
AGENCY IT SECURITY HANDBOOK

TECHNICAL CONTROLS
The Technical Controls Handbook focuses on security controls that
the computer system executes. These controls are dependent upon
the proper functioning of the system for their effectiveness. The
implementation of technical controls, however, always requires
significant operational considerations and should be consistent
with the management of security within the Agency.
Version 2
November 2001
Technical Controls
IT Security Handbook
TABLE OF CONTENTS
1. TECHNICAL SECURITY
1.1. PURPOSE
1.2. BACKGROUND
1.3. POLICY
1.4. RESPONSIBILITIES
2. SOFTWARE AND DATA SECURITY
2.1. PURPOSE
2.2. BACKGROUND
2.3. POLICY
2.4. RESPONSIBILITIES
3. NETWORK AND COMMUNICATION SECURITY
3.1. PURPOSE
3.2. BACKGROUND
3.3. POLICY
3.4. RESPONSIBILITIES
4. APPENDIX A
4.1. ACRONYMS
5. APPENDIX B
5.1. GLOSSARY
6. APPENDIX C
6.1. REFERENCES
1. TECHNICAL SECURITY
1.1. PURPOSE
1.1.1 This chapter provides policy and guidance to implement technical controls that will reduce
the exposure of computer equipment and assist in achieving an optimum level of
protection for the Agency information technology (IT) systems.
1.1.2 The policy contained in this chapter covers all the Agency IT resources maintained
in-house or in the interest of the Agency. These policies are mandatory on all organizational
units, employees, contractors, and others having access to and/or using the IT resources of
the Agency.
1.1.3 This policy applies to all automated information systems currently in existence and any
new automated technology acquired after the effective date of this policy document.
1.2. BACKGROUND
1.2.1 The issues that will be covered in this chapter under technical security are:
- Identification and Authentication
- Authorization/Access Control
- Audit Trails
1.2.2 Identification and Authentication are critical building blocks of computer security since
they are the basis for most types of access control and for establishing user accountability.
Identification and Authentication are technical measures that prevent unauthorized people
(or unauthorized processes) from entering an automated information system. Access
control usually requires that the system be able to identify and differentiate among users.
Access control is based on least privilege, which refers to the granting to users of only
those accesses minimally required to perform their duties. User accountability requires
the linking of activities on a system to specific individuals and therefore, requires the
system to identify users.
1.2.3 Access to the Agency's IT resources must be managed by a combination of technical and
administrative controls. Uniform policy for access control across all the Agency systems
and networks is needed to support today's highly inter-connected environment and ensure
that weaknesses at one facility do not place all the Agency information assets at
unnecessary risk. These controls will ensure that only authorized individuals gain access
to information systems resources, that these individuals are assigned an appropriate level
of privilege and that they are individually accountable for their actions. Access will be
controlled and limited based on positive identification and authentication mechanisms.
1.3. POLICY
1.3.1 Identification is the means by which a user provides a claimed identity to the system. The
most common form of identification is the user ID.
1.3.1.1 Unique Identification. Every Agency information system must ensure that users are
uniquely identified before being allowed to perform any actions on the system.
1.3.1.2 Correlate Actions to Users. Each system must internally maintain the identity of all
active users and be able to link actions to specific users.
1.3.1.3 Maintenance of User IDs:
- Offices and facilities must ensure that all user IDs belong to currently authorized
  users.
- Identification data must be kept current by adding new users and deleting former
  users.
- Inactive User IDs. User IDs that are inactive for 90 days must be disabled.
1.3.2 Authentication is the means of establishing the validity of this claim. There are three
means of authenticating a user's identity which can be used alone or in combination:
something the individual knows (a secret - e.g., a password, Personal Identification
Number (PIN), or cryptographic key); something the individual possesses (a token - e.g.,
a bank's ATM card or a smart card); and something the individual is (a biometric - e.g.,
characteristics such as a voice pattern, handwriting dynamics, or a fingerprint).
1.3.2.1 Require Users to Authenticate. Users must authenticate their claimed identities on all
IT resources.
1.3.2.2 Limit Log-on Attempts. The Agency facilities must limit the number of log-on
attempts to five (5). This helps to prevent guessing of authentication data. Where
round-the-clock system administration service is available, system administrator
intervention will be required to clear a locked account. Where round-the-clock
system administration service is not available, accounts will remain locked out for at
least ten (10) minutes.
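The log-on attempt limit and the two unlock rules above, together with the 90-day inactive user ID rule, can be expressed as a small state machine. The following is an added example, not part of the handbook; the class and function names are hypothetical, and it assumes consecutive failures are counted and the account locks on the fifth.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_LOGONS = 5                    # handbook: limit log-on attempts to five (5)
LOCKOUT_PERIOD = timedelta(minutes=10)   # handbook: locked out for at least ten (10) minutes
INACTIVITY_LIMIT = timedelta(days=90)    # handbook: IDs inactive for 90 days are disabled


@dataclass
class Account:
    user_id: str
    last_logon: datetime
    failed_logons: int = 0
    locked_at: Optional[datetime] = None
    disabled: bool = False


class LogonGate:
    """Hypothetical helper; admin_on_duty_24x7 selects which unlock rule applies."""

    def __init__(self, admin_on_duty_24x7: bool):
        self.admin_on_duty_24x7 = admin_on_duty_24x7

    def attempt(self, acct: Account, credentials_ok: bool, now: datetime) -> str:
        if acct.disabled:
            return "denied:disabled"
        if acct.locked_at is not None:
            # With round-the-clock administration only an administrator clears
            # the lock; otherwise it expires after the lockout period.
            if self.admin_on_duty_24x7 or now - acct.locked_at < LOCKOUT_PERIOD:
                return "denied:locked"
            self._clear(acct)
        if credentials_ok:
            self._clear(acct)
            acct.last_logon = now
            return "granted"
        acct.failed_logons += 1
        if acct.failed_logons >= MAX_FAILED_LOGONS:
            acct.locked_at = now
            return "denied:locked"
        return "denied:bad-credentials"

    def admin_unlock(self, acct: Account) -> None:
        """System administrator intervention to clear a locked account."""
        self._clear(acct)

    @staticmethod
    def _clear(acct: Account) -> None:
        acct.failed_logons = 0
        acct.locked_at = None


def sweep_inactive(accounts, now: datetime):
    """Disable every account unused for 90 days or more; return their IDs."""
    disabled = []
    for acct in accounts:
        if not acct.disabled and now - acct.last_logon >= INACTIVITY_LIMIT:
            acct.disabled = True
            disabled.append(acct.user_id)
    return disabled
```

A locked account refuses even correct credentials, so a guessing run cannot learn whether its last attempt was right.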
1.3.2.3 Administer Data Properly. The Agency facilities must have procedures to disable lost
or stolen passwords and must monitor systems to look for stolen or shared accounts.
1.3.2.4 Passwords - Acceptable passwords must be carefully chosen by the user and enforced
by the system. Controls must be implemented to require strong passwords.
1.3.2.5 Acceptable passwords must include each of the following characteristics:
- Letters - Upper or Lower Case Letters (A, B, C, … Z, a, b, c, … z)
- Westernized Arabic Numerals (0, 1, 2 … 9)
- Non-alphanumeric "special characters". For example, punctuation or symbols
  (HIBGJKL)
1.3.2.6 At a minimum, user passwords must be at least 9 characters long.
- The password must not contain the user's e-mail name, user ID or the full name
  as shown in the domain registry.
- New passwords shall never be the same as any of the last 3 passwords.
- The password must not contain dictionary words from any language because
  numerous password-cracking programs exist that can run through millions of
  possible word combinations in seconds. Simply adding a number onto the end of
  a word is not sufficient. The numeric and/or special characters should be
  integrated into the password. However, a complex password that cannot be
  broken is useless if you cannot remember it. For security to function, you must
  choose a password you can remember and yet is complex. For example,
  Msi5JYold (My son is 5 years old) or IhliCf5MyN (I have lived in California for 5 years
  now).
- Passwords must be stored in irreversible encrypted form and the password file
  cannot be viewed in unencrypted form.
- A password must not be displayed on the data entry/display device.
- Operating systems, systems software, and other systems at high risk of
  compromise are sometimes installed with a standard set of default accounts and
  associated standard passwords. Like all accounts, these access routes must be
  protected by strong passwords. Additional measures, such as disabling,
  renaming, or decoying these standard accounts, will be employed.
- During the first instance of access with a new account, the initial password must
  be changed by the individual responsible for the account, in compliance with the
  password controls defined in this policy.
- The proper and secure use of passwords must be included in user training.
1.3.2.7 If system-supplied password generation is available, it must enforce the above
requirements and also include the following additional features:
- The system will give the user a choice of alternative passwords from which to
  choose.
- Passwords will be reasonably resistant to brute-force password guessing attacks.
- The generated sequence of passwords will have the property of randomness (i.e.,
  consecutive instances shall be uncorrelated and the sequences shall not display
  within a predictable time period).
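A system can enforce the password rules above at password-change time. The checker below is an added example, not part of the handbook: the function names, the sample word list, the PBKDF2 storage format, the three-character floor for identity tokens and the four-character floor for dictionary words are all assumptions. It goes slightly beyond the text by undoing common digit and symbol substitutions before the dictionary check.

```python
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 9            # handbook: at least 9 characters
HISTORY_DEPTH = 3         # handbook: never the same as any of the last 3 passwords
PBKDF2_ROUNDS = 100_000   # assumption: work factor chosen for this example
MIN_WORD = 4              # assumption: ignore dictionary words shorter than this
# Constructed sample word list; a deployment would load full dictionaries.
SAMPLE_WORDS = ("password", "welcome", "summer", "agency", "dragon", "secret")
# Undo common digit/symbol substitutions before the dictionary check.
LEET = str.maketrans("013457@$", "oleastas")


def hash_password(password, salt=None):
    """Return (salt, digest): the irreversible form kept in the password file."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_recent_history(password, history):
    """history: (salt, digest) pairs of earlier passwords, oldest first."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def check_password(password, user_id, email, full_name, history, words=SAMPLE_WORDS):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not re.search(r"[A-Za-z]", password):
        problems.append("letter")
    if not re.search(r"[0-9]", password):
        problems.append("numeral")
    if not any(ch in string.punctuation for ch in password):
        problems.append("special")
    lowered = password.lower()
    # User ID, e-mail name (local part) and each part of the full name.
    identity = [user_id, email.split("@")[0]] + full_name.split()
    if any(len(tok) >= 3 and tok.lower() in lowered for tok in identity):
        problems.append("identity")
    plain = lowered.translate(LEET)
    if any(len(w) >= MIN_WORD and (w in lowered or w in plain) for w in words):
        problems.append("dictionary")
    if in_recent_history(password, history):
        problems.append("history")
    return problems
```

Only salted digests are kept for the history comparison, so the last-three rule is enforced without storing any earlier password in recoverable form.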
1.3.3 Access Control/Authorization - Access is the ability to perform a function with a
computer resource (e.g., use, change, or view). Access controls are the system-based
means by which the ability is explicitly enabled or restricted in some way. Access controls
can prescribe not only who (a user) or what (a process) is to have access to a specific
system resource, but also the level of access that is permitted.
1.3.3.1 The Agency facilities must establish a process to authorize and document access
privileges based on a legitimate and demonstrated need to have system access.
1.3.3.2 Access privilege documentation must be maintained in a manner that makes it easily
retrievable by individual user account.
1.3.3.3 Prior to initial account distribution, positive identification of individuals receiving
accounts must be conducted. Positive physical identification can be done by anyone
the system administrator can trust to perform this task. For example, if an employee
needs access to a system located off-site, the employee's supervisor can make
positive physical identification of the employee and request access via electronic
mail. During the first instance of access with a new account, the initial password
must be changed by the individual responsible for the account, in compliance with
the password controls defined in this policy.
1.3.3.4 When system users are no longer part of an organization, or their duties change, their
account access must be appropriately modified or terminated. Requests to change
access privileges must be signed and forwarded to the appropriate designated
individual by the responsible manager (See Chapter 1 "Personnel/User Security" in
the Agency Operational Handbook).
1.3.3.4.1 The default "Guest" account on servers and workstations will be disabled.
Use of Guest-type accounts is strongly discouraged but, if needed, these
accounts must conform to the naming conventions and the password policy
established in this policy.
1.3.3.4.2 In NT operating systems, the Security Account Manager (SAM) must be
protected using the System Key option.
1.3.3.4.3 The Agency facilities must control access to resources based on the following
access criteria, as appropriate:
- Identity (user ID). The identity must be unique in order to support
  individual accountability.
- Roles. Access to information must also be controlled by the job
  assignment or function (i.e., the role) of the user who is seeking access.
- Location. Access to particular system resources will be based upon
  physical or logical location.
Access would be denied for a sixth user, even if the user were otherwise
authorized to use the application.
- Access Modes. The Agency facilities will consider the types of access,
  or access modes. Common access modes, which can be used in both
  operating and application systems, include read, write, execute, and
  delete.
1.3.3.5 Access Control Mechanisms. The Agency facilities must implement both internal and
external access control mechanisms. Internal access controls are a logical means of
separating what defined users (or user groups) can or cannot do with system
resources. External access controls are a means of controlling interactions between
the system and outside people, systems, and services. When setting up access
controls, the Agency facilities shall incorporate the following mechanisms where
appropriate and applicable:
- Access Control Lists (ACLs). ACLs are a register of users (including groups,
  machines, and processes) who have been given permission to use a particular
  system resource and the types of access they have been permitted. The Agency
  facilities will maintain Access Control Lists and establish a procedure to identify
  and remove users who have left the organization or whose duties no longer
  require access to the application. Access Control Lists will be reviewed
  regularly.
- Constrained User Interfaces. The Agency facilities will restrict access to specific
  functions by never allowing users to request information, functions, or other
  resources for which they do not have access.
- Encryption. Encrypted information can only be decrypted, and therefore read, by
  those possessing the appropriate cryptographic key. While encryption can
  provide strong access control, it is accompanied by the need for strong key
  management. Encryption will be utilized where appropriate and available.
- Port Protection Devices. Fitted to a communications port of a host computer, a
  port protection device (PPD) authorizes access to the port itself, often based on a
  separate authentication (such as a dial-back modem) independent of the
  computer's own access control functions.
- Secure Gateways/Firewalls. Secure gateways block or filter access between two
  networks (e.g., Intranet, Internet, universities, contractors, vendors, and other
  federal agencies). Secure gateways allow internal users to connect to external
  networks while protecting internal systems from compromise. Additional
  information and requirements regarding gateways and firewalls are contained in
  the "Network" Chapter of this Handbook and on the Agency's Information
  Security web site.
- Host-Based Authentication. Host-based authentication grants access based upon
  the identity of the host originating the request, instead of the identity of the user
  making the request. The Agency facilities shall use network applications utilizing
  host-based authentication where appropriate and available.
- System Log-On Banner. A security log on banner is incorporated on all
  networked systems. This is displayed to users as part of the log on dialogue,
  followed by a pause requiring manual intervention to continue. The Agency NET
  banner displayed each time a user logs on to the Agency NET is a reminder that
  any use of the Agency information technology resources is made with the
  understanding that such use is generally not secure, is not private, and is not
  anonymous. See the Agency 80210, Appropriate Use of the Agency Office
  Equipment.

WELCOME TO THE AGENCY
This is a United States Government system operated and maintained by the
Agency. We encourage you, as an Agency employee, researcher,
contractor, or member of the public, to use this system. You should not
expect privacy while using this system and your activity may be monitored
to protect the system from unauthorized use. Authorized employees have
the right to examine active and stored email and files within all systems. By
using this system you expressly consent to such monitoring and to reporting
your unauthorized use to the proper authorities. Unauthorized use of this
system is a violation of Federal law 18 U.S.C. Section 1030. Unauthorized
access may be prosecuted to the full extent of the law.

1.3.4 Audit Trails - Audit trails maintain a record of system activity by system or application
processes and by user activity. In conjunction with appropriate tools and procedures, audit
trails provide a means to help accomplish several security-related objectives, including
individual accountability, reconstruction of events, intrusion detection, and problem
identification.
1.3.4.1 The Agency facility audit trails will be used for the following:
- Individual Accountability. The audit trail supports accountability by providing a
  trace of user actions. While users cannot be prevented from using resources to
  which they have legitimate access authorization, audit trail analysis can be used
  to examine their actions.
- Reconstruction of Events. The Agency will use audit trails to support
  after-the-fact investigations of how, when, and why normal operations ceased.
- Intrusion Detection. The Agency facilities will design and implement their audit
  trails to record appropriate information to assist in intrusion detection.
  Intrusions can be detected in real time, by examining audit trails as they are
  created or after the fact, by examining audit records in a batch process.
- Problem Identification. The Agency facilities will use audit trails as online tools
  to help identify problems other than intrusions as they occur. This is often
  referred to as real-time auditing or monitoring.
- The Agency ISO must be notified of all investigative audits of IT resources.
1.3.4.2 Contents of Audit Trail Records. An audit trail must include sufficient information to
establish what events occurred and who (or what) caused them. The scope and
contents of the audit trail will balance security needs with performance needs,
privacy, and costs. At a minimum the event record must specify:
- Type of event
- When the event occurred (time and day)
- User ID associated with the event
- Program or command used to initiate the event
1.3.4.3 Audit Trail Security. The Agency offices and facilities will protect the audit trail from
unauthorized access. The following precautions will be taken:
- Control online audit logs. Access to online audit logs will be strictly controlled.
- Separation of duties. The Agency facilities will ensure separation of duties
  between security personnel who administer the access control function and those
  who administer the audit trail.
- Protect confidentiality. The Agency offices and facilities will ensure the
  confidentiality of audit trail information.
1.3.4.4 Audit Trail Reviews. Audit trails will be maintained, at a minimum, for six months.
The following must be considered when reviewing audit trails:
- Recognize normal activity. Reviewers must know what to look for to be
  effective in identifying unusual activity. They need to understand what normal
  activity looks like.
- Utilize a search capability. Audit trail review can be easier if the audit trail
  function can be queried by user ID, device ID, application name, date and time,
  or some other set of parameters to run reports of selected information.
- Follow-up reviews. The appropriate system administrator will review the audit
  trails following a known system or application software problem, a known
  violation of existing requirements by a user, or some unexplained system or user
  problem.
- Develop review guidelines. Application owners, data owners, system
  administrators, and the ISO will determine how much review of audit trail
  records is necessary, based on the importance of identifying unauthorized
  activities.
1.3.4.5 Automated tools. Traditionally, audit trails are analyzed in a batch mode at regular
intervals (e.g., daily). Audit analysis tools, such as those based on audit reduction,
attack signature, and variance techniques, can be utilized in real-time or near
real-time fashion. The Agency facilities should use the many types of tools that have
been developed to help reduce the amount of information contained in audit trails,
as well as to distill useful information from the raw data.
1.3.4.6 All the Agency information systems must have the ability to audit password activity,
specifically when and who last changed a password, and when and who last changed
account privileges.
1.3.4.7 Annually, individual accounts must be audited to ensure compliance with the
minimum standards outlined in this policy.
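The audit trail requirements above (minimum record contents, a search capability, six-month retention, and the ability to report when and who last changed a password or account privileges) fit together as shown in the sketch below. This is an added example, not part of the handbook; the class, field names such as `target` and `device_id`, the 183-day reading of "six months" and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Minimum contents of an event record: type, time, user ID, program/command.
REQUIRED_FIELDS = ("event_type", "timestamp", "user_id", "program")
MIN_RETENTION = timedelta(days=183)  # "six months"; 183 days is an assumption


class AuditTrail:
    """Append-only in-memory audit trail (hypothetical class for illustration)."""

    def __init__(self):
        self._records = []

    def append(self, **record):
        # Reject records that cannot establish what happened and who caused it.
        missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
        if missing:
            raise ValueError("audit record missing: " + ", ".join(missing))
        if not isinstance(record["timestamp"], datetime):
            raise ValueError("timestamp must be a datetime")
        self._records.append(dict(record))

    def query(self, start=None, end=None, **criteria):
        """Search by time window and any field (user_id, device_id, program ...)."""
        hits = []
        for rec in self._records:
            if start is not None and rec["timestamp"] < start:
                continue
            if end is not None and rec["timestamp"] > end:
                continue
            if all(rec.get(key) == value for key, value in criteria.items()):
                hits.append(rec)
        return hits

    def last_change(self, event_type, target):
        """Return (when, who) for the latest change made to the target account."""
        changes = self.query(event_type=event_type, target=target)
        if not changes:
            return None
        latest = max(changes, key=lambda rec: rec["timestamp"])
        return latest["timestamp"], latest["user_id"]

    def expired(self, now):
        """Records older than the retention minimum; only these may be purged."""
        return [r for r in self._records if now - r["timestamp"] > MIN_RETENTION]


def build_sample_trail():
    """Constructed sample events, not taken from any real system."""
    trail = AuditTrail()
    trail.append(event_type="password_change", timestamp=datetime(2001, 3, 1, 10, 0),
                 user_id="sysadmin1", program="usermgr", target="jdoe")
    trail.append(event_type="logon_failure", timestamp=datetime(2001, 11, 5, 8, 59),
                 user_id="jdoe", program="login", device_id="ws-014")
    trail.append(event_type="logon_success", timestamp=datetime(2001, 11, 5, 9, 1),
                 user_id="jdoe", program="login", device_id="ws-014")
    trail.append(event_type="password_change", timestamp=datetime(2001, 11, 5, 9, 30),
                 user_id="jdoe", program="passwd", target="jdoe")
    trail.append(event_type="logon_success", timestamp=datetime(2001, 11, 6, 8, 0),
                 user_id="asmith", program="login", device_id="ws-020")
    trail.append(event_type="privilege_change", timestamp=datetime(2001, 11, 6, 14, 0),
                 user_id="sysadmin1", program="usermgr", target="jdoe")
    return trail
```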
1.3.5 The Agency IT systems that cannot meet these minimum standards must be modified to
remedy any deficiencies. Until such time as deficient systems are brought up to these
security standards, system owners, as part of their OMB mandated A-130 security plans
and risk assessments, must accept in writing any risk to the Agency Enterprise.
1.4. RESPONSIBILITIES
1.4.1 The Agency CIO. Ensures that the provisions of this chapter are implemented at all
facilities within the Agency.
1.4.2 Office Heads, and Facility Directors. Ensure that adequate technical security controls are
implemented on all systems for which they hold responsibility.
1.4.3 The Agency CIO:
1.4.3.1 Certifies the systems under their control. The technical controls must be in place and
functioning as intended, prior to certification of the system.
1.4.3.2 Ensures that during the development and acquisition phase of developing local
systems that security requirements and specifications are incorporated into any
purchase of automated information systems.
1.4.4 System administrators:
1.4.4.1 Ensures that the technical controls are functioning as expected and reports any
significant discrepancies noted to the ISO.
1.4.4.2 Monitors the system by reviewing system logs and utilizing various automated tools
such as virus scanners, check-summing, password crackers, integrity verification
programs, intrusion detectors, and system performance monitoring.
1.4.4.3 Evaluates account and password management controls yearly to ensure that the
Agency password policy is being technically implemented.
1.4.4.4 Ensures that the ISO is notified of all investigative audits of IT systems.
1.4.5 ISO/AISO:
1.4.5.1 Assists the Agency CIO in performing sensitivity assessments and in determining
security requirements and specifications for technical controls in any new systems to
be purchased and operated at the facility.
1.4.5.2 Audits the technical controls. This can be accomplished by conducting regular audits
of the system. The ISO must work with the system manager and the Agency
CIO in developing effective measures to audit the various systems in a facility.
1.4.5.3 Develops procedures and policy concerning authorizing and documenting access
privileges for users based on a legitimate and demonstrated need to have system
access.
1.4.6 Individual users: Select strong passwords in accordance with this policy.
2. SOFTWARE AND DATA SECURITY
2.1. PURPOSE
2.1.1 This chapter provides security guidance on software selection, development, testing,
implementation and maintenance of the Agency software.
2.1.2 Security controls for operating system and application software are detailed below and are
applicable to all software (the Agency developed and Commercial Off-The-Shelf (COTS))
used in the Agency IT resources.
2.2. BACKGROUND
2.2.1 The Agency currently buys COTS software. Security controls must be met in these
circumstances to ensure that mission critical and all other sensitive data is established,
maintained, transported and utilized in a secure manner.
2.3. POLICY
2.3.1 General Software Security Elements are:
2.3.1.1 Controlling what software is used on a system.
- All COTS application software purchases must be certified and accredited prior
  to use.
- Application software used on the Agency IT resources must be obtained through
  authorized procurement channels.
- Each system installation of the Agency developed or off-the-shelf software must
  be reviewed and approved by the review board prior to installation. This also
  includes software acquired by any other means (e.g., public domain software,
  bulletin board services, personally owned software, Internet obtainable freeware).
  See the Agency 802, Appropriate Use of the Agency Office Equipment and the
  Agency 815, New Desktop Software Requests.
- All application software authorized to run on the Agency IT resource must be
  identified in the system's security plan.
2.3.1.2 Ensuring that software has not been modified without proper authorization.
- Willful and intentional modification of the Agency software for illegal or
  disruptive purposes or for personal gain is a crime. There must not be any
  modifications of these programs except by an authorized agent of the CIO.
- Safeguards must be in place to detect and minimize inadvertent or malicious
  modification or destruction, or attempts to do so, of the Agency's IT application
  software, operating system software, and critical data files. The safeguards
  should achieve the integrity objectives and be documented in the system's
  security plan. The level of protection must be commensurate with the sensitivity
  of the information processed.
- Approved software, regardless of source, must be scanned for viruses prior to
  initial use.
- Anti-Virus and malicious code (software) must be employed on every Agency
  IT resource to protect the integrity of the software and data.
2.3.1.3 Ensuring that software is properly licensed, as required.
- Use of copyrighted software will comply with copyright laws and license
  agreements.
- The Agency licensed software may not be installed on other systems without
  management approval (e.g., anti-virus software).
2.3.2 Operating System Software Controls. The operating system software employed to
process data by multiple users, including local area networks, must control user access to
resources and capabilities that are required and authorized. The operating system software
should also have the capability to identify, journal, report, and assign accountability for the
functions performed or attempted by a user and to deny user access to capabilities or
resources that have not been authorized. At a minimum, the operating system must:
2.3.2.1 Control all transfers between memory and on-line storage devices, between a central
computer and remote devices, and between on-line storage devices.
2.3.2.2 Control all operations associated with allocating system resources (e.g., memory,
peripheral devices, etc.), memory protection, system interrupts and changes between
the privileged and non-privileged states.
2.3.2.3 Identify a valid system user and direct the user to authorized options or applications.
Use of such a feature (log-on dialogue) limits user access and protects system
programs and data files from unauthorized access.
2.3.2.4 Provide the capability to limit the types of operations (e.g., read, write, and delete) that
can be performed by individual users on given data or program files.
2.3.2.5 Control system access through an approved form of user authentication.
2.3.2.6 Provide the capability to record actual or attempted access to the system and other
activity.
2.3.2.7 Provide the capability to terminate a process automatically and log-off a user when an
access session remains inactive for some specified length of time.
2.3.2.8 Provide the capability upon a break of connection or a log-off to terminate an access
session.
2.3.2.9 Control programs or utilities which may be used to maintain and/or modify the
operating system, access control systems, sensitive databases and other software
modules which could affect or compromise the integrity of the general purpose
software or sensitive applications.
2.3.2.10 Prevent a user program from executing privileged instructions.
2.3.2.11 Isolate the programs and data areas of one user from those of other users and the
operating system software.
2.3.2.12 Assure error detection when accessing memory as well as parity and hardware
register checking.
2.3.2.13 Cause a screen warning message to be displayed at logon to identify to the user that
access is restricted to authorized users for legitimate purposes only and that their
activities are subject to monitoring.
2.3.2.14 Be maintained by the minimum number of authorized persons. This is
accomplished by limiting the number of employees with administrative privileges.
2.3.2.15 Be copied after each modification with the copy to be immediately stored as a
backup for emergency use.
2.3.3 Application Software Controls. An application that processes sensitive data, or requires
protections because of the risk and magnitude of loss or harm that could result from
improper operation, manipulation or disclosure must be provided protection appropriate to
its sensitivity. The following will be considered as the minimum controls to be applied to
sensitive applications, with additional controls or safeguards to be imposed if appropriate:
2.3.3.1 The Agency approved security requirements and specifications will be defined prior to
acquiring or starting development of applications, or prior to making a substantial
change to the existing application.
2.3.3.2 Design reviews will be conducted at periodic intervals during the developmental
process to assure that the proposed design will satisfy the functional and security
requirements specified.
2.3.3.3 New or substantially modified sensitive applications must be thoroughly tested prior
to implementation to verify that the user functions and the required administrative,
technical, and physical safeguards are present and are operationally adequate. This
is to be accomplished as part of the certification and accreditation process.
2.3.3.4 Sensitive data or files will not be used to test applications software until software
integrity has been reasonably assured by testing with non-sensitive data or files.
2.3.3.5 Sensitive application software will not be placed in a production status until the
system tests have been successfully completed and the application has been properly
certified and accredited. Prototypes that process production data must be certified
and accredited before they are deployed or implemented.
2.3.3.6 Current backup copies of critical application software, documentation, data bases and
other resources required for its operation, will be maintained and be readily
available for use in the event of an emergency.
2.3.3.7 Sensitive applications will be re-certified every three years or following major
changes.
2.3.3.8 Sensitive software documentation must be provided the same degree of protection as
that provided for the software.
2#) So5t:3re Se+/r1ty Im9-eme,t3t1o, &ro+e6/res So6t4are desi2ned to 0ro1ide
in6or3ation security is li3ited by the e66ecti1eness o6 the 0rocedures i30le3ented to
support it. Procedural issues, which relate to the use of the system software and which
should be addressed, are as follows:
2.3.4.1. A minimum length of eight characters is required for passwords. The minimum length
will be software controlled.
2.3.4.2. Default User Accounts. Operating systems are sometimes installed with a standard set
of default user accounts and associated standard security passwords. The access
route shall be protected by either disabling the standard user account or by changing
the passwords.
2.3.4.3. All security problem fix software, patches, command scripts, and the like provided by
vendors, official computer emergency response teams (CERTs), and other trusted
third parties must be promptly installed and documented.
2.3.5. Processing Environments. The Agency automated information systems use several
processing environments that meet the specific and varied needs of users. Following are
descriptions of processing environments and the unique information security aspects
related to them:
2.3.5.1. Production environment is the environment for the processing of official data utilized
in support of office and facility missions and management. Information security
procedures for production environments must specifically address controls for:
• Viewing, modifying, downloading or deleting production system data and
programs
• Generation and disposition of outputs
• Tracking production program version changes (maintenance of a software
update history log is required under configuration management discussed in
Chapter 4 of the Agency Operational Controls Handbook)
• Access to the computer and its peripheral devices
2.3.5.2. Development and Verification is the environment for the development, testing, and
verification of program code for the maintenance, modification or enhancement of
existing applications, or the development of new applications. Information security
procedures for this environment must specifically address controls for:
• Viewing, modifying, or deleting test data
• Creating, viewing, modifying, or deleting development programs
• Generation and disposition of outputs
• Transfer of application programs and data files from the development and
verification environment to the production environment
• The computer system and its peripheral and telecommunication devices
2.3.5.3. Demonstration and/or Training enables use of system or application software
functions in an on-line mode (using production or development computer resources)
without affecting the production or development environments. The demonstration
and/or training environment must simulate, on a demonstration or training disk, the
production environment and use non-sensitive data to test, train, or demonstrate the
system. Information security procedures for this environment must specifically
address:
• Protecting production and development system programs and data files
• Accessing the "Demonstration" account by the general public (other than the
Agency staff)
• Limiting user access to only those capabilities necessary to utilize the
demonstration programs
• Limiting access to the computer and its peripheral and communications devices
• Generic access codes may be used to enter the "Demonstration" environment; this
is the only exception to the mandated requirement for individual password codes
2.4. RESPONSIBILITIES
2.4.1. Agency Software Developers:
2.4.1.1. Ensure that security controls are incorporated in the design, development, and testing
of contractor-developed software.
2.4.1.2. Ensure that the Agency developed application software and patches are certified prior
to release to the agency.
2.4.2. Agency CIO, Technical Services, or designee:
2.4.2.1. Accredit all the Agency software and patches prior to release to the agency.
2.4.2.2. Ensure that all the Agency facilities are in compliance with the policy outlined in this
chapter.
2.4.3. Office Heads, and Facility Directors: Ensure that adequate application security controls
on locally purchased application software are implemented at their sites.
2.4.4. Agency CIO:
2.4.4.1. Ensures that the operating system and application software security controls on all
software used throughout the agency meet the Agency requirements.
2.4.4.2. Ensures that any COTS applications purchased by offices and regional facilities meet
the Agency security controls.
2.4.5. System administrators:
2.4.5.1. Maintain the software utilized on their systems.
2.4.5.2. Ensure that the operating system and application software controls are operating as
intended on the systems under their responsibility.
2.4.5.3. Install all problem fix software, patches, and command scripts on appropriate systems
in a timely manner.
2.4.6. ISO/AISO:
2.4.6.1. Ensure that locally procured software has been approved by the review board and
certified and accredited by the office head or facility director.
2.4.6.2. Audit to ensure that software (application and operating system) controls are in place
and functioning as designed.
3. NETWORK AND COMMUNICATION SECURITY
3.1. PURPOSE
3.1.1. This chapter provides guidance and policy related to network and communication security
for the Agency sites. Independent Internet gateways, electronic mail, facsimile (fax)
transmissions, local area networks (LANs), and wide area networks (WANs) need
security controls established to ensure the confidentiality, integrity, and availability of the
data being transmitted.
3.1.2. The policy contained in this chapter covers all the Agency IT resources maintained
in-house or in the interest of the Agency. These policies are mandatory on all organizational
units, employees, contractors, and others having access to and/or using the IT resources of
the Agency.
3.1.3. This policy applies to all the Agency automated information systems processing sensitive
data currently in existence and any new automated technology acquired after the effective
date of this policy document.
3.2. BACKGROUND
3.2.1. Network security is not any different from single host security in terms of confidentiality,
integrity, and availability of resources. The real difference in providing basic security
services occurs because of the increased complexity of the networked environment.
Providing confidentiality of information, for example, is difficult enough when the entire
system resides in a single room. Consider the implications of allowing access to
information from multiple locations both inside and outside of the Agency. Security for a
single host is generally the responsibility of a single individual. In a networked
environment, the security of individual systems is the responsibility of numerous
individuals. Intruders to networks continually count on finding a single weak link in the
network chain that will then allow them access to the rest of the network. Network
security measures must account for this, as well as other complexities, in an attempt to
maintain the security of the network data and resources.
3.3. POLICY
3.3.1. General Network Policy
The Agency safeguards must ensure the privacy of sensitive information during storage,
processing, and transmission.
3.3.1.1. The Agency users will be granted access to the Agency networks based upon duty
requirements and the need to access resources.
3.3.1.2. The Agency facilities will implement the necessary mechanisms and procedures to
protect information processed on networks, to include:
• Maintaining a record of authorized users of a network and their network
privileges and reviewing this record on a regular basis to ensure that access to the
network is limited to only those individuals with a justified need
• Ensuring that all networks are certified and accredited (See Management
Controls Handbook for details)
• Ensuring that computer systems are configured to terminate a user process if that
user-network connectivity is interrupted before a proper log out
• Ensuring that the network and systems automatically terminate sessions after
periods of inactivity
• Establishing individual accounts for each user on the network. "Generic
accounts" that allow users access to network resources anonymously are
prohibited
• Establishing formal reporting procedures for unexpected events and activity
3.3.2. External Connections. An external connection is any connection (not just an Internet
connection) from an outside network (a source other than the Agency) that is
electronically linked to a system or network that is owned or operated by or on behalf of
the Agency.
3.3.2.1. External connections must incorporate adequate controls to safeguard the Agency IT
resources.
3.3.2.2. At a minimum, all external connections must incorporate a firewall. Network
firewalls are devices used to protect a trusted computer network from an untrusted
one.
3.3.2.3. The Agency policy has established the following as the minimum specifications for a
firewall:
3.3.2.3.1. Configuration and Installation:
• Activate the minimum set of operating system services to support firewall
operation. Activate no other operating system services
• Configure the firewall computer's operating system with all current patches and
plugs to known exploits
• Support high availability configurations and load balancing through integrated
capabilities or by integration of third party products
• Configure the firewall so that it cannot be identifiable as such to other
network(s), or, at most, appears to be just another router
• Disguise or hide internal Domain Name Systems (DNS) to prevent direct
external requests
• Ignore service requests like "echo" or "chargen" that could be used in a denial of
service attack
• Prevent network connections from bypassing the firewall
• Be installed in locations that are physically secure from tampering
3.3.2.3.2. Access Management:
• Restrict use of a particular application only to customers authorized to access the
application
• Implement a "deny all services except those specifically permitted" design
policy
• Implement two-factor authentication for administrative log-in to permit secure
remote log-in by the authorized system administrator
• Support integration of external authentication databases, such as RADIUS or
LDAP
• Employ techniques such as content filtering to permit or deny services to specific
external hosts, such as web sites that the Agency staff are restricted from
accessing
• Incorporate and operate a systematic method of intrusion detection. Data from
intrusion detection must be stored such that it can serve as evidence in forensic
investigations
3.3.2.3.3. Auditing and Filtering:
• Log access to and through the firewall
• Capture log-in attempts by authorized and unauthorized users
• Employ a flexible, user-friendly IP-filtering language that is easy to program and
can filter on a wide variety of attributes, including source and destination IP
addresses, protocol types, port numbers, and inbound and outbound interfaces
• Screen data coming through the firewall
• Concentrate, filter, and log dial-in access
• Generate an audit trail of calls passing through the firewall for review of security
anomalies at future times
• Support third-party products for log analysis and data reduction
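The following added example, which is not part of the Handbook, shows how three of the firewall specifications above fit together: a "deny all services except those specifically permitted" rule set, ignoring echo and chargen requests, and an audit trail entry for every decision. The interface names, rule names and addresses (documentation ranges plus a 10.0.0.0/8 internal network) are assumptions made for illustration.

```python
# Added example: first-match packet filter with a default-deny fallthrough.
# All names, interfaces and addresses are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str                 # interface the packet arrived on
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "drop"
    in_iface: Optional[str] = None    # None means "any"
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dports: Tuple[int, ...] = ()      # empty tuple means "any port"

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src_net is not None and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


# Order matters: the first matching rule decides.
RULES: List[Rule] = [
    # echo (port 7) and chargen (port 19) are ignored on every interface.
    Rule("drop-echo-chargen", "drop", dports=(7, 19)),
    # Specifically permitted: web traffic to the public access system.
    Rule("permit-public-web", "permit", in_iface="outside", proto="tcp",
         dst_net="192.0.2.10/32", dports=(80, 443)),
    # Specifically permitted: DNS queries from internal hosts, inside interface only.
    Rule("permit-inside-dns", "permit", in_iface="inside", proto="udp",
         src_net="10.0.0.0/8", dports=(53,)),
]

AuditEntry = Tuple[str, str, Packet]


def evaluate(rules: List[Rule], packet: Packet, audit_log: List[AuditEntry]) -> str:
    """Return "permit" or "drop" and record the decision in the audit trail."""
    decision, reason = "drop", "default-deny"     # nothing matched: deny
    for rule in rules:
        if rule.matches(packet):
            decision, reason = rule.action, rule.name
            break
    audit_log.append((decision, reason, packet))  # permits and drops are both logged
    return decision


# Constructed sample traffic.
SAMPLE_PACKETS: List[Packet] = [
    Packet("outside", "tcp", "198.51.100.7", "192.0.2.10", 443),
    Packet("outside", "tcp", "198.51.100.7", "192.0.2.10", 22),
    Packet("outside", "udp", "198.51.100.7", "192.0.2.10", 19),
    Packet("inside", "udp", "10.1.2.3", "203.0.113.53", 53),
    # Internal source address arriving on the outside interface: no permit rule applies.
    Packet("outside", "udp", "10.1.2.3", "203.0.113.53", 53),
    Packet("outside", "icmp", "198.51.100.7", "192.0.2.10"),
]


def run_demo() -> List[Tuple[str, str]]:
    """Evaluate the sample packets and return (decision, matching rule) pairs."""
    log: List[AuditEntry] = []
    for pkt in SAMPLE_PACKETS:
        evaluate(RULES, pkt, log)
    return [(decision, reason) for decision, reason, _ in log]


if __name__ == "__main__":
    for (decision, reason), pkt in zip(run_demo(), SAMPLE_PACKETS):
        print(f"{decision:6} {reason:18} {pkt}")
```

Because the fallthrough is a drop, forgetting to write a rule fails closed, and the audit log shows which rule (or the default) produced each decision.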
3.3.3. Notification
3.3.3.1. Provide notification of threats, including unsolicited distribution of executable files,
and notification of efforts by accepted users to gain access to systems or
applications that they do not have permission to enter.
3.3.3.2. Generate alarms, predicated on the occurrence of a specific event or combination of
events, on a timely basis (e.g., within 60 seconds) after the event occurs.
3.3.4. Future Security Enhancements
3.3.4.1. Accommodate new services and needs to allow for changes in the Agency and the
Agency security policy.
3.3.4.2. Contain advanced authentication measures, or the hooks for installing advanced
authentication measures, if strong authentication for inbound access is required.
3.3.4.3. External connections must be accredited prior to use.
3.3.4.4. External connections will be periodically independently reviewed by an organization
other than that which sponsors the use and administration of the external connection.
These reviews will be conducted when there is significant change to the protected
asset, or at least every other year after initial accreditation. These reviews will
ensure that external connections remain in compliance with the minimum security
standards outlined in this policy, and will ensure that risk assessments, security
plans, and contingency plans remain current.
3.3.4.5. Where user access originates from outside the internal Agency protected network,
all users must be identified and authenticated at the gateway prior to being granted
access to internal resources.
3.3.4.6. Where sensitive data is to be accessed from or through untrusted networks, the entire
session must be encrypted.
3.3.5. Internet/Public Access
3.3.5.1. There are several methods available for connecting to the Internet system. They
include, but are not limited to, purchasing a commercial service, establishing an
independent gateway or connecting through the Agency Internet Gateways.
3.3.5.2. The Agency Internet Gateways have been established as a common resource for all the
Agency facilities to use. The Agency Internet Gateways are provided to support
information sharing, research, and education in and among the Agency facilities,
research and instructional institutions, and other government agencies and
commercial services. Although use of the Agency Internet Gateways is not
mandatory, the Agency sites are strongly encouraged to use these systems for
conducting business with the Internet community.
3.3.5.3. Those sites electing to establish their own connection to the Internet or to other
networks external to the Agency (i.e., universities, vendors, other government
agencies) must meet all of the security requirements established by the Agency.
3.3.5.4. The Agency must approve external connections prior to operation.
3.3.5.5. The Agency employees are expected to conduct themselves professionally in the
workplace and must not use the Internet for activities that are inappropriate or
offensive to co-workers or the public. Such activities include playing electronic
games, or accessing sexually explicit materials or materials that ridicule others on
the basis of race, creed, religion, color, sex, disability, national origin or sexual
orientation.
3.3.5.6. Employees must ensure that all sites accessed have no cost attached. For example, a
prompt to enter a special password, or to register prior to entering the database may
indicate that it is fee-based.
3.3.5.7. Government-issued credit cards must not be used for personal access to the Internet,
or to purchase items from the Internet for personal use.
3.3.5.8. Employees must not use dial-out modems to connect to commercial Internet service
providers, such as America Online. If exceptions are required, approval must be
obtained from senior management.
3.3.5.9. Employees using the Agency resources to access the Internet are subject to
monitoring. Incidents of inappropriate access will be reported to supervisors and the
ISO for disciplinary action.
3.3.5.10. All software and files downloaded from non-Agency sources via the Internet (or
any other public network) must be screened with virus detection software. The
screening must take place prior to being run or examined via another program such
as a word processing package.
3.3.5.11. All public access systems will be located outside the internal Agency network.
3.3.5.12. Systems that are exposed to the Internet, such as the Agency public access systems,
will not be permitted direct access to the internal Agency network.
3.3.6. Modem communications
3.3.6.1. Data communication connections via modems are to be limited and tightly controlled
as they pose a serious risk that can circumvent security controls intended to protect
the Agency networks from external, "untrusted" networks.
3.3.6.2. Employees are prohibited from connecting dial-up modems to the Agency
workstations that are simultaneously connected to the Agency's network or another
internal communication network.
3.3.6.3. Remote users (telecommuters and employees on travel) dialing into the Agency
systems must be routed through a modem pool that includes an approved extended
user authentication security system.
3.3.6.4. Reliable and confidential hardware and software authentication systems are to be
incorporated into the Agency approved communication servers. Positive
authentication is to be established prior to granting access to network resources.
3.3.6.5. Event logging functions are to be provided to enable a review of suspicious activities.
3.3.6.6. Controls are required for remote access to the Agency systems. A log will be
maintained and reviewed quarterly of individuals granted remote access to ensure
that accountability is maintained.
3.3.7. Electronic Mail (email)
3.3.7.1. Only authorized email software may be used.
3.3.7.2. The Agency employees who utilize email systems will do so with the understanding
that they have no expectation of personal privacy relating to that use.
3.3.7.3. When appropriately authorized by management, electronic mail messages flowing
through the Agency systems may be monitored for internal policy compliance,
suspected criminal activity, and other systems management reasons.
3.3.7.4. The Agency users are prohibited from sending or forwarding any messages via the
Agency's information systems that a reasonable person would consider to be
defamatory, harassing, or explicitly sexual. Employees are also prohibited from
sending or forwarding messages or images via the Agency systems that would be
likely to offend on the basis of race, gender, national origin, sexual orientation,
religion, political beliefs, or disability.
3.3.7.5. When employees receive unwanted and unsolicited e-mail (also known as SPAM),
they must refrain from responding directly to the sender. Instead, forward the
message to the email administrator who will take steps to prevent further
transmission.
3.3.7.6. The Agency projects and commercial products for secure electronic mail (email)
systems are undergoing rapid development and will be available in the near future.
Until such products are implemented, users must not send sensitive information via
email.
3.3.7.7. The Agency system administrators establish and maintain a systematic process for the
retention and destruction of electronic mail messages and accompanying logs.
3.3.7.8. Users must regularly move important information from electronic mail message files
to word processing documents, databases, and other files. Electronic mail systems
are not intended for the archival storage of important information. Stored electronic
mail messages are periodically expunged by system administrators, mistakenly
erased by users, and otherwise lost when system problems occur.
3.3.8. Telecommuting Security
3.3.8.1. The security of the Agency property at an alternative work site (i.e., home, hotel, etc.)
is just as important as it is at the Agency facility. At alternative work sites,
reasonable precautions must be taken to protect the Agency hardware, software, and
information from theft, damage, and misuse.
3.3.8.2. Users must not discard sensitive information at home, in hotel wastebaskets or other
publicly accessible trash containers. Instead, sensitive information must be retained
until it can be shredded, or destroyed by other approved methods.
3.3.8.3. Telecommuters must ensure that the systems they utilize remotely maintain the current
anti-virus software.
3.3.8.4. Remote users should not maintain sensitive data on their systems unless adequately
secured via encryption or authenticated access control mechanisms. This is
especially important if the system is also used to connect to the Internet.
3.3.8.5. Telecommuters must use the password facility in their screen saver.
3.3.8.6. Only authorized telecommuters will be given access to the Agency's networks.
Managers must take steps to ensure that telecommuting employees do not
compromise the integrity of the Agency systems.
3.3.8.7. Telecommuters must be authenticated prior to access to the Agency's network. Where
possible, user access should be limited to specific systems specified during the
log-in process.
3.3.8.8. Sensitive data should not be transmitted unless appropriately secured via encryption.
3.3.8.9. Employees are responsible for the integrity and confidentiality of the data on remote
systems. Access controls must be in place to protect the Agency systems and
electronic information located at remote sites (i.e., home, telecommuting work
locations, hotels and convention centers).
3.3.9. Facsimile (fax) transmission
3.3.9.1. Sensitive information will only be transmitted via a secure facsimile system (e.g.,
encrypted or via a protected network). Commercial-off-the-shelf (COTS) software
and hardware are available to provide the necessary safeguards and should be
employed as appropriate.
3.3.9.2. Each office and facility should develop policies and procedures to protect privacy
while transmitting information via facsimile. The policy and procedures must:
• Limit use to urgent situations
• Ensure appropriate location of facsimile machines
• Assign accountability for managing each facsimile machine
• Define appropriate safeguards to ensure transmissions are sent to the appropriate
individual
• Define procedures for cases of misdirected transmissions and receipts
• Routine disclosure of information should be made through regular mail or courier
• Autofaxing, which allows automatic facsimile transmission of reports, should be
set up carefully to ensure that they are necessary and that correct facsimile
numbers are contained in the system
• A cover letter should accompany each transmission and include:
  ◦ Date/time of transmission
  ◦ Sending facility's name, address, telephone and facsimile numbers
  ◦ Authorized receiver's name
  ◦ Number of pages transmitted
  ◦ Confidentiality notice, including instructions on re-disclosure and
    destruction
3.3.9.3. A procedure must be developed to cover instances when a site is notified that a fax
was received by other than the intended recipient. The internal logging system of
the facsimile machine should be checked to obtain the number to which the
transmission was sent in error. If the number was incorrect, a facsimile should be
sent to that number explaining that the information was misdirected and asking for the
documents to be returned by mail to the sending facility.
3.3.9.4. A procedure must be developed regarding the receipt of facsimile documents
containing sensitive information. The procedure should address the following areas:
• Accountability for monitoring the facsimile machine. A fax machine must be
located in a secure, controlled area
• Ensuring the prompt removal of documents
• Checking for completeness and legibility of received information
• Notifying senders of transmission problems
• Following the instructions on the cover page
• Arranging for secure delivery of the documents
3.3.10. PBX (Telephone) Security
3.3.10.1. Keep PBX attendant console rooms, telephone wiring closets, telephone equipment
rooms, and Local Exchange Company (LEC) demarcation rooms locked and
secured. These rooms shall meet the same physical security requirements as
outlined in the Agency's Operations Handbook, Chapter 5 "Physical/Environmental
Security".
3.3.10.2. Request positive identification from all service equipment vendors and technicians.
3.3.10.3. Ensure that any remote maintenance line phone number is unpublished, preferably
not in the same number group, and not recorded on jacks, wallfield, distribution
frame, etc.
3.3.10.4. Secure any reports, documentation, or other information files that may reveal the
trunk access codes or passwords.
3.3.10.5. Change all default passwords immediately after installation.
3.3.10.6. Choose passwords that meet the requirements as outlined in Chapter 1 "Technical
Security" of this Handbook.
3.3.10.7. Deactivate unused codes and features.
3.3.10.8. Allow only three attempts to enter a valid access code.
3.3.10.9. Have the PBX wait four or five rings before answering the remote access line.
3.3.10.10. Restrict calling privileges to individual employees.
3.3.10.11. Block area codes where business is not done, especially 900, 700, and 976.
3.3.10.12. Use the maximum authorization and Remote Access barrier code length.
3.3.10.13. Use security devices on all ports.
3.3.10.14. Ensure that all unused ports are disconnected from the system.
3.3.11. Voice Mail
3.3.11.1. Don't allow outgoing calls from a mailbox.
3.3.11.2. Block access to long distance trunks or local lines.
3.3.11.3. Toll restrict lines between the voice mail system and PBX.
3.3.11.4. Delete all unused voice mailboxes.
3.4. RESPONSIBILITIES
3.4.1. The Agency CIO: Ensures that all IT systems in the agency are in compliance with the
technical policy outlined in this chapter.
3.4.2. Office Heads, and Facility Directors:
3.4.2.1. Ensure that the security technical controls are established on all the systems at their
facilities.
3.4.2.2. Accredit all systems implementing external connections initiated from the site to
non-Agency sources.
3.4.2.3. Prior to implementation, ensure that the review board has approved all external
connections initiating from the site that connect the Agency's network with an
external non-Agency network.
3.4.3. Agency CIO:
3.4.3.1. Ensures that the security technical controls outlined in this chapter are implemented
on the Agency IT resources.
3.4.3.2. Ensures that all systems implementing external connections from the site to
non-Agency sources are secure and certified.
3.4.3.3. Ensures that all external connections from the Agency's network to non-Agency
networks meet the Agency security criteria and receive final approval of the review
board prior to accreditation by the CIO.
3.4.3.4. Ensures that all systems implementing external connections from the site to
non-Agency sources are accredited prior to operation.
3.4.3.5. Ensures that all external connections are re-certified and accredited every other year
after initial accreditation.
3.4.3.6. Ensures that all dial-up modems are justified and approved prior to use.
3.4.4. ISO/AISO:
3.4.4.1. Maintains a record of authorized users of a network and their network privileges. This
may be delegated to the review board if appropriate.
3.4.4.2. Reviews this record on a regular basis to ensure that access to the network is limited to
only those individuals with a justified need.
3.4.4.3. Works with the system administrators and the CIO to ensure that all systems are
certified and accredited.
3.4.4.4. Conducts audits to ensure that technical controls are implemented and performing as
required.
4. APPENDIX A
4.1. ACRONYMS
ACL     Access Control List
AISO    Alternate Information Security Officer
CIO     Chief Information Officer
COTS    Commercial Off-The-Shelf
DOD     Department of Defense
DNS     Domain Name Systems
EMAIL   Electronic Mail
FAX     Facsimile
IP      Internet Protocol
IRS     Internal Revenue Service
ISO     Information Security Officer
IT      Information Technology
LAN     Local Area Network
LEC     Local Exchange Company
PBX     Private Branch Exchange
PIN     Personal Identification Number
PPD     Port Protection Device
SAM     Security Account Manager
SSA     Social Security Administration
WAN     Wide Area Network
5. APPENDIX B
5.1. GLOSSARY
Access Control: Security control designed to permit authorized access to an IT
system or application.
Accreditation: A formal declaration by the Office Head that the IT is approved to
operate in a particular security mode using a prescribed set of
safeguards. Accreditation is the official management authorization
for operation of IT and is based on the certification process, as
well as other management considerations. The accreditation
statement affixes security responsibility with the Office Head and
shows that due care has been taken for security.
Authentication: Verification of the identity of a user, user device, or other entity, or
the integrity of data stored, transmitted, or otherwise exposed to
unauthorized modification in an IT.
Audit Trail: A record showing who has accessed a computer system and what
operations he or she has performed during a given period of time.
Audit trails are useful both for maintaining security and for
recovering lost transactions.
Automated Information System(s) (AIS): An assembly of computer hardware, software
and/or firmware configured to collect, create, communicate, compute,
disseminate, process, store, and/or control data or information.
Availability of Data: The state when data are in the place needed by the user, at the time
the user needs them, and in the form needed by the user.
Backup: A copy of data and/or applications contained in the IT stored on
magnetic media outside of the IT to be used in the event IT data are
lost.
Certification: The comprehensive evaluation of the technical and non-technical
security features of an IT and other safeguards, made in support of
the accreditation process, that establishes the extent to which a
particular design and implementation meet a specified set of
security requirements.
Ciphertext: Form of cryptography in which the plaintext is made unintelligible
to anyone who intercepts it, by a transformation of the information
itself, based on some key.
Confidentiality: The concept of holding sensitive data in confidence, limited to an
appropriate set of individuals or organizations.
Configuration Management: The process of keeping track of changes to the system
and, if needed, approving them.
Contingency Plan: A plan for emergency response, backup operations, and
post-disaster recovery maintained by an activity as a part of its security
program that will ensure the availability of critical resources and
facilitate the continuity of operations in an emergency situation.
COTS Software: Commercial Off The Shelf Software. Software acquired by
government contract through a commercial vendor. This software
is a standard product, not developed by a vendor for a particular
government project.
Data Integrity: The state that exists when automated data is the same as that in
source documents, or has been correctly computed from source
data, and has not been exposed to alteration or destruction.
Degaussing Media: Method to magnetically erase data from magnetic tape.
Default: A value or setting that a device or program automatically selects if
you do not specify a substitute.
Dial-up: The service whereby a computer terminal can use the telephone to
initiate and effect communication with a computer.
Encryption: The process of making information indecipherable to protect it
from unauthorized viewing or use, especially during transmission
or storage. Encryption is based on an algorithm and at least one
key. Even if the algorithm is known, the information cannot be
decrypted without the key(s).
Facsimile: A document that has been sent, or is about to be sent, via a fax
machine.
Firewall: A system or combination of systems that enforces a boundary
between two or more networks.
Friendly Termination: The removal of an employee from the organization when there is no
reason to believe that the termination is other than mutually
acceptable.
Gateway: A bridge between two networks.
Hardware: Refers to objects that you can actually touch, like disks, disk drives,
display screens, keyboards, printers, boards, and chips.
Identification: The process that enables recognition of a user described to an IT.
Internet: A global network connecting millions of computers. As of 1999,
the Internet has more than 200 million users worldwide, and that
number is growing rapidly.
Intranet: A network based on TCP/IP protocols (an internet) belonging to an
organization, usually a corporation, accessible only by the
organization's members, employees, or others with authorization.
An intranet?s Ceb sites look and act Nust like any other Ceb sites<
but the 6ire4all surroundin2 an intranet 6ends o66 unauthori;ed
access
I,tr/s1o, Dete+t1o, !ertainin2 to techni7ues< 4hich atte30t to detect intrusion into a
co30uter or net4ork by obser1ation o6 actions< security lo2s< or
audit data 'etection o6 break:ins or atte30ts either 3anually or
1ia so6t4are e50ert syste3s that o0erate on lo2s or other
in6or3ation a1ailable on the net4ork
ISO.AISO The 0ersons res0onsible to the O66ice Head or /acility 'irector 6or
ensurin2 that security is 0ro1ided 6or and i30le3ented throu2hout
the li6e cycle o6 an IT 6ro3 the be2innin2 o6 the conce0t
de1elo03ent 0lan throu2h its desi2n< de1elo03ent< o0eration<
3aintenance< and secure dis0osal
Iss/e@s9e+151+ &o-1+y !olicies de1elo0ed to 6ocus on areas o6 current rele1ance and
concern to an o66ice or 6acility $oth ne4 technolo2ies and the
a00earance o6 ne4 threats o6ten re7uire the creation o6 issue:
s0eci6ic 0olicies 8e2< e:3ail< Internet usa2e9
IT Se+/r1ty -easures and controls that 0rotect an IT a2ainst denial o6 and
unauthori;ed 8accidental or intentional9 disclosure< 3odi6ication< or
destruction o6 ITs and data IT security includes consideration o6
all hard4are and=or so6t4are 6unctions
IT Se+/r1ty &o-1+y The set o6 la4s< rules< and 0ractices that re2ulate ho4 an
or2ani;ation 3ana2es< 0rotects< and distributes sensiti1e
in6or3ation
IT Systems: An assembly of computer hardware, software and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information.
LDAP: Short for Lightweight Directory Access Protocol, a set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access.
Least Privilege: The process of granting users only those accesses they need to perform their official duties.
Local Area Network: A short-haul data communications system that connects IT devices in a building or group of buildings within a few square miles, including (but not limited to) workstations, front-end processors, controllers, switches, and gateways.
Management Controls: Security methods that focus on the management of the computer security system and the management of risk for a system.
Modem: An electronic device that allows a microcomputer or a computer terminal to be connected to another computer via a telephone line.
Network: Two or more systems connected by a communications medium; a network is composed of a communications medium and all components attached to that medium whose responsibility is the transference of information.
Operating System: The most important program that runs on a computer. Every general-purpose computer must have an operating system to run other programs. Operating systems perform basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers.
Operation Controls: Security methods that focus on mechanisms that primarily are implemented and executed by people (as opposed to systems).
Overwriting media: Method for clearing data from magnetic media. Overwriting uses a program to write (1s, 0s, or a combination) onto the media. Overwriting should not be confused with merely deleting the pointer to a file (which typically happens when a "delete" command is used).
Password: Protected/private character string used to authenticate an identity or to authorize access to data.
Parity: The quality of being either odd or even. The fact that all numbers have parity is commonly used in data communication to ensure the validity of data. This is called parity checking.
PBX: Short for private branch exchange, a private telephone network used within an enterprise. Users of the PBX share a certain number of outside lines for making telephone calls external to the PBX.
Peripheral Device: Any external device attached to a computer. Examples of peripherals include printers, disk drives, display monitors, keyboards, and mice.
Port: An interface on a computer to which you can connect a device.
Port Protection Device: A device that authorizes access to the port itself, often based on a separate authentication independent of the computer's own access control functions.
RADIUS: Short for Remote Authentication Dial-In User Service, an authentication and accounting system used by many Internet Service Providers (ISPs). When you dial in to the ISP you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system.
Real Time: Occurring immediately. Real time can refer to events simulated by a computer at the same speed that they would occur in real life.
Remote Access: The hookup of a remote computing device via communication lines such as ordinary phone lines or wide area networks to access network applications and information.
Risk: The probability that a particular threat will exploit a particular vulnerability of the system.
Risk Analysis: The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. Risk analysis is a part of risk management.
Risk Management: Process of identifying, controlling, and eliminating or reducing risks that may affect IT resources.
Router: An interconnection device that is similar to a bridge but serves packets or frames containing certain protocols. Routers link LANs at the network layer.
Rules of Behavior: Rules established and implemented concerning use of, security in, and acceptable level of risk for the system. Rules will clearly delineate responsibilities and expected behavior of all individuals with access to the system. Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of Federal Government equipment, the assignment and limitation of system privileges, and individual accountability.
Security Incident: An adverse event in a computer system or the threat of such an event occurring.
Security Plan: Document that details the security controls established and planned for a particular system.
Security Specifications: A detailed description of the safeguards required to protect a system.
Sensitive Data: Any information, the loss, misuse, modification of, or unauthorized access to, could affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, U.S. Code, but has not been specifically authorized under criteria established by an Executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy.
Separation of Duties: A process that divides roles and responsibilities so that a single individual cannot subvert a critical process.
Server: The control computer on a local area network that controls software access to workstations, printers, and other parts of the network.
Smart Card: A credit-card-sized device with embedded microelectronics circuitry for storing information about an individual. This is not a key or token, as used in the remote access authentication process.
Software: Computer instructions or data. Anything that can be stored electronically is software.
Software Copyright: The right of the copyright owner to prohibit copying and/or issue permission for a customer to employ a particular computer program.
SPAM: To crash a program by overrunning a fixed-size buffer with excessively large input data. Also, to cause a person or newsgroup to be flooded with irrelevant or inappropriate messages.
System: Set of processes, communications, storage, and related resources that are under the same direct management control, have the same function or mission objective, have essentially the same operating characteristics and security needs, and reside in the same general operating environment.
System Availability: The state that exists when required automated information can be performed within an acceptable time period even under adverse circumstances.
System Integrity: The quality that a system has when it performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
System Administrator: The individual responsible for defining the system's operating parameters, authorized functions, and security requirements. This individual is usually the person who maintains the system on a day-to-day basis.
System Owner: The individual who is ultimately responsible for the function and security of the system.
TCP/IP: Transmission Control Protocol/Internet Protocol. The Internet Protocol is based on this suite of protocols.
Technical Controls: Security methods consisting of hardware and software controls used to provide automated protection to the system or applications. Technical controls operate within the technical system and applications.
Technical Security Policy: Specific protection conditions and/or protection philosophy that express the boundaries and responsibilities of the IT product in supporting the information protection policy control objectives and countering expected threats.
Telecommunications: Any transmission, emission, or reception of signals, writing, images, sound or other data by cable, telephone lines, radio, visual or any electromagnetic system.
Threat: Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial thereof.
Trojan Horse: Any program designed to do things that the user of the program did not intend to do, or that disguises its harmful intent. A program that installs itself while the user is making an authorized entry, and then is used to break in and exploit the system.
Unfriendly Termination: The removal of an employee under involuntary or adverse conditions. This may include termination for cause, RIF, involuntary transfer, resignation for "personality conflicts," and situations with pending grievances.
User: Any person who is granted access privileges to a given IT.
User Interface: The part of an application that the user works with. User interfaces can be text-driven, such as DOS, or graphical, such as Windows.
Virus: A self-propagating Trojan horse (a program that surreptitiously exploits the security/integrity of a program), composed of a mission component, a trigger component, and a self-propagating component.
Vulnerability: A weakness in automated system security procedures, technical controls, environmental controls, administrative controls, internal controls, etc., that could be used as an entry point to gain unauthorized access to information or disrupt critical processing.
Wide Area Network: A physical or logical network that provides capabilities for a number of independent devices to communicate with each other over a common transmission-interconnected topology in geographic areas larger than those served by local area networks.
6. APPENDIX C
6.1. REFERENCES
Computer Security Act of 1987 (PL 100-235)
OMB Circular A-123, Internal Control Systems
OMB Circular A-130, Management of Federal Information Resources, Appendix III, "Security of Federal Automated Information Systems"
Privacy Act of 1974 (PL-93-579) and Amendments
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model
The Agency Directive XXX, Information Technology Systems Security Policy