SECURITY RESPONSIBILITIES IN INTERAGENCY COMPUTER TERMINAL LINKS

Declassified and Approved For Release 2012/01/24: CIA-RDP89BO1354R000100090007-5 JSA ~ NATIONAL SECURITY AGENCY FORT GEORGE G. MEADE, MARYLAND 20755 Serial: M503/'%0307 19 March 197 _ MEMORANDUM FOR THE CHAIRMAN, COMPUTER SECURITY SUBCOMMITTEE SECURITY COMMITTEE, USIB SUBJECT: Security Responsibilities in Interagency Computer Terminal Links (U) 1. As requested, the proposed USIB policy statement concerning subject was coordinated among interested NSA elements. The responses received indicate that the proposed policy statement is not required because: a. The responsibilities identified are implicit in the recently issued DCID 1/16; b. The policy is not pertinent to networks of computers; c. Security responsibilities must be included when establishing the parameters of operational, technical and managerial responsibility inherent in the relationship between one Agency and another when a remote terminal in one is connected to a computer system in another; and d. For several years, all arrangements entered into by participating Agencies have included as a major consideration, those essential elements of security control necessary to the proper functioning of such a terminal-computer configuration. 2. During the meeting of the Subcommittee on 12 March 1971, the above views were presented. Discussions which followed prompted agreement that the proposed statement should be rewritten to exclude the application of the policy to network operations (e.g., COINS) and that consideration could be given to a restatement of the responsibilities in broader, less directive terms. Additional coordination within NSA has established the view that such a restatement of responsibilities should not be a matter of USIB policy but one in which appropriate emphasis is placed on security and other responsibilities inherent in any relationship which calls for the placement of a remote terminal in an Agency for the purpose of accessing information from a Central Processing Unit in another. An alternative statement is offered below: Declassified and Approved For Release 2012/01/24: CIA-RDP89BO1354R000100090007-5  Declassified and Approved For Release 2012/01/24: CIA-RDP89B01354R000100090007-5 kevf .. ~ ?? ~Y Y ~ 4 a ` k4C~ wTIA r RESPONSIBILITIES IN INTERAGENCY COMPUTER TERMINAL RELATIONSHIPS "An increasing number of remote terminal installations in the community has been identified where a computer terminal device is located in one Agency, and with the approval of Agency officials concerned, is provided access to information housed in a Central Processing Unit of another. In such relationships, emphasis should be placed on establishing the individual responsi- bilities of the participating Agencies for the technical, operational, managerial and security aspects of the activity. It is important that the purposes for the configuration be defined and that clearly established avenues of communication exist between the participants to resolve any issue of operational or security import. Normally, networks of computers within the community function under an overall plan incorporating all these issues and are subject to multilateral agreements." 3. The consideration of the Subcommittee is requested in changing the existing policy statement to one which reflects sub- stantially the views expressed above. In this regard, it is requested that: a. The existing policy statement not be approved for the reasons cited in paragraph one above. b. The suggested statement of responsibilities in paragraph two above be considered for adoption in lieu of the existing policy statement. c. Any changes, additions or deletions made by the Subcommittee in the suggested statement should be made available for further review and comment/concurrence by this Agency. R. G. KA NSA Represent ve Computer Security Subcommittee, Security Committee, USIB CON T AL Declassified and Approved For Release 2012/01/24: CIA-RDP89B01354R000100090007-5