Archived NIST Technical Series Publication

The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).

Archived Publication
Series/Number: NIST Special Publication 800-12
Title: An Introduction to Computer Security: the NIST Handbook
Publication Date(s): October 1995
Withdrawal Date: June 21, 2017
Withdrawal Note: SP 800-12 is superseded in its entirety by the publication of SP 800-12 Revision 1.

Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
Series/Number: NIST Special Publication 800-12 Revision 1
Title: An Introduction to Information Security
Author(s): Michael Nieles; Kelley Dempsey; Victoria Yan Pillitteri
Publication Date(s): June 2017
URL/DOI: https://doi.org/10.6028/NIST.SP.800-12r1

Additional Information (if applicable)
Contact: Computer Security Division (Information Technology Laboratory)
Latest revision of the attached publication: SP 800-12 Rev. 1 (as of June 21, 2017)
Related information:
Withdrawal announcement (link): N/A

Date updated: June 21, 2017
`
`Roku EX1040 (Part 1 of 2)
`Roku v. Ancora
`IPR2021-01406
`
`

`

NIST Special Publication 800-12

U.S. DEPARTMENT OF COMMERCE
Technology Administration
National Institute of Standards and Technology

An Introduction to Computer Security: The NIST Handbook

Barbara Guttman and Edward A. Roback

COMPUTER SECURITY
`
`

`

The National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in the development of technology . . . needed to improve product quality, to modernize manufacturing processes, to ensure product reliability . . . and to facilitate rapid commercialization . . . of products based on new scientific discoveries."

NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency's basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government.

As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303. Major technical operating units and their principal activities are listed below. For more information contact the Public Inquiries Desk, 301-975-3058.
`
`
Office of the Director
* Advanced Technology Program
* Quality Programs
* International and Academic Affairs

Technology Services
* Manufacturing Extension Partnership
* Standards Services
* Technology Commercialization
* Measurement Services
* Technology Evaluation and Assessment
* Information Services

Materials Science and Engineering Laboratory
* Intelligent Processing of Materials
* Ceramics
* Materials Reliability¹
* Polymers
* Metallurgy
* Reactor Radiation

Chemical Science and Technology Laboratory
* Biotechnology
* Chemical Kinetics and Thermodynamics
* Analytical Chemical Research
* Process Measurements
* Surface and Microanalysis Science
* Thermophysics²

Manufacturing Engineering Laboratory
* Precision Engineering
* Automated Production Technology
* Intelligent Systems
* Manufacturing Systems Integration
* Fabrication Technology

Electronics and Electrical Engineering Laboratory
* Microelectronics
* Law Enforcement Standards
* Electricity
* Semiconductor Electronics
* Electromagnetic Fields¹
* Electromagnetic Technology¹
* Optoelectronics¹

Building and Fire Research Laboratory
* Structures
* Building Materials
* Building Environment
* Fire Safety
* Fire Science

Computer Systems Laboratory
* Office of Enterprise Integration
* Information Systems Engineering
* Systems and Software Technology
* Computer Security
* Systems and Network Architecture
* Advanced Systems

Physics Laboratory
* Electron and Optical Physics
* Atomic Physics
* Molecular Physics
* Radiometric Physics
* Quantum Metrology
* Ionizing Radiation
* Time and Frequency¹
* Quantum Physics¹

Computing and Applied Mathematics Laboratory
* Applied and Computational Mathematics²
* Statistical Engineering²
* Scientific Computing Environments¹
* Computer Services
* Computer Systems and Communications¹
* Information Systems

¹ At Boulder, CO 80303.
² Some elements at Boulder, CO 80303.
`
`

`

NIST Special Publication 800-12

An Introduction to Computer Security: The NIST Handbook

Barbara Guttman and Edward Roback

COMPUTER SECURITY
`
`Computer Systems Laboratory
`National Institute of Standards
`and Technology
`Gaithersburg, MD 20899-0001
`
`October 1995
`
`
`
`U.S. Department of Commerce
`Ronald H. Brown, Secretary
`
`Technology Administration
`Mary L. Good, Under Secretary for Technology
`
`National Institute of Standards and Technology
`Arati Prabhakar, Director
`
`

