Page images
PDF
EPUB

APPENDIX 5

TAKEN FROM FIPS PUB 31-GUIDELINES FOR AUTOMATIC DATA PROCESSING PHYSICAL SECURITY AND RISK MANAGEMENT IN PUBLICATION BY NBS-ACTION SUMMARY

The essential recommendations from this publication are summarized here to show the scope of these guidelines and to provide a quick overview of action items in establishing, implementing and maintaining a physical security program in an ADP facility.

I. ORGANIZE THE ADP PHYSICAL SECURITY PROGRAM

Assign responsibility for ADP Physical Security and establish a task force to prepare a plan for the ADP security program.

Perform a preliminary risk analysis to identify major problem areas and select interim security measures as needed to correct major problem areas.

II. CONDUCT A RISK ANALYSIS

Estimate potential losses to the ADP facility and its users from (1) physical destruction or theft of physical assets; (2) loss or destruction of data and program files; (3) theft of information; (4) theft of indirect assets; and (5) delay or prevention of computer processing.

Estimate the probability of occurrence for potential threats and their effect on the ADP facility in terms of the five classes of loss potential.

Combine the estimates of loss potential and threat probability to develop an annual loss expectancy.

Select the array of remedial measures which effects the greatest reduction in the annual loss expectancy at the least total cost. Remedial measures will include: (1) changes in the environment to reduce exposure; (2) measures to reduce the effect of a threat; (3) improved control procedures; (4) early detection; and (5) contingency plans.

III. DETERMINE LOCAL NATURAL DISASTER PROBABILITIES

Evaluate the fire safety of the ADP facility (building location, construction, occupancy and housekeeping) and provide required fire detection and extinguishment, and possibly a trained fire fighting brigade.

Evaluate the exposure to flooding from internal and external sources. Where needed, provide flood protection for the building, relocate ADP hardware, reroute plumbing lines and provide water damage/flood-control equipment (pumps, tarpaulins, etc.)

Evaluate resistance of the building to wind and water damage if exposed to hurricanes, tornadoes or other high winds.

IV. INITIATE A SECURITY PROGRAM

Prepare a plan and a schedule for implementing selected remedial measures. Prepare and maintain a policy and plans handbook to include: (1) an ADP physical security policy statement; (2) mandatory security procedures; (3) security guidelines for system design, programming, testing, and maintenance; (4) contingency plans; (5) security indoctrination materials; and (6) a security audit program.

V. PROTECT SUPPORTING UTILITIES

Estimate the number and duration of electric power transients, undervoltage conditions and power interruptions and their annual loss expectancy. Install appropriate protective equipment such as: voltage regulating transformers, dual power feeders, uninterruptible power supplies, on-site power generators and ADP power isolation circuits.

Estimate annual loss expectancy from air conditioning failures considering required operation schedules, annual profiles of local temperature and humidity, and an estimated number and duration of air conditioning failures. Where necessary, increase reliability with redundant equipment, provide for emergency use of outside air and augment maintenance capability to decrease mean time to repair. Estimate the annual loss expectancy from teleprocessing circuit failures. Where cost is justified, increase reliability with redundant communications cir

cuits and augment repair facilities to decrease the duration of interruptions. Software should be designed to minimize the impact of errors caused by communications failures.

Determine if ADP operations could be interrupted by the failure of other supporting utilities such as water, natural gas, steam, elevators or mail conveyors. If necessary, take steps to increase reliability and decrease the mean time to repair.

VI. OPTIMIZE COMPUTER RELIABILITY

Perform a failure analysis to estimate the number and duration of significant hardware failures and their impact on ADP operations. Estimate the annual loss expectancy from delays in performing urgent ADP tasks. Where cost is justified, increase system reliability by adding peripherals, multiple configurations, etc. Review maintenance facilities. Record and analyze all hardware failures in order to identify failure trends promptly and optimize preventive maintenance.

