Background on General Procedures for Developing IS Security Requirements
Bruce Gabrielson
Deriving IS Security Requirements
Information System (IS) security is intended to address the
problems that could develop if classified or unclassified
sensitive data were compromised through exposure to any of a
number of different threats (see Table I). To reduce the
potential damage these threats represent, various IS security
requirements exist within the Department of Defense. These
requirements extend down from the national level through each of
the individual Defense Agencies to a specific site's IS security
instruction for its particular environment. Each site's final
minimum security configuration is determined by applying
site/usage-specific information against general requirements
based on overall risk.
Table I. List of Potential IS Security Problems
- Environmental Hazards - damage from fire, flood, dust, static
electricity, or electrical storms
- Hardware and Equipment Failure - mechanical or electrical
failure of the computer, its storage capacity, or its
communications devices
- Software Errors - from programming bugs to simple typos in
spreadsheet formulas
- Accidents, Errors, and Omissions - by anyone using computers or
the information that they process
- Intentional Acts - fraud, theft, sabotage, and misuse of
information by competitors and employees
This paper provides a background on how requirements at individual
organizations are applied for IS security in an environment where
secret data will be processed. A typical equipment configuration
could consist of an on-site IS with a co-located COMSEC box.
General Overview of IS Security Requirements
Current IS Security requirements within the Department of Defense
(DoD), although not always consistent between branches, generally can be traced to
DOD 5200.28-STD,[1] commonly known as the Orange Book. This book
outlines the criteria for evaluating the effectiveness of
security protection used with automated data processing
equipment. The equipment can be classified as having obtained a
level of trust for processing data based on the security
protection that has been incorporated into its operation, either
manually or automatically.
The trust classification structure in the Orange Book is
hierarchical. It ranges from Class D, the lowest, with only basic
security controls, through Class A, which is applied to systems
providing the most comprehensive internal security controls.
Required Operational Safeguards for Trusted IS - C2 [2]
Controlled access protection is the designation applied to Class
C2 systems, which enforce more finely tuned security safeguards
than simple discretionary (need-to-know), audit, and
accountability protection. Enclosure 3 of DoD 5200.28 states
that the following minimum mix of safeguards is mandatory for an
IS that processes classified or sensitive unclassified
information:
- Accountability, access, security training and awareness,
physical controls, marking, least privilege, data continuity,
data integrity, contingency planning, accreditation, risk
management program.
- A manual or automated audit trail shall document user
identity, time of access, user activity, activities that might
negate security safeguards, and actions associated with periods
processing or with changing the security level of processing.
The minimal security requirements for systems with the formal C2
designation include:
- Electrical Power controls, fire controls, housekeeping,
temperature/humidity controls, water damage controls, marking,
storage, destruction, accountability, encryption, protected
distribution system, terminal identification, emanation security
controls, access management controls, security documentation,
training, physical security controls
C2 Functionality
While higher levels of trust are applied in environments that
require increased security, some Defense Agencies, such as the
Navy, have enforced a trust level that has been tailored to meet
individual needs. IS Security Programs implement varying degrees
of protection for ISs based on data sensitivity and on the
complexity of the system. There are two basic levels of concern
for data sensitivity:
- Sensitive Unclassified data
- All Classified data
A minimum "C2 functionality" level of trust is required for any
IS operated by or for NRL regardless of data classification.
C2 functionality (controlled access protection[3]) has four
parts: discretionary access control, object reuse (memory
clearing before reuse), authentication/identification (individual
accountability), and audit. Achieving the minimum "C2" level of
trust therefore requires an access control policy, passwords,
individual accountability, audit capability, and clearing storage
or memory prior to release to another user or program.
Manual trust procedures to meet class C2 functionality are
allowable, and are the usual condition for the majority of
stand-alone systems. Some of the manual procedures per the DON IS
Security Guidelines include:
- user access approval
- security training
- standard operating procedures
- access list
- escort and visitor control
- removable media/user authorization/single level storage
- overwrite/degauss of storage media
- passwords
- log books/audit controls
- system test & evaluation (ST&E) to verify controls
Control Measures to Reduce Potential Losses
The controls to be implemented include:
- Administrative Controls - controls include
establishing policies and procedures which assign management
and individual responsibilities, and conducting computer
security training
- Physical and Environmental - controls include
limiting physical access to information resources to only
authorized personnel, and protecting computers from water
and fire damage, power outages, and hazardous environmental
conditions
- Information and Data Controls - controls include
authenticating users, establishing and enforcing
authorization rules for what information and processes may
be accessed, and maintaining a record of user actions
- Software Development and Acquisition Controls -
controls include purchasing off-the-shelf software from
reputable vendors, establishing rigorous controls over the
development and use of programs and data for sensitive
applications, and applying caution when using public domain
software
- Backup and Contingency Planning Controls -
controls include training employees to respond to emergency
conditions, maintaining backup copies of information and
programs, and assuring that alternative equipment and
software are available for processing if the IS is considered
mission critical.
Physical Access Control (Area Control)
Physical Access Control is shared by the users and security
staff. While the user may believe that all of the physical
security needs are being handled by resident lab security, this
is not the case. The user is responsible for personal area
security. This may include matters such as locking your office
door after business hours and ensuring that any visitors to your
area go through a check-in process, even if it is only a
line-of-sight procedure or an actual written log. There may be
instances where meeting the minimum requirement is not enough
protection, but in general, the following physical requirements
are evaluated to determine risk.
Access for Sensitive Unclassified Processing
Due to the physical barriers represented by the base perimeter
fence and other access safeguards, a locked room is considered
adequate physical security protection for unclassified processing
at the lab. However, for systems that handle sensitive
information, simple physical access control may not be adequate
protection. Such systems require that the following additional
vulnerabilities be addressed during the accreditation process.
- a. Temperature and humidity
- b. Lighting and electrical service
- c. Cleanliness
- d. Precautionary measures against water damage
- e. Fire safety
Access for Classified Processing
When classified data is processed, enhanced security requirements
apply:
- a. For PCs and microcomputers: PCs and
microcomputers that contain internal hard disks cannot be used to
process, handle or store classified information unless they are
physically protected to the highest level of information ever
handled by the system. This level of protection must continue
throughout the system's life. This protection must continue when
relocating the equipment outside its secured room and during
maintenance. No medium that has ever contained classified data
may leave a facility until it has been declassified by an approved
method. Therefore, removable media to be replaced or surplused
must be stored at the proper classification level prior to
disposition.
- b. For minicomputers and mainframes: Either a
secured facility, providing the same physical protection as an
equivalent level security container, or all media must be
removable and stored in a security container when not under the
supervision of a cleared person.
- c. TEMPEST: Requirements must be strictly
adhered to. However, certain flexibility exists as to how the
requirements will be met. A TEMPEST vulnerability assessment is
required regardless of where the equipment will be located. If
located on-site, each building has been individually
assessed for emanation control. Therefore, no protected
distribution system (PDS) is required for co-located COMSEC and
IS equipment. A PDS is necessary when the equipment is located
in separate locations.
- d. Facility: When the requirement exists to
operate a system that cannot have removable media, or one that
operates without the direct supervision of security personnel, a
secured facility must be created to house and protect the system
and information from unauthorized access, disclosure and
modification.
How Tailoring Works (What We Are Trying to Do)
The final requirements for a specific IS Security Plan depend on
a number of circumstances. Basically, an overall risk assessment
is performed to determine the current equipment configuration,
location, and existing capabilities in relation to the minimum C2
requirements applied during accreditation, as listed in Table II.
Once a specific system has been evaluated, a recommendation is
made regarding the steps necessary to achieve full compliance
with overall security requirements.
Table II. Listing of IS Security Accreditation Requirements
- surge protector for power
- fire extinguisher (protection system)
- enforced cleaning schedule
- maintain normal heating and air conditioning
- periodically check ceilings and pipes for leaks
- operating procedure
- classified media clearly and properly marked
- removable hard drive
- lock up all disks & output
- run three sheets through printer after printing
- declassify media by degaussing prior to replacing
- accountability (equipment and audit) controls in place
- power down after processing
- PDS for non-collocated equipment
- terminal ID established (our accreditation?)
- TVAR performed
- escort enforcement/personal recognition & challenge
- personal clearance
- access list
- key control
- security check sheet
- physical access control
- contingency plan (only for mission critical IS)
- control signs posted
- regular inspection
- regular awareness training
General System Security Requirements For Processing
Classified Data
Based on the on-site risk assessment and formal security
requirements, a final set of security requirements can be derived
for any configuration at a facility. This list is provided below.
- 1. Physical Security of the area is commensurate with
highest classification level of data being handled/stored.
- 2. Remote terminal areas secured commensurate with
highest classification level of data being processed.
- 3. Each terminal identified and afforded required
security control and protection.
- 4. Remote subscribers follow security requirements
prescribed by host ISSO.
- 5. Disconnect unsecured remotes when system is
processing Level I data.
- 6. All data transmitted over networks or
communications lines must be encrypted or the lines physically
protected.
- 7. Any alteration of facility, security procedures,
or change in hardware/software/configuration/operating mode
requires re-accreditation.
- 8. 5-digit alphanumeric passwords must be used and
protected to the highest level of the classified processed,
changed when compromised, and deleted when the user is no longer
authorized access.
- 9. An audit trail is maintained for 120 days.
- 10. User/operator privileges (i.e., read, write,
change, add, delete) are assigned based on need.
- 11. Level I data is cleared or made inaccessible
during periods when the required protection measures are not in
place.
- 12. All data within the system is identified to its
classification level and dissemination restrictions.
- 13. All output is appropriately marked and controlled.
- 14. All media is marked and protected at highest
classification level ever recorded (until degaussed).
- 15. All output waste is destroyed promptly and
appropriately.
- 16. Repair personnel are escorted and controlled when
working on the system.
- 17. Printer ribbons are protected and destroyed
appropriately.
- 18. Removable media are secured when not in use or
unattended and the system is not in a secured area.
- 19. Remote unencrypted access ports are disconnected
when the system is storing or processing Level I data.
- 20. Memory and on-line storage media are
cleared/purged at the end of work or when system is unattended
and is located in an unsecured area.
- 21. System displays are positioned or covered to
protect against visual access by unauthorized persons.
- 22. Storage media no longer used for classified
applications is to be degaussed or destroyed.
- 23. IS protected from physical access by unauthorized
persons (securing room/area).
- 24. IS protected from damage as a result of poor
housekeeping (dust, lint, food, beverages, staples, paper clips,
poor ventilation, combustibles).
- 25. Use power conditioners, surge suppressors, or
provide for disconnecting the power supply when not in use or
during electrical storms to prevent alteration or damage to
system or data.
- 26. Provide capability to suppress fire in the system or area
(know the location of the nearest CO2 or dry chemical
extinguisher).
- 27. Protection of the system from damage from
temperature/humidity extremes (shut off system at end of day,
when not in use, or when these extremes are possible).
- 28. Protect against water damage (use protective
cover, do not place system in low areas where rising water could
do damage).
- 29. All personnel with access to data will have
appropriate clearance and need-to-know.
- 30. TEMPEST posture, where required, is maintained.
- 31. Annual computer security awareness training is
necessary.
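The four parts of C2 functionality described earlier (discretionary access control, object reuse, identification/authentication with individual accountability, and audit) together with requirements 8, 9, 10 and 20 above can be seen working together in a small reference monitor. The following Python sketch is an added illustration, not code from the paper or from any DoD or Navy system: the class, method and user names are invented, the data is constructed, and "5-digit alphanumeric" is read here as "at least five characters, letters and digits only", which is an interpretation of the page rather than something it states.

```python
import hashlib
import secrets
from collections import namedtuple
from datetime import datetime, timedelta, timezone

AUDIT_RETENTION = timedelta(days=120)  # requirement 9: audit trail kept 120 days
MIN_PASSWORD_LEN = 5                   # requirement 8: "5-digit alphanumeric" passwords
AuditRecord = namedtuple("AuditRecord", "when user action obj outcome")  # one per action

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class ReferenceMonitor:
    """Toy C2-style monitor: every access is mediated, every decision logged to a user."""
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.clock = clock
        self.credentials = {}   # user -> (salt, PBKDF2 hash)
        self.acl = {}           # object -> {user: set of rights}  (discretionary)
        self.objects = {}       # object -> (owner, bytearray)
        self.free_pool = []     # released buffers, already zeroed
        self.sessions, self.audit = set(), []

    def _log(self, user, action, obj, outcome) -> bool:
        self.audit.append(AuditRecord(self.clock(), user, action, obj, outcome))
        return outcome == "ok"

    # identification/authentication; requirement 8 read as "five or more alphanumerics"
    def add_user(self, user: str, pw: str) -> bool:
        if len(pw) < MIN_PASSWORD_LEN or not pw.isalnum():
            return self._log(user, "add_user", None, "denied")
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, _hash(pw, salt))
        return self._log(user, "add_user", None, "ok")

    def login(self, user: str, pw: str) -> bool:
        cred = self.credentials.get(user)
        if cred is None or not secrets.compare_digest(_hash(pw, cred[0]), cred[1]):
            return self._log(user, "login", None, "denied")
        self.sessions.add(user)
        return self._log(user, "login", None, "ok")

    # object reuse: a buffer is zeroed at release, so its next owner never sees residue
    def allocate(self, name: str, user: str, size: int) -> bool:
        if user not in self.sessions or name in self.objects:
            return self._log(user, "allocate", name, "denied")
        buf = self.free_pool.pop() if self.free_pool else bytearray(size)
        self.objects[name] = (user, buf)
        self.acl[name] = {user: {"read", "write"}}
        return self._log(user, "allocate", name, "ok")

    def release(self, name: str, user: str) -> bool:
        owner, buf = self.objects.get(name, (None, None))
        if user not in self.sessions or owner != user:
            return self._log(user, "release", name, "denied")
        buf[:] = bytes(len(buf))                 # overwrite residue before pooling
        self.free_pool.append(buf)
        del self.objects[name], self.acl[name]
        return self._log(user, "release", name, "ok")

    # discretionary access control: the owner decides who gets which right
    def grant(self, owner: str, name: str, user: str, right: str) -> bool:
        if owner not in self.sessions or self.objects.get(name, (None,))[0] != owner:
            return self._log(owner, "grant", name, "denied")
        self.acl[name].setdefault(user, set()).add(right)
        return self._log(owner, "grant", name, "ok")

    def access(self, user: str, name: str, right: str, payload: bytes = b""):
        allowed = user in self.sessions and right in self.acl.get(name, {}).get(user, ())
        if not self._log(user, right, name, "ok" if allowed else "denied"):
            return None                          # denied attempts are logged too
        buf = self.objects[name][1]
        if right == "write":
            buf[:len(payload)] = payload[:len(buf)]
        return bytes(buf)

    def prune_audit(self) -> int:
        cutoff = self.clock() - AUDIT_RETENTION  # requirement 9: 120-day retention
        before, self.audit = len(self.audit), [r for r in self.audit if r.when >= cutoff]
        return before - len(self.audit)

def demo() -> dict:
    # deterministic walk-through on a fixed clock; users and data are constructed
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    rm = ReferenceMonitor(clock=lambda: now[0])
    out = {"weak_pw_rejected": not rm.add_user("alice", "ab1")}
    rm.add_user("alice", "alpha7"); rm.add_user("bob", "bravo9")
    rm.login("alice", "alpha7"); rm.login("bob", "bravo9")
    rm.allocate("buf1", "alice", 8)
    rm.access("alice", "buf1", "write", b"SECRET")
    out["bob_before_grant"] = rm.access("bob", "buf1", "read")
    rm.grant("alice", "buf1", "bob", "read")
    out["bob_after_grant"] = rm.access("bob", "buf1", "read")
    rm.release("buf1", "alice"); rm.allocate("buf2", "bob", 8)  # bob gets alice's old buffer
    out["reused_buffer"] = rm.access("bob", "buf2", "read")
    out["audit_records"] = len(rm.audit)
    now[0] += timedelta(days=121)                # retention window has elapsed
    out["pruned"] = rm.prune_audit()
    return out
```

Running demo() shows the points the paper makes in prose: bob is denied until alice, the owner, grants him read access; the buffer alice released comes back to bob as all zeros rather than carrying "SECRET"; every attempt, denied or not, is an audit record tied to one user; and once the clock passes 120 days the retention rule discards the old records. A real TCB would also need the manual procedures the paper lists, since nothing in the code substitutes for escort control, media marking or clearance checks.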
References
[1] DoD Trusted Computer System Evaluation Criteria, DoD
5200.28-STD, National Computer Security Center, December 1985.
[2] Dept. of Navy IS Security (DONISS) Guidelines and DoD
5200.28-STD.
[3] DoD 5200.28-STD.
[4] SECNAVINST 5239.3.
[5] In some cases, software protection such as PROTECT.COM is
allowed, depending on whether the potential risk is acceptable.