| NATIONAL MANAGER
FOREWORD
This National Telecommunications and Information Systems Security Advisory
Memorandum (NTISSAM) is intended to provide guidance to users, security
officers, procurement
officers, and others who are responsible for the security of office automation
systems. This
guidance is intended for use by all activities of the executive branch
of the United States
Government who process classified or sensitive, but unclassified, information
in office automation
systems. Other sources of guidance, including directives, manuals, and
regulations issued by
various departments and agencies of the United States Government are cited
as references in the
document.
Additional copies may be requested from:
Executive Secretary
National Telecommunications and Information
Systems Security Committee
National Security Agency
Fort George G. Meade, MD 20755-6000
This NTISSAM may be used or quoted without restriction.
EXECUTIVE SUMMARY
Office Automation Systems (OA systems) are small, microprocessor-based
Automated
Information Systems that are used for such functions as typing, filing,
calculating, sending and
receiving electronic mail, and other data processing tasks. They are becoming
commonly used by
managers, technical employees, and clerical employees to increase efficiency
and productivity.
Examples of OA systems include personal computers, word processors, and
file servers.
This guideline provides security guidance to users of OA systems, to
the ADP System Security
Officers responsible for their operational security, and to others who
are responsible for the
security of an OA system or its magnetic storage media at some point during
its life-cycle.
This guideline explains how OA system security issues differ from those
associated with
mainframe computers. It discusses some of the threats and vulnerabilities
of OA systems, and some
of the security controls that can be used. It also discusses some of the
environmental considerations
necessary for the safe, secure operation of an OA system.
This guideline suggests some security responsibilities of OA system users,
and of ADP System
Security Officers. Also described are some of the security responsibilities
of the organization that
owns or leases the OA system.
In addition, guidance is given to the procurement officer who must purchase
OA systems or
components, and guidance is also provided to the officer who is responsible
for securely disposing
of OA systems, components, or the associated magnetic media.
This document is issued as a National Telecommunications and Information
Systems Security
Advisory Memorandum, and is therefore intended as guidance only. Nothing
in this guideline
should be construed as encouraging or permitting the circumvention of
existing Federal
Government or organizational policies.
TABLE OF CONTENTS
PART I: INTRODUCTION
1.0 INTRODUCTION 3
1.1 Purpose and Scope 3
1.2 Structure 3
2.0 THE OFFICE AUTOMATION SECURITY PROBLEM 5
2.1 Protecting Information From Unauthorized Personnel 5
2.2 Sensitivity Levels of Magnetic Media 6
2.3 OA Systems With Fixed Media vs. OA Systems With Removable Media 7
PART II: GUIDANCE FOR THE OFFICE AUTOMATION SYSTEM USER
3.0 RESPONSIBILITIES OF OA SYSTEM USERS 11
4.0 OPERATIONAL SECURITY FOR STAND-ALONE OFFICE AUTOMATION
SYSTEMS 12
4.1 OA Systems With Removable Media Only 12
4.2 OA Systems With Fixed Media 17
5.0 OPERATIONAL SECURITY FOR CONNECTED OFFICE AUTOMATION
SYSTEMS 21
5.1 Using an OA System as a Terminal Connected to Another Automated
Information System 21
5.2 OA Systems Used as Hosts on Local Area Networks 22
PART III: GUIDANCE FOR ADP SYSTEM SECURITY OFFICERS
6.0 RESPONSIBILITIES OF THE ADPSSO 27
7.0 THREATS, VULNERABILITIES, AND CONTROLS 28
7.1 Threats, Vulnerabilities, and Controls: an Overview .28
7.2 Physical and Personnel Security 29
7.3 Communications Security 31
7.4 Emanations Security 32
7.5 Hardware/Software Security 32
7.6 Magnetic Media 34
7.7 Environmental Considerations 36
7.8 Preparing Downgraded Extracts 38
PART IV: GUIDANCE FOR OTHERS
8.0 RESPONSIBILITIES OF THE ORGANIZATION OWNING THE OA SYSTEM 41
9.0 REQUIRING SECURITY IN THE PROCUREMENT OF OFFICE AUTOMATION
SYSTEMS 43
9.1 Processing Classified Information: Policy Requirements 43
9.2 Physical Environment of the OA System 44
9.3 Identification of Non-Volatile Components 44
9.4 System Communications Capabilities 44
9.5 Shared-Use Systems and Multi-User Systems 45
10.0 SECURE DISPOSAL OF OFFICE AUTOMATION SYSTEMS 47
10.1 Removable Media 47
10.2 Fixed Media 47
10.3 The Remainder of the OA System 47
APPENDIX: A Guideline on Sensitivity Marking of the Office Automation
System and Its
Storage Media 49
LIST OF ACRONYMS 53
GLOSSARY 54
REFERENCES 57
1.0 INTRODUCTION
In recent years, there has been a tremendous increase in the number of
Federal Government
personnel using Automated Information Systems (AIS) to help with their
jobs. In a large number
of cases, the AIS involved are small, microprocessor-based systems referred
to as "Office
Automation Systems," or "OA Systems," for short. These
OA Systems can increase efficiency and
productivity of those whose jobs include such functions as typing, filing,
calculating, and sending
and receiving electronic mail. In addition, these systems can be used
by technical and other
personnel to performs functions such as computing and data processing.
When used wisely, OA Systems can be a boon to the office worker and the
engineer alike, helping
to get more work done in less time. Not using them in a secure manner,
however, can result in the
compromise, improper modification, or destruction of classified or sensitive,
but unclassified,
information (as defined in NTISSP No. 2 [18]). It is therefore necessary
that OA System users be
made aware of: (1) procedures and practices which will aid in the secure
usage of these systems,
and (2) the consequences of not employing security measures. The objective
of this guideline is to
address these two issues in the context of protecting classified or sensitive,
but unclassified,
information.
