GAO     General Accounting Office
IMTEC   Information Management and Technology Division
NIST    National Institute of Standards and Technology
NSA     National Security Agency
OMB     Office of Management and Budget

APPENDIX I

OBJECTIVES, SCOPE, AND METHODOLOGY
----------------------------------

In response to a June 5, 1989, request of the Chairman, House Committee on Science, Space, and Technology, and subsequent agreements with his office, we assessed the impact of the computer security planning and review process required by the Computer Security Act of 1987. As agreed, we limited our review primarily to 10 civilian agencies in the Washington, D.C. area: the Departments of Agriculture, Commerce, Energy, Health and Human Services, the Interior, Labor, Transportation, the Treasury, and Veterans Affairs, and the General Services Administration. As agreed, the Department of Defense was excluded from our review because the plans it submitted differed substantially in format and content from the civilian plans. Specifically, we

--assessed the computer security planning process and NIST/NSA review comments on the security plans developed as a result of the process,

--determined the extent to which the 10 agencies implemented planned control measures reported in 22 selected plans, and

--developed summary statistics using a NIST/NSA data base covering over 1,500 civilian computer security plans.

To assess the impact of the planning and review process on agencies' security programs, we interviewed information resource management, computer security, and other officials from the 10 agencies listed above. In addition, we interviewed officials from NIST, NSA, and OMB who were involved in the planning process, to gain their perspectives on the benefits and problems associated with the process. We analyzed 22 computer security plans developed by the 10 agencies and the NIST/NSA review feedback relating to the plans. Most plans addressed groups of systems. (See app. II for a description of the systems.) We selected the systems primarily on the basis of their sensitivity, significance, and prior GAO, President's Council on Integrity and Efficiency, and OMB reviews. We also reviewed federal computer security planning and review guidance, department requests for agency component plans, and department and agency computer security policies.

To determine the extent to which planned computer security controls have been implemented, we reviewed the 22 plans and discussed with agency officials the status of these controls.

To develop security plan statistics, we used the NIST/NSA data base, which contains data on the status of controls for over 1,500 plans. We did not verify the status of the planned controls as reported to us by agency officials, the accuracy of the plans, or the data in the NIST/NSA data base.

APPENDIX II

PLANS GAO REVIEWED
------------------

Organization                                   Plan
------------                                   ----
Farmers Home Administration                    Automated Field Management System
                                               Accounting Systems
Patent and Trademark Office                    Patent and Trademark Automation Systems
Social Security Administration                 Benefit Payment System
                                               Social Security Number Assignment System
                                               Earnings Maintenance System
                                               Access Control Event Processor System
Bureau of Labor Statistics                     Economic Statistics System
Employment Standards Administration            Federal Employees' Compensation System Level I
U.S. Geological Survey                         National Digital Cartographic Data Base
                                               National Earthquake Information Service
Federal Aviation Administration                En Route and Terminal Air Traffic Control System
                                               Maintenance and Operations Support Systems
                                               Interfacility Communications System
                                               Ground-to-Air Systems
                                               Weather and Flight Services Systems
Internal Revenue Service                       Compliance Processing System
                                               Tax Processing System
Customs Service                                Automated Commercial System
Veterans Affairs Austin Data Processing Center Mainframe Equipment Configuration
General Services Administration                FSS-19 Federal Supply System
Department of Energy Strategic Petroleum       Mainframe Computer and PC Sensitive Systems
  Reserve Project Management Office

Note: Summary information describing each of the above systems has been omitted from this version of the report. Call GAO report distribution at 202-275-6241 to obtain a complete copy of this report.

APPENDIX III

COMPUTER SECURITY AND PRIVACY PLAN
----------------------------------

We developed this composite security plan to show what most civilian plans contained, their format, and some common omissions. Notes in parentheses show common deviations from the OMB guidance.

Computer Security and Privacy Plan

1. BASIC SYSTEM IDENTIFICATION

Reporting Department or Agency - Department of X
Organizational Subcomponent - Subagency Y
Operating Organization - Organization Z
System Name/Title - Automated Report Management System (ARMS)

System Category
  [X] Major Application
  [ ] General-Purpose ADP Support System

Level of Aggregation
  [X] Single Identifiable System
  [ ] Group of Similar Systems

Operational Status
  [X] Operational
  [ ] Under Development

General Description/Purpose - The primary purpose of ARMS is to retrieve, create, process, store, and distribute data. (Note: The description and purpose are incomplete. OMB Bulletin 88-16 required a one- or two-paragraph description of the function and purpose of the system.)

System Environment and Special Considerations - System is controlled by an ABC series computer which is stored in the computer room. (Note: The environment is not adequately described. OMB Bulletin 88-16 requested a description of system location, types of computer hardware and software involved, types of users served, and other special considerations.)

Information Contact - Security Officer, J. Doe, 202/275-xxxx

2. SENSITIVITY OF INFORMATION

General Description of Information Sensitivity - The data ARMS maintains and uses are those required to provide a total management information function. (Note: This description is inadequate. OMB Bulletin 88-16 requested that the plans describe, in general terms, the nature of the system and the need for protective measures.)

Applicable Laws or Regulations Affecting the System - 5 U.S.C. 552a, "Privacy Act," c. 1974.

System Protection Requirements

The Protection Requirement is:
                          Primary   Secondary   Minimal/NA
[X] Confidentiality         [X]        [ ]         [ ]
[X] Integrity               [X]        [ ]         [ ]
[X] Availability            [ ]        [X]         [ ]

3. SYSTEM SECURITY MEASURES

Risk Assessment - There currently exists no formal large-scale risk assessment covering ARMS. We are scheduling a formal risk analysis.

Applicable Guidance - FIPS PUB No. 41, Computer Security Guidelines for Implementing the Privacy Act of 1974; FIPS PUB No. 83, Guidelines on User Authentication Techniques for Computer Network Access Control.

SECURITY MEASURES
-----------------

MANAGEMENT CONTROLS
                                         In Place   Planned   In Place & Planned   N/A
                                         --------   -------   ------------------   ---
Assignment of Security Responsibility      [X]        [ ]            [ ]           [ ]
Risk/Sensitivity Assessment                [ ]        [ ]            [X]           [ ]
  A formal risk analysis program will be used to update the current assessment. (Note: An expected operational date is not included. OMB Bulletin 88-16 states that there should be expected operational dates for controls that are planned or in place and planned.)
Personnel Selection Screening              [ ]        [ ]            [X]           [ ]