`

`Reports on Computer Systems Technology
`
The National Institute of Standards and Technology (NIST) has a unique responsibility for computer systems technology within the Federal government. NIST's Computer Systems Laboratory (CSL) develops standards and guidelines, provides technical assistance, and conducts research for computers and related telecommunications systems to achieve more effective utilization of Federal information technology resources. CSL's responsibilities include development of technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive unclassified information processed in Federal computers. CSL assists agencies in developing security plans and in improving computer security awareness training. This Special Publication 800 series reports CSL research and guidelines to Federal agencies as well as to organizations in industry, government, and academia.
`
`National Institute of Standards and Technology Special Publication 800-12
`Natl. Inst. Stand. Technol. Spec. Publ. 800-12, 272 pages (Oct. 1995)
`CODEN: NSPUE2
`
`U.S. GOVERNMENT PRINTING OFFICE
`WASHINGTON: 1995
`
For sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402
`
`

`

Table of Contents

I. INTRODUCTION AND OVERVIEW

Chapter 1: INTRODUCTION

1.1 Purpose
1.2 Intended Audience
1.3 Organization
1.4 Important Terminology
1.5 Legal Foundation for Federal Computer Security Programs

Chapter 2: ELEMENTS OF COMPUTER SECURITY

2.1 Computer Security Supports the Mission of the Organization.
2.2 Computer Security is an Integral Element of Sound Management.
2.3 Computer Security Should Be Cost-Effective.
2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit.
2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations.
2.6 Computer Security Requires a Comprehensive and Integrated Approach.
2.7 Computer Security Should Be Periodically Reassessed.
2.8

Chapter 3: ROLES AND RESPONSIBILITIES

3.1 Senior Management
3.2 Computer Security Management
3.3 Program and Functional Managers/Application Owners
3.4 Technology Providers
3.5 Supporting Functions
3.6

Chapter 4: COMMON THREATS: A BRIEF OVERVIEW

4.1 Errors and Omissions
4.2 Fraud and Theft
4.3 Employee Sabotage
4.4 Loss of Physical and Infrastructure Support
4.5 Malicious Hackers
4.6 Industrial Espionage
4.7 Malicious Code
4.8 Foreign Government Espionage
4.9 Threats to Personal Privacy

II. MANAGEMENT CONTROLS

Chapter 5: COMPUTER SECURITY POLICY

5.1 Program Policy
5.2 Issue-Specific Policy
5.3 System-Specific Policy
5.4 Interdependencies
5.5 Cost Considerations

Chapter 6: COMPUTER SECURITY PROGRAM MANAGEMENT

6.1 Structure of a Computer Security Program
6.2 Central Computer Security Programs
6.3 Elements of an Effective Central Computer Security Program
6.4 System-Level Computer Security Programs
6.5 Elements of Effective System-Level Programs
6.6 Central and System-Level Program Interactions
6.7 Interdependencies
6.8 Cost Considerations

Chapter 7: COMPUTER SECURITY RISK MANAGEMENT

7.1 Risk Assessment
7.2 Risk Mitigation
7.3 Uncertainty Analysis
7.4 Interdependencies
7.5 Cost Considerations

Chapter 8: SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE

8.1 Computer Security Act Issues for Federal Systems
8.2 Benefits of Integrating Security in the Computer System Life Cycle
8.3 Overview of the Computer System Life Cycle
8.4 Security Activities in the Computer System Life Cycle
8.5 Interdependencies
8.6 Cost Considerations

Chapter 9: ASSURANCE

9.1 Accreditation and Assurance
9.2 Planning and Assurance
9.3 Design and Implementation Assurance
9.4 Operational Assurance
9.5 Interdependencies
9.6 Cost Considerations

III. OPERATIONAL CONTROLS

Chapter 10: PERSONNEL/USER ISSUES

10.1 Staffing
10.2 User Administration
10.3 Contractor Access Considerations
10.4 Public Access Considerations
10.5 Interdependencies
10.6 Cost Considerations

Chapter 11: PREPARING FOR CONTINGENCIES AND DISASTERS

11.1 Step 1: Identifying the Mission- or Business-Critical Functions
11.2 Step 2: Identifying the Resources That Support Critical Functions
11.3 Step 3: Anticipating Potential Contingencies or Disasters
11.4 Step 4: Selecting Contingency Planning Strategies
11.5 Step 5: Implementing the Contingency Strategies
11.6 Step 6: Testing and Revising
11.7 Interdependencies
11.8 Cost Considerations

Chapter 12: COMPUTER SECURITY INCIDENT HANDLING

12.1 Benefits of an Incident Handling Capability
12.2 Characteristics of a Successful Incident Handling Capability
12.3 Technical Support for Incident Handling
12.4 Interdependencies
12.5 Cost Considerations