1.1 Purpose and scope
This document provides guidance to users, managers, security officers,
and procurement officers
of Office Automation Systems. Areas addressed include: physical security,
personnel security,
procedural security, hardware/software security, emanations security (TEMPEST),
and
communications security for stand-alone OA Systems, OA Systems used as
terminals connected
to mainframe computer systems, and OA Systems used as hosts in a Local
Area Network (LAN).
Differentiation is made between those Office Automation Systems equipped
with removable
storage media only (e.g., floppy disks, cassette tapes, removable hard
disks) and those Office
Automation Systems equipped with fixed media (e.g., Winchester disks).
1.2 Structure
This guideline is divided into four parts, which are further subdivided
into a total of ten chapters.
Part I is the introductory part of this guideline. Chapter 1 gives an
introduction, while Chapter 2
discusses the Office Automation security problem and why it is different
from security problems
involving larger Automated Information Systems.
Part II provides guidance to the users of OA Systems. Chapter 3 details
some security
responsibilities of all OA System users. Chapter 4 provides guidance to
users of stand-alone OA
Systems, while Chapter 5 provides guidance to users of connected OA Systems.
Part III provides guidance to those ADP System Security Officers (ADPSSO)
who are responsible
for the security of OA systems. (Note: throughout this document, the term
"security officer" will
be used to mean ADPSSO.) Chapter 6 describes some of the responsibilities
of security officers.
Chapter 7 details some of the threats, vulnerabilities and security controls
associated with Office
Automation Systems.
Part IV provides guidance to others associated with OA Systems. Chapter
8 is a discussion of some
of the security responsibilities incumbent upon the organization that
owns an OA System. Chapter
9 provides guidance to procurement officers about addressing security
during the procurement
phase of the OA System life-cycle. Chapter 10 provides guidance concerning
the disposal of Office
Automation Systems and/or their components.
There is an Appendix that discusses security markings for the OA System
and media used in it, a
List of Acronyms that gives expansions for acronyms used in this guideline,
and a Glossary that
defines terms used in this document.
2.0 THE OFFICE AUTOMATION SECURITY PROBLEM
There are three major points to remember about Office Automation Systems
when considering
security of these systems throughout their life-cycle. These points are:
(1) Most current Office Automation Systems do not provide the hardware/software
controls necessary to protect information from anyone who gains physical
access to the system.
Therefore, the most effective security measures to be used with these
systems are appropriate
physical, personnel, and procedural controls.
(2) All information stored on a volume of magnetic media (e.g., floppy
disk, cassette tape,
fixed disk) should be considered to have the same sensitivity level. This
level should be at least as
restrictive as the highest sensitivity level of any information contained
on the volume of media.
(3) There are different security considerations for OA Systems with fixed
media versus
those with removable-media-only.
2.1 Protecting Information From Unauthorized Personnel
United States Government policy requires that classified information
not be given to an individual
unless he or she has the required clearance and needs the information
for the performance of the
job [6, 20]. For sensitive, but unclassified, information, no clearance
is required; therefore, all
access is based solely on need-to-know [20]. These policies must be enforced
for information
contained within OA Systems as well as for all other information. Therefore,
information
contained in OA Systems must be protected from compromise, unauthorized
modification, and
destruction.
Most current Office Automation Systems processing classified or sensitive,
but unclassified,
information do not provide sufficient hardware/software security controls
to prevent a user from
accessing information stored anywhere in the system. Simply put, most
current OA Systems are
based on microprocessors that do not support multiple hardware states.
In almost all cases, multiple
hardware states are necessary to identify users, limit their actions,
or keep them from accessing
information for which they are not authorized. (See Section 7.5 of this
document for a detailed
discussion of this problem.)
In fact, at the time of this writing, no Office Automation Systems have
been certified as meeting
even the class C1 requirements listed in the Department of Defense Trusted
Computer System
Evaluation Criteria [2], (hereafter known as the TCSEC).
Because of the lack of adequate hardware/software security, proper physical,
procedural, and
personnel access controls must be used to prevent personnel from accessing
the system while it
contains any information (either in memory or on resident media) for which
they are not
authorized.
2.2 Sensitivity Levels of Magnetic Media
All information contained on a volume of magnetic storage media should
be considered to have
the same sensitivity level. This sensitivity level should be at least
as restrictive as the highest
sensitivity level of any information contained on the media.
The reason for this requirement is simple: under ordinary circumstances,
a user of an OA System
has no way of knowing exactly what is written where on a volume of media.
It is possible that there
have been errors made in writing on the disk that result in parts of various
files being combined
without the user's knowledge.
Example: On most magnetic disks, there is a file allocation table with
entries pointing
to where on the disk each file is stored. Compromise of data can occur
if there is a cross-
link; that is, if an entry in the file allocation table for one file actually
points to part of
another file. As files are accessed and modified, it is often not possible
to write the
entire file in a contiguous set of storage locations. Therefore, the file
becomes
fragmented. The more a disk is used, the more fragmented the files become,
and the
greater the probability of a cross-link. In order to guard against compromise
of
information due to a cross-link, all information on the disk is considered
to have the
same sensitivity.
It is also likely that classified or sensitive, but unclassified, information
that has been "deleted"
from the system is still resident on the media, unless it has been completely
written over in an
approved manner. (See Reference 4 for guidance on overwriting media.)
Therefore, the media and
all information on the media should be regarded as having a single sensitivity
level.
It is certainly permissible to have some information on a volume of magnetic
media that is actually
less sensitive than the sensitivity level of the volume; however, due
to the fact that it is impossible
for the average user of an OA System to tell exactly what is written where,
security dictates that
this information be treated as having the higher sensitivity level.
