National Institute of Standards and Technology

Technology Administration

U.S. Department of Commerce

Special Publication 800-12

Chapter 1

1.1 Purpose 3

1.2 Intended Audience 3

1.3 Organization 4

1.4 Important Terminology 5

1.5 Legal Foundation for Federal Computer Security Programs 7

Chapter 2

2.1 Computer Security Supports the Mission of the Organization. 9

2.2 Computer Security is an Integral Element of Sound Management. 10

2.3 Computer Security Should Be Cost-Effective. 11

2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit. 12

2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations. 12

2.6 Computer Security Requires a Comprehensive and Integrated Approach. 13

2.7 Computer Security Should Be Periodically Reassessed. 13

2.8 Computer Security is Constrained by Societal Factors. 14

Chapter 3

3.1 Senior Management 16

3.2 Computer Security Management 16

3.3 Program and Functional Managers/Application Owners 16

3.4 Technology Providers 16

3.5 Supporting Functions 18

3.6 Users 20

Chapter 4

4.1 Errors and Omissions 22

4.2 Fraud and Theft 23

4.3 Employee Sabotage 24

4.4 Loss of Physical and Infrastructure Support 24

4.5 Malicious Hackers 24

4.6 Industrial Espionage 26

4.7 Malicious Code 27

4.8 Foreign Government Espionage 27

4.9 Threats to Personal Privacy 28

Chapter 5

5.1 Program Policy 35

5.2 Issue-Specific Policy 37

5.3 System-Specific Policy 40

5.4 Interdependencies 42

5.5 Cost Considerations 43

Chapter 6

6.1 Structure of a Computer Security Program 45

6.2 Central Computer Security Programs 47

6.3 Elements of an Effective Central Computer Security Program 51

6.4 System-Level Computer Security Programs 53

6.5 Elements of Effective System-Level Programs 53

6.6 Central and System-Level Program Interactions 56

6.7 Interdependencies 56

6.8 Cost Considerations 56

Chapter 7

7.1 Risk Assessment 59

7.2 Risk Mitigation 63

7.3 Uncertainty Analysis 67

7.4 Interdependencies 68

7.5 Cost Considerations 68

Chapter 8

8.1 Computer Security Act Issues for Federal Systems 71

8.2 Benefits of Integrating Security in the Computer System Life Cycle 72

8.3 Overview of the Computer System Life Cycle 73

8.4 Security Activities in the Computer System Life Cycle 74

8.5 Interdependencies 86

8.6 Cost Considerations 86

Chapter 9

9.1 Accreditation and Assurance 90

9.2 Planning and Assurance 92

9.3 Design and Implementation Assurance 92

9.4 Operational Assurance 96

9.5 Interdependencies 101

9.6 Cost Considerations 101

Chapter 10

10.1 Staffing 107

10.2 User Administration 110

10.3 Contractor Access Considerations 116

10.4 Public Access Considerations 116

10.5 Interdependencies 117

10.6 Cost Considerations 117

Chapter 11

11.1 Step 1: Identifying the Mission- or Business-Critical Functions 120

11.2 Step 2: Identifying the Resources That Support Critical Functions 120

11.3 Step 3: Anticipating Potential Contingencies or Disasters 122

11.4 Step 4: Selecting Contingency Planning Strategies 123

11.5 Step 5: Implementing the Contingency Strategies 126

11.6 Step 6: Testing and Revising 128

11.7 Interdependencies 129

11.8 Cost Considerations 129

Chapter 12

12.1 Benefits of an Incident Handling Capability 134

12.2 Characteristics of a Successful Incident Handling Capability 137

12.3 Technical Support for Incident Handling 139

12.4 Interdependencies 140

12.5 Cost Considerations 141

Chapter 13

13.1 Behavior 143

13.2 Accountability 144

13.3 Awareness 144

13.4 Training 146

13.5 Education 147

13.6 Implementation 148

13.7 Interdependencies 152

13.8 Cost Considerations 152

Chapter 14

14.1 User Support 156

14.2 Software Support 157

14.3 Configuration Management 157

14.4 Backups 158

14.5 Media Controls 158

14.6 Documentation 161

14.7 Maintenance 161

14.8 Interdependencies 162

14.9 Cost Considerations 163

Chapter 15

