Background on General Procedures for Developing IS Security Requirements
Bruce Gabrielson

Deriving IS Security Requirements

Information System (IS) security is intended to address the problems which could develop if classified or unclassified sensitive data became compromised through exposure to any of a number of different threats (see Table I). To reduce the potential damage these threats represent, various IS security requirements exist within the Department of Defense. These requirements extend down from the national level through each of the individual Defense Agencies to a specific site's IS security instruction for its particular environment. Each site's final minimum security configuration is determined by applying site/usage-specific information against general requirements based on overall risk.

Table I. List of Potential IS Security Problems

Environmental Hazards - damage from fire, flood, dust, static electricity, or electrical storms
Hardware and Equipment Failure - mechanical or electrical failure of the computer, its storage devices, or its communications devices
Software Errors - from programming bugs to simple typos in spreadsheet formulas
Accidents, Errors, and Omissions - by anyone using computers or the information that they process
Intentional Acts - fraud, theft, sabotage, and misuse of information by competitors and employees

This paper provides a background on how requirements at individual organizations are applied for IS security in an environment where secret data will be processed. A typical equipment configuration could consist of an on-site IS with co-located COMSEC box.

General Overview of IS Security Requirements

Current IS Security requirements within the Department of Defense (DoD), although not always consistent between branches, generally can be traced to DOD 5200.28-STD,[1] commonly known as the Orange Book. This book outlines the criteria for evaluating the effectiveness of security protection used with automated data processing equipment. The equipment can be classified as having obtained a level of trust for processing data based on the security protection that has been incorporated into its operation, either manually or automatically.

The structure of the trust classification in the Orange Book is hierarchical. It ranges from Class D, the lowest, with only basic security controls, through Class A, which is applied to systems providing the most comprehensive internal security controls.

Required Operational Safeguards for Trusted IS - C2 [2]

Controlled access protection is the designation applied to Class C2 systems, which enforce more finely tuned security safeguards than simple discretionary (need-to-know), audit, and accountability protection. Enclosure 3 of DoD 5200.28 states that the following minimum mix of safeguards is mandatory for an IS that processes classified or sensitive unclassified information:

Accountability, access, security training and awareness, physical controls, marking, least privilege, data continuity, data integrity, contingency planning, accreditation, risk management program.

A manual or automated audit trail shall document user identity, time of access, user activity, activities that might negate security safeguards, and actions associated with periods processing or changing security levels of processing.

The minimal security requirements for systems with the formal C2 designation include:

Electrical Power controls, fire controls, housekeeping, temperature/humidity controls, water damage controls, marking, storage, destruction, accountability, encryption, protected distribution system, terminal identification, emanation security controls, access management controls, security documentation, training, physical security controls

C2 Functionality

While higher levels of trust are applied for increased security environments, some Defense Agencies, such as the Navy, have enforced a trust level that has been tailored to meet individual needs. IS Security Programs implement varying degrees of protection for ISs based on data sensitivity and on the complexity of the system. There are two basic levels of concern for data sensitivity:

Sensitive Unclassified data
All Classified data

A minimum "C2 functionality" level of trust is required for any IS operated by or for NRL regardless of data classification. C2 functionality (controlled access protection[3]) has four parts: discretionary access control, object reuse (memory clearing before reuse), authentication/identification (individual accountability), and audit. Therefore, achieving the minimum "C2" level of trust requires an access control policy, passwords, individual accountability, audit capability, and clearing of storage or memory prior to release to another user or program.
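The four parts of C2 functionality as one small Python model. This is an added example, not code from the paper or from any DoD or Navy system; the user names, passwords, salt, and the two-block storage pool are constructed for the demonstration. Each method maps to one part: `authenticate` (identification/authentication), `grant` (discretionary access control), `release` (object reuse), and `_log` (the audit trail recording user identity, time of access, and activity).

```python
import hashlib
import hmac
from datetime import datetime, timezone

class C2Monitor:
    def __init__(self, users):  # users: {name: password}, constructed for the demo
        self.accounts = {u: self._hash(u, p) for u, p in users.items()}
        self.acl = {}       # object -> {user: rights}; "own" lets a user share it
        self.blocks = {}    # object -> the storage block currently holding it
        self.pool = [bytearray(32) for _ in range(2)]  # fixed storage, reused
        self.audit = []     # (user identity, time of access, activity, object, ok)

    def _log(self, user, action, obj, ok):
        self.audit.append((user, datetime.now(timezone.utc), action, obj, ok))
        return ok

    def _hash(self, user, password):  # salted per user; the salt is constructed
        return hashlib.pbkdf2_hmac("sha256", password.encode(), b"salt:" + user.encode(), 100_000)

    def _has(self, user, obj, right):
        return right in self.acl.get(obj, {}).get(user, set())

    def authenticate(self, user, password):  # I&A: ties later actions to one person
        ok = hmac.compare_digest(self.accounts.get(user, b""), self._hash(user, password))
        return self._log(user, "login", None, ok)

    def create(self, owner, obj, data):
        self.acl[obj] = {owner: {"own", "read"}}
        self.blocks[obj] = block = self.pool.pop()  # block must already be clean
        block[:len(data)] = data
        return self._log(owner, "create", obj, True)

    def grant(self, owner, obj, user, right):  # DAC: only the owner may share
        ok = self._has(owner, obj, "own")
        if ok:
            self.acl[obj].setdefault(user, set()).add(right)
        return self._log(owner, f"grant {right} to {user}", obj, ok)

    def read(self, user, obj):
        ok = self._log(user, "read", obj, self._has(user, obj, "read"))
        return bytes(self.blocks[obj]) if ok else None

    def release(self, owner, obj):  # object reuse: scrub before anyone else gets it
        ok = self._has(owner, obj, "own")
        if ok:
            block = self.blocks.pop(obj)
            block[:] = bytes(len(block))  # overwrite in place, then recycle
            self.pool.append(block)
            self.acl.pop(obj)
        return self._log(owner, "release", obj, ok)
```

Every denied action still produces an audit record, which is what lets the log book or audit control detect attempts that might negate the safeguards.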

Manual trust procedures to meet class C2 functionality are allowable, and are the usual condition for the majority of stand-alone systems. Some of the manual procedures per the DON IS Security Guidelines include:

user access approval
security training
standard operating procedures
access list
escort and visitor control
removable media/user authorization/single level storage
overwrite/degauss of storage media
passwords
log books/audit controls
system test & evaluation (ST&E) to verify controls

Control Measures to Reduce Potential Losses

The controls to be implemented include:

Administrative Controls - controls include establishing policies and procedures which assign management and individual responsibilities, and conducting computer security training
Physical and Environmental - controls include limiting physical access to information resources to only authorized personnel, and protecting computers from water and fire damage, power outages, and hazardous environmental conditions
Information and Data Controls - controls include authenticating users, establishing and enforcing authorization rules for what information and processes may be accessed, and maintaining a record of user actions
Software Development and Acquisition Controls - controls include purchasing off-the-shelf software from reputable vendors, establishing rigorous controls over the development and use of programs and data for sensitive applications, and applying caution when using public domain software
Backup and Contingency Planning Controls - controls include training employees to respond to emergency conditions, maintaining backup copies of information and programs, and assuring that alternative equipment and software are available for processing if the IS is considered mission critical.

Physical Access Control (Area Control)

Physical Access Control is shared by the users and security staff. While the user may believe that all of the physical security needs are being handled by resident lab security, this is not the case.

The user is responsible for personal area security. This may include matters such as locking the office door after business hours and ensuring that any visitors to the area go through a check-in process, even if it is only a line-of-sight procedure or an actual written log. There may be instances where meeting the minimum requirement is not enough protection, but in general the following physical requirements are evaluated to determine risk.

Access for Sensitive Unclassified Processing

Due to the physical barriers represented by the base perimeter fence and other access safeguards, a locked room is considered adequate physical security protection for unclassified processing at the lab. However, for systems that handle sensitive information, simple physically controlled access may not be adequate protection.

Such systems require that the following additional vulnerabilities be addressed during the accreditation process:

a. Temperature and humidity
b. Lighting and electrical service
c. Cleanliness
d. Precautionary measures against water damage
e. Fire safety

Access for Classified Processing

When classified data is processed, enhanced security requirements are applicable:

a. For PCs and microcomputers: PCs and microcomputers that contain internal hard disks cannot be used to process, handle or store classified information unless they are physically protected to the highest level of information ever handled by the system. This level of protection must continue throughout the system's life. This protection must continue when relocating the equipment outside its secured room and during maintenance. No medium that has ever contained classified data may leave a facility until it has been declassified by an approved method. Therefore, removable media to be replaced or surplussed must be stored at the proper classification level prior to disposition.

b. For minicomputers and mainframes: Either a secured facility, providing the same physical protection as an equivalent level security container, or all media must be removable and stored in a security container when not under the supervision of a cleared person.

c. TEMPEST: Requirements must be strictly adhered to. However, certain flexibility exists as to how the requirements will be met. A TEMPEST vulnerability assessment is required regardless of where the equipment will be located. If located on-site, each building has been individually assessed for emanation control. Therefore, no protected distribution system (PDS) is required for co-located COMSEC and IS equipment. A PDS is necessary when the equipment is located in separate locations.

d. Facility: When the requirement exists to operate a system that cannot have removable media, or one that operates without the direct supervision of security personnel, a secured facility must be created to house and protect the system and information from unauthorized access, disclosure and modification.

How Tailoring Works (What We Are Trying to Do)

The final requirements for a specific IS Security Plan depend on a number of circumstances. Basically, an overall risk assessment is performed during accreditation to determine the current equipment configuration, location, and existing capabilities in relation to the minimum C2 requirements listed in Table II. Once a specific system has been evaluated, a recommendation is made regarding the steps necessary to achieve full compliance with overall security requirements.

Table II. Listing of IS Security Accreditation Requirements

surge protector for power
fire extinguisher (protection system)
enforced cleaning schedule
maintain normal heating and air conditioning
periodically check ceilings and pipes for leaks
operating procedure
classified media clearly and properly marked
removable hard drive
lock up all disks & output
run three sheets through printer after printing
declassify media by degaussing prior to replacing
accountability (equipment and audit) controls in place
power down after processing
PDS for non-co-located equipment
terminal ID established (our accreditation?)
TVAR performed
escort enforcement/personal recognition & challenge
personal clearance
access list
key control
security check sheet
physical access control
contingency plan (only for mission critical IS)
control signs posted
regular inspection
regular awareness training

General System Security Requirements For Processing Classified Data

Based on the on-site risk assessment and formal security requirements, a final set of security requirements can be derived for any configuration at a facility. This list is provided below.

1. Physical Security of the area is commensurate with highest classification level of data being handled/stored.
2. Remote terminal areas secured commensurate with highest classification level of data being processed.
3. Each terminal identified and afforded required security control and protection.
4. Remote subscribers follow security requirements prescribed by host ISSO.
5. Disconnect unsecured remotes when system is processing Level I data.
6. All data transmitted over networks or communications lines must be encrypted or the lines physically protected.
7. Any alteration of facility, security procedures, or change in hardware/software/configuration/operating mode requires re-accreditation.
8. 5-digit alphanumeric passwords must be used and protected to the highest level of the classified processed, changed when compromised, and deleted when the user is no longer authorized access.
9. An audit trail is maintained for 120 days.
10. User/operator privileges (i.e., read, write, change, add, delete) are assigned based on need.
11. Level I data is cleared or made inaccessible during periods when the required protection measures are not in place.
12. All data within the system is identified to its classification level and dissemination restrictions.
13. All output is appropriately marked and controlled.
14. All media is marked and protected at highest classification level ever recorded (until degaussed).
15. All output waste is destroyed promptly and appropriately.
16. Repair personnel are escorted and controlled when working on the system.
17. Printer ribbons are protected and destroyed appropriately.
18. Removable media are secured when not in use or unattended and the system is not in a secured area.
19. Remote unencrypted access ports are disconnected when the system is storing or processing Level I data.
20. Memory and on-line storage media are cleared/purged at the end of work or when system is unattended and is located in an unsecured area.
21. System displays are positioned or covered to protect against visual access by unauthorized persons.
22. Storage media no longer used for classified applications is to be degaussed or destroyed.
23. IS protected from physical access by unauthorized persons (securing room/area).
24. IS protected from damage as a result of poor housekeeping (dust, lint, food, beverages, staples, paper clips, poor ventilation, combustibles).
25. Use power conditioners, surge suppressors, or provide for disconnecting the power supply when not in use or during electrical storms to prevent alteration or damage to system or data.
26. Provide capability to suppress fire in the system or area (know the location of the nearest CO2 or dry chemical extinguisher).
27. Protection of the system from damage from temperature/humidity extremes (shut off system at end of day, when not in use, or when these extremes are possible).
28. Protect against water damage (use protective cover, do not place system in low areas where rising water could do damage).
29. All personnel with access to data will have appropriate clearance and need-to-know.
30. TEMPEST posture, where required, is maintained.
31. Annual computer security awareness training is necessary.

References

[1] DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, National Computer Security Center, December 1985.

[2] Dept. of Navy IS Security (DONISS) Guidelines and DoD 5200.28-STD.

[3] DoD 5200.28-STD.

[4] SECNAVINST 5239.3.

[5] In some cases, software protection such as PROTECT.COM is allowed, depending on whether the potential risk is acceptable.