A Draft Security Policy
This draft policy is provided as a model for your organization's consideration
and adoption. It was prepared by the National Computer Security Association.
We would appreciate your comments or revisions to it. You may write
us at Suite 309, 4401-A Connecticut Av NW, Washington, DC 20008. Or
you may call our BBS at 202-364-1304. Or you may call voice at 202-364-8252.
Each of the six basic requirements defined below is used by DoD in
evaluating system security, and is appropriate throughout all computer
There must be an explicit and well-defined security policy enforced
by the system. Given identified subjects and objects, there must
be a set of rules that are used by the system to determine whether
a given subject can be permitted to gain access to a specific object.
Computer systems of interest must enforce a mandatory security policy
that can effectively implement access rules for handling sensitive
information. These rules include requirements such as: "No
to classified information." In addition, discretionary security
controls are required to ensure that only selected users or groups
of users may obtain access to data - for instance, based on a
Access control labels must be associated with objects. In order
to control access to information stored in a computer, according to
the rules of a mandatory security policy, it must be possible to mark
every object with a label that reliably identifies the object's sensitivity
level and/or the modes of access accorded those subjects who may potentially
access the object.
Individual subjects must be identified. Each access to information
must be mediated based on who is accessing the information and what
classes of information they are authorized to deal with. This identification
and authorization information must be securely maintained by the computer
Audit information must be selectively kept and protected so that
actions affecting security can be traced to the responsible party.
A trusted system must be able to record the occurrences of security-relevant
events in an audit log. The capability to select the audit events
to be recorded is necessary to minimize the expense of auditing and
to allow efficient analysis. Audit data must be protected from modification
and unauthorized destruction to permit detection and after-the-fact
investigations of security violations.
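The four requirements above (an explicit access rule, labels on objects, identified subjects, and selective audit) can be shown working together in a small reference monitor. The following is an added example, not code from the NCSA draft; the label lattice, the "no read up / no write down" mandatory rule, the per-object ACL for discretionary control, and the in-memory audit list are my assumptions about how such a monitor would be built.

```python
"""Toy reference monitor: mandatory labels plus discretionary ACLs, with
selective audit of the decisions it makes.  Added example, not part of the
NCSA draft.  Assumptions (mine): a label is a hierarchical level plus a set
of compartments; reads require the subject's clearance to dominate the
object's label, writes require the reverse; the ACL maps user or group
names to allowed modes; the audit log is a list the caller must protect."""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True when self is at least as sensitive as other in both dimensions."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label
    groups: frozenset = frozenset()


@dataclass
class Resource:
    name: str
    label: Label
    acl: dict = field(default_factory=dict)   # principal -> set of modes


class ReferenceMonitor:
    def __init__(self, audited_events=("GRANT", "DENY")):
        self.audited_events = set(audited_events)   # selective audit
        self.audit_log = []

    def mac_permits(self, s, o, mode):
        if mode == "read":                  # simple security property: no read up
            return s.clearance.dominates(o.label)
        if mode == "write":                 # *-property: no write down
            return o.label.dominates(s.clearance)
        return False

    def dac_permits(self, s, o, mode):
        principals = {s.name, *s.groups}
        return any(mode in o.acl.get(p, ()) for p in principals)

    def access(self, s, o, mode):
        """Mediate one access; both the mandatory and discretionary checks must pass."""
        mac, dac = self.mac_permits(s, o, mode), self.dac_permits(s, o, mode)
        granted = mac and dac
        event = "GRANT" if granted else "DENY"
        if event in self.audited_events:
            self.audit_log.append({"event": event, "subject": s.name, "object": o.name,
                                   "mode": mode, "mac": mac, "dac": dac})
        return granted


def demo(audited_events=("GRANT", "DENY")):
    """Constructed subjects and objects exercising each rule; returns (results, audit log)."""
    nato = frozenset({"NATO"})
    alice = Subject("alice", Label("SECRET", nato), frozenset({"analysts"}))
    bob = Subject("bob", Label("CONFIDENTIAL"), frozenset({"analysts"}))
    plan = Resource("plan.doc", Label("SECRET", nato), {"analysts": {"read", "write"}})
    memo = Resource("memo.txt", Label("UNCLASSIFIED"), {"bob": {"read", "write"}})
    rm = ReferenceMonitor(audited_events)
    results = {
        "alice reads plan": rm.access(alice, plan, "read"),    # cleared, and in the ACL group
        "bob reads plan": rm.access(bob, plan, "read"),        # denied: no read up
        "alice writes memo": rm.access(alice, memo, "write"),  # denied: no write down
        "alice reads memo": rm.access(alice, memo, "read"),    # denied: label ok, no ACL entry
        "bob reads memo": rm.access(bob, memo, "read"),        # granted on both checks
    }
    return results, rm.audit_log


if __name__ == "__main__":
    for decision, outcome in demo()[0].items():
        print(f"{decision}: {'granted' if outcome else 'denied'}")
```

Passing `("DENY",)` as the audited event set shows the selective audit the draft calls for: only the three refusals are recorded, which is usually what an analyst wants to sift first.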
The computer system must contain hardware/software mechanisms that
can be independently evaluated to provide sufficient assurance that
the system enforces the policy, marking, identification, and accountability
identified and unified collection of hardware and software controls
that perform these functions. These mechanisms are typically embedded
in the operating system of mainframes, or a combination of operating
to carry out the assigned tasks in a secure manner. The basis for
trusting such system mechanisms in their operational setting must
be clearly documented such that it is possible to independently examine
the evidence to evaluate their sufficiency.
The trusted mechanisms that enforce these basic requirements must
be continuously protected against tampering and/or unauthorized changes.
No computer system can be considered truly secure if the basic hardware
and software mechanisms that enforce the security policy are themselves
Creating a security policy is fairly simple. You can copy
the material that follows, for instance, and get the chief to sign
it. Implementing a security policy is more difficult.
* The organizations with the most success in implementing security
and somehow convince all staff that security is an ongoing business
While seemingly everyone concerned with security agrees that a policy
is important, not everyone agrees that it should be agency-wide. For
example, NASA's Richard W. Carr believes that a standard approach
like the NSA's C2 level of safeguarding is not cost-effective. Because
local approaches to safeguarding information, rather than an agency-wide
Before reviewing sophisticated data security issues, it is necessary
to consider the basic physical protection of the equipment itself.
Access to micros should be physically limited to authorized users. Untrained
or malicious individuals could damage or make inappropriate use of
the equipment or the accessible data. At some organizations, such
as GTE, the entire microcomputer is kept in a locked room. If users
are reluctant to do this when they are finished with it, then they
are provided with an external hard disk that can be locked up.
* Do not permit users to leave workstations or micros unattended,
* Install timelocks that activate after an interval of no keyboard
activity, and require a password to resume entry.
* Change all passwords immediately whenever an employee leaves the
* Change passwords routinely - perhaps every other month - of all
the rooms where the hardware is located, or install lockdown systems
Computers are sensitive to the quality of electrical power. Use surge
from heavy appliances or office equipment.
Smoking, Eating, and Drinking
Smoke can damage disks. Food and ashes that are dropped in the keyboard
can work down into the mechanism and cause malfunctions. Smoking,
eating, and drinking should be prohibited in the vicinity of computers.
Static electricity can badly damage a computer. This danger can be
minimized through the use of anti-static sprays, carpets, or pads.
Magnetic Media Protection
media, as it is the primary means of data storage.
Floppy disks should be handled with care.
* Always store in the protective jacket.
* Protect from bending or similar handling.
* Maintain an acceptable temperature range (50-125 degrees F.)
* Avoid contact with magnetic fields, such as telephone handsets.
* Do not write on the diskette, either directly or through the jacket
Rough handling of hard disks may damage the device. Take care not
to jostle the unit unnecessarily. Never power off the system without
Media Declassification or Destruction
Magnetic media, such as disks and tapes, that contain sensitive or
classified information should not be put in regular waste containers. They
Defective or damaged magnetic storage media that have been used in
a sensitive environment should not be returned to the vendor unless
they have been degaussed. This is required since many "ERASE"
commands do not actually erase the file's contents, only its directory
entry. The DoD-approved erasure method requires three overwrites of the
file: first overwriting with 1s, then 0s, and then random bits. Each
overwrite should be verified by inspecting the file contents, using some low-level
All electronic equipment emanates electromagnetic signals. Emanations
and translated into readable form by monitoring devices. Security measures
intended to combat these radio frequency emissions are known as "TEMPEST"
controls. TEMPEST-certified equipment is available, and used regularly
by government organizations and contractors processing classified
Hardware modifications should be strictly controlled. Uncontrolled
or poorly considered hardware modifications can adversely affect the
operation of the computer. For example, any modifications to TEMPEST-approved
of any hardware systems used for sensitive processing should be very
carefully monitored. Such devices should be sealed to prevent tampering,
and modifications made only by trusted, qualified personnel.
Trusted, Authorized Technicians
Advanced microelectronic techniques make computers vulnerable to "bugging." A
transmitter chip can be installed by a hostile technician under the
certain that the technician performing maintenance is both authorized
and qualified. Also, circuit boards or components removed in the
course of any maintenance at a classified facility should not leave
Classify your information. IBM uses five classes of data, from unclassified,
only to employees with a predetermined need to know. If your organization
Sensitive or classified information resources must be clearly labeled
as such. These "resources" include both the hardware and
the storage media.
External Classification Labels on Micros
Micros should have external classification labels indicating the highest
cannot be reliably removed except by degaussing the entire disk surface. Also,
it is very difficult to ascertain that sensitive information has not
been stored on the disk. Consequently, hard disk systems must be
labeled to indicate the highest level of data sensitivity to which
they have ever been exposed.
Floppy Disk Labels
Label all floppy disks to indicate the type and sensitivity of data
on the disk. A floppy must be considered to assume the sensitivity
level of the device in which it is inserted. For example, a hard
a sensitive device, and any floppy disk inserted into any machine
connected (directly or through cabling) to such a hard disk must assume
that level of sensitivity. Conversely, if the floppy were more sensitive
than the hard disk, the hard disk now assumes the higher sensitivity
of the floppy.
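The rule in the two paragraphs above is a high-water mark that flows in both directions and across cabling: a floppy takes the level of the machine it is put into, that machine (and anything cabled to it) takes the level of the floppy, and nothing ever goes back down because a hard disk cannot reliably be downgraded. The following tracker is an added example, not from the draft; the device names, the level ordering, and the choice to propagate over every cabled machine are my assumptions.

```python
"""High-water-mark tracking for floppies and cabled hard-disk systems.
Added example, not part of the NCSA draft.  Assumptions (mine): levels are
ordered as in LEVELS; machines joined by cabling share their exposure; a
label only ever rises, since the draft says hard disks cannot be downgraded."""
from collections import deque

LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


def higher(a, b):
    """The more sensitive of two levels."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


class MediaTracker:
    def __init__(self):
        self.level = {}     # floppy or machine name -> highest level ever exposed to
        self.links = {}     # machine -> set of machines cabled to it (undirected)

    def register(self, name, level="UNCLASSIFIED"):
        self.level[name] = higher(self.level.get(name, "UNCLASSIFIED"), level)

    def connect(self, a, b):
        self.links.setdefault(a, set()).add(b)
        self.links.setdefault(b, set()).add(a)

    def cluster(self, machine):
        """Every machine reachable from `machine` by cabling, including itself."""
        seen, queue = {machine}, deque([machine])
        while queue:
            m = queue.popleft()
            for n in self.links.get(m, ()):
                if n not in seen:
                    seen.add(n)
                    queue.append(n)
        return seen

    def insert(self, floppy, machine):
        """Floppy inserted into machine: floppy and the whole cabled cluster rise
        to the maximum level among them.  Returns (new mark, list of relabels)."""
        group = self.cluster(machine)
        mark = self.level[floppy]
        for m in group:
            mark = higher(mark, self.level[m])
        changed = []
        for name in [floppy, *sorted(group)]:
            if self.level[name] != mark:
                changed.append((name, self.level[name], mark))   # (what, from, to)
                self.level[name] = mark
        return mark, changed


if __name__ == "__main__":
    t = MediaTracker()
    t.register("pc-1", "SECRET")          # constructed: pc-1 already holds SECRET data
    t.register("pc-2")
    t.connect("pc-1", "pc-2")             # pc-2 is cabled to pc-1
    t.register("disk-A")                  # an unclassified floppy
    print(t.insert("disk-A", "pc-2"))     # both disk-A and pc-2 become SECRET
```

The list of relabels returned by `insert` is what goes on the external labels: each entry names a floppy or machine whose sticker must be replaced with the higher level.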
Files stored on a hard disk containing any sensitive files must be
cannot be readily confirmed as such. Visual inspection of a file's
the file space. Sensitive files, if they must be stored on hard disks,
files are sensitive is to store them in a separated disk partition. However,
Data encryption provides a partial solution to the problem of labeling
as well as providing access control. Encryption is a technique for
to the tools necessary to see it.
Hardware implementations of encryption can provide a higher degree
of security, since software-based implementations are susceptible
to penetration by interlopers. However, take steps to ensure the
integrity of the device. Sensitive equipment should be sealed and
the internal configuration audited.
Securing Data Media
Lock Floppy Disks
Diskettes should be locked in a secure container. Be sure that the
keys are unique and not interchangeable with the keys to other locks.
Use Removable Hard Disk Systems
When feasible, use removable hard disk systems instead of fixed disk
consider installing power-on locks that restrict access to the machine
to individuals with lock keys. Again, the keys should be unique.
Make backup copies of all important software and data files.
Clear the micro's memory between users. Turning most micros off for
Microcomputers can enable users to transfer data to or from a mainframe. Transferring
micro user is responsible for ensuring that sensitive or classified
information is transferred only to other computers designated for
from mainframe to micro. Note that such transmissions may include
information which the user may not have perceived as being transferred.
The lack of micro hardware security engenders software insecurity. Because
modifications cannot be prevented, critical software, including operating
Operating System Weaknesses
Unlike many mainframe computer operating systems, most micro operating
User Identification and Authentication
User identification is the process by which an individual identifies
by which the user establishes that he is indeed that user, and has
a right to use the system. During the login process, the user enters
name or account number (identification) and password (authentication).
* Add password systems - software or hardware - to micros.
* Do not permit employees to use inappropriate passwords that are
easy to guess (first name, spouse's name, pet's name, birthday, etc.)
* Authentication (and, for multi-user micros and LANs, identification)
Software Attacks - Trapdoors/Trojan Horses/Viruses
Don't use any software that is not a "known quantity". Isolate
and test new software on a test system, where Trojan horses and viruses
can do little damage.
Consider a policy which prohibits users from bringing unapproved software
into the building. (Rockwell International has had such a written
that it be tested by your virus test group first.
Follow the advice in the chapter on viruses.
be intercepted by someone masquerading as you, actively receiving
your information, or through passive eavesdropping. Therefore, sensitive
information should be protected during transmission. Masquerading
can be thwarted through the use of dial-back. Dial-back is an interactive
the identification of the caller, then disconnects. If the caller's
the answering system will call back the originating system at a prearranged
number. The effectiveness of dial-back as a security measure is questionable
convenience features like call forwarding. Also, various methods
of call-back protection have been broken by hackers. Encryption is
one sure method of transmission protection.
Encryption can be adapted as a means of remote user authentication. A
user key, entered at the keyboard, authenticates the user. A second
encryption key can be stored in encrypted form in the calling system
firmware that authenticates the calling system as an approved communication
endpoint. When dial-back is used in conjunction with two-key encryption,
key), located at authorized locations (those with phone numbers listed
in the answering system's phone directory).
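The two mechanisms described above, dial-back and keyed authentication of the calling endpoint, are simulated below with both sides' messages recorded, including the call-forwarding weakness the draft mentions. This is an added example and not from the draft. The draft does not specify its "two-key encryption"; I stand in for it with an HMAC-SHA256 response over a random challenge, keyed by a system key assumed to live in the endpoint's firmware and mixed with the user key typed at the keyboard. The phone numbers, key values and the dictionary-based telephone network are constructed.

```python
"""Dial-back with and without a keyed challenge.  Added example, not part of
the NCSA draft.  Assumptions (mine): the draft's two-key scheme is modelled
as HMAC-SHA256(system_key, challenge || user_key); the network is a lookup
table with a call-forwarding table that an attacker has managed to set."""
import hashlib
import hmac
import os


class Endpoint:
    def __init__(self, name, system_key=None, user_key=None):
        self.name, self.system_key, self.user_key = name, system_key, user_key

    def respond(self, challenge):
        """Answer the host's challenge; impossible without the firmware key."""
        if self.system_key is None:
            return None
        return hmac.new(self.system_key, challenge + (self.user_key or b""),
                        hashlib.sha256).digest()


class PhoneNetwork:
    def __init__(self):
        self.subscribers = {}   # number -> Endpoint
        self.forwarding = {}    # number -> number the carrier forwards to

    def ring(self, number):
        """Follow call forwarding as the exchange would and return who answers."""
        hops = 0
        while number in self.forwarding and hops < 8:
            number, hops = self.forwarding[number], hops + 1
        return self.subscribers.get(number)


class AnsweringSystem:
    def __init__(self, network, require_key):
        self.network, self.require_key = network, require_key
        self.directory = {}     # user -> (prearranged number, system_key, user_key)

    def enrol(self, user, number, system_key, user_key):
        self.directory[user] = (number, system_key, user_key)

    def incoming(self, claimed_user):
        """Return (accepted, transcript) for a caller claiming to be claimed_user."""
        log = [f"caller: I am {claimed_user}"]
        if claimed_user not in self.directory:
            log.append("host: unknown user, hang up")
            return False, log
        number, system_key, user_key = self.directory[claimed_user]
        log.append(f"host: hang up, dialling prearranged number {number}")
        endpoint = self.network.ring(number)       # call the directory number, never the caller's
        if endpoint is None:
            log.append("host: no answer")
            return False, log
        log.append(f"network: {endpoint.name} answered")
        if not self.require_key:
            log.append("host: session opened (dial-back only)")
            return True, log
        challenge = os.urandom(16)
        log.append("host: challenge sent")
        expected = hmac.new(system_key, challenge + user_key, hashlib.sha256).digest()
        response = endpoint.respond(challenge)
        ok = response is not None and hmac.compare_digest(response, expected)
        log.append("host: session opened" if ok else "host: bad response, hang up")
        return ok, log


def scenario(require_key):
    """Alice's approved workstation, then an attacker who had her line forwarded."""
    net = PhoneNetwork()
    sys_key, usr_key = b"firmware-key-alice", b"alice-typed-key"     # constructed keys
    net.subscribers["555-0100"] = Endpoint("alice-workstation", sys_key, usr_key)
    net.subscribers["555-0199"] = Endpoint("attacker-modem")         # no keys
    host = AnsweringSystem(net, require_key)
    host.enrol("alice", "555-0100", sys_key, usr_key)
    honest, _ = host.incoming("alice")
    net.forwarding["555-0100"] = "555-0199"   # carrier now forwards alice's line to the attacker
    forwarded, log = host.incoming("alice")
    return honest, forwarded, log


if __name__ == "__main__":
    for require_key in (False, True):
        honest, forwarded, log = scenario(require_key)
        print(f"require_key={require_key}: honest={honest} forwarded={forwarded}")
        print("\n".join("  " + line for line in log))
```

With `require_key=False` the forwarded call is accepted: the host dialled the right number, but the carrier delivered the call to the attacker, which is exactly the convenience-feature weakness the draft describes. With `require_key=True` the attacker's modem answers but cannot compute the response, so only an endpoint holding the firmware key at the prearranged number gets a session.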
Remote connections to other systems make micros susceptible to remote
attacks. A micro connected to a network, for example, may be subjected
to attack by other network users. The attacker could transmit control
characters that affect the interrupt logic of the micro in such a
even if he is incapable of passing the system's login challenge. The
attacker could use other techniques to examine the user's communication
To create computer security, four basic changes must occur in the
* senior management must provide strong, overt support of the
and they must set good examples.
* employees must be educated. Employees would support security
felt that they were part of the program. Educate and involve them.
* all members of the organization must participate in the program.
Because information is handled by all employees, all must understand
the value of their contribution to security, and the value of the
nformation they access.
* staff effort must be rewarded. Be sure to reward those
The "human factors" in computer security are probably far
more important than the hardware or software you throw at the problem.
too. Ken Thompson, one of the co-developers of UNIX, writes "It
is only the inadequacy of the criminal code that saves the hackers
from very serious prosecution... There is an explosive situation brewing.
On the one hand, the press, television, and movies make heroes of
vandals by calling them whiz kids. On the other hand, the acts performed
by these kids will soon be punishable by years in prison... The act
of breaking into a computer system has to have the same social stigma
as breaking into a neighbor's house. It should not matter that the
neighbor's door is unlocked. The press must learn that misguided use
of a computer is no more amazing than drunk driving of an automobile."
Downloaded From P-80 International Information Systems 304-744-2253