PROBLEM AREAS IN THE AUTOMATIC DATA PROCESSING ENVIRONMENT

Document Number (FOIA) /ESDN (CREST): CIA-RDP89B01354R000100120010-7
Release Decision: RIFPUB
Original Classification: U
Document Page Count: 2
Document Creation Date: December 21, 2016
Document Release Date: May 30, 2008
Sequence Number: 10
Content Type: MEMO
Approved For Release 2008/05/30: CIA-RDP89B01354R000100120010-7

FOR OFFICIAL USE ONLY

DEPARTMENT OF THE NAVY
OFFICE OF THE CHIEF OF NAVAL OPERATIONS
WASHINGTON, D.C. 20350

Op-92C2/dts
Ser 3803P92

MEMORANDUM FOR THE CHAIRMAN, COMPUTER SECURITY WORKING GROUP, UNITED STATES INTELLIGENCE BOARD SECURITY COMMITTEE

Subj: Problem Areas in the Automatic Data Processing Environment

Ref: (a) IBSEC-CSWG-M-2 dated 2 Jul 1968

1. In response to reference (a), the following Navy problem areas within the ADP environment are identified:

a. Multi-level, remote terminal ADP installations. The ADP security area of greatest concern to the Navy, and for which the first priority of effort is recommended, concerns those problems generated by third generation computer equipment with its online, remote terminal, time sharing and multi-level capabilities. Specific problem areas include:

(1) Protection at Boundaries - to insure that no information is passed to or accepted from any portion of the system at a security level not commensurate with the certification of that portion of the system. (Should include a determination of the acceptable level of risk for failure of this security function.)

(2) Identification of classification - an adequate means of notifying users of the classification level of the information furnished to them by the system.

(3) Receipting - to include a method (i.e., a log of transactions) indicating that classified information provided any user by the system.

(4) Certification - the procedure for certifying a multi-security level system and the requirement for recertification when changes in the hardware or software occur.

(5) Remote devices - the physical security and access control required at remote input and output device installations.

(6) Inadvertent dump - the protection necessary against intentional tampering, spurious altering or loss of data.

b. Collateral problems. Associated with those security problems unique to multi-level, remote terminal ADP installations are security problems also common to earlier computer systems. These problems have already been solved or resolved by the Navy out of necessity, and it is recommended that initially they be examined in connection with the multi-level, remote terminal problem. Policy developed could then be applied to other ADP systems when more effective security is provided or when uniformity in security measures between the various government agencies is desired. These collateral security problems include:

(1) Downgrading and declassification of discs, drums and tapes
(2) Personnel access control
(3) Security identification of stowed data
(4) Contracting for computer services
(5) TEMPEST
(6) Marking of output
(7) Stowage of tapes, drums and discs

Very respectfully,

ROBERT C. ALLEN
Navy Member
Computer Security Working Group