Chapter 13: AWARENESS, TRAINING, AND EDUCATION

13.1 Behavior
13.2 Accountability
13.3 Awareness
13.4 Training
13.5 Education
13.6 Implementation
13.7 Interdependencies
13.8 Cost Considerations

Chapter 14: SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS

14.1 User Support
14.2 Software Support
14.3 Configuration Management
14.4 Backups
14.5 Media Controls
14.6 Documentation
14.7 Maintenance
14.8 Interdependencies
14.9 Cost Considerations

Chapter 15: PHYSICAL AND ENVIRONMENTAL SECURITY

15.1 Physical Access Controls
15.2 Fire Safety Factors
15.3 Failure of Supporting Utilities
15.4 Structural Collapse
15.5 Plumbing Leaks
15.6 Interception of Data
15.7 Mobile and Portable Systems
15.8 Approach to Implementation
15.9 Interdependencies
15.10 Cost Considerations

IV. TECHNICAL CONTROLS

Chapter 16: IDENTIFICATION AND AUTHENTICATION

16.1 I&A Based on Something the User Knows
16.2 I&A Based on Something the User Possesses
16.3 I&A Based on Something the User Is
16.4 Implementing I&A Systems
16.5 Interdependencies
16.6 Cost Considerations

Chapter 17: LOGICAL ACCESS CONTROL

17.1 Access Criteria
17.2 Policy: The Impetus for Access Controls
17.3 Technical Implementation Mechanisms
17.4 Administration of Access Controls
17.5 Coordinating Access Controls
17.6 Interdependencies
17.7 Cost Considerations

Chapter 18: AUDIT TRAILS

18.1 Benefits and Objectives
18.2 Audit Trails and Logs
18.3 Implementation Issues
18.4 Interdependencies
18.5 Cost Considerations

Chapter 19: CRYPTOGRAPHY

19.1 Basic Cryptographic Technologies
19.2 Uses of Cryptography
19.3 Implementation Issues
19.4 Interdependencies
19.5 Cost Considerations

V. EXAMPLE

Chapter 20: ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM

20.1 Initiating the Risk Assessment
20.2 HGA's Computer System
20.3 Threats to HGA's Assets
20.4 Current Security Measures
20.5 Vulnerabilities Reported by the Risk Assessment Team
20.6 Recommendations for Mitigating the Identified Vulnerabilities
20.7 Summary

Cross Reference and General Index
`
`

`

`Acknowledgments
`
NIST would like to thank the many people who assisted with the development of this handbook. For their initial recommendation that NIST produce a handbook, we thank the members of the Computer System Security and Privacy Advisory Board, in particular, Robert Courtney, Jr. NIST management officials who supported this effort include: James Burrows, F. Lynn McNulty, Stuart Katzke, Irene Gilbert, and Dennis Steinauer.

In addition, special thanks is due those contractors who helped craft the handbook, prepare drafts, teach classes, and review material:

Daniel F. Sterne of Trusted Information Systems (TIS, Glenwood, Maryland) served as Project Manager for Trusted Information Systems on this project. In addition, many TIS employees contributed to the handbook, including: David M. Balenson, Martha A. Branstad, Lisa M. Jaworski, Theodore M.P. Lee, Charles P. Pfleeger, Sharon P. Osuna, Diann K. Vechery, Kenneth M. Walker, and Thomas J. Winkler-Parenty.

Additional drafters of handbook chapters include:

Lawrence Bassham III (NIST), Robert V. Jacobson, International Security Technology, Inc. (New York, NY) and John Wack (NIST).

Significant assistance was also received from:

Lisa Carnahan (NIST), James Dray (NIST), Donna Dodson (NIST), the Department of Energy, Irene Gilbert (NIST), Elizabeth Greer (NIST), Lawrence Keys (NIST), Elizabeth Lennon (NIST), Joan O'Callaghan (Bethesda, Maryland), Dennis Steinauer (NIST), Kibbie Streetman (Oak Ridge National Laboratory), and the Tennessee Valley Authority.

Moreover, thanks is extended to the reviewers of draft chapters. While many people assisted, the following two individuals were especially tireless:

Robert Courtney, Jr. (RCI) and Steve Lipner (MITRE and TIS).

Other important contributions and comments were received from:

Members of the Computer System Security and Privacy Advisory Board, and the Steering Committee of the Federal Computer Security Program Managers' Forum.

Finally, although space does not allow specific acknowledgement of all the individuals who contributed to this effort, their assistance was critical to the preparation of this document.

