Management Guide to the Protection of Information Resources National Institute of Standards and Technology The National Institute of Standards and Technology (NIST), is responsible for developing standards, providing technical assistance, and conducting research for computers and related systems. These activities provide technical support to government and industry in the effective, safe, and economical use of computers. With the passage of the Computer Security Act of 1987 (P.L. 100-235), NIST's activities also include the development of standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems. This guide represents one activity towards the protection and management of sensitive information resources. Acknowledgments This guide was written by Cheryl Helsing of Deloitte, Haskins & Sells in conjunction with Marianne Swanson and Mary Anne Todd, National Institute of Standards and Technology. Executive Summary Today computers are integral to all aspects of operations within an organization. As Federal agencies are becoming critically dependent upon computer information systems to carry out their missions, the agency executives (policy makers) are recognizing that computers and computer-related problems must be understood and managed, the same as any other resource. They are beginning to understand the importance of setting policies, goals, and standards for protection of data, information, and computer resources, and are committing resources for information security programs. They are also learning that primary responsibility for data security must rest with the managers of the functional areas supported by the data. All managers who use any type of automated information resource system must become familiar with their agency's policies and procedures for protecting the information which is processed and stored within them. Adequately secure systems deter, prevent, or detect unauthorized disclosure, modification, or use of information. Agency information requires protection from intruders, as well as from employees with authorized computer access privileges who attempt to perform unauthorized actions. Protection is achieved not only by technical, physical and personnel safeguards, but also by clearly articulating and implementing agency policy regarding authorized system use to information users and processing personnel at all levels. This guide is one of three brochures that have been designed for a specific audience. The "Executive Guide to the Protection of Information Resources" and the "Computer User's Guide to the Protection of Information Resources" complete the series. Table of Contents Executive Summary iv Introduction 1 Purpose of Guide 1 The Risks 1 Responsibilities 2 Information Systems Development 5 Control Decisions 5 Security Principles 5 Access Decisions 7 Systems Development Process 7 Computer Facility Management 9 Physical Security 9 Data Security 11 Monitoring and Review 11 Personnel Management 13 Personnel Security 13 Training 14 For Additional Information 15 Introduction Purpose of this Guide This guide introduces information systems security concerns and outlines the issues that must be addressed by all agency managers in meeting their responsibilities to protect information systems within their organizations. It describes essential components of an effective information resource protection process that applies to a stand alone personal computer or to a large data processing facility. The Risks Effort is required by every Federal agency to safeguard information resources and to reduce risks to a prudent level. The spread of computing power to individual employees via personal computers, local-area networks, and distributed processing has drastically changed the way we manage and control information resources. Internal controls and control points that were present in the past when we were dealing with manual or batch processes have not been established in many of today's automated systems. Reliance upon inadequately controlled computer systems can have serious consequences, including: Inability or impairment of the agency's ability to perform its mission Inability to provide needed services to the public Waste, loss, misuse, or misappropriation of funds Loss of credibility or embarrassment to an agency To avoid these consequences, a broad set of information security issues must be effectively and comprehensively addressed. Responsibilities All functional managers have a responsibility to implement the policies and goals established by executive management for protection of automated information resources (data, processes, facilities, equipment, personnel, and information). Managers in all areas of an organization are clearly accountable for the protection of any of these resources assigned to them to enable them to perform their duties. They are responsible for developing, administering, monitoring, and enforcing internal controls, including security controls, within their assigned areas of authority. Each manager's specific responsibilities will vary, depending on the role that manager has with regard to computer systems. Portions of this document provide more detailed information on the respective security responsibilities of managers of computer resources, managers responsible for information systems applications and the personnel security issues involved. However, all agency management must strive to: Achieve Cost-Effective Security The dollars spent for security measures to control or contain losses should never be more than the projected dollar loss if something adverse happened to the information resource. Cost-effective security results when reduction in risk through implementation of safeguards is balanced with costs. The greater the value of information processed, or the more severe the consequences if something happens to it, the greater the need