15.1 Physical Access Controls 166

15.2 Fire Safety Factors 168

15.3 Failure of Supporting Utilities 170

15.4 Structural Collapse 170

15.5 Plumbing Leaks 171

15.6 Interception of Data 171

15.7 Mobile and Portable Systems 172

15.8 Approach to Implementation 172

15.9 Interdependencies 174

15.10 Cost Considerations 174

Chapter 16

16.1 I&A Based on Something the User Knows 180

16.2 I&A Based on Something the User Possesses 182

16.3 I&A Based on Something the User Is 186

16.4 Implementing I&A Systems 187

16.5 Interdependencies 189

16.6 Cost Considerations 189

Chapter 17

17.1 Access Criteria 194

17.2 Policy: The Impetus for Access Controls 197

17.3 Technical Implementation Mechanisms 198

17.4 Administration of Access Controls 204

17.5 Coordinating Access Controls 206

17.6 Interdependencies 206

17.7 Cost Considerations 207

Chapter 18

18.1 Benefits and Objectives 211

18.2 Audit Trails and Logs 214

18.3 Implementation Issues 217

18.4 Interdependencies 220

18.5 Cost Considerations 221

Chapter 19

19.1 Basic Cryptographic Technologies 223

19.2 Uses of Cryptography 226

19.3 Implementation Issues 230

19.4 Interdependencies 233

19.5 Cost Considerations 234

Chapter 20

20.1 Initiating the Risk Assessment 241

20.2 HGA's Computer System 242

20.3 Threats to HGA's Assets 245

20.4 Current Security Measures 248

20.5 Vulnerabilities Reported by the Risk Assessment Team 257

20.6 Recommendations for Mitigating the Identified Vulnerabilities 261

20.7 Summary 266

Index -- Cross Reference and General Index 269

Acknowledgments

NIST would like to thank the many people who assisted with the development of this handbook. For their initial recommendation that NIST produce a handbook, we thank the members of the Computer System Security and Privacy Advisory Board, in particular, Robert Courtney, Jr. NIST management officials who supported this effort include: James Burrows, F. Lynn McNulty, Stuart Katzke, Irene Gilbert, and Dennis Steinauer.

In addition, special thanks is due those contractors who helped craft the handbook, prepare drafts, teach classes, and review material:

Daniel F. Sterne of Trusted Information Systems (TIS, Glenwood, Maryland) served as Project Manager for Trusted Information Systems on this project. In addition, many TIS employees contributed to the handbook, including: David M. Balenson, Martha A. Branstad, Lisa M. Jaworski, Theodore M.P. Lee, Charles P. Pfleeger, Sharon P. Osuna, Diann K. Vechery, Kenneth M. Walker, and Thomas J. Winkler-Parenty.

Additional drafters of handbook chapters include:

Lawrence Bassham III (NIST), Robert V. Jacobson, International Security Technology, Inc. (New York, NY) and John Wack (NIST).

Significant assistance was also received from:

Lisa Carnahan (NIST), James Dray (NIST), Donna Dodson (NIST), the Department of Energy, Irene Gilbert (NIST), Elizabeth Greer (NIST), Lawrence Keys (NIST), Elizabeth Lennon (NIST), Joan O'Callaghan (Bethesda, Maryland), Dennis Steinauer (NIST), Kibbie Streetman (Oak Ridge National Laboratory), and the Tennessee Valley Authority.

Moreover, thanks is extended to the reviewers of draft chapters. While many people assisted, the following two individuals were especially tireless:

Robert Courtney, Jr. (RCI) and Steve Lipner (MITRE and TIS).

Other important contributions and comments were received from:

Members of the Computer System Security and Privacy Advisory Board, and the

Steering Committee of the Federal Computer Security Program Managers' Forum.

Finally, although space does not allow specific acknowledgement of all the individuals who contributed to this effort, their assistance was critical to the preparation of this document.

Disclaimer: Note that references to specific products or brands is for explanatory purposes only; no endorsement, explicit or implicit, is intended or implied.