Example: Suppose that a floppy disk is marked "Personnel privileged
information,"
and there is a file on this disk that contains only unsensitive information,
such as the
General Schedule salary tables. While this unsensitive file is on the
sensitive disk, it
must be treated as sensitive, because bad pointers or other problems could
cause the file
to actually contain sensitive information. Further, this file CANNOT be
copied to
another floppy disk unless the second floppy disk is also considered to
be sensitive, due
to the possibility of "Personnel privileged information" unintentionally
being copied.
If there is a file that is believed to be unsensitive that is stored
on a sensitive disk, it is permissible
to have a copy of that file printed, manually reviewed, and determined
to be unsensitive. This paper
copy can then be treated as unsensitive; however, the disk itself should
still be considered to be
sensitive. This applies to classified information as much as it does to
sensitive, but unclassified,
information.
2.3 OA Systems With Fixed Media vs. OA systems With Removable Media
"Removable media" are any magnetic storage media that are meant
to be frequently and easily
removed from the OA System by a user. Examples of removable media include
floppy disks,
cassette tapes, and removable hard disks.
"Fixed media" are any magnetic storage media that are not meant
to be removed from the system
by a user. Examples of fixed media include fixed disks and nonvolatile
memory expansion boards.
An OA System with removable-media-only is one which meets both of the
following criteria: (1)
the system does not currently use fixed media (e.g., Winchester disks)
to store or process
information; and (2) other than removable media such as floppy disks or
cassette tapes, the OA
System must have only volatile memory. (In determining whether or not
the OA System contains
fixed media, any read-only memory (ROM) the system contains can be ignored.)
If either condition
is not met, the system should be regarded as containing fixed media.
The sensitivity level of an OA System with removable-media-only can be
easily changed, because
all classified and sensitive, but unclassified, information can be removed
from the system after
each use. This is not true of an OA System with fixed media--the sensitivity
level of the system
cannot be lowered without a great deal of effort, because it is virtually
impossible to remove all
classified and sensitive, but unclassified, information from the system.
Therefore, if it is desired
that the OA System be used to process information of several different
sensitivity levels, or that it
be used by personnel with different levels of clearances, an OA System
with removable-media-
only should be used. (See Sections 4.1.2.2 and 4.2.2.2 of this guideline
for guidance on changing
the sensitivity levels of OA Systems.)
3.0 RESPONSIBILITIES OF OA SYSTEM USERS
One of the most common problems in Information Security is determining
exactly who is
responsible for what. This is a particularly important issue when Office
Automation Systems are
involved, since there is much less opportunity for oversight of "average
users" by "professional
security people." Therefore, it is incumbent upon each person to
do his or her part to prevent the
compromise of information.
The "average user" of an Office Automation System is the most
important person in maintaining
OA System security. If security is to be maintained, the user must develop
a "security mindset"
[16]. In view of this, the following general responsibilities of all OA
System users are described.
It should be remembered that responsibilities discussed in this section
apply equally to each user
of an OA System, regardless of whether or not that person has been formally
designated as the
security officer for that OA System.
(1) Each user of an OA System should know who the security officer for
that system is, and how
to contact that person.
(2) Each user of an OA System should have an awareness of the applicable
security guidelines [5,
11,16, 23]. Users should follow the applicable guidelines. If it is necessary
in an emergency to
deviate from the security guidelines, the user should report this deviation
to a security officer as
soon as possible, so that the security officer can take appropriate action.
(3) In addition to violations of security procedures, each user should
report suspected or known
compromise of information and/or theft of property to a security officer
[5, 23]. If a user believes
that a part of the OA System (including software and magnetic media) is
missing or damaged, or
has been changed, and the user is unable to determine why and by whom
the change was made,
then the problem should be reported to the ADPSSO at once. Similarly,
if a user has reason to
believe that information may have been copied, modified, or destroyed
improperly, the security
officer should immediately be notified.
(4) It is the responsibility of each user not to use software provided
by an unauthorized source. The
user should not violate any copyrights or other license agreements, and
is responsible for reporting
any known violations to the security officer. Further, the user should
not use any software which
he has obtained without ensuring that it has first been thoroughly tested
in an environment in which
no operational information can be compromised or damaged.
4.0 OPERATIONAL SECURITY FOR STAND-ALONE OFFICE AUTOMATION
SYSTEMS
4.1 OA Systems With Removable-Media-Only
4.1.1 Physical Access to Systems and Media
Physical access to the OA System at any given time should be limited
to those with clearance and
need-to-know for all information then contained in the system. It may
be necessary to keep the OA
System in a separate room or part of a room to keep unauthorized personnel
from being able to read
information displayed on the screen or on a printer. If the OA System
is not in a protected area,
special care should be taken to ensure that unauthorized personnel cannot
gain access to sensitive,
but unclassified, or classified information.
Example: Kelly, who is in charge of office personnel affairs, must process
the
quarterly promotion list, which contains personnel information that must
be protected
under the Privacy Act of 1974 [20]. The OA System on which he must work,
however,
is located in the middle of the office, where several people who are not
authorized to
see the information can see what he is doing. Kelly should therefore take
care to ensure
that none of his co-workers can see the information he is processing.
One way he might
do this is to use partitions to surround the OA System and block the view
of other
employees. A second way is to position the CRT screen and printer in such
a way that
no one else in the office can see them, and then to ensure that no one
is watching what
he is doing. A third way is to make sure that the room is empty before
doing his work.
It is important to emphasize that these rules also apply for personnel
performing maintenance on
the OA System. Maintenance, regardless of whether preventive or corrective,
should only be done
by authorized persons. Maintenance personnel should not be allowed physical
access to the OA
System until all classified and sensitive, but unclassified, information
for which they do not have
a clearance and need-to-know has been removed.