Disclaimer: Note that references to specific products or brands is for explanatory purposes only; no endorsement, explicit or implicit, is intended or implied.
`
`

`

`
`
`

`

`I. INTRODUCTION AND OVERVIEW
`
`

`

`
`
`

`

`Chapter 1
`
`INTRODUCTION
`
1.1 Purpose

This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.¹

The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. General references are provided at the end of this chapter, and references of "how-to" books and articles are provided at the end of each chapter in Parts II, III and IV.

The purpose of this handbook is not to specify requirements but, rather, to discuss the benefits of various computer security controls and situations in which their application may be appropriate. Some requirements for federal systems² are noted in the text. This document provides advice and guidance; no penalties are stipulated.

1.2 Intended Audience

The handbook was written primarily for those who have computer security responsibilities and need assistance understanding basic concepts and techniques. Within the federal government,³ this includes those who have computer security responsibilities for sensitive systems.

¹ It is recognized that the computer security field continues to evolve. To address changes and new issues, NIST's Computer Systems Laboratory publishes the CSL Bulletin series. Those bulletins which deal with security issues can be thought of as supplements to this publication.

² Note that these requirements do not arise from this handbook, but from other sources, such as the Computer Security Act of 1987.

³ In the Computer Security Act of 1987, Congress assigned responsibility to NIST for the preparation of standards and guidelines for the security of sensitive federal systems, excluding classified and "Warner Amendment" systems (unclassified intelligence-related), as specified in 10 USC 2315 and 44 USC 3502(2).
`
`

`

For the most part, the concepts presented in the handbook are also applicable to the private sector.⁴ While there are differences between federal and private-sector computing, especially in terms of priorities and legal constraints, the underlying principles of computer security and the available safeguards — managerial, operational, and technical — are the same. The handbook is therefore useful to anyone who needs to learn the basics of computer security or wants a broad overview of the subject. However, it is probably too detailed to be employed as a user awareness guide, and is not intended to be used as an audit guide.

Definition of Sensitive Information

Many people think that sensitive information only requires protection from unauthorized disclosure. However, the Computer Security Act provides a much broader definition of the term "sensitive" information:

    any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

The above definition can be contrasted with the long-standing confidentiality-based information classification system for national security information (i.e., CONFIDENTIAL, SECRET, and TOP SECRET). This system is based only upon the need to protect classified information from unauthorized disclosure; the U.S. Government does not have a similar system for unclassified information. No governmentwide schemes (for either classified or unclassified information) exist which are based on the need to protect the integrity or availability of information.

1.3 Organization

The first section of the handbook contains background and overview material, briefly discusses threats, and explains the roles and responsibilities of individuals and organizations involved in computer security. It explains the executive principles of computer security that are used throughout the handbook. For example, one important principle that is repeatedly stressed is that only security measures that are cost-effective should be implemented. A familiarity with the principles is fundamental to understanding the handbook's philosophical approach to the issue of security.

The next three major sections deal with security controls: Management Controls⁵ (II), Operational Controls (III), and Technical Controls (IV). Most controls cross the boundaries between management, operational, and technical. Each chapter in the three sections provides a basic explanation of the control; approaches to implementing the control, some cost considerations in selecting, implementing, and using the control; and selected interdependencies that may exist with other controls. Each chapter in this portion of the handbook also provides references that may be useful in actual implementation.

* The Management Controls section addresses security topics that can be characterized as managerial. They are techniques and concerns that are normally addressed by management in the organization's computer security program. In general, they focus on the management of the computer security program and the management of risk within the organization.

* The Operational Controls section addresses security controls that focus on controls that are, broadly speaking, implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise — and often rely upon management activities as well as technical controls.

* The Technical Controls section focuses on security controls that the computer system executes. These controls are dependent upon the proper functioning of the system for their effectiveness. The implementation of technical controls, however, always requires significant operational considerations — and should be consistent with the management of security within the organization.

Finally, an example is presented to aid the reader in correlating some of the major topics discussed in the handbook. It describes a hypothetical system and discusses some of the controls that have been implemented to protect it. This section helps the reader better understand the decisions that must be made in securing a system, and illustrates the interrelationships among controls.

⁴ As necessary, issues that are specific to the federal environment are noted as such.

