National Agency Check Inquiries (NACI) are required for all employees but have not been completed for everyone having access to sensitive information. Expected operational date - October 1989.

DEVELOPMENT CONTROLS

                                                       In Place
                                            In Place   & Planned   Planned   N/A
                                            --------   ---------   -------   ---
Security Specifications                       [X]         [ ]        [ ]     [ ]
Design Review & Testing                       [ ]         [ ]        [ ]     [X]
Certification/Accreditation                   [ ]         [X]        [ ]     [ ]

(Note: No information is given for certification/accreditation. OMB Bulletin 88-16 states that a general description of the planned measures and expected operational dates should be provided.)

APPENDIX III

OPERATIONAL CONTROLS

                                                       In Place
                                            In Place   & Planned   Planned   N/A
                                            --------   ---------   -------   ---
Production, I/O Controls                      [X]         [ ]        [ ]     [ ]
Contingency Planning                          [ ]         [X]        [ ]     [ ]

A contingency plan is being developed in compliance with requirements established by the agency's security program. Completion date - November 1990.

Audit and Variance Detection                  [ ]         [ ]        [X]     [ ]

Day-to-day procedures are being developed for variance detection. Audit reviews are also being developed and will be conducted on a monthly basis. Completion date - June 1989.

Software Maintenance Controls                 [X]         [ ]        [ ]     [ ]
Documentation                                 [X]         [ ]        [ ]     [ ]

SECURITY AWARENESS AND TRAINING

                                                       In Place
                                            In Place   & Planned   Planned   N/A
                                            --------   ---------   -------   ---
Security Awareness and Training Measures      [ ]         [ ]        [X]     [ ]

Training for management and users in information and application security will be strengthened, and security awareness training provided for all new employees beginning in June 1989.
TECHNICAL CONTROLS

                                                       In Place
                                            In Place   & Planned   Planned   N/A
                                            --------   ---------   -------   ---
User Identification and Authentication        [X]         [ ]        [ ]     [ ]
Authorization/Access Controls                 [X]         [ ]        [ ]     [ ]
Data Integrity & Validation Controls          [X]         [ ]        [ ]     [ ]
Audit Trails & Journaling                     [X]         [ ]        [ ]     [ ]

SUPPORT SYSTEM SECURITY MEASURES

                                                       In Place
                                            In Place   & Planned   Planned   N/A
                                            --------   ---------   -------   ---
Security Measures for Support Systems         [X]         [ ]        [ ]     [ ]

4. NEEDS AND ADDITIONAL COMMENTS

(Note: This section was left blank in most plans. OMB Bulletin 88-16 stated that the purpose of this section was to give agency planners the opportunity to include comments concerning needs for additional guidance, standards, or other tools to improve system protection.)

APPENDIX IV

NIST/NSA FEEDBACK ON COMPUTER SECURITY PLANS
--------------------------------------------

The following example shows typical NIST/NSA comments and recommendations.

COMPUTER SECURITY PLAN REVIEW PROJECT
COMMENTS AND RECOMMENDATIONS

REF. NO. 0001
AGENCY NAME: Department of X, Subagency Y
SYSTEM NAME: Automated Report Management System

The brevity of information in the information sensitivity, general system description, and the system environment sections made it difficult to understand the security needs of the system. Information on the physical, operational, and technical environment and the nature of the sensitivity is essential to understanding the security needs of the system.

For some controls, such as security training and awareness, expected operational dates are not indicated as required by OMB Bulletin 88-16.

The plan refers to the development control, design review and testing, as not applicable. Even in an operational system, development controls should be addressed as historical security measures and as ongoing measures for changing hardware and software.

The plan notes that a more formal risk assessment is being planned.
This effort should help your organization more effectively manage risks and security resources. National Institute of Standards and Technology Federal Information Processing Standards Publication 65, "Guideline for Automatic Data Processing Risk Analysis," and 73, "Guideline for the Security of Computer Applications," may be of help in this area.

APPENDIX V

STATUS OF SECURITY CONTROLS IN 1,542 PLANS
------------------------------------------

                                                                          In place
                                                       Plan   In place   & planned   Planned
Security controls                              responses(a)  (percent)   (percent) (percent)
---------------------------------------------- ------------  ---------   --------- ---------
Management controls
  Assignment of security responsibility               1,448         91           5         4
  Personnel selection and screening                   1,268         84          11         5
  Risk analysis and sensitivity assessment            1,321         71          13        17
Development controls
  Design review and testing                             728         82          10         8
  Certification and accreditation                       948         66          10        24
  Security and acquisition specifications             1,093         83          10         7
Operational controls
  Audit and variance detection                        1,177         81           7        12
  Documentation                                       1,375         83          10         8
  Emergency, backup, and contingency planning         1,381         69          14        17
  Physical and environmental protection                 450         87          10         4
  Production and input/output controls                1,290         87           7         7
  Software maintenance controls                       1,327         87           7         7
  Security training and awareness measures            1,408         58          27        15
Technical controls
  Authorization/access controls                       1,389         87           6         7
  Confidentiality controls                              357         84           7         9
  Audit trail mechanisms                              1,194         83           8         9
  Integrity controls                                  1,220         85           8         7
  User identification and authentication              1,370         87           7         6
Weighted average                                         --         81          10        10

Note: The status of security controls is based on information reported in 1,542 civilian plans in early 1989 and contained in the NIST/NSA data base. Missing and not applicable answers were not included in the percentages. Some percentages do not add up to 100 due to rounding.

(a) "Plan responses" is the number of plans, out of 1,542, that addressed each control.
APPENDIX VI

MAJOR CONTRIBUTORS TO THIS REPORT
---------------------------------

INFORMATION MANAGEMENT AND TECHNOLOGY DIVISION, WASHINGTON, D.C.
----------------------------------------------------------------

Linda D. Koontz, Assistant Director
Jerilynn B. Hoy, Assignment Manager
Beverly A. Peterson, Evaluator-in-Charge
Barbarol J. James, Evaluator

(510465)

RELATED GAO PRODUCTS
--------------------

Computer Security: Identification of Sensitive Systems Operated on Behalf of Ten Agencies (GAO/IMTEC-89-70, Sept. 27, 1989).

Computer Security: Compliance With Security Plan Requirements of the Computer Security Act (GAO/IMTEC-89-55, June 21, 1989).

Computer Security: Compliance With Training Requirements of the Computer Security Act of 1987 (GAO/IMTEC-89-16BR, Feb. 22, 1989).

Computer Security: Status of Compliance With the Computer Security Act of 1987 (GAO/IMTEC-88-61BR, Sept. 22, 1988).