4.1.2 Using the Stand-Alone OA System With Removable Media Only
4.1.2.1 Normal Operation
The following procedures should be followed at all times during normal
operation of the OA
System:
(1) Monitor screens, printers, and other devices that produce human-readable
output
should be placed away from doors and windows. This helps ensure that casual
passersby cannot read information from them [5, 8, 11, 19, 23].
(2) Never leave an OA System running unattended while it contains information
that
should not be seen by everyone with physical access to it. Especially,
do not leave
an OA System unattended while classified or sensitive, but unclassified,
information is displayed on the screen. If a user must leave an OA System,
he/she
should follow the procedures outlined in Section 4.1.2.4 of this Guideline.
Example: Suppose that Tom edits a large data file containing personnel
records on an
OA System. When he is finished, he saves the edited file. Since writing
the new file
over the old one will take some time, Tom leaves the OA System to run
an errand. Sue
sees that the OA System is unattended, and accesses and modifies the personnel
file,
destroying its integrity.
(3) Electronic labels attached by the OA System to information on magnetic
storage
media should not be trusted to be accurate unless the OA System has been
evaluated by the National Computer Security Center and has been found
to be a
B1 or higher trusted system. While it is a good practice to indicate the
apparent
sensitivity of information by an electronic label of some sort (e.g.,
by a character
string in the file name or directory name, or by the value of the first
byte in the
file), these labels should not be trusted to be accurate. Therefore, all
data on the
media should be treated as being at a single sensitivity level--that which
is
indicated by the physical label attached to the media.
(4) It is not normally permissible to have a classified or sensitive,
but unclassified,
volume of magnetic storage media on line at the same time as a volume
with a
lower sensitivity level, unless the sensitivity level of the latter volume
is
immediately raised. (The exception to this is discussed Section 4.1.2.3.)
Example: Suppose that Terry has a file that she believes to contain only
Unclassified
information, but that is stored on a TOP SECRET floppy disk. Terry therefore
copies
the file to an Unclassified disk. The previously Unclassified disk should
then become
TOP SECRET. The reason for this is that there is no way for a user to
determine exactly
what has been written onto the disk; there is a chance that an error caused
TOP
SECRET information to be written onto the disk.
(5) Printers should not be left unattended while classified or sensitive,
but
unclassified, information is being printed unless the area in which it
is located provides a level of
physical security adequate to protect the printout from being read, copied,
or stolen by an
unauthorized individual.
(6) Any user who prints out classified or sensitive, but unclassified,
information
should remove that printout from the printer and/or printer area at the
earliest possible time. If this
is not done, classified or sensitive, but unclassified, information could
be compromised by an
unauthorized person reading, copying, or stealing a printout. (Note: this
is particularly true if the
printer is shared, and/or is not collocated with the rest of the OA System.
Even if adequate physical
security can be provided, it is good practice to remove the printout from
the printer area at the
earliest possible time.)
Example: Suppose that Pat is John's supervisor, and prints out John's
personnel records on
a printer. Pat then leaves the printout next to the printer, and leaves
the room to attend a
meeting. While Pat is gone, John's co-worker George walks into the room,
notices the
printout, and reads John's personnel records. This is a compromise of
information, and is
a violation of the Privacy Act of 1974 [20].
(7) The user should ensure that all printouts have appropriate sensitivity
markings
(e.g., "Personnel Privileged Information," "Proprietary,"
"Confidential," etc.) at the top and
bottom.
(8) If the printer ribbon is used to print classified information, it
should be marked at
the highest classification level it was used for, removed from the printer
when not
in use and stored and otherwise protected and disposed of as any other
classified
item.
(9) Use only software that has been obtained from authorized sources.
Do not pirate
software yourself, and do not use any software which has been obtained
by
violation of a copyright or license agreement. Furthermore, software should
not
be used unless it has been thoroughly tested by someone trustworthy (such
as the
organizational software distribution office, or the ADPSSO) for errors
and
malicious logic before it is exposed to operational information. (This
is especially
true for software obtained from the public domain.)
(10) Do not eat, drink, or smoke while using the OA System. Any spillage
could
seriously damage the system and/or magnetic media.
(11) Protect magnetic media from exposure to smoke, dust, magnetic fields,
and
liquids. Diskettes that get wet will generally warp or become otherwise
deformed. If a diskette or other volume of media does get wet, do not
attempt to
use it in an OA System, as doing so could result in damage to the system.
(12) If a manual audit log is kept for the system, record in it all necessary
information.
(13) No information should be processed or stored on any OA System until
a risk
analysis has been completed and appropriate countermeasures have been
determined.
(14) No classified information should be processed or stored on any OA
System
unless that system has been TEMPEST-approved for the zone in which it
is
operating [14, 15].
4.1.2.2 Changing the Sensitivity Level of Information the OA System is
Processing
OA Systems using removable-media-only contain no fixed media, and therefore
can be used to
process information of different sensitivity levels. In some instances
it may be more cost effective
to simply process all information as being at the system high level, and
then manually review all
output for the proper sensitivity. However, if this is impractical, then
the sensitivity level of the OA
System may be changed. When a change in the sensitivity level is desired,
the following steps
should be taken:
(l) Remove all storage media from the system (this includes media containing
both
applications and systems programs).
(2) Power off the system, preferably for at least one minute. (This will
allow any
latent capacitance to bleed off, and ensure that memory is cleared. Again,
the exact time required
depends on the particular system used, and the system security officer
should specify an
appropriate minimum time for systems under his/her control.)
(3) Power on and reboot the system with the copy of the operating system
that is at
the proper sensitivity level.
