GUIDELINES FOR THE SECURITY ANALYSIS, TESTING, AND EVALUATION OF RESOURCE-SHARING COMPUTER SYSTEMS
Document Number (FOIA) / ESDN (CREST): CIA-RDP89B01354R000200320014-0
Release Decision: RIPPUB
Original Classification: C
Document Page Count: 14
Document Creation Date: December 27, 2016
Document Release Date: March 21, 2013
Sequence Number: 14
Publication Date: November 9, 1970
Content Type: MISC
File: attachment, 649.66 KB
Body:
Declassified in Part - Sanitized Copy Approved for Release 2013/03/21 : CIA-RDP89B01354R000200320014-0
Computer Security Subcommittee
of the
United States Intelligence Board
Security Committee
Guidance for the Security Analysis, Test and Evaluation of Resource-Sharing Computer Systems
I. Purpose:
To prescribe the basic guidance for the security analysis, test, and evaluation of resource-sharing computer systems wherein the security, control and integrity of the data stored and/or processed must be ensured. To list some of the conditions, features, procedures and relative conditions which should be analyzed, tested and evaluated prior to the system receiving accreditation within the resource-sharing computer environment. While the guidance is developed for remotely-accessed resource-sharing computer systems, it can and should be applied to other systems as well.
II. Scope:
The guidance contained herein is applicable to all community intelligence functions using resource-sharing computer systems support for which special handling controls have been established.
III. Guidelines for Determination of System Security Capabilities:
All accredited resource-sharing computer systems should be analyzed, tested and evaluated for the possession and functionally dependable operability of security protection features and procedures. Computer security analysis, test and evaluation should constitute the basis for system accreditation. The culmination of this effort should be a statement either recommending or not recommending such accreditation and an explanation of the reasons for that statement. The security analysis, test and evaluation should be conducted when the system is operating under relatively static, though productive, conditions. During this time system changes must be separately evaluated in light of their impact on both the security of the system and the status of the analysis, test and evaluation.
A. Security Analysis - This process will encompass the accumulation of all conceptual approaches and features for providing security protection of information handled (or to be handled) within a resource-sharing computer system and applying these as they pertain to the software, hardware and procedural conditions of the system. System configurations, capabilities, locations and procedures will vary widely among organizations using this guidance; however, it is essential that, insofar as possible, they all be analyzed based upon this guidance in conjunction with agency/departmental regulatory guidance. Security analysis is requisite to security testing which is, in turn, requisite to security evaluation. While these may be independent phases, they are not mutually exclusive. In fact, the pursuit of one phase may require refinement of the others, regardless of the stage of completion of all. The security analysis will be the process of identifying security safeguards and ordering them into a framework based upon the manner and degree to which they are designed to guard against possible security vulnerabilities.
CONFIDENTIAL
1. Hardware Controls
a. Memory protect device - A determination will be made to insure that a memory protect device is available to detect and prevent any attempt to read or write outside the area of memory assigned to a given user or application. These devices can fail; therefore, it is advisable to require a special program which will attempt to deliberately and frequently violate the memory bounds.
b. Separation of data by device (or within device) - Similar to memory protect, except that data separation is not normally additionally dependent upon software protection. However, when data is resident in memory, it is dependent upon memory protection.
c. Protection state variables - The execution state of a processor may include one or more variables which determine the interpretation of instructions executed by the processor. These variables should be identified at the outset of the security analysis exercise. For example, a processor might have a master/slave mode protection state variable, in which certain instructions are illegal except in master mode.
2. Software Controls
a. Security labels - Security classification and other required control labels should be identified with the information and programs in the system to insure appropriate labeling of output/input and access authority.
b. User Identification/Authentication - User identification/authentication for access to resource-sharing computer systems will primarily apply to remote users; however, all persons accessing any part of the system should be required to identify themselves in some manner. This will be the software means by which the system assures that the individual at a terminal or access unit is the person he represents himself to be and has authority to access the information which he is requesting.
c. System Supervisor (also known as Executive and Monitor) - The supervisor acts as the overall guard of the system. It is that portion of the software which internally manages job flow through the computer, allocates system resources to jobs, and controls information flowing to and from files and terminals. The malfunction or deliberate alteration of the supervisor could couple information from one program to another; change the security classification of users, files or programs; or, at a minimum, destroy information in the system. For these reasons, rigid controls must be enforced to insure that only authorized personnel have access to the supervisor.
d. Privileged instructions - Coupled with the supervisor and the hardware controls, the architecture of the computer must provide for privileged instructions. The set of privileged instructions must contain all input/output commands and also every command which could change a memory boundary or protection barrier. Moreover, the design of the computer should be such as to insure that only the supervisor program can operate the privileged instructions. It is absolutely essential that the supervisor program not be bypassed.
e. Separation of User/Executive Modes of Operation - The user and executive modes of system operation shall be separated so that a program operating in user mode is prevented from performing unauthorized executive functions.
f. Residue Cleanout - Instructions for performing residue cleanout should be standard within the system for all user programs to execute under the following conditions:
(1) Upon job completion.
(2) Upon program error (without recovery).
(3) Upon notification by the Supervisor that an intrusion has been attempted.
(4) Upon site environment failure.
(5) Upon release of the allocated storage area to the supervisor.
(6) Upon each system bootstrap, whether system recovery or initiation.
(7) Before allocation and after de-allocation of any assigned permanent user storage area.
g. Audit Trail - The computer system should produce in a secure manner an audit trail containing sufficient information to permit a regular security review of system activity. System usage recording functions can be used to detect improper use or maintenance of the data base. These functions are specifically directed toward protection of data security and assured integrity. They should be performed by the system Supervisor in connection with a special system log and access authentication library. The audit trail will allow for:
(1) Detection of data base/system misuse.
(2) Documentation of data base/system misuse.
(3) Audit of task performance.
3. Other Controls:
a. Personnel Security
(1) During the analysis a determination will be made that all personnel who have an operational requirement to access the computer center and/or remote terminals have been cleared to the highest level of classified information stored or processed by the system. All other personnel must be properly escorted.
(2) Procedures will be insured for unescorted access to the computer center area. This access should be limited to personnel with a predetermined need and holding clearances commensurate with the highest category of classified information processed or stored by the system. Access to a remote terminal should be limited to personnel who are cleared and have access approvals for information designated for output at that terminal.
b. Physical Security
(1) A determination will be made that the computer facility and remote terminals meet applicable physical security standards prescribed for safeguarding classified information stored or processed by the system.
(2) Physical security requirements for the computer center area should be based upon the over-all requirements of the entire system; however, remote terminal area requirements may be based upon the highest level of information designated for input/output at each terminal.
(3) Provisions may be made for downgrading area controls to the level of protection required for the information actually being processed, provided that measures are taken to maintain a level of security commensurate with the highest category of classified information resident in the system.
c. Communications Links - The communications links between all components of a system shall be secured in a manner appropriate for the transmission of the highest classified data designated to be carried by the link.
d. Emanations Security - Control measures and tests will be applied to equipment and systems to the extent necessary to prevent the compromise of classified or controlled information by the unauthorized interception of spurious emissions from equipment used to process the information. Individual organizations will retain the responsibility for applying control measures for those systems within their purview in accordance with the National Policy on Compromising Emanations.
e. Procedures and Administrative Safeguards
(1) Procedures and administrative processes and channels must be established to maintain access controls and to insure that system security measures are performing adequately.
(2) Procedures prescribed for system users at remote terminals must provide adequate protection for all levels and categories of classified information handled by each terminal.
(3) Computer facility access procedures must be established to provide maximum control over access to the area.
B. Security Testing - This process will include the inspection and testing of the hardware, software, physical and procedural security features of the resource-sharing system under study. The testing will determine the degree to which the system conforms to the requirements of appropriate regulations and policies. The extent and duration of the inspection and testing, and the development of standards and other criteria to be met, will depend heavily on the manner in which the hardware and software are constructed and the class of the system being studied. The process measures the extent to which security safeguards guard against projected security vulnerabilities.
1. Hardware Controls
a. Memory Protect Device - This device should be exercised over a period of time, utilizing all available or representative programs, to insure the positive operability of the device.
b. Separation of data by device (or within device) - A check should be made to determine the extent of this technique and the security protection afforded data from these devices while they are core resident. This technique will depend upon other protection features once data has left the resident peripherals or devices.
c. Protection State Variables - The actual ability of the processor to access locations in primary memory will be tested to insure that all original and modified capabilities are known, understood and controlled.
2. Software Controls
a. Security labels - The use of security labels will be closely related to external labeling, internal file or record labeling and user identification/authorization. Access to the data contents will be controlled through the label identification. Furthermore, each user will possess access to resident files based upon his identification/authorization label access authority, which will be contained in the access libraries and/or executive system.
b. User Identification/Authentication - The user activity must insure that only individuals with proper clearance and access authorization are permitted to utilize remote terminals at their activity. Additionally, software checks should be introduced and used to insure user authentication for the access of specified files or data which is available through the system. Numerous methodologies of user identification/authentication have been and are being devised. Regardless of the specific method chosen, the recommended approach to system resources from a security authority standpoint is a software lockout in which a number of program checks are made against the following input parameters:
(1) User name.
(2) User classification and security release codes.
(3) Console identification.
(4) Console classification.
(5) Overlay identification.
(6) Program classification and security release codes.
(7) Record classification and security release codes.
Software control of the release of data by security classification and control codes promises to provide greater efficiency in system usage with security control and provides a better foundation for control on interchanges of data with other systems where direct interface becomes a reality. The security test of this feature will determine the capabilities and functional operability.
c. System Supervisor - A check should be made to insure that rigid access control is exercised over the Supervisor. Only specified individuals should be permitted to change, modify, update or otherwise alter the Supervisor. A file-query system which merely provides the user at a remote terminal the capability to access files using a set of fully checked programs is probably the least dangerous mode of operation in a resource-sharing computer system.
d. Privileged Instructions - A check should be made to ascertain the extent of use of privileged instructions, if any exist. The check should also include user access to these instructions and maintenance responsibilities. A live test using the instructions should be accomplished against various software systems to verify the exact functions and results of the instructions from a security/data integrity standpoint.
e. Separation of User/Executive Modes of Operation - A test should be performed, after investigation of the system documentation, to insure that application/user programs are incapable of performing any alteration to the executive. It may be necessary to investigate all user programs to make this determination.
f. Residue Cleanout - A test should be performed to confirm the operability of the residue cleanout function. Upon execution of residue cleanout instructions, sample data should be printed/displayed to allow review to insure that the process has been successful. Measures should be implemented to insure that memory residue from terminated user programs is made inaccessible to unauthorized users.
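The residue cleanout test above, as an added simulation that is not part of the 1970 guidance: a supervisor hands the same storage block to two jobs in turn, and the second job's read shows whether the first job's sample data survives. The pool, job names and sample data are constructed for this illustration.

```python
# Added example, not from the 1970 guidance: a simulation of the residue
# cleanout test in III.B.2.f. Two user jobs are allocated the same storage
# block in turn; the test shows what the second job can read when the
# supervisor does and does not perform cleanout on release and allocation.
# The pool, job names and sample data are constructed for this illustration.

SAMPLE = b"SECRET PAYROLL 1970"   # constructed sample data written by job A


class StoragePool:
    """Fixed set of storage blocks handed to user jobs by the supervisor."""

    def __init__(self, blocks, block_size, cleanout):
        self.size = block_size
        self.cleanout = cleanout   # True: clear on release and before allocation
        self.store = bytearray(blocks * block_size)
        self.free = list(range(blocks))
        self.owner = {}            # block index -> job that currently holds it

    def _check(self, job, block):
        if self.owner.get(block) != job:
            raise PermissionError(f"{job} does not hold block {block}")

    def _clear(self, block):
        self.store[block * self.size:(block + 1) * self.size] = bytes(self.size)

    def allocate(self, job):
        block = self.free.pop(0)
        if self.cleanout:          # condition (7): before allocation
            self._clear(block)
        self.owner[block] = job
        return block

    def release(self, job, block):
        self._check(job, block)
        if self.cleanout:          # condition (5): on release to the supervisor
            self._clear(block)
        del self.owner[block]
        self.free.append(block)

    def write(self, job, block, data):
        self._check(job, block)
        data = data[:self.size]    # never past the assigned block boundary
        self.store[block * self.size:block * self.size + len(data)] = data

    def read(self, job, block):
        self._check(job, block)
        return bytes(self.store[block * self.size:(block + 1) * self.size])


def residue_test(cleanout):
    """Job A writes SAMPLE and releases its block; job B is then allocated
    the same block. Returns the bytes job B sees."""
    pool = StoragePool(blocks=1, block_size=32, cleanout=cleanout)
    block = pool.allocate("JOB-A")
    pool.write("JOB-A", block, SAMPLE)
    pool.release("JOB-A", block)
    return pool.read("JOB-B", pool.allocate("JOB-B"))


def residue_leaks(cleanout):
    """True when job B can recover job A's data from the reused block."""
    return SAMPLE in residue_test(cleanout)
```

Printing `residue_test(False)` and `residue_test(True)` side by side is the "sample data printed/displayed for review" step the text asks for.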
g. Audit Trail - During the testing of the audit trail software feature, special care must be used to confirm that all access and security authorization violations are detected and recorded. For this reason, special "spy" programs or intentional violator programs should be exercised against the system to determine the effectiveness of the audit trail in detecting violators and giving the appropriate alarm. The other system accounting capabilities of the audit trail should be secondary to the security protection features.
C. Security Evaluation - Based upon the security analysis and test results, a thorough evaluation should be conducted with the final objective being system accreditation for a multi-level security, resource-sharing computer environment. The decision should be based upon a demonstrated capability of the entire system; its hardware, software, procedures, physical plant and personnel; that adequate protection can and will be provided the information scheduled to be processed by the system.