ADP SYSTEMS SECURITY - PROBLEM STATEMENT
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP86B00689R000300140012-0
Release Decision:
RIPPUB
Original Classification:
S
Document Page Count:
3
Document Creation Date:
December 20, 2016
Document Release Date:
July 17, 2007
Sequence Number:
12
Case Number:
Publication Date:
April 7, 1982
Content Type:
MEMO
File:
Attachment | Size |
---|---|
CIA-RDP86B00689R000300140012-0.pdf | 137.69 KB |
Body:
Approved For Release 2007/07/17: CIA-RDP86B00689R000300140012-0
?HSA 82-017
7 April 1982
MEMORANDUM FOR: ISSG
FROM: DDA/IHSA
SUBJECT: ADP Systems Security - Problem Statement
Developing a comprehensive ADP systems security program for the Agency
extends beyond the promulgation of policy & establishment of procedures.
Assuming that physical, personal and technical security standards will
remain stringent and high, the problem in ADP systems security is one of
definition and application. Management must support the policies, the
providers must select and apply the controls and the users must understand
and operate within the guidelines.
The security threat is real. As more information becomes available at
increased data rates to increasing numbers of people, the potential for
unauthorized disclosure, accidental loss or destruction, intentional
penetration or alteration of data increases proportionally. In formulating
a program for computer security these vulnerabilities must not only be
identified but countermeasures developed as well as verified. Confidence
in the computer systems must be assured. Coupled to the above is the
desire to provide a homogeneous environment for Information Handling
Systems while maintaining compartmentation and need to know principles.
As concluded by the IHSA Working Group on Information Protection and
Management, there is a gap between existing ADP policy and procedures and
the current operating environment. The goals developed by this group are
indicative of the current perception in that users do not feel comfortable
in their knowledge or interpretation of security concerns in ADP systems.
These goals are tabulated below:
Goal: Continue emphasis in promulgating security policy and
guidelines which more precisely define areas of responsibilities,
assign accountability, identify authority and encourage
judicious application of technology for the protection
of information in the future IH environment.
Objective 1.1: Accelerate the coordination and implementation
of DCID 1/16 and F----Ias modified.
?25X1
Approved For Release 2007/07/17: CIA-RDP86B00689R000300140012-0
Approved For Release 2007/07/17: CIA-RDP86B00689R000300140012-0
~;~ tr ~ i~ x ?
Objective 1.2: Provide an acceptable and reliable
emergency destruction technique for
digitally stored data.
Objective 1.3: Identify new devices, techniques or
methodologies for application in
dissemination controls, access limitations,
compartmentation, communications security,
emanations control and emanation analysis.
Objective 1.4: Incorporate security enhancements
into system design and procurement which
will accomplish security policy, for audit
trails in particular.
Objective 1.5: Conduct research in the design and
development of reliable, secure information
systems, addressing hardware as well as
software aspects of'information.sy_stem
technology.
Objective 1.6: Develop acceptable and reliable COMSEC
techniques for information protection
through the encryption of data bases.
Objective 1.7: Investigate expansion of current security
policy to specify more frequent reinvestigations
for selected ADP personnel.
In the IHSA paper presented to EXCOM, the goals for the 1985-1989
timeframe were extrapolated from the above and focused primarily on
compartmentation controls, the possible use of secure operating systems,
encryption of data bases and TEMPEST protection.
Analysis of the goals and objectives articulated by the Working Group
and the extension of those goals by the IHSA provide a perspective on what
a cross-sectional representation of the Agency population perceives as
weaknesses in our security profile and what needs to be done. It can be
deduced, although not empirically, that accomplishment of the objectives
stated by the Working Group in the 1982-85 timeframe would be extremely
supportive of the IHSA expectations for the 1985-1989 timeframe.
The problem then not only lies in the definition but in achieving a
proper balance between apathy and paranoia.. A pragmatic approach which
does not constrain operational flexibility and efficiency but provides
confidence in data integrity, availability and confidentiality is required.
Provision of the right information to the right people at the right time
remains a basic objective.
From a systems architecture planning perspective, an ADP systems
security program requires three major ingredients. These are policy,
specification and validation. More specifically there is a need for:
SECRET.
Approved For Release 2007/07/17: CIA-RDP86B00689R000300140012-0
Approved For Release 2007/07/17: CIA-RDP86B00689R000300140012-0
? ~~ i555~~J ?
o Specific policy provisions for computer networking
- Connection of terminals at overseas locations to
headquarters computers
- End-to-end encryption
o Development of security models as a means of specifying
security requirements
o Policy and practices on validation of systems and networks
25X1
SECRET
Approved For Release 2007/07/17: CIA-RDP86B00689R000300140012-0