(4) Insert the applications media for the new sensitivity level into
the system. There
should be a different copy of the operating system, and of each applications
package (e.g., a word
processing package) for each classification of information the system
processes (e.g., an
Unclassified copy, a SECRET copy). It is recommended that there also be
a different copy of the
operating system for each sensitivity level of information the OA System
processes (e.g., a
"Personnel Privileged" copy, a "Company X Proprietary"
copy). Each copy should be protected to
a level appropriate for the sensitivity of information it is used to process.
There is one exception to this guidance. To use only one copy of an operating
system
or applications package for all sensitivity levels, the procedure is:
first, boot the system or load the
package with no classified or sensitive, but unclassified, information
in the system. Then, remove
the diskette or tape containing the software BEFORE any classified or
sensitive, but unclassified,
information is introduced into the system. DO NOT reinsert the software
into the system until the
sensitivity level of the system has been changed using the procedures
described in Section 4.1.2.2
(5) The ribbon used to print classified or sensitive, but unclassified,
information
should be replaced by one used to print information of the new sensitivity
level. The sensitive (or
classified) ribbon should be either securely stored or disposed of, as
appropriate.
4.1.2.3 Preparing Downgraded Extracts
In some instances, it may be necessary to copy some information from
a volume of media at one
sensitivity level to another volume that is at a lower sensitivity level
(e.g., copy a file from a
SECRET disk to an Unclassified disk). This is an extremely dangerous practice,
and should only
be done following the procedures that have been set by the security officer.
Users should contact
their system's security officer for specific guidance on preparing downgraded
extracts of classified
or sensitive, but unclassified, information.
4.1.2.4 When a User is Finished Using the OA System
When a user is through using the OA System, remove all removable media
from the system and
store it in a manner commensurate with information of that sensitivity.
Record any audit trail
information that may be required. If the system is used by more than one
person at different times,
it is advisable to power the system off at the conclusion of each person's
use.
4.1.2.5 At the End of the Shift
At the end of the shift or workday, the following steps should be taken
before leaving.
(1) Remove all removable media from the OA System.
(2) Overwrite each location in the system's memory with some pattern
(e.g., all zeros,
then all ones, then a random pattern) before the system is powered off.
(3) Power off the system. If there is a key, it should be stored in a
secure place until
the next shift or working day.
(4) Any printer ribbon that has been used to print classified or sensitive
but
unclassified, information should be removed, and either securely stored
or properly disposed of.
The OA System should remain powered off during non-duty hours.
A checklist should be maintained that is signed or initialed at the end
of each day to verify that the
OA System has been properly shut down and removable media have been removed.
This will assist
in determining accountability for a discovered security problem.
4.2 OA systems With Fixed Media
4.2.1 Physical Access to Systems and Media
Physical access to the system should be restricted to those who are authorized
access for all data
currently being stored on the system. In addition, these users should
be authorized access for all
data that has been stored on the system since the system was last declassified.
(See Reference 4 for
declassification procedures.)
4.2.2 Using the Stand-Alone OA System with Fixed Media
4.2.2.1 Normal Operation
During normal operation of a stand-alone OA System with fixed media,
all recommendations
given in Section 4.1.2.1 which apply to the operation of an OA System
with removable media are
still applicable. However, additional vulnerabilities exist with OA Systems
containing fixed media
and therefore additional precautions must be taken.
Even though only one user can directly access the system at a time, it
is likely that information
originated by more than one user will be stored on the fixed media. Access
to any classified
information by a user not possessing a clearance or need-to-know for it
is a violation of Executive
Order 12356[6]. Access to certain other types of sensitive, but unclassified,
information is contrary
to the provisions of Section 3 of the Privacy Act of 1974 [20]. Systems
which do not meet the
requirements of at least class C2 cannot provide assurance of protection
of information from
anyone who gains physical access to the system. Therefore, if the OA System
has been evaluated
and found to be a class C2 or higher system, then the guidelines detailed
in Reference 3 apply.
Otherwise, all users should have proper clearance and need-to-know for
all data that is stored or
processed on the system.
Any removable media which is placed in the OA System automatically acquires
the same
sensitivity level as the system. However, if the original sensitivity
level of the removable media is
more restrictive than that of the OA System, the OA System and its fixed
media acquire the more
restrictive sensitivity level, and should be marked as such.
Example: Suppose that there is an OA System with one fixed disk and one
floppy disk
drive. The system and its fixed disk are classified SECRET. A previously
Unclassified
floppy disk placed in the system's floppy disk drive becomes classified
SECRET. If a
TOP SECRET floppy disk is placed in the floppy disk drive, however, the
entire OA
System and its fixed disk become classified TOP SECRET.
It should not normally be permissible to copy a file from a classified
or sensitive, but unclassified,
volume of removable storage media to a volume of fixed media with a lower
sensitivity level,
unless the sensitivity level of fixed media, and of the entire OA System,
is immediately raised to
the level of the removable media. (The exception to this is discussed
in Section 4.2.2.3.)
Example: Suppose that there is a file that is apparently Unclassified,
yet it currently
resides on a TOP SECRET diskette. If this file is copied to an Unclassified
fixed disk,
the sensitivity level of the previously Unclassified disk should now be
TOP SECRET.
The reason for this requirement is that we have no way of being sure exactly
what is
being copied; therefore, we must assume the worst case: that some TOP
SECRET
information may be inadvertently copied onto the Winchester disk. Therefore,
the
sensitivity level of this previously Unclassified disk should be raised.
Furthermore, it should not be permissible to copy a file from a classified
or sensitive, but
unclassified, volume of fixed media to a volume of removable media with
a lower sensitivity. If
this does occur, the sensitivity of the removable media should be immediately
raised.
