
35. WHAT ARE THE COSTS OF PROVIDING COMPUTER SECURITY?

The costs of providing computer security may be broken into three areas: initial cost, operational cost, and overhead cost. The importance of information processing in the business and governmental communities makes it mandatory to assume these costs at a level commensurate with the risks to the system. At a minimum, this risk is equivalent to the value of the computer equipment.

Initial costs include:

-Physical security equipment controlling personnel access to the ADP facilities.

-Physical security equipment protecting data in storage.

-Additional equipment for identification, data encryption, program isolation, and security auditing.

-Operating system modifications and additional software needed to utilize this equipment.

Operational costs include:

-Salaries of security personnel.

-Maintenance of security equipment.

-Creating and updating user authorization lists, data file descriptions, data encryption keys, and data access records.

-Security training for operations personnel.

-Certifying and auditing system security.

Overhead costs include:

-Impact on computer system efficiency and flexibility.

-Impact on personnel attitudes.

36. WHAT BENEFITS MAY BE DERIVED FROM COMPUTER SECURITY?

The costs incurred in providing computer security must be placed in perspective to the benefits gained by providing it. These benefits include:

-Protection of individual privacy by compliance with security requirements of Federal and state legislation, management policy, and user confidentiality agreements.

-Protection of the physical assets of the computer facility.

-Protection of the financial investment in programs and data.

-Protection of the assets represented by data.

-Better system and data integrity.

-Better reliability and timeliness of data processing.

-Better accounting of data and resource usage.

-Better employee awareness of their importance to the organization.

SUMMARY

37. WHAT PRIORITY SHOULD BE ACCORDED THE VARIOUS MEASURES SUGGESTED FOR IMPROVING COMPUTER SECURITY?

The first step in computer security is simply controlling personnel access to the computer facility. Creating and maintaining a "security environment" will let both employees and outsiders know that safeguards exist.

Next come some administrative measures:

-List hardware and software resources (including data bases) in order of value.

-Perform a risk analysis.

-Formulate the goals of the security program.

-Determine the investment required to counter the estimated threats.

-Create a security organization, assigning it full responsibility for security.

-Plan a security program and implement it.
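The administrative steps above (rank resources by value, perform a risk analysis, determine the investment needed against the estimated threats) can be carried through as a small quantitative exercise. The following is an added example, not part of the original booklet, assuming the usual expected-annual-loss model (asset value x fraction lost per occurrence x occurrences per year) and ranking safeguards by annual benefit minus annual cost; every asset, threat, frequency and cost figure is constructed for illustration only.

```python
# Added example, not from the NBS booklet: a small quantitative risk analysis
# and cost/benefit ranking of countermeasures, assuming the model
# "expected annual loss = asset value x loss fraction x annual frequency".
# All assets, threats, figures and countermeasures below are constructed.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float  # dollar value (replacement cost or financial exposure)


@dataclass
class Threat:
    name: str
    asset: str               # name of the Asset it acts on
    annual_frequency: float  # expected occurrences per year
    loss_fraction: float     # fraction of the asset's value lost per occurrence


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's expected loss it removes
    reduction: dict = field(default_factory=dict)


def rank_assets(assets):
    """Step 1: list resources in order of value, highest first."""
    return [a.name for a in sorted(assets, key=lambda a: a.value, reverse=True)]


def expected_annual_loss(assets, threats):
    """Step 2: risk analysis.  Returns {threat name: expected annual loss}."""
    value_of = {a.name: a.value for a in assets}
    ale = {}
    for t in threats:
        if t.asset not in value_of:
            raise KeyError(f"threat {t.name!r} names unknown asset {t.asset!r}")
        ale[t.name] = round(value_of[t.asset] * t.loss_fraction * t.annual_frequency, 2)
    return ale


def rank_countermeasures(ale, countermeasures):
    """Step 4: cost/benefit study.  Returns (name, benefit, cost, net) tuples,
    best net benefit first.  A negative net means the safeguard costs more
    per year than the loss it prevents; on these numbers alone it should
    not be funded ahead of the others."""
    rows = []
    for cm in countermeasures:
        benefit = sum(ale.get(threat, 0.0) * frac for threat, frac in cm.reduction.items())
        benefit = round(benefit, 2)
        rows.append((cm.name, benefit, cm.annual_cost, round(benefit - cm.annual_cost, 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample inventory (illustrative figures only).
ASSETS = [
    Asset("Central processor and peripherals", 1_000_000),
    Asset("Payroll master file", 400_000),
    Asset("Application program library", 250_000),
]
THREATS = [
    Threat("fire in machine room", "Central processor and peripherals", 0.02, 1.0),
    Threat("unauthorized disclosure of payroll data", "Payroll master file", 0.5, 0.1),
    Threat("accidental erasure of program tapes", "Application program library", 0.2, 0.2),
]
COUNTERMEASURES = [
    Countermeasure("Fire detection and suppression", 5_000,
                   {"fire in machine room": 0.9}),
    Countermeasure("Badge-controlled access to facility", 12_000,
                   {"unauthorized disclosure of payroll data": 0.6,
                    "accidental erasure of program tapes": 0.3}),
    Countermeasure("Electromagnetic shielding of facility", 30_000,
                   {"unauthorized disclosure of payroll data": 0.1}),
]


if __name__ == "__main__":
    print("Assets by value:", rank_assets(ASSETS))
    losses = expected_annual_loss(ASSETS, THREATS)
    for name, loss in losses.items():
        print(f"  expected annual loss, {name}: ${loss:,.0f}")
    for name, benefit, cost, net in rank_countermeasures(losses, COUNTERMEASURES):
        print(f"  {name}: prevents ${benefit:,.0f}/yr, costs ${cost:,.0f}/yr, net ${net:,.0f}")
```

With the constructed figures, fire suppression ranks first (net benefit $13,000 a year), badge access second ($3,000), and shielding last (net loss of $28,000), which is the kind of ordering the cost/benefit studies below are meant to produce; real frequencies and loss fractions are the hard part of the exercise and should be recorded with their source and revisited as the risk analysis is updated.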

The order of priority for the next steps depends upon the cost/benefit studies. A common pattern might be:

-Upgrade the initial physical security measures.

-Establish personal identification systems and other controlled-accessibility procedures.

-Control the flow of data throughout the processes of collection, entry, storage, processing and dissemination.

-Make individual users personally accountable for control of, and access to, data.

-Implement software security to the degree indicated by the cost-benefit analysis.

-Shield the facility against electromagnetic leakage.

SUGGESTED READING

Davis, Ruth M., "Privacy and Security in Computer Systems: An Overview", CBEMA Privacy Series 2, Computer and Business Equipment Manufacturers Association, Washington, D.C., February 1974, 21 p.

Geller, Sydney B., "The Effects of Magnetic Fields on Magnetic Storage Media Used in Computers," U.S. Department of Commerce, National Bureau of Standards, Washington, D.C., NBS Technical Note 735, July 1972, 30 p.

Parker, Donn B., Susan Nycum and S. Stephen Oura, "Computer Abuse," Stanford Research Institute, Menlo Park, California, 1973, 131 p.

"Records, Computers and the Rights of Citizens, Report of the Secretary's Advisory Committee on Automated Personal Data Systems." U.S. Department of Health, Education and Welfare, Washington, D.C., July 1973, 346 p.

Reed, Susan K. and Dennis K. Branstad, "Controlled Accessibility Workshop Report," U.S. Department of Commerce, National Bureau of Standards, Washington, D.C., NBS Technical Note 827, May 1974, 82 p.

Reed, Susan K. and Martha M. Gray, "Controlled Accessibility Bibliography," U.S. Department of Commerce, National Bureau of Standards, Washington, D.C., NBS Technical Note 780, June 1973, 11 p.

Renninger, Clark R. and Dennis K. Branstad, "Government Looks at Privacy and Security in Computer Systems," U.S. Department of Commerce, National Bureau of Standards, Washington, D.C., NBS Technical Note 809, February 1974, 37 p.

PARTICIPANTS

NBS/ACM Workshop on Controlled Accessibility
Rancho Santa Fe, California, December 1972

Robert P. Abbott
Alfred L. Basinger
Harvey W. Bingham
Joel Birnbaum
Dennis K. Branstad
William F. Brown
Peter S. Browne
G. Edward Bryan
Donal J. Burns
James H. Burrows
Jeffrey P. Buzen
Howard H. Campaigne
Richard G. Canning
Gary Carlson
Walter M. Carlson
Michael A. Casteel
Hatcher E. Chalkley
Richard W. Conway
Ruffin Cooper
Robert H. Courtney, Jr.
Isabelle Crawford
Robert M. Daly
Ruth M. Davis
Albert S. Dean, Jr.
Daniel L. Edwards
Philip H. Enslow, Jr.
Robert S. Fabry
Hilda C. Faust
Gerald W. Findley
R. Stockton Gaines
Edward L. Glaser
Lance J. Hoffman
Douglas L. Hogan
David K. Hsiao
William M. Inglis
S. Jeffery
John D. Joyce
E. Rex Krueger
Richard Leibler
Steven B. Lipner
Ralph L. London
Peter G. Lykos
Clair G. Maple
Richard G. Mills
M. Granger Morgan
William H. Murray
Eldred C. Nelson
A. Michael Noll
Donn B. Parker
Bruce Peters
C. J. Purcell
Francis J. Quirk
Anthony Ralston
Susan K. Reed
Roger R. Schell
Robert H. Scott
Kenneth C. Sevcik
Walter E. Simonson
Irving L. Solomon
Selden Stewart
Douglas W. Tompson
James Tippett
Rein Turn
Frederick Way, III
Clark Weissman

This booklet was prepared by Dennis K. Branstad and Susan K. Reed, Systems and Software Division, Institute for Computer Sciences and Technology, National Bureau of Standards, Washington, D.C. 20234.

[Government Looks at Privacy and Security in Computer Systems]

CBEMA Privacy Series
