
National Institute of Standards and Technology

Technology Administration

U.S. Department of Commerce

 

An Introduction to Computer Security:

The NIST Handbook


Special Publication 800-12

 

Table of Contents

 

I. INTRODUCTION AND OVERVIEW

Chapter 1

INTRODUCTION

1.1 Purpose

1.2 Intended Audience

1.3 Organization

1.4 Important Terminology

1.5 Legal Foundation for Federal Computer Security Programs

Chapter 2

ELEMENTS OF COMPUTER SECURITY

2.1 Computer Security Supports the Mission of the Organization.

2.2 Computer Security is an Integral Element of Sound Management.

2.3 Computer Security Should Be Cost-Effective.

2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit.

2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations.

2.6 Computer Security Requires a Comprehensive and Integrated Approach.

2.7 Computer Security Should Be Periodically Reassessed.

2.8 Computer Security is Constrained by Societal Factors.

Chapter 3

ROLES AND RESPONSIBILITIES

3.1 Senior Management

3.2 Computer Security Management

3.3 Program and Functional Managers/Application Owners

3.4 Technology Providers

3.5 Supporting Functions

3.6 Users

Chapter 4

COMMON THREATS: A BRIEF OVERVIEW

4.1 Errors and Omissions

4.2 Fraud and Theft

4.3 Employee Sabotage

4.4 Loss of Physical and Infrastructure Support

4.5 Malicious Hackers

4.6 Industrial Espionage

4.7 Malicious Code

4.8 Foreign Government Espionage

4.9 Threats to Personal Privacy

II. MANAGEMENT CONTROLS

Chapter 5

COMPUTER SECURITY POLICY

5.1 Program Policy

5.2 Issue-Specific Policy

5.3 System-Specific Policy

5.4 Interdependencies

5.5 Cost Considerations

Chapter 6

COMPUTER SECURITY PROGRAM MANAGEMENT

6.1 Structure of a Computer Security Program

6.2 Central Computer Security Programs

6.3 Elements of an Effective Central Computer Security Program

6.4 System-Level Computer Security Programs

6.5 Elements of Effective System-Level Programs

6.6 Central and System-Level Program Interactions

6.7 Interdependencies

6.8 Cost Considerations

Chapter 7

COMPUTER SECURITY RISK MANAGEMENT

7.1 Risk Assessment

7.2 Risk Mitigation

7.3 Uncertainty Analysis

7.4 Interdependencies

7.5 Cost Considerations

Chapter 8

SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE

8.1 Computer Security Act Issues for Federal Systems

8.2 Benefits of Integrating Security in the Computer System Life Cycle

8.3 Overview of the Computer System Life Cycle

8.4 Security Activities in the Computer System Life Cycle

8.5 Interdependencies

8.6 Cost Considerations

Chapter 9

ASSURANCE

9.1 Accreditation and Assurance

9.2 Planning and Assurance

9.3 Design and Implementation Assurance

9.4 Operational Assurance

9.5 Interdependencies

9.6 Cost Considerations

III. OPERATIONAL CONTROLS

Chapter 10

PERSONNEL/USER ISSUES

10.1 Staffing

10.2 User Administration

10.3 Contractor Access Considerations

10.4 Public Access Considerations

10.5 Interdependencies

10.6 Cost Considerations

Chapter 11

PREPARING FOR CONTINGENCIES AND DISASTERS

11.1 Step 1: Identifying the Mission- or Business-Critical Functions

11.2 Step 2: Identifying the Resources That Support Critical Functions

11.3 Step 3: Anticipating Potential Contingencies or Disasters

11.4 Step 4: Selecting Contingency Planning Strategies

11.5 Step 5: Implementing the Contingency Strategies

11.6 Step 6: Testing and Revising

11.7 Interdependencies

11.8 Cost Considerations

Chapter 12

COMPUTER SECURITY INCIDENT HANDLING

12.1 Benefits of an Incident Handling Capability

12.2 Characteristics of a Successful Incident Handling Capability

12.3 Technical Support for Incident Handling

12.4 Interdependencies

12.5 Cost Considerations

Chapter 13

AWARENESS, TRAINING, AND EDUCATION

13.1 Behavior

13.2 Accountability

13.3 Awareness

13.4 Training

13.5 Education

13.6 Implementation

13.7 Interdependencies

13.8 Cost Considerations

 

 