Information that individual users wish to protect from other users of
the OA System should be
stored on removable media. This removable media can then be appropriately
protected when it is
not in use. This recommendation stems from the fact that OA Systems that
do not meet the TCSEC
requirements for at least class C1 cannot prevent any system user from
gaining access to any
location in the system's memory, to include the locations where the hardware/software
controls
themselves are stored. If the information is removed from the system along
with the media it
resides on, however, it cannot be accessed by others. (However, users
should be very careful, as
quite often information is left on the fixed media in the form of scratch
files or backup files.) Users
should make sure that media they remove from the OA System are properly
secured. For example,
if a floppy disk is removed, it should be locked away, not left lying
on top of a desk or put in an
unlocked container. One of the conditions for security is that adequate
physical protection must be
provided; if it is not, then all information is vulnerable.
4.2.2.2 Changing the Sensitivity Level of Information the OA System Is
Processing
It is not permissible to lower the sensitivity level of the OA System
unless it has been declassified
using the procedures described in Reference 4.
Unless the OA System meets the requirements of at least class B1 when
evaluated against the
TCSEC, it should not be used to process multiple sensitivity levels of
information simultaneously.
In this case, it is not permissible to change the sensitivity level of
the information the OA System
is processing. Any information which is being processed by the OA System
must be regarded as
having the same sensitivity level as the system itself, regardless of
its apparent sensitivity.
4.2.2.3 Preparing Downgraded Extracts
In some instances, it may be necessary to copy some information from
a volume of media at one
sensitivity level to another volume that is at a lower sensitivity level
(e.g., copy a file from a
SECRET disk to an Unclassified disk). This should only be done following
the procedures that
have been set by the security officer. Users should contact their ADPSSO
for specific guidance on
preparing downgraded extracts of classified or sensitive, but unclassified,
information.
4.2.2.4 When a User is Finished Using the OA System
If there are any classified or sensitive, but unclassified, files stored
on the fixed media that other
users of the system should not be able to access, they should be removed
from the system[8,9].
First, copy the files to a volume of removable media. Then, remove the
information contained in
these files from the fixed media by overwriting each location that contained
these files with some
pattern (e.g., all zeros, then all ones, then a random pattern) [8, 9].
The software that is used to do
the overwrite should be trusted to a level commensurate with the OA system
level of sensitivity.
4.2.2.5 At the End of the Shift
See Section 4.1.2.4. All safeguards described there are equally applicable
to OA Systems with
fixed media.
In addition, the OA system itself should be physically secured in some
way. If the room containing
the OA system is approved for open storage of classified information at
the highest level of
information contained on the OA System, it may be sufficient to secure
the room in the appropriate
manner. If the room is not approved for open storage of classified information,
then the OA System
itself should be secured by locking it in an approved cabinet.
5.0 OPERATIONAL SECURITY FOR CONNECTED OFFICE AUTOMATION SYSTEMS
(Note: In addition to the guidance given in this section, all guidance
given in Chapter 4 of
this guideline is also applicable, and should be followed whenever the
OA system is used.)
5.1 Using an OA system as a Terminal connected to Another Automated Information
system
When an OA System is used as a terminal, all of the normal rules for
connecting terminals to AIS
should apply[10]. For example, these rules should include never leaving
the OA System
unattended while it is connected to another AIS, unless a software locking
mechanism is used
which prevents anyone, not passing an authentication check, from interacting
with the remote AIS.
5.1.1 Office Automation Systems Versus "Dumb Terminals"
Office Automation Systems used as terminals can cause security problems
that do not occur when
"dumb terminals" (i.e., those that are not programmable) are
used. Among these are the possibility
of malicious communications software in the OA System, and the ability
of the OA System to store
such things as passwords.
Users of OA Systems should be wary of untested communications software.
The organization
owning the OA System should take any steps practicable to ensure that
communications software
used with their systems does exactly what its documentation claims, and
nothing else. In general,
at least one copy of the software should be tested, either by someone
within the organization or by
someone outside of the organization who can adequately test software.
If communications software is used that contains malicious code, the
communications software can
cause information (including the user's password) to be compromised, can
corrupt information
flowing between the OA System and other AIS, or can cause service to be
denied completely.
Worse still, it can do much of this without the knowledge of the person
using the software.
Therefore, it is very important not to use communications software packages
that have not been
approved for use by a responsible security officer.
Under no circumstances should a user's password for any remote AIS ever
be stored in an OA
System [11]. While it may seem convenient to program the OA System to
execute the login routine
on a mainframe computer system for you, it is important to remember that
the OA System can also
execute the same routine for someone else. This can result in another
user of the OA System being
logged into a remote AIS as you!
Example: Suppose that Janet programs her personal computer so that when
she is
communicating with the AIS called MAINFRAME and presses the CONTROL and
BREAK keys at the same time, her PC sends out her user-identifier and
password to
MAINFRAME. In other words, the PC executes Janet's login routine on
MAINFRAME for her. She thus saves the keystrokes involved in typing the
information each time she logs in, and doesn't even have to remember her
password!
The problem occurs when Pat sees what Janet does, and decides to take
advantage of
this "user-friendliness." When Joe is not around, Pat simply
connects Janet's PC to
MAINFRAME, presses the CONTROL and BREAK keys simultaneously, and is now
logged onto MAINFRAME as Janet. Once this happens, there is no way to
prevent the
compromise of information, since MAINFRAME has no way of knowing that
it is not
really Janet at the other end of the terminal!
In summary, storing a password in an OA System is the same as writing
it down on a piece of
paper--if anyone ever finds it, the security that was to be provided by
that password has been
defeated.
5.1.2 Consequences of Removable Media vs. Fixed Media
Because the sensitivity level of an OA System with fixed media cannot
be easily changed, it is
difficult to use one of these systems as a terminal to a wide variety
of other AIS, particularly if each
of these remote AIS is processing information of different sensitivity
levels. Therefore, once an
OA System with fixed media is connected to an AIS processing classified
information, that OA
System should be considered to be classified. It should NOT be connected
at a later time as a
terminal to an AIS that is not approved to process information classified
at the same or a higher
level.
