GUIDELINES FOR THE SECURITY ANALYSIS, TESTING, AND EVALUATION OF RESOURCE-SHARING COMPUTER SYSTEMS

Document Number (FOIA)/ESDN (CREST): CIA-RDP89B01354R000200320015-9
Release Decision: RIPPUB
Original Classification: C
Document Page Count: 25
Document Creation Date: December 27, 2016
Document Release Date: April 15, 2013
Sequence Number: 15
Content Type: MISC
Declassified in Part - Sanitized Copy Approved for Release 2013/04/15: CIA-RDP89B01354R000200320015-9

Computer Security Subcommittee of the United States Intelligence Board Security Committee

Guidance for the Security Analysis, Test and Evaluation of Resource-Sharing Computer Systems

I. PURPOSE: To prescribe the basic guidance for the security analysis, test and evaluation of resource-sharing computer systems wherein the security, authority and integrity of the data stored and/or processed must be ensured. To specify the conditions, features, procedures and relative conditions which must be analyzed, tested and evaluated prior to the system receiving accreditation within the resource-sharing computer environment. 1/

The guidance contained herein is applicable to all community intelligence functions using resource-sharing computer systems support for which special handling controls have been established.

1/ DCID No. 1/16 (New Series) assigns the responsibility for the security analysis, test and evaluation, as well as for the accreditation of such systems, to individual USIB members.

III. REQUIREMENTS:

A. This guidance is required to sufficiently analyze, test, and evaluate resource-sharing computer systems to ensure that the security, authority, and integrity of information stored or processed in such systems is maintained by the system users. 2/ Since all users in an expanded system environment may not work within one vaulted area or within a single-level security environment, and may not possess the same security clearance, the techniques to be used must be beyond those used in current intelligence data handling systems.

B. Techniques for interfacing with other intelligence data handling systems are also required so that present and future resource-sharing computer systems can be fully utilized in an operational environment.

C. Techniques are required to handle the following conditions:
1. Simultaneous multi-level query using on-line [text cut off]
2. Control of content integrity of the data base.
3. Maintenance of working data within the data base.
4. Selection and extraction of data elements from the data base to produce reports and products at various levels of security classification.
5. Control of on-line updating authority of data elements within the data base.
6. Others?

2/ Users are described as anyone connected with the resource-sharing computer system, whether he be an operator, data base monitor, systems manager, systems analyst, librarian, job scheduler, Information System Security Officer, or functional f[text cut off]

IV. OBJECTIVES: The objectives of these guidelines are to provide technical approaches to fulfill multi-level security, authority, and integrity operation requirements based upon the following:
A. Hardware, software, and procedural techniques for controlling access to inputs and outputs.
B. Implementation factors in the application of such techniques.
C. System developments and tests being conducted or considered by various community agencies with comparable systems.

V. PROBLEM DEFINITION: The problem of data protection in resource-sharing computer systems involves data security, authority, and integrity considerations. These three aspects of data protection overlap to some extent, and a deficiency in any of them may affect the others.
These aspects are defined as follows:

A. Data security concerns prevention of disclosure of data to personnel or terminals at levels higher than authorized. Disclosure can occur through either accident or deliberate penetration.

B. Data authority is concerned with the authority for making changes to the system, primarily the data base, but also any portion of the software or hardware systems which could affect data content.

C. Data integrity is concerned with the validity, accuracy, and completeness of data in the system, the isolation of errors, and the problems of system degradation and recovery.

VI. DEFINITIONS:

A. Security Analysis - This process will encompass the accumulation of all conceptual approaches for providing security protection of information handled (or to be handled) within a resource-sharing computer system, and the application of these approaches as they pertain to the physical, software, hardware and procedural conditions of the system. The proof of security protection.

B. Security Test - The inspection and testing of the hardware, software, physical and procedural security features of the resource-sharing system under study, to be conducted by expert technical personnel to determine the degree to which the system conforms to the requirements of appropriate regulations and policies. The extent and duration of the inspection and testing, and the development of standards and other criteria to be met, will depend heavily on the manner in which the hardware and software is constructed and the class of system being evaluated. The evidence of security protection.

C. Security Evaluation - The determination that the system performance does, or does not, meet the criteria established for the resource-sharing environment as set out herein. This process includes the study and interpretation of the results of both the analysis and test phases, and will ultimately provide the basis for the recommendations for system certification.

VII. SPECIFIC PROCEDURES:

A. At an early phase in planning for a new automatic data processing (ADP) facility, or in planning for replacement or modification of an existing computer facility, the organization commander should consider methods for making the most effective use of his ADP resources. In so doing, the various possible approaches to sharing ADP resources should be analyzed and each should be examined in light of the following factors:
1. Effectiveness of support to the Commander.
2. Existing national security regulations.
3. Existing "state-of-the-art" in computer and communications technology.
4. Comparative costs, including hardware, software, site preparation, personnel, management, security clearances, power, and air conditioning.

B. The degree to which ADP resources will be shared should be decided on a case-by-case basis. While both cost effectiveness and management implications will be considered, the controlling factors should be operational considerations and responsiveness consistent with security requirements.

C. Once the organization commander has determined that the subject computer system is required to operate in a resource-sharing environment, he will request system security analysis, test, evaluation and certification from his responsible USIB member.
Upon receipt of such request, the USIB member will appoint a team of technical experts (or activate his appointed team) who will perform the certification review. This team will be composed of competent individuals trained and experienced in both security and computer technical applications, policies and procedures.
1. The certification team will have earlier specified the exact test procedures and evaluation criteria for the type of system. Additionally, the team will provide technical assistance to individual security officers who are charged to manage/approve/control changes in hardware/software to a system previously certified.
2. The team will specify (exercise or test) computer programs which overtly attempt to penetrate the system so that the necessary statistical data can be collected.
3. Guidance will be provided by the responsible USIB member on procedures and other matters that may assist in arriving at a decision when approval to operate the computer in a resource-sharing environment is requested.

D. All accredited resource-sharing computer systems shall be analyzed, tested and evaluated for the possession of the following security capabilities, as an absolute minimum:

1. Information System Security Officer (ISSO): The commander shall appoint a security officer for the computer system who will be specifically responsible for ensuring continued application of the requirements set forth in DCID 1/16 (New Series), for reporting security deficiencies in system operation, and for controlling any changes in system operation as they may affect the security status of the total system. In order to perform some of the tasks associated with his position, the ISSO shall have the technical expertise of a highly skilled systems programmer.
In those cases when it is impracticable to assign a highly skilled systems programmer as ISSO, an individual possessing these capabilities will be made available/responsible to the ISSO for technical advice and consent.
a. Responsibilities of the ISSO should include:
(1) Recommending system certification to the certifying authority (team).
(2) System inspection.
(3) Continuous system testing and attempted penetration.
(4) Review of all modifications to system hardware and software.
(5) Supervision of installation of changes or repair of system hardware and software.
(6) Control of the authentication list.
(7) Supervision of implementation of revised authentication lists.
(8) Preparation of documentation on procedures related to the security of the system, including system messages to users.
(9) Preparation, coordination, approval and/or implementation, during system test, of the following:
(a) ISSO Guide.
(b) Initial test procedures.
(c) Security classification guide.
(d) Security control procedures.
(e) Test period operating techniques.
(f) Scheduling procedures.
(g) Installation guides.
(h) Revised Red/Black criteria for Main Computer and remote devices.
(i) Physical disconnect procedures.
(j) Approved sanitizing procedures.
(k) Statistics logging and correlation procedures.
(l) Test period programming guide.
(m) Core compartmentation procedures.
(n) Input/output processes.
(o) Operator interrupts and supervisor overrides procedures.

2. Personnel Security and System Access Control Measures: Access to the computer center shall be determined by the access approval level and need to know of the requesting individual. Access approval will be commensurate with the requirements as set forth in DCID 1/16 (New Series). This approval also applies to access authority to and use of remote terminals connected to the resource-sharing computer system. Administrative and procedural safeguards should be applied to provide data integrity to information and data handled by the operations center, the systems staff, and remote access users.
a. Communications links joining remote terminals and the central facility must be secured by approved methods.
b. The central computer spaces must be secure. Persons entering the area must have proper authorization and reason for being there.
c. All data delivered to and released from the central facility should be carefully logged in and signed for. Only authorized persons should be allowed to conduct these transactions.
d. Only authorized operator, systems and maintenance personnel should be allowed to operate equipment in the central computing area. These operators and programmers should be cleared for all categories of information processed by the system.
e. Only authorized personnel should be allowed access to magnetic tape, source deck libraries, data management systems, executives, operating systems and applications programs.
f. The user activity and ISSO must insure that only individuals with proper clearance and access authorization are permitted to utilize remote terminals located at their activity.
g. Hardware maintenance engineers and technicians should be granted access to all categories of information processed by the system.

3. Physical Security Protection: Physical security protection requirements shall be satisfied according to direction contained in DCID 1/16 (New Series). In all cases, access to or use of remote terminals will be determined by the security protection requirements of the information designated for input/output at that terminal. Likewise, the central facility will possess certification for the handling of the highest classification of information designated for processing by the system. Physical security protection requirements which must be analyzed, tested and evaluated for adequacy are:
a. Personnel access control.
b. Physical disconnect procedures.
c. Emergency destruction procedures.
d. Shielding requirements, as pertains to physical security through emanations protection.
e. Security guard procedures.
f. Physical data distribution control procedures.

4. Communications Links: Communications links between all components of the system shall be secured in a manner appropriate for the transmission of the highest classified data designated to be handled by the link. The spectrum of the types of communications links can range from:
a. Store and forward switching networks using encryption devices to;
b. Direct dialing between systems with encrypted transmissions to;
c. Off-line teletype connections to;
d. Direct connection using encrypted transmission and distributed network message processing systems to;
e. Use of human interfaces at either end of an encrypted transmission to;
f. Use of special communications networks for transmitting digital or analog data in a highly formatted or textual form to;
g. Use of direct data links between components of a system within a secure environment to;
h. Use of direct data links between components of a system within a multi-level security environment.
All communication cables, conduits, wire-line distribution, connectors, terminals, cryptography, encryption/decryption equipment and procedures will be analyzed, tested and evaluated according to current governing directives.

5. Emanations Security Aspects: Control measures and tests will be applied to equipment and systems to the extent necessary to prevent the compromise of classified or controlled information by the unauthorized interception of spurious emissions from equipment used to process the information. Individual USIB members will retain responsibility for applying control measures for those systems within their assigned area. Only measures essential to the prevention of compromise shall be applied.

Electric phenomena cause all active electronic circuits to produce an electromagnetic field, immediately adjacent to the equipment and in the surrounding space, which characterizes the electric current flowing in the circuit(s). In digital equipment, the signals emitted (radiated or conducted) may be considered as a series of impulses. Each impulse in the series may represent a "bit," or, if all bits in a character are generated simultaneously, a single character. A series of these impulses is often referred to as data related or intelligence bearing signals, since they bear a relationship to the characters in process.
However, these terms may be misleading because the signals emitted may be related to machine functions common to all programs in the processing cycle and not to raw or processed data with an intelligence value. The multitude of signals that emanate from several components simultaneously may be especially difficult to detect, record and analyze. Therefore, equipment monitors must review the entire machine room, or remote-terminal area, as a highly complex source of emanations. Under these circumstances, the usefulness of any recorded emanations depends on the degree to which the measuring and recording system can identify each of the many different sources of emanations originating from within the system. The term "Compromising Emanations" implies that the theoretical presence of a signal alone does not suffice to classify the signal as compromising. The signal must be amenable to being: first, recorded on a suitable medium; and second, analyzed. The equipment and techniques necessary to these actions are numerous and limitations are serious due to:
a. The ADPE speed and complexity.
b. The coding methods used in the machine system.
c. The state-of-the-art limitation on broadband recording and other necessary equipments.
d. The broad frequency range over which signals occur.
e. The possible requirement for long-term, on-station monitoring without risk of detection.
Additionally, environmental noise effects will cause the signal-to-noise ratio to decrease more rapidly than the measured signal amplitude, and thus reduce the emitted signal's susceptibility to reliable analysis.

Many factors must be evaluated simultaneously when determining whether TEMPEST control procedures should be applied to an ADP system, since no single factor will suffice to establish the installation's vulnerability or to identify the control procedures to be used. Factors known to affect vulnerability have been carefully evaluated to the extent that theoretical and limited test results allow. 1/

[Next 2 page(s) in document denied]

Primary controls to consider are:

(1) Security Labels: Security classification and other required control labels shall be identified with the information and programs in the system to insure appropriate labeling of output/input and access authority. The use of these labels will be closely related to external labeling, internal file or record labeling and user identification/authorization. Tapes, card decks, listings and displays shall contain proper security identification to alert the user to the security protection required for the handling of the information. Files (and/or records, when individual records or portions can be individually accessed) will contain in the identification and control labels the appropriate security level of the information contained within. Access to the file (or record) contents will be controlled through this label identification. Furthermore, each user will possess access to resident files based upon his identification/authorization label access authority, which will be contained in the access libraries and/or executive system.
(2) User Identification/Authentication: User identification/authentication for access to resource-sharing computer systems will primarily apply to remote users; however, all persons accessing any part of the system will be required to identify themselves in some manner. The user activity must insure that only individuals with proper clearance and access authorization are permitted to utilize remote terminals located at their activity. Additionally, certain system checks must be exercised to insure user authentication for the access of specified files or data which are available through the system. This identification is another level in the pyramidal check to insure that data security, authority and integrity are achieved and maintained. The mechanism through which this will be obtained shall consist of software and/or hardware devices, manual control procedures at terminal sites, and other appropriate measures designed to validate the identity and access authority of system users. Identification/authentication is the means by which a computer system assures that the individual at a terminal is the person he represents himself to be. User authentication is usually provided on existing systems through a password. This technique can provide adequate protection for privacy purposes if:
(a) The passwords are given protection comparable to that required for the most sensitive information available.
(b) They are changed periodically to minimize the possibility of compromise (comparable to changing safe combinations).
(c) They are not user-generated (to prevent penetration by "educated guessing").
More elaborate schemes such as one-time passwords or challenge-dependent passwords may not be necessary to achieve the objectives of privacy. However, installations handling very sensitive material should require these additional safeguards. Numerous methodologies of user identification and authentication have been and are being devised. Regardless of the specific method chosen, the recommended approach to the control of system resources from a security authority standpoint is a software lockout in which a number of program checks are made against the following input parameters:
- User name.
- User classification and security release codes.
- Console identification.
- Console classification.
- Overlay identification.
- Program classification and security release codes.
- Record classification and security release codes.
Software control of the release of data by security classification and control codes promises to provide greater efficiency in system usage with security control, and provides a better foundation for control on interchanges of data with other systems when direct interface becomes a reality.

(3) Memory Protection: Hardware and software control shall be exercised by the system over the addresses to which a user program has access. Within the software controls the most critical portion is the Supervisor (also called the Executive or the Monitor). The Supervisor acts as the overall guard of the system. It is that portion of the software which internally manages job flow through the computer, allocates system resources to jobs, and controls information flowing to and from files and terminals. The malfunction or deliberate alteration of the Supervisor could couple information from one program to another; change the security classification of users, files or programs; or, at a minimum, destroy information in the system. One of the highest security risks in the operation of resource-sharing computer systems occurs where users at remote terminals are permitted extensive programming capability in many languages and with any compiler. In such cases, extreme care must be exercised to insure that the user will not alter the Supervisor, thereby changing all the rules of the system operation. A file-query system which merely provides the user at a remote terminal the capability to access files using a set of fully checked programs is probably the least dangerous mode of operation in a resource-sharing computer system. Coupled with the Supervisor and the hardware memory bounds below, the architecture of the computer must provide for privileged instructions. The set of privileged instructions must contain all input/output commands and also every command which could change a memory boundary or protection barrier. Moreover, the design of the computer must be such as to insure that only the Supervisor program can operate the privileged instructions. It is absolutely essential that the Supervisor program not be bypassed.
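The software lockout described under User Identification/Authentication, applied to the labels described under Security Labels, as an added worked example. This code is not part of the guidance document; the ordering of classification levels, the bit-mask form of the "security release codes", the dominance rule, the catalogue of approved overlays and every name in it (software_lockout, dominates, CODE_ALPHA and so on) are assumptions made for illustration. The checks run in the order the guidance lists the input parameters, and the first failing check names the reason for refusal, which is what an audit trail would record.

```c
/* Added example, not part of the guidance document: a software lockout of
 * the kind described under User Identification/Authentication, applied to
 * the labels described under Security Labels. The level ordering, the
 * bit-mask form of the release codes, the approved-overlay list and all
 * names below are assumptions made for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classification levels, lowest to highest (assumed ordering). */
enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* Release/control codes, one bit each (constructed names). */
#define CODE_ALPHA   (1u << 0)
#define CODE_BRAVO   (1u << 1)
#define CODE_CHARLIE (1u << 2)

/* A security label: classification level plus the set of release codes. */
struct label {
    enum level level;
    uint32_t release_codes;
};

/* "a dominates b": a's level is at least b's and a carries every release
 * code that b carries. Information labelled b may be released to a. */
bool dominates(struct label a, struct label b)
{
    return a.level >= b.level && (b.release_codes & ~a.release_codes) == 0;
}

/* The input parameters the lockout checks, in the order the guidance
 * lists them: user, console, overlay (program) and record. */
struct request {
    const char *user_name;
    struct label user;
    const char *console_id;
    struct label console;
    const char *overlay_id;
    struct label program;
    struct label record;
};

enum lockout {
    LOCKOUT_OK = 0,
    LOCKOUT_NO_IDENTITY,       /* user or console not identified */
    LOCKOUT_UNKNOWN_OVERLAY,   /* program is not one of the fully checked set */
    LOCKOUT_USER_VS_PROGRAM,   /* user not cleared to run this program */
    LOCKOUT_USER_VS_RECORD,    /* user not cleared for the record */
    LOCKOUT_CONSOLE_VS_RECORD, /* terminal not certified for the record */
    LOCKOUT_PROGRAM_VS_RECORD  /* program not authorised to handle the record */
};

/* Constructed catalogue of fully checked query programs, the mode of
 * operation the guidance calls least dangerous for remote users. */
static const char *const approved_overlays[] = { "QUERY1", "REPORT2" };

static bool overlay_is_approved(const char *id)
{
    size_t n = sizeof approved_overlays / sizeof approved_overlays[0];
    for (size_t i = 0; i < n; i++)
        if (id != NULL && strcmp(approved_overlays[i], id) == 0)
            return true;
    return false;
}

/* Every check must pass before the record is released to the console. */
enum lockout software_lockout(const struct request *r)
{
    if (r->user_name == NULL || r->user_name[0] == '\0' ||
        r->console_id == NULL || r->console_id[0] == '\0')
        return LOCKOUT_NO_IDENTITY;
    if (!overlay_is_approved(r->overlay_id))
        return LOCKOUT_UNKNOWN_OVERLAY;
    if (!dominates(r->user, r->program))
        return LOCKOUT_USER_VS_PROGRAM;
    if (!dominates(r->user, r->record))
        return LOCKOUT_USER_VS_RECORD;
    if (!dominates(r->console, r->record))
        return LOCKOUT_CONSOLE_VS_RECORD;
    if (!dominates(r->program, r->record))
        return LOCKOUT_PROGRAM_VS_RECORD;
    return LOCKOUT_OK;
}

int main(void)
{
    /* Constructed sample: a SECRET user at a SECRET console runs QUERY1
     * against a CONFIDENTIAL/ALPHA record, then against a TOP SECRET one. */
    struct request r = {
        .user_name = "smith", .user = { SECRET, CODE_ALPHA | CODE_BRAVO },
        .console_id = "CONSOLE-7", .console = { SECRET, CODE_ALPHA | CODE_BRAVO },
        .overlay_id = "QUERY1", .program = { SECRET, CODE_ALPHA },
        .record = { CONFIDENTIAL, CODE_ALPHA },
    };
    printf("first request: %d (0 = released)\n", software_lockout(&r));
    r.record.level = TOP_SECRET;
    printf("second request: %d (4 = user not cleared for record)\n", software_lockout(&r));
    return 0;
}
```

The console check is what keeps a cleared user from pulling a record to a terminal whose area is not certified for it, and the program check is what keeps an approved overlay from reaching records outside its own label, which is the point of limiting remote users to a set of fully checked programs.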
The principal hardware techniques employed for segregating programs and data bases are various forms of memory bounds protection devices. These must be sufficient so that any attempt to read or write outside the area of memory assigned to a given user will be detected and prevented. It should be stressed, however, that memory bounds protection can fail. Therefore, it may be necessary to require a special program which will attempt to deliberately and frequently violate the memory bounds to verify that the protection device is, in fact, working. This is particularly important after a cold start, initial program load, or maintenance.

(4) Separation of User/Executive Modes of Operation: The user and executive modes of system operation shall be separated so that a program operating in user mode is prevented from performing unauthorized executive functions. This reasoning follows the explanation in Memory Protection above. While the two modes must remain separate, both must recognize and be capable of handling the following:
- Types of I/O.
- I/O media characteristics.
- Processing interfaces between system resources.
- System resources involved.
- Data protection requirements.
- System status (on-line versus off-line).
- Ingredients of data protection/control (hardware, software, and procedures).

(5) Residue Clean-out: Another step toward security, authority, and integrity protection within resource-sharing computer systems is residue clean-out.
Instructions for performing this function should be standard within the system for all user programs to execute residue clean-out under the following conditions:
- Upon job completion.
- Upon program error (without recovery).
- Upon notification by the Supervisor that a [illegible] has been attempted.
- Upon site environment failure.
- Upon release of the allocated storage area to the Supervisor.
Upon execution of residue clean-out instructions, sample data will be printed/displayed to allow review by operator/user personnel to insure that the process has been successful. Measures shall then be implemented to insure that memory residue from terminated user programs is made inaccessible to unauthorized users.

(6) Access Control: It may be found, in a resource-sharing facility, that the number of personnel requiring special access will increase. This may be especially true in the early stages of a facility's operation before it is certified for full multi-level security operations. Unfortunately, present technology offers no way to protect the operating system and the information contained in the system from subversion by the central operations staff, i.e., operators, systems programmers, technicians, users, etc. Therefore, administrative and procedural safeguards must be applied to protect classified information and data handled by the operations center and its attached remote terminals.
(a) The central computer spaces must be secure.
(b) The remote terminal areas shall be secured to the level of information to be processed by that station.
(c) Access shall be limited to persons possessing the authorization and requirement for entrance.
(d) Only authorized operator, systems and maintenance personnel should be allowed to operate equipment in the central computer area. These operators and programmers must be cleared for all categories of information processed by the system.
(e) Only authorized personnel should be allowed access to magnetic tape and source deck libraries.
(f) The user activity must insure that only individuals with proper clearance and access authorization are permitted to enter the area and/or to utilize remote terminals located at that activity.
(g) Hardware maintenance engineers and technicians should be granted access to all categories of information processed by the system.
(h) The access control measures must be established, monitored and changed by the Information System Security Officer (ISSO), even though access control responsibility will rest with each individual within the resource-sharing facility. The control of access to the areas of the facility can take several forms, e.g., access roster, clearance badge, video monitor, security guard, etc. Whatever control method is used, it must insure absolute control of access to the resource-sharing system.

(7) Audit Trail: The resource-sharing computer system shall produce, in a secure manner, an audit trail containing sufficient information to permit a regular security review of system activity. System usage recording functions can be used to detect improper use or maintenance of the data base. These functions are specifically directed toward protection of data security and assured integrity. They will allow for:
- Detection of data base/system misuse.
- Documentation of data base/system misuse.
- Audit of task performance.
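The audit trail functions just listed, together with the graded responses the guidance describes next (from a daily denial report for the ISSO up to job termination with an alarm), as an added worked example. This code is not part of the guidance document; the record layout, the severity scale, the escalation thresholds for repeated denials by one user, and all names in it (audit_request, denial_report and so on) are assumptions made for illustration, as are the sample requests in main.

```c
/* Added example, not part of the guidance document: the audit trail the
 * Supervisor keeps as it verifies each request, the graded responses the
 * guidance describes (from a daily denial report up to job termination with
 * an alarm), and the denial report for the ISSO. The record layout, the
 * severity scale and the escalation thresholds are illustrative assumptions. */
#include <stdio.h>
#include <string.h>
#include <time.h>

enum outcome { GRANTED, DENIED };
/* Responses in increasing order of seriousness. */
enum action { ACT_NONE, ACT_REPORT_DAILY, ACT_ALARM_OPERATOR, ACT_TERMINATE_JOB };

struct audit_record {
    time_t when;
    char user[16];
    char terminal[16];
    char resource[32];
    enum outcome outcome;
    int severity;      /* 0 = routine refusal ... 3 = attempt on the Supervisor */
    enum action action;
};

/* In a real system the log lives on protected storage that no user program
 * can reach; a fixed in-memory table stands in for it here. */
#define AUDIT_CAPACITY 256
static struct audit_record audit_log[AUDIT_CAPACITY];
static int audit_count;

void audit_reset(void) { audit_count = 0; }

/* Denials recorded so far for one user. Repeated denials are the signal
 * that lets weak areas be isolated and corrected. */
int denials_for_user(const char *user)
{
    int n = 0;
    for (int i = 0; i < audit_count; i++)
        if (audit_log[i].outcome == DENIED && strcmp(audit_log[i].user, user) == 0)
            n++;
    return n;
}

/* Called by the Supervisor after it has verified (or refused) a request.
 * Every request is logged; the return value is the action to take now. */
enum action audit_request(time_t when, const char *user, const char *terminal,
                          const char *resource, int authorized, int severity)
{
    if (audit_count >= AUDIT_CAPACITY)
        return ACT_TERMINATE_JOB;   /* cannot record the event: fail closed */
    struct audit_record *r = &audit_log[audit_count++];
    r->when = when;
    snprintf(r->user, sizeof r->user, "%s", user ? user : "?");
    snprintf(r->terminal, sizeof r->terminal, "%s", terminal ? terminal : "?");
    snprintf(r->resource, sizeof r->resource, "%s", resource ? resource : "?");
    r->outcome = authorized ? GRANTED : DENIED;
    r->severity = severity;
    if (authorized) {
        r->action = ACT_NONE;
    } else {
        int prior = denials_for_user(r->user) - 1;   /* denials before this one */
        if (severity >= 3 || prior >= 3)
            r->action = ACT_TERMINATE_JOB;
        else if (severity == 2 || prior >= 1)
            r->action = ACT_ALARM_OPERATOR;
        else
            r->action = ACT_REPORT_DAILY;
    }
    return r->action;
}

/* Writes the denial report for the window [from, to) into out and returns
 * the number of denials in that window. */
int denial_report(time_t from, time_t to, char *out, size_t cap)
{
    int n = 0;
    size_t used = 0;
    if (cap > 0) out[0] = '\0';
    for (int i = 0; i < audit_count; i++) {
        const struct audit_record *r = &audit_log[i];
        if (r->outcome != DENIED || r->when < from || r->when >= to)
            continue;
        n++;
        if (used < cap) {
            int w = snprintf(out + used, cap - used, "%ld %s %s %s severity=%d action=%d\n",
                             (long)r->when, r->user, r->terminal, r->resource,
                             r->severity, (int)r->action);
            if (w > 0) used += (size_t)w;
        }
    }
    return n;
}

int main(void)
{
    char report[512];
    time_t t0 = 1000000;   /* constructed timestamps */
    audit_request(t0, "jones", "T-3", "FILE-A", 1, 0);          /* granted */
    audit_request(t0 + 1, "jones", "T-3", "FILE-TS", 0, 1);     /* first refusal */
    audit_request(t0 + 2, "jones", "T-3", "FILE-TS", 0, 1);     /* repeat: alarm */
    audit_request(t0 + 3, "brown", "T-9", "SUPERVISOR", 0, 3);  /* terminate job */
    printf("%d denials today:\n", denial_report(t0, t0 + 86400, report, sizeof report));
    fputs(report, stdout);
    return 0;
}
```

Granted requests are logged as well as refused ones, because the guidance wants detailed data on all user actions so that any user's activity can be traced; the escalation on repeated refusals is the simplest form of the continuous check the audit trail is meant to support.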
The Audit Trail functions will be performed by the system Supervisor in connection with a special System Log and Access Authentication Library. As the Supervisor allocates portions of the system to users and terminals, it will have first verified the authority of the requestor to access the particular portion. Improper or unauthorized requests will be logged and, dependent upon the seriousness of the infraction, the system can take several actions. These actions range from job termination with accompanying audio and visual security alarms to a daily denial report for the ISSO. The system must maintain detailed data on all user actions. From this data, the actions of all users can be traced and weak areas isolated and corrected. The Audit Trail will receive data from the security verification programs, which will be used to provide continuous checks on the system operation.

7. CONCLUSION: In the final analysis, the security of a resource-sharing computer system must come from an interlocking of personnel security, software techniques, communications security, and administrative procedures. Exclusive dependence on one area (for example, software) must be avoided. Sufficient experience with the day-to-day use of resource-sharing computer systems, and enough in-depth analysis, is available to provide some confidence that the major problems with reference to security are known. If used properly and intelligently, and subjected to stringent and frequent testing, resource-sharing computer systems employing today's hardware can provide acceptable protection of classified information, even multiple levels of classified information. In fact, they can probably provide greater protection than many manual methods of handling classified information. The knowledge, expertise and imagination of assigned resource-sharing computer systems managers, programmers, operators, analysts, and users will be tested and retested as systems grow in capabilities and complexity. Greater reliance on the systems and their capabilities will be required to fully exploit these capabilities and improve the security, authority and integrity of information processed by the systems.
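Two of the checks the guidance asks for, the memory bounds self-test of section (3) Memory Protection (the "special program" that deliberately violates the bounds to verify that the protection device works, to be run after a cold start, initial program load or maintenance) and the residue clean-out with operator review of section (5), as an added worked example of the stringent and frequent testing the conclusion calls for. This code is not part of the guidance document. It assumes a POSIX system: mprotect() on a page of the job's storage, with a fault handler, stands in for a hardware bounds protection device, and all names (memory_bounds_selftest, residue_cleanout, residue_is_clean) and the sample record are constructed for illustration.

```c
/* Added example, not part of the guidance document: two self-tests of the
 * kind the guidance asks for. memory_bounds_selftest() deliberately writes
 * outside the area assigned to the job and reports whether the write was
 * trapped; residue_cleanout() and residue_is_clean() clean out a released
 * storage area and perform the review that follows. POSIX mprotect() with a
 * signal handler stands in for a hardware bounds register (an assumption). */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf bounds_trap;

/* The fault handler: the violation was detected, return to the test. */
static void on_bounds_fault(int sig)
{
    (void)sig;
    siglongjmp(bounds_trap, 1);
}

/* Returns 1 if a deliberate out-of-bounds write was trapped, 0 if the write
 * silently succeeded (protection is NOT working), -1 on a setup error. */
int memory_bounds_selftest(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    /* Two pages: the first is the job's area, the second is out of bounds. */
    void *region = NULL;
    if (posix_memalign(&region, (size_t)page, 2 * (size_t)page) != 0) return -1;
    if (mprotect((char *)region + page, (size_t)page, PROT_NONE) != 0) {
        free(region);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_bounds_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some systems report the fault as SIGBUS */

    volatile int trapped = 0;
    volatile unsigned char *probe = (unsigned char *)region + page;
    if (sigsetjmp(bounds_trap, 1) == 0) {
        *probe = 0xA5;      /* the deliberate violation */
        trapped = 0;        /* only reached if nothing stopped the write */
    } else {
        trapped = 1;        /* the handler ran: the device is working */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    mprotect((char *)region + page, (size_t)page, PROT_READ | PROT_WRITE);
    free(region);
    return trapped;
}

/* Residue clean-out: overwrite a released storage area. The volatile pointer
 * keeps the compiler from dropping the stores as dead before the release. */
void residue_cleanout(void *area, size_t len)
{
    volatile unsigned char *p = area;
    for (size_t i = 0; i < len; i++)
        p[i] = 0;
}

/* The review step: 1 if no byte of the area still holds data. */
int residue_is_clean(const void *area, size_t len)
{
    const unsigned char *p = area;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0) return 0;
    return 1;
}

/* Runs a constructed "job" that leaves a record in its storage area, then
 * cleans out and reviews the area. Returns 1 only if residue was present
 * before clean-out and absent after it. */
int residue_cleanout_selftest(void)
{
    unsigned char area[64];
    memset(area, 0xEE, sizeof area);                   /* leftovers of an earlier job */
    memcpy(area, "RECORD 0017 ALPHA (constructed)", 31);
    int dirty_before = !residue_is_clean(area, sizeof area);
    residue_cleanout(area, sizeof area);
    int clean_after = residue_is_clean(area, sizeof area);
    return dirty_before && clean_after;
}

int main(void)
{
    printf("memory bounds protection working: %d\n", memory_bounds_selftest());
    printf("residue clean-out verified: %d\n", residue_cleanout_selftest());
    return 0;
}
```

A result of 0 from memory_bounds_selftest() is the condition the guidance warns about: the job's write landed outside its area and nothing stopped it, so the system should not be returned to multi-level operation until the protection device has been repaired and the test rerun.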