Chapter 14

SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS

14.1 User Support

14.2 Software Support

14.3 Configuration Management

14.4 Backups

14.5 Media Controls

14.6 Documentation

14.7 Maintenance

14.8 Interdependencies

14.9 Cost Considerations

Chapter 15

PHYSICAL AND ENVIRONMENTAL SECURITY

15.1 Physical Access Controls

15.2 Fire Safety Factors

15.3 Failure of Supporting Utilities

15.4 Structural Collapse

15.5 Plumbing Leaks

15.6 Interception of Data

15.7 Mobile and Portable Systems

15.8 Approach to Implementation

15.9 Interdependencies

15.10 Cost Considerations

 

IV. TECHNICAL CONTROLS

Chapter 16

IDENTIFICATION AND AUTHENTICATION

16.1 I&A Based on Something the User Knows

16.2 I&A Based on Something the User Possesses

16.3 I&A Based on Something the User Is

16.4 Implementing I&A Systems

16.5 Interdependencies

16.6 Cost Considerations

Chapter 17

LOGICAL ACCESS CONTROL

17.1 Access Criteria

17.2 Policy: The Impetus for Access Controls

17.3 Technical Implementation Mechanisms

17.4 Administration of Access Controls

17.5 Coordinating Access Controls

17.6 Interdependencies

17.7 Cost Considerations

Chapter 18

AUDIT TRAILS

18.1 Benefits and Objectives

18.2 Audit Trails and Logs

18.3 Implementation Issues

18.4 Interdependencies

18.5 Cost Considerations

 

 

Chapter 19

CRYPTOGRAPHY

19.1 Basic Cryptographic Technologies

19.2 Uses of Cryptography

19.3 Implementation Issues

19.4 Interdependencies

19.5 Cost Considerations

 

V. EXAMPLE

Chapter 20

ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM

20.1 Initiating the Risk Assessment

20.2 HGA's Computer System

20.3 Threats to HGA's Assets

20.4 Current Security Measures

20.5 Vulnerabilities Reported by the Risk Assessment Team

20.6 Recommendations for Mitigating the Identified Vulnerabilities

20.7 Summary

 

Index -- Cross Reference and General Index


Acknowledgments

 

NIST would like to thank the many people who assisted with the development of this handbook. For their initial recommendation that NIST produce a handbook, we thank the members of the Computer System Security and Privacy Advisory Board, in particular, Robert Courtney, Jr. NIST management officials who supported this effort include: James Burrows, F. Lynn McNulty, Stuart Katzke, Irene Gilbert, and Dennis Steinauer.

In addition, special thanks are due to those contractors who helped craft the handbook, prepare drafts, teach classes, and review material:

Daniel F. Sterne of Trusted Information Systems (TIS, Glenwood, Maryland) served as Project Manager for Trusted Information Systems on this project. In addition, many TIS employees contributed to the handbook, including: David M. Balenson, Martha A. Branstad, Lisa M. Jaworski, Theodore M.P. Lee, Charles P. Pfleeger, Sharon P. Osuna, Diann K. Vechery, Kenneth M. Walker, and Thomas J. Winkler-Parenty.

Additional drafters of handbook chapters include:

Lawrence Bassham III (NIST), Robert V. Jacobson, International Security Technology, Inc. (New York, NY) and John Wack (NIST).

Significant assistance was also received from:

Lisa Carnahan (NIST), James Dray (NIST), Donna Dodson (NIST), the Department of Energy, Irene Gilbert (NIST), Elizabeth Greer (NIST), Lawrence Keys (NIST), Elizabeth Lennon (NIST), Joan O'Callaghan (Bethesda, Maryland), Dennis Steinauer (NIST), Kibbie Streetman (Oak Ridge National Laboratory), and the Tennessee Valley Authority.

Moreover, thanks are extended to the reviewers of draft chapters. While many people assisted, the following two individuals were especially tireless:

Robert Courtney, Jr. (RCI) and Steve Lipner (MITRE and TIS).

Other important contributions and comments were received from:

Members of the Computer System Security and Privacy Advisory Board, and the Steering Committee of the Federal Computer Security Program Managers' Forum.

Finally, although space does not allow specific acknowledgement of all the individuals who contributed to this effort, their assistance was critical to the preparation of this document.

Disclaimer: Note that references to specific products or brands are for explanatory purposes only; no endorsement, explicit or implicit, is intended or implied.