NIST Special Publication 800-12

An Introduction to Computer Security: The NIST Handbook

Barbara Guttman and Edward A. Roback

U.S. Department of Commerce
Technology Administration
National Institute of Standards and Technology

COMPUTER SECURITY

[Cover figure: the handbook's topic areas arranged around "Computer Security": Assurance, User Issues, Planning, Personnel, Access Controls, Support/Operations, Physical Security, and Policy & Management.]

1995
The National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in the development of technology ... needed to improve product quality, to modernize manufacturing processes, to ensure product reliability ... and to facilitate rapid commercialization ... of products based on new scientific discoveries."

NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency's basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government.

As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303. Major technical operating units and their principal activities are listed below. For more information contact the Public Inquiries Desk, 301-975-3058.

Office of the Director: Advanced Technology Program; Quality Programs; International and Academic Affairs

Technology Services: Manufacturing Extension Partnership; Standards Services; Technology Commercialization; Measurement Services; Technology Evaluation and Assessment; Information Services

Electronics and Electrical Engineering Laboratory: Microelectronics; Law Enforcement Standards; Electricity; Semiconductor Electronics; Electromagnetic Fields (1); Electromagnetic Technology (1); Optoelectronics (1)

Chemical Science and Technology Laboratory: Biotechnology; Chemical Kinetics and Thermodynamics; Analytical Chemical Research; Process Measurements; Surface and Microanalysis Science; Thermophysics

Physics Laboratory: Electron and Optical Physics; Atomic Physics; Molecular Physics; Radiometric Physics; Quantum Metrology; Ionizing Radiation; Time and Frequency (1); Quantum Physics (1)

Manufacturing Engineering Laboratory: Precision Engineering; Automated Production Technology; Intelligent Systems; Manufacturing Systems Integration; Fabrication Technology

Materials Science and Engineering Laboratory: Intelligent Processing of Materials; Ceramics; Materials Reliability; Polymers; Metallurgy; Reactor Radiation

Building and Fire Research Laboratory: Structures; Building Materials; Building Environment; Fire Safety; Fire Science

Computer Systems Laboratory: Office of Enterprise Integration; Information Systems Engineering; Systems and Software Technology; Computer Security; Systems and Network Architecture; Advanced Systems

Computing and Applied Mathematics Laboratory: Applied and Computational Mathematics (2); Statistical Engineering (2); Scientific Computing Environments (2); Computer Services (2); Computer Systems and Communications (2); Information Systems

(1) At Boulder, CO 80303.
(2) Some elements at Boulder, CO 80303.

NIST Special Publication 800-12

An Introduction to Computer Security: The NIST Handbook

Barbara Guttman and Edward Roback

COMPUTER SECURITY

Computer Systems Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-0001

October 1995

U.S. Department of Commerce
Ronald H. Brown, Secretary

Technology Administration
Mary L. Good, Under Secretary for Technology

National Institute of Standards and Technology
Arati Prabhakar, Director

Reports on Computer Systems Technology
The National Institute of Standards and Technology (NIST) has a unique responsibility for computer
systems technology within the Federal government. NIST's Computer Systems Laboratory (CSL) develops standards and guidelines, provides technical assistance, and conducts research for computers and
related telecommunications systems to achieve more effective utilization of Federal information technology resources. CSL's responsibilities include development of technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive unclassified
information processed in Federal computers. CSL assists agencies in developing security plans and in
improving computer security awareness training. This Special Publication 800 series reports CSL research and guidelines to Federal agencies as well as to organizations in industry, government, and
academia.

National Institute of Standards and Technology Special Publication 800-12
Natl. Inst. Stand. Technol. Spec. Publ. 800-12, 272 pages (Oct. 1995)
CODEN: NSPUE2

U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 1995

For sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402


Table of Contents

I. INTRODUCTION AND OVERVIEW

Chapter 1 INTRODUCTION
1.1 Purpose
1.2 Intended Audience
1.3 Organization
1.4 Important Terminology
1.5 Legal Foundation for Federal Computer Security Programs

Chapter 2 ELEMENTS OF COMPUTER SECURITY
2.1 Computer Security Supports the Mission of the Organization
2.2 Computer Security is an Integral Element of Sound Management
2.3 Computer Security Should Be Cost-Effective
2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit
2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations
2.6 Computer Security Requires a Comprehensive and Integrated Approach
2.7 Computer Security Should Be Periodically Reassessed
2.8 Computer Security is Constrained by Societal Factors

Chapter 3 ROLES AND RESPONSIBILITIES
3.1 Senior Management
3.2 Computer Security Management
3.3 Program and Functional Managers/Application Owners
3.4 Technology Providers
3.5 Supporting Functions
3.6 Users

Chapter 4 COMMON THREATS: A BRIEF OVERVIEW
4.1 Errors and Omissions
4.2 Fraud and Theft
4.3 Employee Sabotage
4.4 Loss of Physical and Infrastructure Support
4.5 Malicious Hackers
4.6 Industrial Espionage
4.7 Malicious Code
4.8 Foreign Government Espionage
4.9 Threats to Personal Privacy

II. MANAGEMENT CONTROLS

Chapter 5 COMPUTER SECURITY POLICY
5.1 Program Policy
5.2 Issue-Specific Policy
5.3 System-Specific Policy
5.4 Interdependencies
5.5 Cost Considerations

Chapter 6 COMPUTER SECURITY PROGRAM MANAGEMENT
6.1 Structure of a Computer Security Program
6.2 Central Computer Security Programs
6.3 Elements of an Effective Central Computer Security Program
6.4 System-Level Computer Security Programs
6.5 Elements of Effective System-Level Programs
6.6 Central and System-Level Program Interactions
6.7 Interdependencies
6.8 Cost Considerations

Chapter 7 COMPUTER SECURITY RISK MANAGEMENT
7.1 Risk Assessment
7.2 Risk Mitigation
7.3 Uncertainty Analysis
7.4 Interdependencies
7.5 Cost Considerations

Chapter 8 SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.1 Computer Security Act Issues for Federal Systems
8.2 Benefits of Integrating Security in the Computer System Life Cycle
8.3 Overview of the Computer System Life Cycle
8.4 Security Activities in the Computer System Life Cycle
8.5 Interdependencies
8.6 Cost Considerations

Chapter 9 ASSURANCE
9.1 Accreditation and Assurance
9.2 Planning and Assurance
9.3 Design and Implementation Assurance
9.4 Operational Assurance
9.5 Interdependencies
9.6 Cost Considerations

III. OPERATIONAL CONTROLS

Chapter 10 PERSONNEL/USER ISSUES
10.1 Staffing
10.2 User Administration
10.3 Contractor Access Considerations
10.4 Public Access Considerations
10.5 Interdependencies
10.6 Cost Considerations

Chapter 11 PREPARING FOR CONTINGENCIES AND DISASTERS
11.1 Step 1: Identifying the Mission- or Business-Critical Functions
11.2 Step 2: Identifying the Resources That Support Critical Functions
11.3 Step 3: Anticipating Potential Contingencies or Disasters
11.4 Step 4: Selecting Contingency Planning Strategies
11.5 Step 5: Implementing the Contingency Strategies
11.6 Step 6: Testing and Revising
11.7 Interdependencies
11.8 Cost Considerations

Chapter 12 COMPUTER SECURITY INCIDENT HANDLING
12.1 Benefits of an Incident Handling Capability
12.2 Characteristics of a Successful Incident Handling Capability
12.3 Technical Support for Incident Handling
12.4 Interdependencies
12.5 Cost Considerations

Chapter 13 AWARENESS, TRAINING, AND EDUCATION
13.1 Behavior
13.2 Accountability
13.3 Awareness
13.4 Training
13.5 Education
13.6 Implementation
13.7 Interdependencies
13.8 Cost Considerations

Chapter 14 SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
14.1 User Support
14.2 Software Support
14.3 Configuration Management
14.4 Backups
14.5 Media Controls
14.6 Documentation
14.7 Maintenance
14.8 Interdependencies
14.9 Cost Considerations

Chapter 15 PHYSICAL AND ENVIRONMENTAL SECURITY
15.1 Physical Access Controls
15.2 Fire Safety Factors
15.3 Failure of Supporting Utilities
15.4 Structural Collapse
15.5 Plumbing Leaks
15.6 Interception of Data
15.7 Mobile and Portable Systems
15.8 Approach to Implementation
15.9 Interdependencies
15.10 Cost Considerations

IV. TECHNICAL CONTROLS

Chapter 16 IDENTIFICATION AND AUTHENTICATION
16.1 I&A Based on Something the User Knows
16.2 I&A Based on Something the User Possesses
16.3 I&A Based on Something the User Is
16.4 Implementing I&A Systems
16.5 Interdependencies
16.6 Cost Considerations

Chapter 17 LOGICAL ACCESS CONTROL
17.1 Access Criteria
17.2 Policy: The Impetus for Access Controls
17.3 Technical Implementation Mechanisms
17.4 Administration of Access Controls
17.5 Coordinating Access Controls
17.6 Interdependencies
17.7 Cost Considerations

Chapter 18 AUDIT TRAILS
18.1 Benefits and Objectives
18.2 Audit Trails and Logs
18.3 Implementation Issues
18.4 Interdependencies
18.5 Cost Considerations

Chapter 19 CRYPTOGRAPHY
19.1 Basic Cryptographic Technologies
19.2 Uses of Cryptography
19.3 Implementation Issues
19.4 Interdependencies
19.5 Cost Considerations

V. EXAMPLE

Chapter 20 ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
20.1 Initiating the Risk Assessment
20.2 HGA's Computer System
20.3 Threats to HGA's Assets
20.4 Current Security Measures
20.5 Vulnerabilities Reported by the Risk Assessment Team
20.6 Recommendations for Mitigating the Identified Vulnerabilities
20.7 Summary

Cross Reference and General Index


Acknowledgments

NIST would like to thank the many people who assisted with the development of this handbook. For their initial recommendation that NIST produce a handbook, we thank the members of the Computer System Security and Privacy Advisory Board, in particular, Robert Courtney, Jr. NIST management officials who supported this effort include: James Burrows, F. Lynn McNulty, Stuart Katzke, Irene Gilbert, and Dennis Steinauer.

In addition, special thanks is due those contractors who helped craft the handbook, prepare drafts, teach classes, and review material:

Daniel F. Sterne of Trusted Information Systems (TIS, Glenwood, Maryland) served as Project Manager for Trusted Information Systems on this project. In addition, many TIS employees contributed to the handbook, including: David M. Balenson, Martha A. Branstad, Lisa M. Jaworski, Theodore M.P. Lee, Charles P. Pfleeger, Sharon P. Osuna, Diann K. Vechery, Kenneth M. Walker, and Thomas J. Winkler-Parenty.

Additional drafters of handbook chapters include: Lawrence Bassham III (NIST), Robert V. Jacobson, International Security Technology, Inc. (New York, NY) and John Wack (NIST).

Significant assistance was also received from: Lisa Carnahan (NIST), James Dray (NIST), the Department of Energy, Irene Gilbert (NIST), Elizabeth Greer (NIST), Donna Dodson (NIST), Lawrence Keys (NIST), Elizabeth Lennon (NIST), Joan O'Callaghan (Bethesda, Maryland), Dennis Steinauer (NIST), Kibbie Streetman (Oak Ridge National Laboratory), and the Tennessee Valley Authority.

Moreover, thanks is extended to the reviewers of draft chapters. While many people assisted, the following two individuals were especially tireless: Robert Courtney, Jr. (RCI) and Steve Lipner (MITRE and TIS). Other important contributions and comments were received from: Members of the Computer System Security and Privacy Advisory Board, and the Steering Committee of the Federal Computer Security Program Managers' Forum.

Finally, although space does not allow specific acknowledgement of all the individuals who contributed to this effort, their assistance was critical to the preparation of this document.

Disclaimer: Note that references to specific products or brands is for explanatory purposes only; no endorsement, explicit or implicit, is intended or implied.



I. INTRODUCTION AND OVERVIEW

Chapter 1

INTRODUCTION

1.1 Purpose

This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.[1]

The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. General references are provided at the end of this chapter, and references of "how-to" books and articles are provided at the end of each chapter in Parts II, III and IV.

The purpose of this handbook is not to specify requirements but, rather, to discuss the benefits of various computer security controls and situations in which their application may be appropriate. Some requirements for federal systems are noted in the text.[2] This document provides advice and guidance; no penalties are stipulated.

1.2 Intended Audience

The handbook was written primarily for those who have computer security responsibilities and need assistance understanding basic concepts and techniques. Within the federal government,[3] this includes those who have computer security responsibilities for sensitive systems.

[1] It is recognized that the computer security field continues to evolve. To address changes and new issues, NIST's Computer Systems Laboratory publishes the CSL Bulletin series. Those bulletins which deal with security issues can be thought of as supplements to this publication.

[2] Note that these requirements do not arise from this handbook, but from other sources, such as the Computer Security Act of 1987.

[3] In the Computer Security Act of 1987, Congress assigned responsibility to NIST for the preparation of standards and guidelines for the security of sensitive federal systems, excluding classified and "Warner Amendment" systems (unclassified intelligence-related), as specified in 10 USC 2315 and 44 USC 3502(2).


For the most part, the concepts presented in the handbook are also applicable to the private sector.[4] While there are differences between federal and private-sector computing, especially in terms of priorities and legal constraints, the underlying principles of computer security and the available safeguards - managerial, operational, and technical - are the same. The handbook is therefore useful to anyone who needs to learn the basics of computer security or wants a broad overview of the subject. However, it is probably too detailed to be employed as a user awareness guide, and is not intended to be used as an audit guide.

Definition of Sensitive Information

Many people think that sensitive information only requires protection from unauthorized disclosure. However, the Computer Security Act provides a much broader definition of the term "sensitive" information:

any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

The above definition can be contrasted with the long-standing confidentiality-based information classification system for national security information (i.e., CONFIDENTIAL, SECRET, and TOP SECRET). This system is based only upon the need to protect classified information from unauthorized disclosure; the U.S. Government does not have a similar system for unclassified information. No governmentwide schemes (for either classified or unclassified information) exist which are based on the need to protect the integrity or availability of information.

1.3 Organization

The first section of the handbook contains background and overview material, briefly discusses threats, and explains the roles and responsibilities of individuals and organizations involved in computer security. It explains the executive principles of computer security that are used throughout the handbook. For example, one important principle that is repeatedly stressed is that only security measures that are cost-effective should be implemented. A familiarity with the principles is fundamental to understanding the handbook's philosophical approach to the issue of security.

The next three major sections deal with security controls: Management Controls[5] (II), Operational Controls (III), and Technical Controls (IV). Most controls cross the boundaries between management, operational, and technical. Each chapter in the three sections provides a basic explanation of the control; approaches to implementing the control, some cost considerations in selecting, implementing, and using the control; and selected interdependencies that may exist with other controls. Each chapter in this portion of the handbook also provides references that may be useful in actual implementation.

[4] As necessary, issues that are specific to the federal environment are noted as such.

[5] The term management controls is used in a broad sense and encompasses areas that do not fit neatly into operational or technical controls.



- The Management Controls section addresses security topics that can be characterized as managerial. They are techniques and concerns that are normally addressed by management in the organization's computer security program. In general, they focus on the management of the computer security program and the management of risk within the organization.

- The Operational Controls section addresses security controls that focus on controls that are, broadly speaking, implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise - and often rely upon management activities as well as technical controls.

- The Technical Controls section focuses on security controls that the computer system executes. These controls are dependent upon the proper functioning of the system for their effectiveness. The implementation of technical controls, however, always requires significant operational considerations - and should be consistent with the management of security within the organization.

Finally, an example is presented to aid the reader in correlating some of the major topics discussed in the handbook. It describes a hypothetical system and discusses some of the controls that have been implemented to protect it. This section helps the reader better understand the decisions that must be made in securing a system, and illustrates the interrelationships among controls.

1.4 Important Terminology

To understand the rest of the handbook, the reader must be familiar with the following key terms and definitions as used in this handbook. In the handbook, the terms computers and computer systems are used to refer to the entire spectrum of information technology, including application and support systems. Other key terms include:

Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Integrity: In lay usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity. "Data integrity is a requirement that information and programs are changed only in a specified and authorized manner."[6] System integrity is a requirement that a system "performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system."[7] The definition of integrity has been, and continues to be, the subject of much debate among computer security experts.

Availability: A "requirement intended to assure that systems work promptly and service is not denied to authorized users."[8]

Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.

Location of Selected Security Topics

Because this handbook is structured to focus on computer security controls, there may be several security topics that the reader may have trouble locating. For example, no separate section is devoted to mainframe or personal computer security, since the controls discussed in the handbook can be applied (albeit in different ways) to various processing platforms and systems. The following may help the reader locate areas of interest not readily found in the table of contents:

Topic: Chapter
Accreditation: 8. Life Cycle; 9. Assurance
Firewalls: 17. Logical Access Controls
Security Plans: 8. Life Cycle
Trusted Systems: 9. Assurance. Security features, including those incorporated into trusted systems, are discussed throughout.
Viruses & Other Malicious Code: 9. Assurance (Operational Assurance section); 12. Incident Handling
Network Security: Network security uses the same basic set of controls as mainframe security or PC security. In many of the handbook chapters, considerations for using the control in a networked environment are addressed, as appropriate. For example, secure gateways are discussed as a part of Access Control; transmitting authentication data over insecure networks is discussed in the Identification and Authentication chapter; and the Contingency Planning chapter talks about data communications contracts. For the same reason, there is not a separate chapter for PC, LAN, minicomputer, or mainframe security.

[6] National Research Council, Computers at Risk, (Washington, DC: National Academy Press, 1991), p. 54.

[7] National Computer Security Center, Pub. NCSC-TG-004-88.

1.5 Legal Foundation for Federal Computer Security Programs

The executive principles discussed in the next chapter explain the need for computer security. In addition, within the federal government, a number of laws and regulations mandate that agencies protect their computers, the information they process, and related technology resources (e.g., telecommunications).[9] The most important are listed below.

- The Computer Security Act of 1987 requires agencies to identify sensitive systems, conduct computer security training, and develop computer security plans.

- The Federal Information Resources Management Regulation (FIRMR) is the primary regulation for the use, management, and acquisition of computer resources in the federal government.

- OMB Circular A-130 (specifically Appendix III) requires that federal agencies establish security programs containing specified elements.

Note that many more specific requirements, many of which are agency specific, also exist.

Federal managers are responsible for familiarity and compliance with applicable legal requirements. However, laws and regulations do not normally provide detailed instructions for protecting computer-related assets. Instead, they specify requirements - such as restricting the availability of personal data to authorized users. This handbook aids the reader in developing an effective, overall security approach and in selecting cost-effective controls to meet such requirements.

[8] Computers at Risk, p. 54.

[9] Although not listed, readers should be aware that laws also exist that may affect nongovernment organizations.


References

Auerbach Publishers (a division of Warren Gorham & Lamont). Data Security Management. Boston, MA, 1995.

British Standards Institute. A Code of Practice for Information Security Management, 1993.

Caelli, William, Dennis Longley, and Michael Shain. Information Security Handbook. New York, NY: Stockton Press, 1991.

Fites, P., and M. Kratz. Information Systems Security: A Practitioner's Reference. New York, NY: Van Nostrand Reinhold, 1993.

Garfinkel, S., and G. Spafford. Practical UNIX Security. Sebastopol, CA: O'Reilly & Associates, 1991.

Institute of Internal Auditors Research Foundation. System Auditability and Control Report. Altamonte Springs, FL: The Institute of Internal Auditors, 1991.

National Research Council. Computers at Risk: Safe Computing in the Information Age. Washington, DC: National Academy Press, 1991.

Pfleeger, Charles P. Security in Computing. Englewood Cliffs, NJ: Prentice Hall, 1989.

Russell, Deborah, and G.T. Gangemi, Sr. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.

Ruthberg, Z., and Tipton, H., eds. Handbook of Information Security Management. Boston, MA: Auerbach Press, 1993.


Chapter 2

ELEMENTS OF COMPUTER SECURITY

This handbook's general approach to computer security is based on eight major elements:

1. Computer security should support the mission of the organization.
2. Computer security is an integral element of sound management.
3. Computer security should be cost-effective.
4. Computer security responsibilities and accountability should be made explicit.
5. System owners have computer security responsibilities outside their own organizations.
6. Computer security requires a comprehensive and integrated approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by societal factors.

Familiarity with these elements will aid the reader in better understanding how the security controls (discussed in later sections) support the overall computer security program goals.

2.1 Computer Security Supports the Mission of the Organization.

The purpose of computer security is to protect an organization's valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization's mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets. Unfortunately, security is sometimes viewed as thwarting the mission of the organization by imposing poorly selected, bothersome rules and procedures on users, managers, and systems. On the contrary, well-chosen security rules and procedures do not exist for their own sake - they are put in place to protect important assets and thereby support the overall organizational mission.

Security, therefore, is a means to an end and not an end in itself. For example, in a private-sector business, having good security is usually secondary to the need to make a profit. Security, then, ought to increase the firm's ability to make a profit. In a public-sector agency, security is usually secondary to the agency's service provided to citizens. Security, then, ought to help improve the service provided to the citizen.


To act on this, managers need to understand both their organizational mission and how each information system supports that mission. After a system's role has been defined, the security requirements implicit in that role can be defined. Security can then be explicitly stated in terms of the organization's mission.

The roles and functions of a system may not be constrained to a single organization. In an interorganizational system, each organization benefits from securing the system. For example, for electronic commerce to be successful, each of the participants requires security controls to protect their resources. However, good security on the buyer's system also benefits the seller; the buyer's system is less likely to be used for fraud or to be unavailable or otherwise negatively affect the seller. (The reverse is also true.)

This chapter draws upon the OECD's Guidelines for the Security of Information Systems, which was endorsed by the United States. It provides for:

Accountability - The responsibilities and accountability of owners, providers and users of information systems and other parties... should be explicit.

Awareness - Owners, providers, users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures...for the security of information systems.

Ethics - The Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interest of others are respected.

Multidisciplinary - Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints....

Proportionality - Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm....

Integration - Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.

Timeliness - Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems.

Reassessment - The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.

Democracy - The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.

2.2 Computer Security is an Integral Element of Sound Management.

Information and computer systems are often critical assets that support the mission of an organization. Protecting them can be as critical as protecting other organizational resources, such as money, physical assets, or employees.

However, including security considerations in the management of information and computers does not completely eliminate the possibility that these assets will be harmed. Ultimately, organization

managers have to decide what the

level

of risk they are willing to accept, taking into account the

10


2.

Elements of Computer Security

cost of security controls.

As with many other

resources, the

organizational boundaries.

When

management of information and computers may transcend
an organization's information and computer systems are linked

with external systems, management's responsibilities also extend beyond the organization. This

may

management

require that

( 1 )

know what

general level or type of security

is

employed on the

external system(s) or (2) seek assurance that the external system provides adequate security for
the using organization's needs.

2.3

Computer Security Should Be

The

costs and benefits of security should be carefully examined in both monetary

monetary terms to ensure

that the cost

Cost-Effective.

and non-

of controls does not exceed expected benefits.

Security

should be appropriate and proportionate to the value of and degree of reliance on the computer

systems and to the severity, probability and extent of potential harm. Requirements for security
vary, depending

upon the

In general, security

is

particular

computer system.

By

a smart business practice.

investing in security measures, an

organization can reduce the frequency and severity of computer security-related losses. For

example, an organization

may

estimate that

it is

inventory through fraudulent manipulation of

improved access control system, may

its

experiencing significant losses per year in

computer system. Security measures, such as an

significantly

reduce the

loss.

Moreover, a sound security program can thwart hackers and can reduce the frequency of viruses.
Elimination of these kinds of threats can reduce unfavorable publicity as well as increase morale

and productivity.
Security benefits, however, do have both direct and indirect costs. Direct costs include

purchasing, installing, and administering security measures, such as access control software or
fire-suppression systems. Additionally, security measures can sometimes affect system

performance, employee morale, or retraining requirements. All of these have to be considered
addition to the basic cost of the control

itself.

exceed the

is

initial

cost of the control (as

In

many

cases, these additional costs

may

in

well

often seen, for example, in the costs of administering an

access control package). Solutions to security problems should not be chosen
directly or indirectly, than simply tolerating the problem.

11

if

they cost more,
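The comparison section 2.3 asks for can be made concrete. The following is an added example, not code from the handbook or from NIST: it totals a control's one-time cost, its recurring administration cost and its recurring indirect cost over a planning horizon, sets that against the loss the control is expected to avoid, and compares every option against simply tolerating the problem. The inventory-fraud figures, the two candidate controls and the 80 and 95 percent reduction rates are constructed for illustration and are not from the page.

```python
# Added example (not from NIST SP 800-12): a lifetime cost/benefit check for a
# security control that counts recurring administration and indirect costs
# alongside the purchase price, and compares each option with simply
# tolerating the loss. All figures below are constructed for illustration.
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Control:
    name: str
    purchase_and_install: int   # one-time direct cost
    annual_administration: int  # recurring direct cost: operating and administering it
    annual_indirect: int        # recurring indirect cost: performance, morale, retraining
    loss_reduction_pct: int     # share of the expected annual loss the control removes


def expected_annual_loss(incidents_per_year: int, loss_per_incident: int) -> int:
    """Expected yearly loss from one kind of problem, before any new control."""
    return incidents_per_year * loss_per_incident


def lifetime_cost(control: Control, years: int) -> int:
    """Direct plus indirect cost of running the control for `years`."""
    recurring = control.annual_administration + control.annual_indirect
    return control.purchase_and_install + years * recurring


def lifetime_benefit(control: Control, annual_loss: int, years: int) -> int:
    """Loss avoided over `years` (integer arithmetic, whole currency units)."""
    return years * annual_loss * control.loss_reduction_pct // 100


def net_benefit(control: Control, annual_loss: int, years: int) -> int:
    return lifetime_benefit(control, annual_loss, years) - lifetime_cost(control, years)


TOLERATE = "tolerate the problem"


def best_option(controls: Sequence[Control], annual_loss: int, years: int) -> str:
    """Name of the option with the highest net benefit. Doing nothing scores 0,
    so a control that costs more than the loss it prevents is never chosen."""
    best_name, best_value = TOLERATE, 0
    for control in controls:
        value = net_benefit(control, annual_loss, years)
        if value > best_value:
            best_name, best_value = control.name, value
    return best_name


# Constructed scenario: fraudulent manipulation of an inventory system is
# estimated at 8 incidents a year averaging 50,000 each.
INVENTORY_FRAUD_LOSS = expected_annual_loss(8, 50_000)  # 400,000 per year

# The page's own illustration, an improved access control system. Note that
# administering it costs more each year than it cost to install.
IMPROVED_ACCESS_CONTROL = Control(
    name="improved access control",
    purchase_and_install=50_000,
    annual_administration=60_000,
    annual_indirect=20_000,
    loss_reduction_pct=80,
)

# A stricter alternative (dual authorisation of every inventory movement):
# cheap to set up and removes more fraud, but the staff time and slower
# operations it imposes every year swamp the loss it prevents.
DUAL_CONTROL_EVERY_MOVEMENT = Control(
    name="dual control on every inventory movement",
    purchase_and_install=20_000,
    annual_administration=250_000,
    annual_indirect=200_000,
    loss_reduction_pct=95,
)

if __name__ == "__main__":
    years = 3
    for c in (IMPROVED_ACCESS_CONTROL, DUAL_CONTROL_EVERY_MOVEMENT):
        print(f"{c.name}: cost {lifetime_cost(c, years):,}, "
              f"avoided loss {lifetime_benefit(c, INVENTORY_FRAUD_LOSS, years):,}, "
              f"net {net_benefit(c, INVENTORY_FRAUD_LOSS, years):,}")
    print("choose:", best_option([IMPROVED_ACCESS_CONTROL, DUAL_CONTROL_EVERY_MOVEMENT],
                                 INVENTORY_FRAUD_LOSS, years))
```

Over three years the access control system nets 670,000 while the stricter dual-control option nets minus 230,000 despite stopping more fraud, so offered only the second option the function returns "tolerate the problem". The horizon matters: a control whose recurring costs dominate looks better on a one-year view than on a three-year one, which is the trap the text warns about.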

