4.2.6.3 Reconciliation of Security Variances: The auditor should satisfy himself that variances from security rules are being recognized and appropriate corrective action taken. Such variances may represent user errors caused by poor system design or inadequate user training. They may further represent a casual or systematic attempt to penetrate the system. Management failure to take prompt corrective action may result in waste and may encourage further attempts to breach the controls of the system.

4.2.6.4 Reconciliation of Property: The auditor may wish to satisfy himself that management systematically reconciles the controls over physical resources such as terminals and the media. In the absence of reports of such reconciliations the auditor may wish to make a physical inventory of his own. Failure to reconcile such controls may encourage casual or systematic conversion on the part of employees.

4.2.6.5 Tests of Contingency Plans: Finally, the auditor will wish to examine evidence that contingency plans are in place and are being tested in a systematic way on a regular frequency. Such evidence may include records and reports of drills and tests. Failure to conduct such drills and tests reduces the probability that the plans will work as written.

From left to right:

David A. Rubin, Milton Lieberman, P. J. Corum, Jerry FitzGerald, Dennis K. Branstad, Steve Kent, Aileen MacGahan.

Note:

Titles and addresses of attendees can be found in Appendix B.

EDITOR'S NOTES

JERRY FITZGERALD

Dr. Jerry FitzGerald is the principal in Jerry FitzGerald and Associates, a management consulting firm located in Redwood City, California. He has extensive experience in data communications, data processing security, and EDP auditing.

As a consultant, he has been active in numerous EDP audit reviews, management development/reviews of the internal EDP audit function, EDP security assurance reviews, and data communications/teleprocessing projects (especially those involved with on-line distributed networks). In addition to consulting in EDP auditing, data processing security, and data communications, Dr. FitzGerald has developed state-of-the-art training seminars in these three areas.

Prior to establishing his own firm, Dr. FitzGerald was a Senior Management Consultant with SRI International (formerly Stanford Research Institute), an associate professor of data processing/ accounting in the California State University and Colleges System, and has held various other senior positions within private industry and governmental organizations.

Dr. FitzGerald's educational background includes a Ph.D. in business administration, an M.B.A., and a Bachelor's Degree in industrial engineering. He has written extensively on data communications, EDP auditing, and data processing security. His current books are Internal Controls for Computerized Systems, Fundamentals of Data Communications, and Fundamentals of Systems Analysis.

THE CHARGE GIVEN TO THE GROUP

All modes of data transmission were to be considered. Specific vulnerabilities were to be identified along with appropriate safeguards, e.g., interception of microwave transmissions, with encryption serving as the countering control. [See PART I, Section 2 for the complete charge given to this group.]

The report that follows is the consensus view of this session.

This paper is a follow-on to the first National Bureau of Standards (NBS) invitational workshop on audit and evaluation of computer security. The earlier paper was published in NBS Special Publication 500-19 (Part X).

In this second paper, the committee presents a set of guidelines that can be used when conducting a review of administrative and technical controls pertaining to a multiple user teleprocessing environment. The committee intends that this paper form the basis upon which auditors or security experts might review the degree of adequacy contained in the controls within a teleprocessing network.

In order to better understand what is meant by a teleprocessing environment, the preceding figure (Figure 1) was developed to show examples of the alternative teleprocessing network configurations that might be available. These networks are among those that might be faced when conducting a security review in today's teleprocessing environment. It should be noted that there might be combinations of networks, where for example a multidrop configuration might have a local loop at each of the drops. Also, where this figure depicts "transmission lines" the audit and control expert reviewing the network might find various transmission media, such as satellite circuits, microwave transmission, fiberoptics, or copper wire pairs.

DEFINITION OF THE COMMUNICATION COMPONENT SECURITY AUDIT

For the purpose of this paper a computer security audit is defined as an independent evaluation of the controls employed to ensure the accuracy and reliability of the data maintained on or generated by a teleprocessing network, the appropriate protection of the organization's information assets (including hardware, software, and data) from all significant anticipated threats or hazards, and the operational reliability and performance assurance of all components of the automated data processing system.

With regard to the communication component, all modes of data transmission and associated equipment should be considered. Specific vulnerabilities should be identified along with appropriate safeguards, e.g., interception of microwave transmissions, with encryption serving as the countering control.

THE CONTROL MATRIX

This paper presents a matrix that relates the various vulnerabilities to the specific controls that might be available to mitigate them (see Figure II, The Control Matrix). The vulnerabilities are listed across the top of the matrix and are defined in a later section of this paper. The controls are listed down the left vertical axis of the matrix and are also defined in a later section of this paper. Within the cells of the matrix there is either an X or an O whenever the control is an appropriate countermeasure to a specific vulnerability. An X indicates a primary control that can be used to mitigate the specific vulnerability; an O indicates a secondary control that might be useful in mitigating the specific vulnerability. To apply the matrix, first identify the vulnerability that may be present in your teleprocessing network. Next, proceed down the column of the specific vulnerability and identify whether the controls in the left vertical column are applicable.

The control matrix can be used in two other ways to assist the auditor. The first is to determine the exposures that will be faced by the organization whenever one of the vulnerabilities does, in fact, occur. These exposures are listed at the bottom of the matrix, below each vulnerability column. For example, if the vulnerability "Message Lost" occurred, then the organization would be subjected to exposures A, E, F, and G. The exposures are defined in Table I.

The second use to which the matrix can be put is to specifically identify the various components of the network where the controls might be most effectively located. To do this, the auditor would choose a specific control such as "Sequence Number Checking" and follow across that row to the right-hand side of the matrix, where there are some numbers, such as 9, 10, 17. These numbers indicate those specific components of a data communication network where the controls might be located. These 17 components are defined at the end of this report.
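The three readings of the matrix described above (down a vulnerability column, to the exposures at its foot, and across a control row to its components) can be combined into a coverage check. The following is an added example, not part of the original report: only "Message Lost" with exposures A, E, F, G and "Sequence Number Checking" with components 9, 10, 17 come from the text; the cell marks, the names labelled hypothetical, and the rule that a missing primary control leaves the exposures open are assumptions.

```python
# X = primary control, O = secondary control (the paper's cell marks).
# Constructed sample: only "Message Lost" -> A, E, F, G and
# "Sequence Number Checking" -> 9, 10, 17 are taken from the text.
CELLS = {  # control -> {vulnerability: mark}
    "Sequence Number Checking": {"Message Lost": "X"},
    "Control B (hypothetical)": {"Message Lost": "O",
                                 "Vulnerability V2 (hypothetical)": "X"},
}
EXPOSURES = {  # listed at the bottom of each vulnerability column
    "Message Lost": ["A", "E", "F", "G"],
    "Vulnerability V2 (hypothetical)": ["B"],
}
COMPONENTS = {  # listed at the right-hand side of each control row
    "Sequence Number Checking": {9, 10, 17},
    "Control B (hypothetical)": {3},
}


def controls_for(vulnerability):
    """Read down one vulnerability column: (primary, secondary) controls."""
    primary = [c for c, row in CELLS.items() if row.get(vulnerability) == "X"]
    secondary = [c for c, row in CELLS.items() if row.get(vulnerability) == "O"]
    return primary, secondary


def review(vulnerabilities, installed):
    """installed maps control name -> set of component numbers where it runs."""
    findings = {}
    for vuln in vulnerabilities:
        primary, secondary = controls_for(vuln)
        have_primary = [c for c in primary if installed.get(c)]
        have_secondary = [c for c in secondary if installed.get(c)]
        findings[vuln] = {
            "primary": have_primary,
            "secondary": have_secondary,
            # Assumption of this example: with no primary control installed,
            # the column's exposures are reported as open.
            "open_exposures": [] if have_primary else EXPOSURES[vuln],
            # Control installed at a component its matrix row does not list.
            "off_matrix": {c: sorted(installed[c] - COMPONENTS[c])
                           for c in have_primary + have_secondary
                           if installed[c] - COMPONENTS[c]},
        }
    return findings


if __name__ == "__main__":
    site = {"Control B (hypothetical)": {3, 12}}  # constructed audit input
    for vuln, result in review(list(EXPOSURES), site).items():
        print(vuln, result)
```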

INTERRELATIONS OF SECURITY CONTROLS

The auditor should recognize that the security controls shown in the matrix have complex interrelations in solving certain security problems. There are no linear equations that show how these controls add to or subtract from one another. The security controls required in a worst case analysis of an intentional assault on a communication system constitute a highly structured set of interrelationships.