⁵ The term management controls is used in a broad sense and encompasses areas that do not fit neatly into operational or technical controls.
`
1.4 Important Terminology

To understand the rest of the handbook, the reader must be familiar with the following key terms and definitions as used in this handbook. In the handbook, the terms computers and computer systems are used to refer to the entire spectrum of information technology, including application and support systems. Other key terms include:

Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Integrity: In lay usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity. "Data integrity is a requirement that information and programs are changed only in a specified and authorized manner."⁶ System integrity is a requirement that a system "performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system."⁷ The definition of integrity has been, and continues to be, the subject of much debate among computer security experts.

Availability: A "requirement intended to assure that systems work promptly and service is not denied to authorized users."⁸

Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.

⁶ National Research Council, Computers at Risk, (Washington, DC: National Academy Press, 1991), p. 54.

⁷ National Computer Security Center, Pub. NCSC-TG-004-88.

Location of Selected Security Topics

Because this handbook is structured to focus on computer security controls, there may be several security topics that the reader may have trouble locating. For example, no separate section is devoted to mainframe or personal computer security, since the controls discussed in the handbook can be applied (albeit in different ways) to various processing platforms and systems. The following may help the reader locate areas of interest not readily found in the table of contents:

Topic: Chapter

Accreditation: 8. Life Cycle; 9. Assurance

Firewalls: 17. Logical Access Controls

Security Plans: 8. Life Cycle

Trusted Systems: 9. Assurance. Security features, including those incorporated into trusted systems, are discussed throughout.

Viruses & Other Malicious Code: 9. Assurance (Operational Assurance section); 12. Incident Handling

Network Security: Network security uses the same basic set of controls as mainframe security or PC security. In many of the handbook chapters, considerations for using the control in a networked environment are addressed, as appropriate. For example, secure gateways are discussed as a part of Access Control; transmitting authentication data over insecure networks is discussed in the Identification and Authentication chapter; and the Contingency Planning chapter talks about data communications contracts. For the same reason, there is not a separate chapter for PC, LAN, minicomputer, or mainframe security.
`
`1.5 Legai Foundation for Federal Computer Security Programs
`
`The executive principles discussed in the next chapter explain the need for computersecurity. In
`addition, within the federal government, a numberof laws and regulations mandate that agencies
`protect their computers, the information they process, and related technologyresources(e.g.,
`telecommunications).” The most importantarelisted below.
`
`e@
`
`@
`

`
`The Computer Security Act of 1987 requires agenciesto identify sensitive systems, conduct
`computersecurity training, and develop computersecurity plans.
`
`The Federal Information Resources Management Regulation (FIRMR)is the primary
`regulation for the use, management, and acquisition of computerresourcesin the federal
`government.
`
`OMBCircular A-130 (specifically Appendix III) requires that federal agencies establish
`security programs containing specified elements.
`
`Note that many more specific requirements, many of which are agency specific, also exist.
`
`Federal managers are responsible for familiarity and compliance with applicable legal
`requirements. However, laws and regulations do not normally provide detailed instructions for
`protecting computer-related assets. Instead, they specify requirements — such as restricting the
`availability of personal data to authorized users. This handbook aids the reader in developing an
`effective, overall security approach and in selecting cost-effective controls to meet such
`requirements.
`
`8 Computers at Risk, p. 54.
`
`9 Although not listed, readers should be aware that laws also exist that may affect nongovernment organizations.
`
`
`I. Introduction and Overview
`
`References
`
`Auerbach Publishers (a division of Warren Gorham & Lamont). Data Security Management.
`Boston, MA. 1995.
`
`British Standards Institute. A Code of Practice for Information Security Management, 1993.
`
`Caelli, William, Dennis Longley, and Michael Shain. Information Security Handbook. New York,
`NY: Stockton Press, 1991.
`
`Fites, P., and M. Kratz. Information Systems Security: A Practitioner's Reference. New York,
`NY: Van Nostrand Reinhold, 1993.
`
`Garfinkel, S., and G. Spafford. Practical UNIX Security. Sebastopol, CA: O'Reilly & Associates,
`Inc., 1991.
`
`Institute of Internal Auditors Research Foundation. System Auditability and Control Report.
`Altamonte Springs, FL: The Institute of Internal Auditors, 1991.
`
`National Research Council. Computers at Risk: Safe Computing in the Information Age.
`Washington, DC: National Academy Press, 1991.
`
`Pfleeger, Charles P. Security in Computing. Englewood Cliffs, NJ: Prentice Hall, 1989.
`
`Russell, Deborah, and G.T. Gangemi, Sr. Computer Security Basics. Sebastopol, CA: O'Reilly &
`Associates, Inc., 1991.
`
`Ruthberg, Z., and T