for control measures to protect it. The person who can best determine the value or importance of data is the functional manager who is responsible for the data. For example, the manager responsible for the agency's budget program is the one who should establish requirements for the protection of the automated data which supports the program. This manager knows better than anyone else in the organization what the impact will be if the data is inaccurate or unavailable. Additionally, this manager usually is the supervisor of most of the users of the data. It is important that these trade-offs of cost versus risk reduction be explicitly considered, and that management understand the degree of risk remaining after selected controls are implemented. Assure Operational Continuity With ever-increasing demands for timely information and greater volumes of information being processed, the threat of information system disruption is a very serious one. In some cases, interruptions of only a few hours are unacceptable. The impact due to inability to process data should be assessed, and actions should be taken to assure availability of those systems considered essential to agency operation. Functional management must identify critical computer applications and develop contingency plans so that the probability of loss of data processing and telecommunications support is minimized. Maintain Integrity Integrity of information means you can trust the data and the processes that manipulate it. Not only does this mean that errors and omissions are minimized, but also that the information system is protected from deliberate actions to wrongfully change the data. Information can be said to have integrity when it corresponds to the expectations and assumptions of the users. Assure Confidentiality Confidentiality of sensitive data is often, but not always, a requirement of agency systems. Privacy requirements for personal information is dictated by statute, while confidentiality of other agency information is determined by the nature of that information, e.g., information submitted by bidders in procurement actions. The impact of wrongful disclosure must be considered in understanding confidentiality requirements. Comply with Applicable Laws and Regulations As risks and vulnerabilities associated with information systems become better understood, the body of law and regulations compelling positive action to protect information resources grows. OMB Circular No. A-130, "Management of Federal Information Resources" and Public Law 100-235, "Computer Security Act of 1987" are two documents where the knowledge of these regulations and laws provide a baseline for an information resource security program. Information Systems Development This section describes the protective measures that should be included as part of the design and development of information processing application systems. The functional manager that is responsible for and will use the information contained in the system, must ensure that security measures have been included and are adequate. This includes applications designed for personal computers as well as large mainframes. Control Decisions The official responsible for the agency function served by the automated information system has a critical role in making decisions regarding security and control. In the past, risk was often unconsciously accepted when such individuals assumed the computer facility operators were taking care of security. In fact, there are decisions to be made and security elements to be provided that cannot be delegated to the operator of the system. In many cases, the user or manager develops the application and operates solely. The cost of control must be balanced with system efficiency and usability issues. Risk must be evaluated and cost-effective controls selected to provide a prudent level of control while maximizing productivity. Controls are often closely connected with the system function, and cannot be effectively designed without significant understanding of the process being automated. Security Principles There are some common security attributes that should be present in any system that processes valuable personal or sensitive information. System designs should include mechanisms to enforce the following security attributes. Identification and Authentication of Users Each user of a computer system should have a unique identification on the system, such as an account number or other user identification code. There must also be a means of verifying that the individual claiming that identity (e.g., by typing in that identifying code at a terminal) is really the authorized individual and not an imposter. The most common means of authentication is by a secret password, known only to the authorized user. Authorization Capability Enforcing the Principle of Least Possible Privilege Beyond ensuring that only authorized individuals can access the system, it is also necessary to limit the users access to information and transaction capabilities. Each person should be limited to only the information and transaction authority that is required by their job responsibilities. This concept, known as the principle of least possible privilege, is a long-standing control practice. There should be a way to easily assign each user just the specific access authorities needed. Individual Accountability From both a control and legal point of view, it is necessary to maintain records of the activities performed by each computer user. The requirements for automated audit trails should be developed when a system is designed. The information to be recorded depends on what is significant about each particular system. To be able to hold individuals accountable for their actions, there must be a positive means of uniquely identifying each computer user and a routinely maintained