GUIDELINES FOR THE SECURITY ANALYSIS, TESTING, AND EVALUATION OF RESOURCE-SHARING COMPUTER SYSTEMS
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP89B01354R000200320012-2
Release Decision:
RIFPUB
Original Classification:
C
Document Page Count:
13
Document Creation Date:
December 27, 2016
Document Release Date:
March 21, 2013
Sequence Number:
12
Case Number:
Content Type:
MISC
File: scanned attachment, 732.97 KB
Body:
Declassified and Approved For Release 2013/03/21 : CIA-RDP89B01354R000200320012-2

Computer Security Subcommittee
of
United States Intelligence Board
Security Committee

Guidance for the Security Analysis, Test and Evaluation of
Resource-Sharing Computer Systems

I. Purpose

To provide basic guidance for the security analysis, test and evaluation of resource-sharing computer systems wherein the control and integrity of the data stored and/or processed must be ensured. To list the system features, procedures and related conditions which should be analyzed, tested and evaluated prior to the system receiving accreditation within the resource-sharing environment. While the guidance is developed for resource-sharing computer systems, it should be applied to other systems as [remainder illegible in scan].

II. Scope

The guidance contained herein is applicable to all community intelligence functions using resource-sharing computer systems support for which special handling controls have been established.

III.

Resource-sharing computer systems should be analyzed, tested and evaluated for the possession and functionally dependable operability of security features
and procedures. Complete security analysis, test and evaluation form the basis for system accreditation. The outcome of this effort should be a statement either recommending or not recommending such accreditation and an explanation of the reasons for that statement. The security analysis, test and evaluation should be conducted when the system is operating under relatively static, though productive, conditions. During this time systems changes must be separately evaluated in light of their impact on both the security of the system and the status of the analysis, test and evaluation.
A. Security Analysis - This process will encompass the accumulation of all features for providing security protection of information handled (to be handled) within a resource-sharing computer system and [illegible in scan] to the software, hardware and procedural conditions of the system. System configurations, capabilities, locations and procedures will vary widely among organizations using this guidance; however, it is essential that, insofar as possible, they all be analyzed based upon this guidance in conjunction with agency/departmental regulatory guidance. Security analysis is requisite to security testing which is, in turn, requisite to security evaluation. While these may be independent phases, they are not mutually exclusive. In fact, the pursuit of one phase may require refinement of the others, regardless of the stage
of completion of all. The security analysis will be the process of identifying security safeguards and ordering them into a framework based upon the manner and degree to which they are designed to guard against possible security vulnerabilities.

1. Hardware Controls

a. Memory protect device - A determination will be made to insure that a memory protect device is available to detect and prevent any attempt to read or write outside the area of memory assigned to a given user or application. These devices can fail; therefore, it is advisable to require a special program which will attempt to deliberately and frequently violate the memory bounds.
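The "special program which will attempt to deliberately and frequently violate the memory bounds" can be written as a self-test that the tester reruns over time. The C program below is an added example, not part of the original guidance. It assumes a POSIX system where page protection set with mmap and mprotect stands in for the memory protect device: an assigned page is placed between two guard pages, in-bounds accesses must succeed silently, and each out-of-bounds read or write must be trapped. The handler records the faulting address, so the test counts a trap only when the device reported a fault for exactly the address that was probed, not for some unrelated fault.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD/macOS spelling */
#endif

/* Recovery point for the fault handler and the address the device reported. */
static sigjmp_buf recover_point;
static volatile uintptr_t fault_addr;

static void on_fault(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)ctx;
    fault_addr = (uintptr_t)info->si_addr;
    siglongjmp(recover_point, 1);          /* unwind back into probe() */
}

/* One deliberate access at addr. Returns 1 only if the access was trapped and the
 * reported fault address is addr itself; 0 if it went through silently. */
static int probe(volatile unsigned char *addr, int write)
{
    fault_addr = 0;
    if (sigsetjmp(recover_point, 1) == 0) {
        if (write) *addr = 0xA5; else (void)*addr;
        return 0;                          /* no trap: protection did not hold */
    }
    return fault_addr == (uintptr_t)addr;
}

/* Layout: [guard page][assigned page][guard page]. Each round writes inside the
 * assigned page (must work), then writes just below and reads just above it (must
 * be trapped). Returns the number of out-of-bounds probes trapped (2 per round),
 * -1 on setup failure, -2 if an in-bounds access misbehaved. */
int memory_protect_self_test(int rounds)
{
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *region = mmap(NULL, 3 * page, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    volatile unsigned char *assigned = region + page;
    if (mprotect(region, page, PROT_NONE) != 0 ||
        mprotect(region + 2 * page, page, PROT_NONE) != 0) {
        munmap(region, 3 * page);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);      /* some platforms report bounds faults as SIGBUS */

    int trapped = 0;
    for (int i = 0; i < rounds; i++) {
        long off = i % page;
        assigned[off] = (unsigned char)(i + 1);            /* in-bounds: must not fault */
        if (assigned[off] != (unsigned char)(i + 1)) { trapped = -2; break; }
        trapped += probe(assigned - 1 - off, 1);           /* write below the lower bound */
        trapped += probe(assigned + page + off, 0);        /* read above the upper bound */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(region, 3 * page);
    return trapped;
}

int main(void)
{
    int rounds = 16;
    int trapped = memory_protect_self_test(rounds);
    printf("%d of %d out-of-bounds accesses trapped\n", trapped, 2 * rounds);
    return trapped == 2 * rounds ? 0 : 1;
}
```

A result below 2 * rounds means at least one violation was not trapped or was reported at the wrong address, which is the failure the guidance says these devices can exhibit; the same harness shape (deliberate violation, expected trap, recorded address) applies to the user/executive mode separation test later in the document.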
b. Separation of data by device (or within device) - Similar to memory protect, except that data separation is not normally additionally dependent upon software protection. However, when data is resident in memory, it is dependent upon memory protection.

c. Protection state variables - The execution state of a processor may include one or more variables which determine the interpretation of instructions executed by the processor. These variables should be identified at the outset of the security analysis exercise. For example, a processor might have a master/slave mode protection state variable, in which certain instructions are illegal except in master mode.
2. Software Controls

a. Security labels - Security classification and other required control labels should be identified with the information and programs in the system to insure appropriate labeling of output/input and access authority.

b. User Identification/Authentication - User identification/authentication for access to resource-sharing computer systems will primarily apply to remote users; however, all persons accessing any part of the system should be required to identify themselves in some manner. This will be the (software) means by which the system assures that the individual at a terminal or access unit is the person he represents himself to be and has authority to access information which he is requesting.

c. System Supervisor (also known as Executive and Monitor) - The supervisor acts as the overall guard of the system. It is that portion of the software which internally manages job flow through the computer, allocates systems resources to jobs, and controls information flowing to and from files and terminals. The malfunction or deliberate alteration of the supervisor could couple information from one program to another; change the security classification of users, files or programs; or, at a minimum, destroy information in the system. For these reasons, rigid controls must be enforced to insure that only authorized personnel have access to the supervisor.

d. Privileged instructions - Coupled with the supervisor and the hardware controls, the architecture of the
computer must provide for privileged instructions. The set of privileged instructions must contain all input/output commands and also every command which could change a memory boundary or protection barrier. Moreover, the design of the computer should be such as to insure that only the supervisor program can operate the privileged instructions. It is absolutely essential that the supervisor program not be bypassed.

e. Separation of User/Executive Modes of Operation - The user and executive modes of system operation shall be separated so that a program operating in user mode is prevented from performing unauthorized executive functions.

f. Residue Cleanout - Instructions for performing residue cleanout should be standard within the system for all user programs to execute under the following conditions:

(1) Upon job completion.
(2) Upon program error (without recovery).
(3) [illegible in scan]
(4) [illegible in scan]
(5) Upon release of the allocated storage area to the supervisor.
(6) Upon each system initiation.
(7) Before allocation and after de-allocation of any assigned permanent user storage area.
g. Audit Trail - The computer system should produce in a secure manner an audit trail containing sufficient information to permit a regular security review of system activity. System usage recording functions can be used to detect improper use or maintenance of the data base. These functions are specifically directed toward protection of data security and assured integrity. They should be performed by the system Supervisor in connection with a special system log and access authentication library. The audit trail will allow for:

(1) Detection of data base/system misuse.
(2) Documentation of data base/system misuse.
(3) Audit of task performance.

3. Other Controls

a. Personnel Security

(1) During the analysis a determination will be made that all personnel who have an operational requirement to access the computer center and/or remote terminals have been cleared to the highest level of classified information stored or processed by the system. All other personnel must be properly escorted.

(2) Procedures will be insured for unescorted access to the computer center area. This access should be limited to personnel with a predetermined need and holding clearances commensurate with the highest category of classified information processed or stored by the system. Access to a
remote terminal should be limited to personnel who are cleared and have access approvals for information designated for output at that terminal.

b. Physical Security

(1) A determination will be made that the computer facility and remote terminals meet applicable physical security standards prescribed for safeguarding classified information stored or processed by the system.

(2) Physical security requirements for the computer center area should be based upon the over-all requirements of the entire system; however, remote terminal area requirements may be based upon the highest level of information designated for input/output at each terminal.

(3) Provisions may be made for downgrading area controls to the level of protection required for the information actually being processed, provided that measures are taken to maintain a level of security commensurate with the highest category of classified information resident in the system.

c. Communications Links - The communications links between all components of a system shall be secured in a manner appropriate for the transmission of the highest classified data designated to be carried by the link.

d. Emanations Security - Control measures and tests will be applied to equipment and systems to the extent necessary to prevent the compromise of classified or controlled
information by the unauthorized interception of spurious emissions from equipment used to process the information. Individual organizations will retain the responsibility for applying control measures for those systems within their purview in accordance with the National Policy on Compromising Emanations.

e. Procedures and Administrative Safeguards

(1) Procedures and administrative processes and channels must be established to maintain access controls and to insure that system security measures are performing adequately.

(2) Procedures prescribed for systems users at remote terminals must provide adequate protection for all levels and categories of classified information handled by each terminal.

(3) Computer facility access procedures must be established to provide maximum control over access to the area.

B. Security Testing - This process will include the inspection and testing of the hardware, software, physical and procedural security features of the resource-sharing system under study. The testing will determine the degree to which the system conforms to the requirements of appropriate regulations and policies. The extent and duration of the inspection and testing, and the development of standards and other criteria to be met, will depend heavily on the manner in
which the hardware and software is constructed and the class of the system being studied. The process measures the extent to which security safeguards guard against projected security vulnerabilities.

1. Hardware Controls

a. Memory Protect Device - This device should be exercised over a period of time, utilizing all available or representative programs, to insure the positive operability of the device.

b. Separation of data by device (or within device) - A check should be made to determine the extent of this technique and the security protection afforded data from these devices while they are core resident. This technique will depend upon other protection features once data has left the resident peripherals or devices.

c. Protection State Variables - The actual ability of the processor to access locations in primary memory will be tested to insure that all original and modified capabilities are known, understood and controlled.

2. Software Controls

a. Security labels - The use of security labels will be closely related to external labeling, internal file or record labeling and user identification/authorization. Access to the data contents will be controlled through the label identification. Furthermore, each user will possess access to
resident files based upon his identification/authorization label access authority, which will be contained in the access libraries and/or executive system.

b. User Identification/Authentication - The user activity must insure that only individuals with proper clearance and access authorization are permitted to utilize remote terminals at their activity. Additionally, software checks should be introduced and used to insure user authentication for the access of specified files or data which is available through the system. Numerous methodologies of user identification/authentication have been and are being devised. Regardless of the specific method chosen, the recommended approach to controlling access to system resources, from a security authority standpoint, is a software lockout in which a number of program checks are made against the following input parameters:

(1) User name.
(2) User classification and security release codes.
(3) Console identification.
(4) Console classification.
(5) Overlay identification.
(6) Program classification and security release codes.
(7) Record classification and security release codes.
Software control of the release of data by security classification and control codes promises to provide greater efficiency in system usage with security control and provides a better foundation for control on interchanges of data with other systems where direct interface becomes a reality. The security test of this feature will determine the capabilities and functional operability.

c. System Supervisor - A check should be made to insure that rigid access control is exercised over the Supervisor. Only specified individuals should be permitted to change, modify, update or otherwise alter the Supervisor. A file-query system which merely provides the user at a remote terminal the capability to access files using a set of fully checked programs is probably the least dangerous mode of operation in a resource-sharing computer system.

d. Privileged Instructions - A check should be made to ascertain the extent of use of privileged instructions, if any exist. The check should also include user access to these instructions and maintenance responsibilities. A live test using the instructions should be accomplished against various software systems to verify the exact functions and results of the instructions from a security/data integrity standpoint.

e. Separation of User/Executive Modes of Operation - A test should be performed, after investigation of
the system documentation, to insure that application/user programs are incapable of performing any alteration to the executive. It may be necessary to investigate all user programs to make this determination.

f. Residue Cleanout - A test should be performed to confirm the operability of the residue cleanout function. Upon execution of residue cleanout instructions, sample data should be printed/displayed to allow review to insure that the process has been successful. Measures should be implemented to insure that memory residue from terminated user programs is made inaccessible to unauthorized users.
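The residue cleanout test above (and the list of cleanout conditions under the analysis section, in particular release of an area to the supervisor and cleanout around allocation) can be reproduced in miniature. The C program below is an added example, not the guidance's own design; it assumes a hypothetical supervisor-managed storage pool of fixed-size areas handed out first-fit, a constructed sample record as the "sample data", and models the failure mode the test is meant to catch: when an area is released without cleanout, the next job to receive that area can read the previous job's data. The cleanout itself writes through a volatile pointer so that an optimising compiler cannot discard the stores as dead writes immediately before release.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical supervisor storage pool: a few fixed-size areas, handed out first-fit. */
#define AREA_SIZE 256
#define POOL_AREAS 4
static unsigned char pool[POOL_AREAS][AREA_SIZE];
static int in_use[POOL_AREAS];

/* Constructed sample record that the first job leaves behind (not real data). */
const char SAMPLE_RECORD[] = "CONSTRUCTED SAMPLE RECORD - NOT REAL DATA";

/* Residue cleanout: overwrite every byte of the area through a volatile pointer so the
 * compiler cannot delete the stores as "dead" (a plain memset right before release is
 * exactly the kind of store an optimiser is allowed to drop). */
void residue_cleanout(void *area, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)area;
    while (len--) *p++ = 0;
}

/* The tester's check: count bytes that still hold anything other than zero. This is
 * what printing/displaying sample data after cleanout is meant to verify. */
size_t residue_remaining(const void *area, size_t len)
{
    const unsigned char *p = (const unsigned char *)area;
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (p[i] != 0);
    return n;
}

/* Condition (7): cleanout before allocation when requested. Returns index or -1. */
int allocate_area(int cleanout_before)
{
    for (int i = 0; i < POOL_AREAS; i++) {
        if (!in_use[i]) {
            if (cleanout_before) residue_cleanout(pool[i], AREA_SIZE);
            in_use[i] = 1;
            return i;
        }
    }
    return -1;
}

/* Condition (5): cleanout upon release of the area to the supervisor. A compliant
 * supervisor always passes cleanout=1; the flag exists so the failure mode can be shown. */
void release_area(int idx, int cleanout)
{
    if (idx < 0 || idx >= POOL_AREAS) return;
    if (cleanout) residue_cleanout(pool[idx], AREA_SIZE);
    in_use[idx] = 0;
}

/* Job A stores the record and releases its area; job B then receives the same area
 * (first fit, no cleanout on allocation) and inspects it. Returns the number of residue
 * bytes visible to job B: 0 when cleanout ran on release, the record's length otherwise. */
size_t residue_visible_to_next_user(int cleanout_on_release)
{
    int a = allocate_area(0);
    if (a < 0) return 0;
    memcpy(pool[a], SAMPLE_RECORD, sizeof SAMPLE_RECORD);
    release_area(a, cleanout_on_release);

    int b = allocate_area(0);
    size_t leaked = residue_remaining(pool[b], AREA_SIZE);
    release_area(b, 1);                    /* leave the pool clean for the next run */
    return leaked;
}

int main(void)
{
    printf("residue visible without cleanout on release: %zu bytes\n",
           residue_visible_to_next_user(0));
    printf("residue visible with cleanout on release:    %zu bytes\n",
           residue_visible_to_next_user(1));
    return 0;
}
```

Running the two cases side by side is the point of the test: the first shows the residue a terminated job leaves for an unauthorised successor, the second shows the cleanout removing it; a test that only runs the compliant path cannot tell whether cleanout is actually executing.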
g. Audit Trail - During the testing of the audit trail software feature, special care must be used to confirm that all access and security authorization violations are detected and recorded. For this reason, special "spy" programs or intentional violator programs should be exercised against the system to determine the effectiveness of the audit trail to detect violators and give the appropriate alarm. The other system accounting capabilities of the audit trail should be secondary to security protect features.
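The software lockout described under User Identification/Authentication (program checks against user name, user classification and release codes, console identification and classification, overlay/program identification and classification, and record classification and release codes) and the audit trail test above fit together naturally: every lockout decision is what the audit trail records, and the intentional-violator exercise checks that each denied request appears there. The C program below is an added example serving both passages; it is not the guidance's own code. It assumes constructed user, console, program and record tables in place of the access libraries, classification levels ordered so that a numeric comparison expresses dominance, release codes as a bitmask of compartments, and an in-memory log standing in for the protected system log.

```c
#include <stdio.h>
#include <string.h>

/* Classification levels, ordered so that a numeric comparison gives dominance. */
enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };
/* Security release codes modelled as a bitmask of compartments (constructed names). */
enum { CODE_A = 1, CODE_B = 2, CODE_C = 4 };

struct label { enum level lvl; unsigned codes; };
struct entry { const char *id; struct label lab; };

/* Constructed tables standing in for the access libraries: no real identities. */
static const struct entry users[] = {{"alpha", {TOP_SECRET, CODE_A | CODE_B}},
                                     {"bravo", {SECRET, CODE_A}},
                                     {"charlie", {CONFIDENTIAL, 0}}};
static const struct entry consoles[] = {{"CON-01", {TOP_SECRET, CODE_A | CODE_B}},
                                        {"CON-02", {CONFIDENTIAL, 0}}};
static const struct entry programs[] = {{"QRY", {TOP_SECRET, CODE_A | CODE_B | CODE_C}},
                                        {"RPT", {SECRET, CODE_A}}};
static const struct entry records[] = {{"REC-100", {SECRET, CODE_A}},
                                       {"REC-200", {TOP_SECRET, CODE_A | CODE_B}},
                                       {"REC-300", {UNCLASSIFIED, 0}}};
#define COUNT(t) (sizeof(t) / sizeof((t)[0]))

static const struct entry *lookup(const struct entry *t, size_t n, const char *id)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].id, id) == 0) return &t[i];
    return NULL;
}

/* a may handle b's data only if its level is at least b's and it holds every code b requires. */
static int dominates(struct label a, struct label b)
{
    return a.lvl >= b.lvl && (a.codes & b.codes) == b.codes;
}

/* Audit trail: in-memory here; the supervisor would write it to a protected system log. */
#define AUDIT_MAX 64
static char audit_log[AUDIT_MAX][160];
static int audit_count;

static void audit(const char *verdict, const char *user, const char *console,
                  const char *program, const char *record, const char *reason)
{
    if (audit_count < AUDIT_MAX)
        snprintf(audit_log[audit_count++], sizeof audit_log[0],
                 "%s user=%s console=%s program=%s record=%s reason=%s",
                 verdict, user, console, program, record, reason);
}

/* Software lockout: check the request against the user, console, program and record
 * parameters; record every decision, grant or deny. Returns 1 for grant, 0 for deny. */
int check_access(const char *user, const char *console, const char *program, const char *record)
{
    const struct entry *u = lookup(users, COUNT(users), user);
    const struct entry *c = lookup(consoles, COUNT(consoles), console);
    const struct entry *p = lookup(programs, COUNT(programs), program);
    const struct entry *r = lookup(records, COUNT(records), record);
    const char *reason = NULL;
    if (!u)                               reason = "unknown user name";
    else if (!c)                          reason = "unknown console";
    else if (!p)                          reason = "unknown program/overlay";
    else if (!r)                          reason = "unknown record";
    else if (!dominates(u->lab, r->lab))  reason = "user clearance or release codes insufficient";
    else if (!dominates(c->lab, r->lab))  reason = "console not approved for record classification";
    else if (!dominates(p->lab, r->lab))  reason = "program not cleared for record classification";
    audit(reason ? "DENY" : "GRANT", user, console, program, record,
          reason ? reason : "all checks passed");
    return reason == NULL;
}

/* Number of violations (denials) the audit trail has recorded so far. */
int audit_violations(void)
{
    int n = 0;
    for (int i = 0; i < audit_count; i++) n += strncmp(audit_log[i], "DENY", 4) == 0;
    return n;
}

/* Intentional-violator exercise: each constructed attempt must be denied AND appear in
 * the audit trail. Returns how many of the four were both denied and recorded. */
int exercise_violators(void)
{
    static const char *attempts[][4] = {
        {"charlie", "CON-02", "QRY", "REC-100"},  /* user cleared CONFIDENTIAL, record is SECRET */
        {"alpha",   "CON-02", "QRY", "REC-200"},  /* user cleared, console not approved for TOP SECRET */
        {"alpha",   "CON-01", "RPT", "REC-200"},  /* program RPT lacks the record's level and CODE_B */
        {"zulu",    "CON-01", "QRY", "REC-300"},  /* user name not in the access library */
    };
    int detected = 0;
    for (size_t i = 0; i < COUNT(attempts); i++) {
        int before = audit_violations();
        int granted = check_access(attempts[i][0], attempts[i][1], attempts[i][2], attempts[i][3]);
        if (!granted && audit_violations() == before + 1) detected++;
    }
    return detected;
}

int main(void)
{
    printf("violators detected and recorded: %d of 4\n", exercise_violators());
    for (int i = 0; i < audit_count; i++) puts(audit_log[i]);
    return 0;
}
```

Each violator attempt is built to fail exactly one of the checks, so a count below four points at the specific parameter the lockout or the audit trail is missing; the grant path is recorded too, because the review described under Audit Trail needs the successful accesses as well as the denials.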
C. Security Evaluation - Based upon the security analysis and test results, a thorough evaluation should be conducted with the final objective being system accreditation for a multi-level security, resource-sharing computer environment. The decision should be based upon a demonstrated capability of the
entire system; its hardware, software, procedures, physical plant and personnel, that adequate protection can and will be provided the information scheduled to be processed by the system.
CONFIDENTIAL