GUIDELINES FOR THE SECURITY ANALYSIS, TESTING, AND EVALUATION OF RESOURCE-SHARING COMPUTER SYSTEMS
Document Number (FOIA) /ESDN (CREST): CIA-RDP89B01354R000200320015-9
Release Decision: RIPPUB
Original Classification: C
Document Page Count: 25
Document Creation Date: December 27, 2016
Document Release Date: April 15, 2013
Sequence Number: 15
Content Type: MISC
Declassified in Part - Sanitized Copy Approved for Release 2013/04/15: CIA-RDP89B01354R000200320015-9
Computer Security Subcommittee
of the
United States Intelligence Board
Security Committee

Guidance for the Security Analysis, Test and Evaluation of Resource-Sharing Computer Systems
I. PURPOSE:

To prescribe the basic guidance for the security analysis, test and evaluation of resource-sharing computer systems wherein the security, authority and integrity of the data stored and/or processed must be ensured. To specify the conditions, features, procedures and relative conditions which must be analyzed, tested and evaluated prior to the system receiving accreditation within the resource-sharing computer environment.1/

The guidance contained herein is applicable to all community intelligence functions using resource-sharing computer systems support for which special handling controls have been established.

1/ DCID No. 1/16 (New Series) assigns the responsibility for the security analysis, test and evaluation as well as for the accreditation of such systems to individual USIB members.
III. REQUIREMENTS:

A. This guidance is required to sufficiently analyze, test, and evaluate resource-sharing computer systems to ensure the security, authority, and integrity of information stored or processed in such systems is maintained by the system users.2/ Since all users in an expanded system environment may not work within one vaulted area or within a single-level security environment, and may not possess the same security clearance, the techniques to be used must be beyond those used in current intelligence data handling systems.

B. Techniques for interfacing with other intelligence data handling systems are also required so that present and future resource-sharing computer systems can be fully utilized in an operational environment.

C. Techniques are required to handle the following conditions:

1. Simultaneous multi-level query using on-line
2. Control of content integrity of the data base.
3. Maintenance of working data within the data base.
4. Selection and extraction of data elements from the data base to produce reports and products at various levels of security classification.
5. Control of on-line updating authority of data elements within the data base.
6. Others?

2/ Users are described as anyone connected with the resource-sharing computer system whether he be an operator, data base monitor, systems manager, systems analyst, librarian, job scheduler, Information System Security Officer, or functional
IV. OBJECTIVES:

The objectives of these guidelines are to provide technical approaches to fulfill multi-level security, authority, and integrity operation requirements based upon the following:

A. Hardware, software, and procedural techniques for controlling access to inputs and outputs.

B. Implementation factors in the application of such techniques.

C. System developments and tests being conducted or considered by various community agencies with comparable systems.
V. PROBLEM DEFINITION:

The problem of data protection in resource-sharing computer systems involves data security, authority, and integrity considerations. These three aspects of data protection overlap to some extent, and a deficiency in any of them may affect the others. These aspects are defined as follows:

A. Data security concerns prevention of disclosure of data to personnel or terminals at levels higher than authorized. Disclosure can occur through either accident or deliberate penetration.

B. Data authority is concerned with the authority for making changes to the system, primarily the data base; however, including any portion of the software or hardware systems which could affect data content.

C. Data integrity is concerned with the validity, accuracy, and completeness of data in the system, the isolation of errors, and the problems of system degradation and recovery.
VI. DEFINITIONS:

A. Security Analysis - This process will encompass the accumulation of all conceptual approaches for providing security protection of information handled (or to be handled) within a resource-sharing computer system and applying these approaches as they pertain to the physical, software, hardware and procedural conditions of the system. The proof of security protection.

B. Security Test - The inspection and testing of the hardware, software, physical and procedural security features of the resource-sharing system under study. To be conducted by expert technical personnel to determine the degree to which the system conforms to the requirements of appropriate regulations and policies. The extent and duration of the inspection and testing, and the development of standards and other criteria to be met, will depend heavily on the manner in which the hardware and software is constructed and the class of system being evaluated. The evidence of security protection.

C. Security Evaluation - The determination that the system performance does, or does not, meet the criteria established for the resource-sharing environment as established herein. This process includes the study and interpretation of the results of both the analysis and test phases, and will ultimately provide the basis for the recommendations for system certification.
VII. SPECIFIC PROCEDURES:

A. At an early phase in planning for a new automatic data processing (ADP) facility, or in planning for replacement or modification of an existing computer facility, the organization commander should consider methods for making most effective use of his ADP resources. In so doing, the various possible approaches to sharing ADP resources should be analyzed and each should be examined in light of the following factors:

1. Effectiveness of support to the Commander.
2. Existing national security regulations.
3. Existing "state-of-the-art" in computer and communications technology.
4. Comparative costs, including hardware, software, site preparation, personnel, management, security clearances, power, and air conditioning.

B. The degree to which ADP resources will be shared should be decided on a case-by-case basis. While both cost effectiveness and management implications will be considered, the controlling factors should be operational considerations and responsiveness consistent with security requirements.

C. Once the organization commander has determined that the subject computer system is required to operate in a resource-sharing environment, he will request system security analysis, test, evaluation and certification from his responsible USIB member. Upon receipt of such request, the USIB member will appoint a (or activate his appointed) team of technical experts who will perform the certification review. This team will be composed of competent individuals trained and experienced in both security and computer technical applications, policies and procedures.

1. The certification team will have earlier specified the exact test procedures and evaluation criteria for the type system. Additionally, the team will provide technical assistance to individual security officers who are charged to manage/approve/control changes in hardware/software to a system previously certified.

2. The team will specify (exercise or test) computer programs which overtly attempt to penetrate the system so that necessary statistical data can be collected.

3. Guidance will be provided by the responsible USIB member on procedures and other matters that may assist in arriving at a decision when approval to operate the computer in a resource-sharing environment is requested.
D. All accredited resource-sharing computer systems shall be analyzed, tested and evaluated for the possession of the following security capabilities, as an absolute minimum:

1. Information System Security Officer (ISSO): The commander shall appoint a security officer for the computer system who will be specifically responsible for ensuring continued application of the requirements set forth in DCID 1/16 (New Series), for reporting security deficiencies in system operation, and for controlling any changes in system operation as they may affect the security status of the total system. In order to perform some of the tasks associated with his position, the ISSO shall have the technical expertise of a highly skilled systems programmer. In those cases when it is impracticable to assign a highly skilled systems programmer as ISSO, an individual possessing these capabilities will be made available/responsible to the ISSO for technical advice and consent.

a. Responsibilities of the ISSO should include:

(1) Recommend system certification to the certifying authority (team).
(2) System inspection.
(3) Continuous system testing and attempted penetration.
(4) Review of all modifications to system hardware and software.
(5) Supervision of installation of changes or repair of system hardware and software.
(6) Control of authentication list.
(7) Supervision of implementation of revised authentication lists.
(8) Preparation of documentation on procedures related to the security of the system, including system messages to users.
(9) Preparation, coordination, approval and/or implementation, during system test, of the following:
(a) ISSO Guide.
(b) Initial test procedures.
(c) Security classification guide.
(d) Security control procedures.
(e) Test period operating techniques.
(f) Scheduling procedures.
(g) Installation guides.
(h) Revised Red/Black criteria for Main Computer and remote devices.
(i) Physical disconnect procedures.
(j) Approved sanitizing procedures.
(k) Statistics logging and correlation procedures.
(l) Test period programming guide.
(m) Core compartmentation procedures.
(n) Input/output processes.
(o) Operator interrupts and supervisor overrides procedures.
2. Personnel Security and System Access Control Measures: Access to the computer center shall be determined by the access approval level and need to know of the requesting individual. Access approval will be commensurate with the requirements as set forth in DCID 1/16 (New Series). This approval also applies to access authority to and use of remote terminals connected to the resource-sharing computer system. Administrative and procedural safeguards should be applied to provide data integrity to information and data handled by the operations center, the systems staff, and remote access users.

a. Communications links joining remote terminals and the central facility must be secured by approved methods.
b. The central computer spaces must be secure. Persons entering the area must have proper authorization and reason for being there.
c. All data delivered to and released from the central facility should be carefully logged in and signed for. Only authorized persons should be allowed to conduct these transactions.
d. Only authorized operator and systems and maintenance personnel should be allowed to operate equipment in the central computing area. These operators and programmers should be cleared for all categories of information processed by the system.
e. Only authorized personnel should be allowed access to magnetic tape, source deck libraries, data management systems, executives, operating systems and applications programs.
f. The user activity and ISSO must insure that only individuals with proper clearance and access authorization are permitted to utilize remote terminals located at their activity.
g. Hardware maintenance engineers and technicians should be granted access to all categories of information processed by the system.
3. Physical Security Protection: Physical security protection requirements shall be satisfied according to direction contained in DCID 1/16 (New Series). In all cases, access to or use of remote terminals will be determined by the security protection requirements of the information designated for input/output at that terminal. Likewise, the central facility will possess certification for the handling of the highest classification of information designated for processing by the system. Physical security protection requirements which must be analyzed, tested and evaluated for adequacy are:

a. Personnel access control.
b. Physical disconnect procedures.
c. Emergency destruction procedures.
d. Shielding requirements, as pertains to physical security through emanations protection.
e. Security guard procedures.
f. Physical data distribution control procedures.
4. Communications Links: Communications links between all components of the system shall be secured in a manner appropriate for the transmission of the highest classified data designated to be handled by the link. The spectrum of the types of communications links can be from:

a. Store and forward switching networks using encryption devices to;
b. Direct dialing between systems with encrypted transmissions to;
c. Off-line teletype connections to;
d. Direct connection using encrypted transmission and distributed network message processing systems to;
e. Use of human interfaces at either end of an encrypted transmission to;
f. Use of special communications network for transmitting digital or analog data in a highly formatted or textual form to;
g. Use of direct data links between components of a system within a secure environment to;
h. Use of direct data links between components of a system within a multi-level security environment.

All communication cables, conduits, wire-line distribution, connectors, terminals, cryptography, encryption/decryption equipment and procedures will be analyzed, tested and evaluated according to current governing directives.
5. Emanations Security Aspects: Control measures and tests will be applied to equipment and systems to the extent necessary to prevent the compromise of classified or controlled information by the unauthorized interception of spurious emissions from equipment used to process the information. Individual USIB members will retain responsibility for applying control measures for those systems within their assigned area. Only measures essential to the prevention of compromise shall be applied. Electric phenomena cause all active electronic circuits to produce an electromagnetic field, immediately adjacent to the equipment and the surrounding space, which characterizes the electric current flowing in the circuit(s). In digital equipment, the signals emitted (radiated or conducted) may be considered as a series of impulses. Each impulse in the series may represent a "bit," or, if all bits in a character are generated simultaneously, a single character. A series of these impulses is often referred to as data related or intelligence bearing signals, since they bear a relationship to the characters in process. However, these terms may be misleading because the signals emitted may be related to machine functions common to all programs in the processing cycle and not to raw or processed data with an intelligence value.

The multitude of signals that emanate from several components simultaneously may be especially difficult to detect, record and analyze. Therefore, equipment monitors must review the entire machine room, or remote-terminal area, as a highly complex source of emanations. Under these circumstances, the usefulness of any recorded emanations depends on the degree to which the measuring and recording system can identify each of the many different sources of emanations originated from within the system.

The term "Compromising Emanations" implies that the theoretical presence of a signal alone does not suffice to classify the signal as compromising. The signal must be amenable to being: first, recorded on a suitable medium; and second, analyzed. The equipment and techniques necessary to these actions are numerous and limitations are serious due to:

a. The ADPE speed and complexity.
b. The coding methods used in the machine system.
c. The state-of-the-art limitations of broadband recording and other necessary equipment.
d. The broad frequency range over which signals occur.
e. The possible requirement for long-term, on-station monitoring without risk of detection.

Additionally, environmental noise effects will cause the signal-to-noise ratio to decrease more rapidly than the measured signal amplitude, and thus reduce the emitted signal's susceptibility to reliable analysis.

Many factors must be evaluated simultaneously when determining whether TEMPEST control procedures should be applied to an ADP system, since no single factor will suffice to establish the installation's vulnerability or to identify the control procedures to be used. Factors known to affect vulnerability have been carefully evaluated to the extent that theoretical and limited test results allow.
Next 2 Page(s) In Document Denied
Primary controls to consider are:

(1) Security Labels: Security classification and other required control labels shall be identified with the information and programs in the system to insure appropriate labeling of output/input and access authority. The use of these labels will be closely related to external labeling, internal file or record labeling and user identification/authorization. Tapes, card decks, listings and displays shall contain proper security identification to alert the user to the security protection required for the handling of the information. Files (and/or records, when individual records or portions can be individually accessed) will contain in the identification and control labels the appropriate security level of information contained within. Access to the file (or record) contents will be controlled through this label identification. Furthermore, each user will possess access to resident files based upon his identification/authorization label access authority, which will be contained in the access libraries and/or executive system.
(2) User Identification/Authentication: User identification/authentication for access to resource-sharing computer systems will primarily apply to remote users; however, all persons accessing any part of the systems will be required to identify themselves in some manner. The user activity must insure that only individuals with proper clearance and access authorization are permitted to utilize remote terminals located at their activity. Additionally, certain system checks must be exercised to insure user authentication for the access of specified files or data which is available through the system. This identification is another level in the pyramidical check to insure that data security, authority and integrity are achieved and maintained. The mechanism through which this will be obtained shall consist of software and/or hardware devices, manual control procedures at terminal sites, and other appropriate measures designed to validate the identity and access authority of system users. Identification/authentication is the means by which a computer system assures that the individual at a terminal is the person he represents himself to be. User authentication is usually provided on existing systems through a password. This technique can provide adequate protection for privacy purposes provided that:

(a) The passwords are given protection comparable to that required for the most sensitive information available.
(b) They are changed periodically to minimize the possibility of compromise (comparable to changing safe combinations).
(c) They are not user-generated (to prevent penetration by educated guessing).
More elaborate schemes such as one-time passwords or challenge-dependent passwords may not be necessary to achieve the objectives of privacy. However, installations handling very sensitive material should require these additional safeguards.
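The three password conditions above, worked as an added Python example that is not part of the original document: the authentication library issues every password itself (none is user-chosen), keeps only a salted hash, and refuses a password whose issue date is older than a rotation interval. The class and function names, the 30-day interval and the dates are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed policy values; the document gives no figures for these.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 12
MAX_AGE = timedelta(days=30)      # rotation interval (condition b)
PBKDF2_ROUNDS = 100_000


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    issued: date


def _digest(password: str, salt: bytes) -> bytes:
    # Condition (a): only this salted, slow hash is kept, so the stored
    # record does not itself disclose the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthenticationLibrary:
    """Password records keyed by user name (hypothetical class).

    Condition (c): there is deliberately no method that accepts a
    caller-chosen password; the library generates every password itself.
    """

    def __init__(self, today: Optional[date] = None) -> None:
        self._records: Dict[str, PasswordRecord] = {}
        self.today = today or date.today()   # injectable clock for testing

    def issue(self, user: str) -> str:
        """Generate a password for `user`, keep only its salted hash, and
        return the clear text once so it can be delivered to the user."""
        password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LENGTH))
        salt = secrets.token_bytes(16)
        self._records[user] = PasswordRecord(salt, _digest(password, salt), self.today)
        return password

    def authenticate(self, user: str, password: str) -> str:
        """Return "ok", "expired" (rotation overdue) or "denied"."""
        rec = self._records.get(user)
        # Hash even for an unknown user so the response time does not reveal
        # which user names exist.
        salt = rec.salt if rec else bytes(16)
        computed = _digest(password, salt)
        if rec is None or not hmac.compare_digest(computed, rec.digest):
            return "denied"
        if self.today - rec.issued > MAX_AGE:
            return "expired"
        return "ok"

    def needing_rotation(self) -> List[str]:
        """Users whose password is past MAX_AGE, for the ISSO's review."""
        return sorted(u for u, r in self._records.items() if self.today - r.issued > MAX_AGE)


def demo() -> List[str]:
    """Walk one user through issue, a wrong password, an unknown user and expiry."""
    lib = AuthenticationLibrary(today=date(1975, 3, 1))   # constructed dates
    pw = lib.issue("analyst1")
    results = [
        lib.authenticate("analyst1", pw),          # "ok"
        lib.authenticate("analyst1", pw + "x"),    # "denied"
        lib.authenticate("nobody", pw),            # "denied"
    ]
    lib.today = date(1975, 4, 15)                  # 45 days on: past MAX_AGE
    results.append(lib.authenticate("analyst1", pw))   # "expired"
    results.extend(lib.needing_rotation())         # ["analyst1"]
    return results


if __name__ == "__main__":
    print(demo())
```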
Numerous methodologies of user identification and authentication have been and are being devised. Regardless of the specific method chosen, the recommended approach to system resources from a security authority standpoint is a software lockout in which a number of program checks are made against the following input parameters:

- User name.
- User classification and security release codes.
- Console identification.
- Console classification.
- Overlay identification.
- Program classification and security release codes.
- Record classification and security release codes.

Software control of the release of data by security classification and control codes promises to provide greater efficiency in system usage with security control and provides a better foundation for control on interchanges of data with other systems when direct interface becomes a reality.
(3) Memory Protection: Hardware and software control shall be exercised by the system over the addresses to which a user program has access. Within the software controls the most critical portion is the Supervisor (also called the Executive or the Monitor). The Supervisor acts as the overall guard of the system. It is that portion of the software which internally manages job flow through the computer, allocates system resources to jobs, and controls information flowing to and from files and terminals. The malfunction or deliberate alteration of the Supervisor could couple information from one program to another; change the security classification of users, files or programs; or, at a minimum, destroy information in the system.

One of the highest security risks in the operation of resource-sharing computer systems occurs where users at remote terminals are permitted extensive programming capability in many languages and with any compiler. In such cases, extreme care must be exercised to insure that the user will not alter the Supervisor, thereby changing all the rules of the system operation. A file-query system which merely provides the user at a remote terminal the capability to access files using a set of fully checked programs is probably the least dangerous mode of operation in a resource-sharing computer system.
Coupled with the Supervisor and the hardware memory bounds below, the architecture of the computer must provide for privileged instructions. The set of privileged instructions must contain all input/output commands and also every command which could change a memory boundary or protection barrier. Moreover, the design of the computer must be such as to insure that only the Supervisor program can operate the privileged instructions. It is absolutely essential that the Supervisor program not be bypassed.
The principal hardware techniques employed for segregating programs and data bases are various forms of memory bounds protection devices. These must be sufficient so that any attempt to read or write outside the area of memory assigned to a given user will be detected and prevented. It should be stressed, however, that memory bounds protection can fail. Therefore, it may be necessary to require a special program which will attempt to deliberately and frequently violate the memory bounds to verify that the protection device is, in fact, working. This is particularly important after a cold start, initial program load, or maintenance.
(4) Separation of User/Executive Modes of Operation: The user and executive modes of system operation shall be separated so that a program operating in user mode is prevented from performing unauthorized executive functions. This reasoning follows the explanation in Memory Protection above. While the two modes must remain separate, both must recognize and be capable of handling the following:

- Types of I/O.
- I/O media characteristics.
- Processing interfaces between system resources.
- System resources involved.
- Data protection requirements.
- System status (on-line versus off-line).
- Ingredients of data protection/control (hardware, software, and procedures).
(5) Residue Clean-out: Another step toward security, authority, and integrity protection within resource-sharing computer systems is residue clean-out. Instructions for performing this function should be standard within the system for all user programs to execute residue clean-out under the following conditions:

- Upon job completion.
- Upon program error (without recovery).
- Upon notification by the Supervisor that an [illegible] has been attempted.
- Upon site environment failure.
- Upon release of the allocated storage area to the Supervisor.

Upon execution of residue clean-out instructions, sample data will be printed/displayed to allow review by operator/user personnel to insure that the process has been successful. Measures shall then be implemented to insure that memory residue from terminated user programs is made inaccessible to unauthorized users.
(6) Access Control: It may be found, in a resource-sharing facility, that the number of personnel requiring special access will increase. This may be especially true in the early stages of a facility's operation before it is certified for full multi-level security operations. Unfortunately, present technology offers no way to protect the operating system and the information contained in the system from subversion from the central operations staff; i.e., operators, systems programmers, technicians, etc. Therefore, administrative and procedural safeguards must be applied to protect classified information and data handled by the operations center and its attached remote terminals.

(a) The central computer spaces must be secure.
(b) The remote terminal areas shall be secured to the level of information to be processed by that station.
(c) Access shall be limited to persons possessing the authorization and requirement for entrance.
(d) Only authorized operator and systems and maintenance personnel should be allowed to operate equipment in the central computer area. These operators and programmers must be cleared for all categories of information processed by the system.
(e) Only authorized personnel should be allowed access to magnetic tape and source deck libraries.
(f) The user activity must insure that only individuals with proper clearance and access authorization are permitted to enter the area and/or to utilize remote terminals located at this activity.
(g) Hardware maintenance engineers and technicians should be granted access to all categories of information processed by the system.
(h) The access control measures must be established, monitored and changed by the Information System Security Officer (ISSO), even though access control responsibility will rest with each individual within the resource-sharing facility. The control of access to the areas of the facility can take several forms, e.g. access roster, clearance badge, video monitor, security guard, etc. Whatever control method is used, it must insure absolute control of access to the resource-sharing system.
(7) Audit Trail: The resource-sharing computer system shall produce in a secure manner an audit trail containing sufficient information to permit a regular security review of system activity. System usage recording functions can be used to detect improper use or maintenance of the data base. These functions are specifically directed toward protection of data security and assured integrity. They will allow for:

- Detection of data base/system misuse.
- Documentation of data base/system misuse.
- Audit of task performance.

The Audit Trail functions will be performed by the system Supervisor in connection with a special System Log and Access Authentication Library. As the Supervisor allocates portions of the system to users and terminals, it will have first verified the authority of the requestor to access the particular portion. The improper or unauthorized requests will be logged and, dependent upon the seriousness of the infraction, the system can take several actions. These actions range from job termination with accompanying audio and visual security alarms to a daily denial report for the ISSO. The system must maintain detailed data on all user actions. From this data, the actions of all users can be traced and weak areas isolated and corrected. The Audit Trail will receive data from the security verification programs which will be used to provide continuous checks on the system operation.
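The software lockout checks listed under (2) and the audit trail of (7), worked as one added Python example that is not part of the document: a Supervisor compares the user, console, program and record labels (classification level plus release codes) before granting a request, writes every decision to a System Log, escalates repeated denials to job termination with alarm, and produces the daily denial report for the ISSO. The level names, release codes, threshold and sample requests are constructed; treating a program's own classification as a ceiling on the records it may handle is this example's reading, not a rule the document states.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Ordered classification levels; constructed, the document names none.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security classification plus security release (compartment) codes."""
    level: str
    release: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A subject may handle an object only if its level is at least the
        # object's and it holds every release code the object carries.
        return LEVELS[self.level] >= LEVELS[other.level] and other.release <= self.release


@dataclass(frozen=True)
class Request:
    """The input parameters the document lists for the lockout check."""
    user: str
    user_label: Label
    console: str
    console_label: Label
    program: str
    program_label: Label
    record: str
    record_label: Label


@dataclass(frozen=True)
class LogEntry:
    user: str
    console: str
    program: str
    record: str
    result: str           # "granted" or the name of the failed check


class Supervisor:
    """Verifies authority before allocating a resource and logs every decision."""
    TERMINATE_AFTER = 3   # denials by one user before job termination (constructed)

    def __init__(self) -> None:
        self.system_log: List[LogEntry] = []

    def check(self, r: Request) -> str:
        """Return "granted", "denied", or "terminate-with-alarm"."""
        result = self._evaluate(r)
        self.system_log.append(LogEntry(r.user, r.console, r.program, r.record, result))
        if result == "granted":
            return "granted"
        if self.denial_report().get(r.user, 0) >= self.TERMINATE_AFTER:
            return "terminate-with-alarm"    # the severe end of the document's range
        return "denied"

    @staticmethod
    def _evaluate(r: Request) -> str:
        # Each check names the parameter pair that failed, so the log shows why.
        if not r.user_label.dominates(r.program_label):
            return "user-not-cleared-for-program"
        if not r.user_label.dominates(r.record_label):
            return "user-not-cleared-for-record"
        if not r.console_label.dominates(r.record_label):
            return "console-not-cleared-for-record"   # output would reach an under-cleared terminal
        if not r.program_label.dominates(r.record_label):
            return "program-not-cleared-for-record"   # example's reading of program classification
        return "granted"

    def denial_report(self) -> Dict[str, int]:
        """Denials per user: the daily report for the ISSO."""
        report: Dict[str, int] = {}
        for e in self.system_log:
            if e.result != "granted":
                report[e.user] = report.get(e.user, 0) + 1
        return report


def sample_session() -> Tuple[List[str], Dict[str, int]]:
    """Constructed requests from one SECRET-cleared user at two consoles."""
    ts_si = Label("TOP SECRET", frozenset({"SI"}))
    secret, conf = Label("SECRET"), Label("CONFIDENTIAL")
    sup = Supervisor()
    decisions = [
        sup.check(Request("smith", secret, "con-07", secret, "QUERY", conf, "rec-1", conf)),
        sup.check(Request("smith", secret, "con-07", secret, "QUERY", conf, "rec-2", ts_si)),
        sup.check(Request("smith", secret, "con-03", conf, "QUERY", conf, "rec-3", secret)),
        sup.check(Request("smith", secret, "con-07", secret, "QUERY", conf, "rec-4", secret)),
    ]
    return decisions, sup.denial_report()


if __name__ == "__main__":
    for line in sample_session():
        print(line)
```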
7. CONCLUSION. In the final analysis, the security of a resource-sharing computer system must come from an interlocking of personnel security, software techniques, communications security, and administrative procedures. Exclusive dependence on one area (for example, software) must be avoided. Sufficient experience with the day-to-day use of resource-sharing computer systems, and enough in-depth analysis, is available to provide some confidence that the major problems with reference to security are known. If used properly and intelligently, and subjected to stringent and frequent testing, resource-sharing computer systems employing today's hardware can provide acceptable protection of classified information, even multi-levels of classified information. In fact, they can probably provide greater protection than many manual methods of handling classified information. The knowledge, expertise and imagination of assigned resource-sharing computer systems managers, programmers, operators, analysts, and users will be tested and retested as systems grow in capabilities and complexity. Greater reliance on the systems and their capabilities will be required to fully exploit these capabilities and improve the security, authority and integrity of information processed by the systems.