record of each user's activities. Audit Mechanisms Audit mechanisms detect unusual events and bring them to the attention of management. This commonly occurs by violation reporting or by an immediate warning to the computer system operator. The type of alarm generated depends on the seriousness of the event. A common technique to detect access attempts by unauthorized individuals is to count attempts. The security monitoring functions of the system can automatically keep track of unsuccessful attempts to gain access and generate an alarm if the attempts reach an unacceptable number. Performance Assurance A basic design consideration for any information system should be the ability to verify that the system is functioning as intended. Systems that are developed without such design considerations are often very difficult to independently audit or review, leading to the possibility of unintended results or inaccurate processing. Recoverability Because Federal agencies can potentially be heavily dependent on a computer system, an important design consideration is the ability to easily recover from troublesome events, whether minor problems or major disruptions of the system. From a design point of view, systems should be designed to easily recover from minor problems, and to be either transportable to another backup computer system or replaced by manual processes in case of major disruption or loss of computer facility. Access Decisions Once the automated system is ready to use, decisions must be made regarding access to the system and the information it contains. For example, many individuals require the ability to access and view data, but not the ability to change or delete data. Even when computer systems have been designed to provide the ability to narrowly designate access authorities, a knowledgeable and responsible official must actually make those access decisions. The care that is taken in this process is a major determining factor of the level of security and control present in the system. If sensitive data is being transmitted over unprotected lines, it can be intercepted or passive eavesdropping can occur. Encrypting the files will make the data unintelligible and port protection devices will protect the files from unauthorized access, if warranted. Systems Development Process All information systems software should be developed in a controlled and systematic manner according to agency standards. The quality and efficiency of the data processed, and the possible reconfiguration of the system can all be affected by an inadequate development process. The risk of security exposures and vulnerabilities is greatly reduced when the systems development process is itself controlled. Computer Facility Management Functional managers play a critical role in assuring that agency information resources are appropriately safeguarded. This section describes the protective measures that should be incorporated into the ongoing management of information resource processing facilities. As defined in OMB Circular No. A-130, "Management of Federal Information Resources," the term "information technology facility" means an organizationally defined set of personnel, hardware, software, and physical facilities, a primary function of which is the operation of information technology. This section, therefore applies to any manager who houses a personal computer, mainframe or any other form of office system or automated equipment. Physical Security Information cannot be appropriately protected unless the facilities that house the equipment are properly protected from physical threats and hazards. The major areas of concern are described below. Environmental Conditions For many types of computer equipment, strict environmental conditions must be maintained. Manufacturer's specifications should be observed for temperature, humidity, and electrical power requirements. Control of Media The media upon which information is stored should be carefully controlled. Transportable media such as tapes and cartridges should be kept in secure locations, and accurate records kept of the location and disposition of each. In addition, media from an external source should be subject to a check-in process to ensure it is from an authorized source. Control of Physical Hazards Each area should be surveyed for potential physical hazards. Fire and water are two of the most damaging forces with regard to computer systems. Opportunities for loss should be minimized by an effective fire detection and suppression mechanism, and planning reduces the danger of leaks or flooding. Other physical controls include reducing the visibility of the equipment and strictly limiting access to the area or equipment. Contingency Planning Although risks can be minimized, they cannot be eliminated. When reliance upon a computer facility or application is substantial, some type of contingency plan should be devised to allow critical systems to be recovered following a major disaster, such as a fire. There are a number of alternative approaches that should be evaluated to most cost-effectively meet the agency's need for continuity of service. Configuration Management Risk can be introduced through unofficial and unauthorized hardware or software. Another key component of information resource management is ensuring only authorized hardware and software are being utilized. There are several control issues to be addressed. Maintaining Accurate Records Records of hardware/software inventories, configurations, and locations should be maintained and kept up-to-date. Complying with Terms of Software Licenses Especially with microcomputer software, illegal copying and other uses in conflict with licensing agreements are concerns. The use of software subject to licensing agreements must be monitored to ensure it is used according to the terms of the