VII. PROVIDE PHYSICAL PROTECTION

Identify critical ADP areas including the computer room, data control and conversion area, data file storage area, programmer's area, forms storage area, maintenance area, and mechanical equipment room, and then provide adequate physical protection and access control.

Protect against theft, vandalism, sabotage, espionage, civil disorder and other forced intrusions with improved lighting and intrusion detection systems, with physical barriers at doors, windows, and other openings, and with guards as required.

Control access to critical areas and ADP facilities with conventional or electronic door locks; supervision by guards or receptionists over movement of people and materials; administrative procedures (sign-in logs, identification cards or badges, property passes and shipping/receiving forms); and other regulations.

VIII. ADD INTERNAL PROCEDURAL SECURITY

Determine potential targets for fraud, theft or misuse of resources by analyzing the work flow and the nature of ADP tasks performed. Incorporate proce lures which will minimize exposure to loss. Such procedures may include (1) requiring cooperation between two individuals to perform critical tasks; (2) performing additional checks and bounds comparisons; (3) formalizing standards for high risk operations; and (4) independent quality control checks.

Designate critical positions in ADP management, system programming, program library control, input/output control, exception processing, applications programming, data base management, quality control, internal audit and hardware maintenance and require appropriate pre-employment screening.

Train and supervise all ADP personnel to assure understanding of, and compliance with, internal controls.

Implement control and record keeping procedures for job initiation, scheduling and distribution of output to prevent unauthorized processing.

Control access to physical data files to assure that data integrity is maintained, storage media are protected, custody of data files is traceable and their unauthorized use is prevented. Manual and automatic audit trails should be utilized.

Establish policy and procedures for program and data file retention to satisfy requirements for (1) backup operation; (2) compliance with applicable statutes and regulation; (3) audit and management review of operation; (4) statistical analysis of operations; and (5) resolution of data integrity problems.

Implement programming, testing and documentation standards which satisfy requirements for (1) audit capability; (2) automated acceptance testing; (3) control of program maintenance; (4) quality controls on input data; and (5) non-dependence on an individual's knowledge of systems and programs.

IX. PLAN FOR CONTINGENCIES

Compile a set of back-up plans which accommodate the expected range of emergency events requiring back-up operation. The objective of such contingency plans is to protect users of the ADP facility against unacceptable loss. Document performance specifications, operation instructions and technical requirements (system hardware and software, program and data files, and preprinted forms) for each emergency operation.

Select and periodically use an emergency backup off-site ADP facility. Participate in establishing their security program.

Provide protection for the source documents, input and output data and programs while using the off-site facility and in transit.

Establish procedures to assure that (1) current copies of needed back-up materials are retained at a secure off-site location; (2) adequate time is available from compatible off-site ADP facilities; and (3) back-up personnel will be available if needed.

Plan for reconstruction of the ADP facility following destruction including specifications of (1) floor space (quantity, live load rating, location, etc. by functional use); (2) partitions, electric power service, air conditioning, communications, security, fire safety, etc.; and (3) ADP hardware, office equipment and supplies.

Coordinate ADP emergency plans for fire, flood, civil disorders, etc. with the facility self-protection plan to ensure life safety, limit damage, minimize disruption to ADP operations, and expedite repair.

X. DEVELOP SECURITY AWARENESS

Determine the security training requirements for the ADP staff, senior management, building staff, etc.

Select and implement appropriate security awareness techniques such as (1) training lectures and seminars; (2) posters; (3) orientation booklets; (4) amendments to job descriptions making employees responsible for security; (5) publicity for local security incidents, as well as others occurring at similar installations; and (6) rewards for employees who prevent breaches in security. Establish and publicize punitive measures.

XI. AUDIT PHYSICAL SECURITY

Establish an internal audit team with representatives from the agency's audit, building safety and security, ADP, and users' organizations.

Develop an audit plan and schedule which systematically validates all critical security and emergency measures.