An AIS with removable-media-only, however, can more easily be used as
a terminal to, for
example, a SECRET host at 2:00 pm and an Unclassified host at 4:30 pm,
because its sensitivity
level can be changed. If you are using an OA System with removable-media-only,
and it is
necessary to connect to an AIS that is processing a different sensitivity
level of information than
the last AIS that the OA System was connected to, the sensitivity level
of your OA System should
be changed in accordance with Section 4.1.2.2 of this guideline.
5.2 OA systems Used as Hosts on Local Area Networks
Suppose that there is an OA System attached to a Local Area Network (LAN).
It is important for
both the user and the security officer to understand that, as a general
rule, any person who can
access any other component of that LAN can access any information contained
in that OA System.
This includes any information that is stored on both fixed and removable
media that are currently
contained in the system, and applies regardless of whether the person
is accessing the OA System
from its keyboard or over a network. Therefore, the problem of compromise
of information to an
unauthorized individual is greatly increased any time an OA System is
connected to a network. For
this reason, the user should NEVER leave the OA System while it is logged
in to the LAN.
5.2.1 Consequences of Removable Media vs. Fixed Media
If some information in the OA System is stored on removable media, those
media can be removed
from the system so that the information cannot be accessed by a remote
user. If the information is
stored on fixed media, it cannot be easily removed from the system, and
the owner of the
information should be aware of its vulnerability to compromise.
Suppose that there is an OA System that does not meet the class B1 requirements
and that is used
as a LAN host. Any information that should not be shared with every user
of the LAN should be
stored on removable media, and these media kept out of the OA System when
this information is
not needed.
If the OA System meets the requirements of class B1 or higher, then these
media may be left in the
system.
5.2.2 Controlling Access to System Resources
In order to prevent the compromise of information, access to the resources
of the LAN and of each
OA System connected to it should be controlled. These controls may include
physical, procedural,
and hardware/software features, or some combination thereof.
One way to ensure that information is not compromised is to provide such
hardware/software
features as access control, identification and authentication, and audit.
If these features are
provided, and the network as a whole can be trusted to prevent users from
gaining access to
information for which they are not authorized, then the other controls
needed for security (e.g.,
procedural controls, physical access controls) are similar to those required
for stand-alone OA
Systems.
However, since the hardware/software controls necessary to provide security
in a LAN are often
unavailable, procedural controls should be implemented. These include:
(1) Have all OA Systems connected to the LAN operate at the same sensitivity
level.
That is, there should be no information processed anywhere on the LAN
that some user of the LAN
does not have a clearance, formal access approval, and need-to-know. Users
should make certain
that they remove from their OA Systems any media containing information
that they do not want
to share with each other user in the LAN.
(2) Provide specific LAN-oriented physical access controls. Instead of
keeping
unauthorized personnel away from a single OA System, it is now necessary
to keep them away
from all OA Systems that are connected to the LAN. Some of these OA systems
may be located or
may have peripheral devices (e.g., shared laser printers) that are located
in public areas. Therefore,
each user must help to ensure that no one is using any part of the LAN
without authorization.
Further, each user should pick up any human-readable output from any shared
devices as soon as
possible. For example, printouts should not be left in the printer room
for six or eight hours if the
room is not sufficiently protected to keep unauthorized personnel from
gaining access to classified
or sensitive, but unclassified, information. A good rule of thumb is,
if you don't want others to read
a sensitive file, do not leave it where it can be seen.
6.0 RESPONSIBILITIES OF THE ADPSSO
There should be one individual who is responsible for the security of
each Office Automation
System [5,11]. This individual may be one of the users of the system itself,
or he/she may be a
person who has responsibility for the security of all OA Systems within
the organization. (It should
not be the OA System manager, due to the potential lack of accountability.)
Regardless of who the
individual is, the ADPSSO has certain responsibilities which must be carried
out in order to ensure
that the OA security policy is enforced. These include:
(1) Ensuring that each OA System is certified and accredited, if required
by organization
policy.
(2) Ensuring that all users of the system are aware of the security requirements,
and
assuring that all procedures are being followed.
(3) Investigating all reported or suspected security violations, and
determining (to the best
of his/her ability) what has happened.
(4) Reporting violations to appropriate authorities (e.g., top management,
agency security
officers, etc.).
(5) Ensuring that the configuration management program is followed. He/she
should
approve maintenance before it is done, and ensure that no changes are
made to either the hardware
or software of the system without approval.
(6) Reviewing the audit logs for anomalies (if audit logs are used).
(7) Enforcing (and possibly also developing) procedures by which downgrading
of
information contained on magnetic media can be done, if the organization
permits such
downgrading.
7.0 THREATS, VULNERABILITIES AND CONTROLS
7.1 Threats, Vulnerabilities, and Controls: an Overview
The security officer of any OA System should have a familiarity with
some of the security issues
involved with that system. This chapter will give the security officer
that familiarity.
In computer security terminology, a threat is a person, thing, or event
that can exploit a
vulnerability of the system. Examples of threats include a maintenance
man who wants
information to sell, a wiretapper, or a business competitor.
A vulnerability is an area in which an attack, if made, is likely to
be successful. Examples of
vulnerabilities include lack of identification and authentication schemes,
lack of physical access
controls, and lack of communications security controls.
If a threat and a vulnerability coincide, then a penetrator can cause
a violation of the system's
security policy. For example, suppose that there is a maintenance person
(the threat) who is secretly
working for an unscrupulous contractor. In addition, there is a vulnerability
in that lack of physical
access controls allows maintenance personnel to work on the OA System
without supervision. In
this case, information may be corrupted, causing a disruption in the normal
work routine.
