Media Used in Computers," U.S. Department of Commerce, National Bureau of Standards, Washington, D.C., NBS Technical Note 735, July 1972, 30 p.

Parker, Donn B., Susan Nycum and S. Stephen Oura, "Computer Abuse," Stanford Research Institute, Menlo Park, California, 1973, 131 p.

"Records, Computers and the Rights of Citizens, Report of the Secretary's Advisory Committee on Automated Personal Data Systems." U.S. Department of Health, Education and Welfare, Washington, D.C., July 1973, 346 p.

Reed, Susan K. and Dennis K. Branstad, "Controlled Accessibility Workshop Report," U.S. Department of Commerce, National Bureau of Standards, Washington, D.C., NBS Technical Note 827, May 1974, 82 p.

Reed, Susan K. and Martha M. Gray, "Controlled Accessibility Bibliography," U.S. Department of Commerce, National Bureau of Standards, Washington, D.C., NBS Technical Note 780, June 1973, 11 p.

Renninger, Clark R. and Dennis K. Branstad, "Government Looks at Privacy and Security in Computer Systems," U.S. Department of Commerce, National Bureau of Standards, Washington, D.C., NBS Technical Note 809, February 1974, 37 p.

PARTICIPANTS

NBS/ACM Workshop on Controlled Accessibility

Rancho Santa Fe, California

December, 1972

Robert P. Abbott
Alfred L. Basinger
Harvey W. Bingham
Joel Birnbaum
Dennis K. Branstad
William F. Brown
Peter S. Browne
G. Edward Bryan
Donal J. Burns
James H. Burrows
Jeffrey P. Buzen
Howard H. Campaigne
Richard G. Canning
Gary Carlson
Walter M. Carlson
Michael A. Casteel
Hatcher E. Chalkley
Richard W. Conway
Ruffin Cooper
Robert H. Courtney, Jr.
Isabelle Crawford
Robert M. Daly
Ruth M. Davis
Albert S. Dean, Jr.
Daniel L. Edwards
Philip H. Enslow, Jr.
Robert S. Fabry
Hilda C. Faust
Gerald W. Findley
R. Stockton Gaines
Edward L. Glaser
Lance J. Hoffman
Douglas L. Hogan
David K. Hsiao
William M. Inglis
S. Jeffery
John D. Joyce
E. Rex Krueger
Richard Leibler
Steven B. Lipner
Ralph L. London
Peter G. Lykos
Clair G. Maple
Richard G. Mills
M. Granger Morgan
William H. Murray
Eldred C. Nelson
A. Michael Noll
Donn B. Parker
Bruce Peters
C. J. Purcell
Francis J. Quirk
Anthony Ralston
Susan K. Reed
Roger R. Schell
Robert H. Scott
Kenneth C. Sevcik
Walter E. Simonson
Irving L. Solomon
Selden Stewart
Douglas W. Tompson
James Tippett
Rein Turn
Frederick Way, III
Clark Weissman

This booklet was prepared by Dennis K. Branstad and Susan K. Reed, Systems and Software Division, Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, D.C. 20234.