State in the audit report which measures require improvement or replacement. Use a check sheet (problem description, responsibility for action, action required and follow-up) for each major deficiency to assure prompt resolution.

37-583 74 - pt. 2 - 49

[graphic][subsumed][subsumed][subsumed][subsumed][subsumed][subsumed][subsumed][subsumed][subsumed][subsumed]

NATIONAL BUREAU OF STANDARDS

[ocr errors]

The National Bureau of Standards' was established by an act of Congress March 3, 1901. The Bureau's overall goal is to strengthen and advance the Nation's science and technology and facilitate their effective application for public benefit. To this end, the Bureau conducts research and provides: (1) a basis for the Nation's physical measurement system, (2) scientific and technological services for industry and government, (3) a technical basis for equity in trade, and (4) technical services to promote public safety. The Bureau consists of the Institute for Basic Standards, the Institute for Materials Research, the Institute for Applied Technology, the Institute for Computer Sciences and Technology, and the Office for Information Programs. THE INSTITUTE FOR BASIC STANDARDS provides the central basis within the United States of a complete and consistent system of physical measurement; coordinates that system with measurement systems of other nations; and furnishes essential services leading to accurate and uniform physical measurements throughout the Nation's scientific community, industry, and commerce. The Institute consists of a Center for Radiation Research, an Office of Measurement Services and the following divisions: Electricity Mechanics Applied Mathematics Heat Sciences" Applied Radiation — Quantum Electronics " and Frequency - Laboratory Astrophysics — Cryogenics".

3

Optical Physics Nuclear
Electromagnetics' — Time

THE INSTITUTE FOR MATERIALS RESEARCH conducts materials research leading to improved methods of measurement, standards, and data on the properties of well-characterized materials needed by industry, commerce, educational institutions, and Government; provides advisory and research services to other Government agencies; and develops, produces, and distributes standard reference materials. The Institute consists of the Office of Standard Reference Materials and the following divisions:

Analytical Chemistry Polymers
Radiation Physical Chemistry.

Metallurgy

Inorganic Materials

Reactor

THE INSTITUTE FOR APPLIED TECHNOLOGY provides technical services to promote the use of available technology and to facilitate technological innovation in industry and Government; cooperates with public and private organizations leading to the development of technological standards (including mandatory safety standards), codes and methods of test; and provides technical advice and services to Government agencies upon request. The Institute consists of a Center for Building Technology and the following divisions and offices: Engineering and Product Standards — Weights and Measures · Invention and Innovation Product Evaluation Technology - Electronic Technology Technical Analysis Measurement Engineering Structures, Materials, and Life Safety' Building Environment Technical Evaluation and Application' Fire Technology.

THE INSTITUTE FOR COMPUTER SCIENCES AND TECHNOLOGY conducts research and provides technical services designed to aid Government agencies in improving cost effectiveness in the conduct of their programs through the selection, acquisition, and effective utilization of automatic data processing equipment; and serves as the principal focus within the executive branch for the development of Federal standards for automatic data processing equipment, techniques, and computer languages. The Institute consists of the following divisions:

Computer Services tion Technology.

Systems and Software Computer Systems Engineering - Informa

THE OFFICE FOR INFORMATION PROGRAMS promotes optimum dissemination and accessibility of scientific information generated within NBS and other agencies of the Federal Government; promotes the development of the National Standard Reference Data System and a system of information analysis centers dealing with the broader aspects of the National Measurement System; provides appropriate services to ensure that the NBS staff has optimum accessibility to the scientific information of the world. The Office consists of the following organizational units:

1

[blocks in formation]

Office of Information Activities Office of Technical Publications Library Office of International Relations.

Headquarters and Laboratories at Gaithersburg, Maryland, unless otherwise noted; mailing address Washington, D.C. 20234.

Part of the Center for Radiation Research.

Located at Boulder, Colorado 80302.

Part of the Center for Building Technology.

« PreviousContinue »