agreement. Protecting Against Malicious Software and Hardware The recent occurrences of destructive computer "viruses" point to the need to ensure that agencies do not allow unauthorized software to be introduced to their computer environments. Unauthorized hardware can also contain hidden vulnerabilities. Management should adopt a strong policy against unauthorized hardware/software, inform personnel about the risks and consequences of unauthorized additions to computer systems, and develop a monitoring process to detect violations of the policy. Data Security Management must ensure that appropriate security mechanisms are in place that allow responsible officials to designate access to data according to individual computer users' specific needs. Security mechanisms should be sufficient to implement individual authentication of system users, allow authorization to specific information and transaction authorities, maintain audit trails as specified by the responsible official, and encrypt sensitive files if required by user management. Monitoring and Review A final aspect of information resource protection to be considered is the need for ongoing management monitoring and review. To be effective, a security program must be a continuous effort. Ideally, ongoing processes should be adapted to include information protection checkpoints and reviews. Information resource protection should be a key consideration in all major computer system initiatives. Earlier, the need for system audit trails was discussed. Those audit trails are useful only if management regularly reviews exception items or unusual activities. Irregularities should be researched and action taken when merited. Similarly, all information-related losses and incidents should be investigated. A positive benefit of an effective monitoring process is an increased understanding of the degree of information-related risk in agency operations. Without an ongoing feedback process, management may unknowingly accept too much risk. Prudent decisions about trade-offs between efficiency and control can only be made with a clear understanding of the degree of inherent risk. Every manager should ask questions and periodically review operations to judge whether changes in the environment have introduced new risk, and to ensure that controls are working effectively. Personnel Management Managers must be aware that information security is more a people issue than a technical issue. Personnel are a vital link in the protection of information resources, as information is gathered by people, entered into information resource systems by people, and ultimately used by people. Security issues should be addressed with regard to: People who use computer systems and store information in the course of their normal job responsibilities People who design, program, test, and implement critical or sensitive systems People who operate computer facilities that process critical or sensitive data Personnel Security From the point of hire, individuals who will have routine access to sensitive information resources should be subject to special security procedures. More extensive background or reference checks may be appropriate for such positions, and security responsibilities should be explicitly covered in employee orientations. Position descriptions and performance evaluations should also explicitly reference unusual responsibilities affecting the security of information resources. Individuals in sensitive positions should be subject to job rotation, and work flow should be designed in such a way as to provide as much separation of sensitive functions as possible. Upon decision to terminate or notice of resignation, expedited termination or rotation to less sensitive duties for the remainder of employment is a reasonable precaution. Any Federal computer user who deliberately performs or attempts to perform unauthorized activity should be subject to disciplinary action, and such disciplinary action must be uniformly applied throughout the agency. Any criminal activity under Federal or state computer crime laws must be reported to law enforcement authorities. Training Most information resource security problems involve people. Problems can usually be identified in their earliest stages by people who are attuned to the importance of information protection issues. A strong training program will yield large benefits in prevention and early detection of problems and losses. To be most effective, training should be tailored to the particular audience being addressed, e.g., executives and policy makers; program and functional managers; IRM security and audit: ADP management and operations; end users. Most employees want to do the right thing, if agency expectations are clearly communicated. Internal policies can be enforced only if staff have been made aware of their individual responsibilities. All personnel who access agency computer systems should be aware of their responsibilities under agency policy, as well as obligations under the law. Disciplinary actions and legal penalties should be communicated. For Additional Information National Institute Of Standards and Technology Computer Security Program Office, A-216 Technology Gaithersburg, MD 20899 (301) 975-5200 For further information on the management of information resources, NIST publishes Federal Information Processing Standards Publications (FIBS PUBS). These publications deal with many aspects of computer security, including password usage, data encryption, ADP risk management and contingency planning, and computer system security certification and accreditation. A list of current publications is available from: Standards Processing Coordinator (ADP) National Computer Systems Laboratory National Institute of Standards and Technology Technology Building, B-64 Gaithersburg, MD 20899 Phone: (301) 975-2817