
mined by task forces of economists, technologists and management.

Cost determination is an essential and early ingredient of any plan for achieving individual privacy and its attendant confidentiality conditions and security safeguards.

CONCLUDING COMMENTS

The privacy problem has already introduced serious stresses between society and technology. The best that can be striven for now is to allay present tensions and reduce the follow-on problems of the future. The visible assumption of relevant responsibilities by government and service industries and correlative progress in protection of individual privacy by the courts, Congress and legislative bodies in the country is perhaps the only first step that will permit subsequent resolution of the privacy problem.

That first step is what we are all striving for today.


APPENDIX 5

TAKEN FROM FIPS PUB 31, GUIDELINES FOR AUTOMATIC DATA PROCESSING PHYSICAL SECURITY AND RISK MANAGEMENT, IN PUBLICATION BY NBS: ACTION SUMMARY

The essential recommendations from this publication are summarized here to show the scope of these guidelines and to provide a quick overview of action items in establishing, implementing and maintaining a physical security program in an ADP facility.

I. ORGANIZE THE ADP PHYSICAL SECURITY PROGRAM

Assign responsibility for ADP Physical Security and establish a task force to prepare a plan for the ADP security program.

Perform a preliminary risk analysis to identify major problem areas and select interim security measures as needed to correct major problem areas.

II. CONDUCT A RISK ANALYSIS

Estimate potential losses to the ADP facility and its users from (1) physical destruction or theft of physical assets; (2) loss or destruction of data and program files; (3) theft of information; (4) theft of indirect assets; and (5) delay or prevention of computer processing.

Estimate the probability of occurrence for potential threats and their effect on the ADP facility in terms of the five classes of loss potential.

Combine the estimates of loss potential and threat probability to develop an annual loss expectancy.

Select the array of remedial measures which effects the greatest reduction in the annual loss expectancy at the least total cost. Remedial measures will include: (1) changes in the environment to reduce exposure; (2) measures to reduce the effect of a threat; (3) improved control procedures; (4) early detection; and (5) contingency plans.
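The risk-analysis steps above, carried through as an added example (not part of FIPS PUB 31). All threat rates, loss figures, measure names and costs are constructed for illustration, and "greatest reduction at the least total cost" is interpreted here, as an assumption, as minimising residual annual loss expectancy plus the annual cost of the measures.

```python
from itertools import combinations

# Constructed estimates (not from FIPS PUB 31): expected occurrences per year
# and dollar loss per occurrence, split across the loss classes of section II.
THREATS = {
    "fire": (0.02, {"physical_assets": 900_000, "data_and_program_files": 300_000,
                    "processing_delay": 200_000}),
    "power_interruption": (6.0, {"processing_delay": 4_000}),
    "insider_theft": (0.2, {"information_theft": 50_000, "indirect_assets": 100_000}),
}

# Constructed remedial measures: (threat affected, factor applied to its rate,
# factor applied to its loss per occurrence, annual cost in dollars).
MEASURES = {
    "sprinklers": ("fire", 1.0, 0.25, 4_000),
    "ups": ("power_interruption", 0.1, 1.0, 9_000),
    "generator": ("power_interruption", 0.05, 1.0, 18_000),
    "dual_control": ("insider_theft", 0.5, 1.0, 20_000),
}

def annual_loss_expectancy(selected=()):
    """ALE = sum over threats of (occurrences per year x loss per occurrence)."""
    total = 0.0
    for threat, (rate, losses) in THREATS.items():
        loss = sum(losses.values())
        for name in selected:
            target, rate_factor, loss_factor, _cost = MEASURES[name]
            if target == threat:
                rate *= rate_factor
                loss *= loss_factor
        total += rate * loss
    return round(total, 2)

def annual_cost(selected):
    """Total yearly cost of the selected remedial measures."""
    return sum(MEASURES[name][3] for name in selected)

def best_measures():
    """Exhaustively pick the subset minimising residual ALE + annual cost."""
    subsets = (c for n in range(len(MEASURES) + 1)
               for c in combinations(sorted(MEASURES), n))
    return min(subsets, key=lambda s: annual_loss_expectancy(s) + annual_cost(s))

if __name__ == "__main__":
    chosen = best_measures()
    print("baseline ALE:", annual_loss_expectancy())
    print("selected:", chosen, "residual ALE:", annual_loss_expectancy(chosen),
          "annual cost:", annual_cost(chosen))
```

With these figures the insider-theft control is rejected because its annual cost exceeds the loss it removes, and the generator adds little once the UPS is in place.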

III. DETERMINE LOCAL NATURAL DISASTER PROBABILITIES

Evaluate the fire safety of the ADP facility (building location, construction, occupancy and housekeeping) and provide required fire detection and extinguishment, and possibly a trained fire fighting brigade.

Evaluate the exposure to flooding from internal and external sources. Where needed, provide flood protection for the building, relocate ADP hardware, reroute plumbing lines and provide water damage/flood-control equipment (pumps, tarpaulins, etc.).

Evaluate resistance of the building to wind and water damage if exposed to hurricanes, tornadoes or other high winds.

IV. INITIATE A SECURITY PROGRAM

Prepare a plan and a schedule for implementing selected remedial measures. Prepare and maintain a policy and plans handbook to include: (1) an ADP physical security policy statement; (2) mandatory security procedures; (3) security guidelines for system design, programming, testing, and maintenance; (4) contingency plans; (5) security indoctrination materials; and (6) a security audit program.

V. PROTECT SUPPORTING UTILITIES

Estimate the number and duration of electric power transients, undervoltage conditions and power interruptions and their annual loss expectancy. Install appropriate protective equipment such as: voltage regulating transformers, dual power feeders, uninterruptible power supplies, on-site power generators and ADP power isolation circuits.

Estimate annual loss expectancy from air conditioning failures considering required operation schedules, annual profiles of local temperature and humidity, and an estimated number and duration of air conditioning failures. Where necessary, increase reliability with redundant equipment, provide for emergency use of outside air and augment maintenance capability to decrease mean time to repair.

Estimate the annual loss expectancy from teleprocessing circuit failures. Where cost is justified, increase reliability with redundant communications circuits and augment repair facilities to decrease the duration of interruptions. Software should be designed to minimize the impact of errors caused by communications failures.

Determine if ADP operations could be interrupted by the failure of other supporting utilities such as water, natural gas, steam, elevators or mail conveyors. If necessary, take steps to increase reliability and decrease the mean time to repair.

VI. OPTIMIZE COMPUTER RELIABILITY

Perform a failure analysis to estimate the number and duration of significant hardware failures and their impact on ADP operations. Estimate the annual loss expectancy from delays in performing urgent ADP tasks. Where cost is justified, increase system reliability by adding peripherals, multiple configurations, etc. Review maintenance facilities. Record and analyze all hardware failures in order to identify failure trends promptly and optimize preventive maintenance.

VII. PROVIDE PHYSICAL PROTECTION

Identify critical ADP areas including the computer room, data control and conversion area, data file storage area, programmer's area, forms storage area, maintenance area, and mechanical equipment room, and then provide adequate physical protection and access control.

Protect against theft, vandalism, sabotage, espionage, civil disorder and other forced intrusions with improved lighting and intrusion detection systems, with physical barriers at doors, windows, and other openings, and with guards as required.

Control access to critical areas and ADP facilities with conventional or electronic door locks; supervision by guards or receptionists over movement of people and materials; administrative procedures (sign-in logs, identification cards or badges, property passes and shipping/receiving forms); and other regulations.

VIII. ADD INTERNAL PROCEDURAL SECURITY

Determine potential targets for fraud, theft or misuse of resources by analyzing the work flow and the nature of ADP tasks performed. Incorporate procedures which will minimize exposure to loss. Such procedures may include (1) requiring cooperation between two individuals to perform critical tasks; (2) performing additional checks and bounds comparisons; (3) formalizing standards for high risk operations; and (4) independent quality control checks.

Designate critical positions in ADP management, system programming, program library control, input/output control, exception processing, applications programming, data base management, quality control, internal audit and hardware maintenance and require appropriate pre-employment screening.

Train and supervise all ADP personnel to assure understanding of, and compliance with, internal controls.

Implement control and record keeping procedures for job initiation, scheduling and distribution of output to prevent unauthorized processing.

Control access to physical data files to assure that data integrity is maintained, storage media are protected, custody of data files is traceable and their unauthorized use is prevented. Manual and automatic audit trails should be utilized.

Establish policy and procedures for program and data file retention to satisfy requirements for (1) backup operation; (2) compliance with applicable statutes and regulation; (3) audit and management review of operation; (4) statistical analysis of operations; and (5) resolution of data integrity problems.

Implement programming, testing and documentation standards which satisfy requirements for (1) audit capability; (2) automated acceptance testing; (3) control of program maintenance; (4) quality controls on input data; and (5) non-dependence on an individual's knowledge of systems and programs.

IX. PLAN FOR CONTINGENCIES

Compile a set of back-up plans which accommodate the expected range of emergency events requiring back-up operation. The objective of such contingency plans is to protect users of the ADP facility against unacceptable loss. Document performance specifications, operation instructions and technical requirements (system hardware and software, program and data files, and preprinted forms) for each emergency operation.

Select and periodically use an emergency backup off-site ADP facility. Participate in establishing their security program.

Provide protection for the source documents, input and output data and programs while using the off-site facility and in transit.

Establish procedures to assure that (1) current copies of needed back-up materials are retained at a secure off-site location; (2) adequate time is available from compatible off-site ADP facilities; and (3) back-up personnel will be available if needed.

Plan for reconstruction of the ADP facility following destruction including specifications of (1) floor space (quantity, live load rating, location, etc. by functional use); (2) partitions, electric power service, air conditioning, communications, security, fire safety, etc.; and (3) ADP hardware, office equipment and supplies.

Coordinate ADP emergency plans for fire, flood, civil disorders, etc. with the facility self-protection plan to ensure life safety, limit damage, minimize disruption to ADP operations, and expedite repair.

X. DEVELOP SECURITY AWARENESS

Determine the security training requirements for the ADP staff, senior management, building staff, etc.

Select and implement appropriate security awareness techniques such as (1) training lectures and seminars; (2) posters; (3) orientation booklets; (4) amendments to job descriptions making employees responsible for security; (5) publicity for local security incidents, as well as others occurring at similar installations; and (6) rewards for employees who prevent breaches in security. Establish and publicize punitive measures.

XI. AUDIT PHYSICAL SECURITY

Establish an internal audit team with representatives from the agency's audit, building safety and security, ADP, and users' organizations.

Develop an audit plan and schedule which systematically validates all critical security and emergency measures.

State in the audit report which measures require improvement or replacement. Use a check sheet (problem description, responsibility for action, action required and follow-up) for each major deficiency to assure prompt resolution.