A security control is a step that is taken in an attempt to reduce the
probability of exploitation of a
vulnerability. This control may take one of many forms: an operational
procedure, a hardware/
software security feature, the use of encryption, or several others.
There are many possible threats to the information being stored by an
Office Automation System,
as well as to the system itself. The system may be stolen or destroyed.
Information stored on the
system may be compromised; that is, it may be exposed to a user or process
that does not have
proper authorization to see it. Information may also be corrupted or destroyed
altogether by a
malicious user. Another threat might be the interference with the system's
ability to process
information correctly. It is the purpose of this document to educate the
security officer and the user
as to the proper defenses against each of these threats. The following
is a breakdown of some of
the security issues involved in combating each of several types of threats.
7.2 Physical and Personnel Security
7.2.1 Physical and Personnel Security Threats and Vulnerabilities
In many instances, there is a danger that classified or other sensitive,
but unclassified, data being
processed in an OA System will be exposed to someone without a proper
clearance or authorization
for it. This is particularly true if the OA System is not physically located
in an appropriate area, or
if an OA System is directly accessible to external users by a communications
line.
(An "appropriate area" is one that is approved for the highest
level of information that has ever
been processed or stored on the OA System.)
For the purposes of determining the level of security needed for an OA
System, the following rule
should be used:
Any information that can be accessed using the communications capability
of an OA
System should be regarded as being processed by that OA System.
This may mean that a more stringently controlled area is needed for a
particular OA System, or that
certain communications should not be allowed.
Example: Suppose that there is an OA System physically located in an
area that is
approved for no higher than SECRET information. If the OA System is connected
to
another AIS that contains TOP SECRET information, and the remote AIS is
not trusted
to separate TOP SECRET and SECRET information, then the OA System should
be
regarded as processing TOP SECRET information. In this case, there are
two things
that can be done: not allow the connection of the OA System to the remote
AIS, or
upgrade the physical surroundings of the OA System so that TOP SECRET
information
may be stored there, and institute physical and procedural controls to
ensure that only
personnel with TOP SECRET clearances can gain physical access to the OA
System.
Regardless of the physical area in which the OA System is located, it
is possible that all or part of
the machine can be stolen or modified. The theft of a hardware part of
the system may result in
damage being done to the owning organization, since many times it is possible
to recover residual
information directly from the hardware
7.2.2 Physical Access Controls
The OA System should be located in an area that is approved for data
as sensitive as the highest
level of information it has stored or processed since all of its fixed
media and semiconductor media
were last declassified. Further, any other AIS or AIS component that can
access the OA System
should also be located in an area that is approved for this highest sensitivity
of information.
Example: Suppose that an OA System is used to process TOP SECRET data.
This
system should be stored in an area that is approved to store at least
TOP SECRET
material. (This requirement holds even if some or most of the information
processed on
the system is classified at a lower level than TOP SECRET.) Any other
AIS or AIS
component that is logically connected to this OA System must also be kept
in an area
that is approved for TOP SECRET data.
Regardless of the physical area in which it is located, the OA System
should be marked with the
most restrictive sensitivity of information that may be processed on it.
(See the Appendix of this
Guideline for detailed guidance on the marking of OA Systems.)
The OA System itself should be protected in such a way that sufficient
protection is provided
against theft or destruction of the system or its components. Possible
precautions that can be taken
include locking the OA System and its peripheral devices to a table, locking
it in a cabinet, or
keeping it in a locked room or vault. Any apparent theft or destruction
of the OA System or any of
its components (to include software) should be reported immediately to
the security officer.
7.2.3 Personnel Security Controls
Executive Order 12356 states that "A person is eligible for access
to classified information
provided that a determination of trustworthiness has been made by agency
heads or designated
officials and provided that such access is essential to the accomplishment
of lawful and authorized
Government purposes" [6]. The Privacy Act of 1974 states that no
agency may disclose privacy
information to any person without the prior written consent of the person
to whom the information
pertains, except for a limited set of purposes[20]. In order to meet these
and other policy-based
requirements, only personnel who possess the proper clearances, formal
access approvals, and
need-to-know for all information then contained in the OA system should
be allowed physical
access to the system. Under ideal circumstances, maintenance or configuration
changes that must
be done by vendor or support personnel should only be done by personnel
who are cleared for and
have a need-to-know for all information then contained in the system.
If this is not possible, then
vendor or support personnel should be escorted by someone who is cleared
and has a need-to-know
for all information on the system. If the OA system or parts of it must
be sent to another location
for repair, care should be taken to ensure that no one without the proper
clearances and need-to-
know for information previously contained (or possibly contained) in the
system at any given time
has access to the OA System at that time.
7.3 Communications Security
7.3.1 Communications Security Threats and Vulnerabilities
Communications Security vulnerabilities are those that can be exploited
whenever an Office
Automation system has the capability to electronically send information
to or receive information
from another AIS. These vulnerabilities exist primarily in two areas:
(a) interception of
information during transmission, and (b) non-detection of improper messages
and message headers
received by the OA System.
Whenever an OA System is used to electronically send information to or
receive information from
another computer system, there is a chance that the information will be
compromised by being
intercepted while en route. Therefore, steps should be taken to ensure
that no information is
compromised during transmittal.
In addition to the problem of compromise, an OA System receiving information
from another
system should have some amount of assurance that the message and its header
are authentic--that
is, the receiving OA System is not being tricked into believing a false
header. The integrity of
messages and control information is crucial to the secure operation of
a network. If a message were
to be received with a phony header that was not detected, it could cause
the system or a human
using that system to take some action that would violate the security
policy. Therefore, any forged
messages or message playback should be detected by the OA System or by
the network it is
connected to.
For additional information, please contact your organization's Computer
Security Office.
Additional information is available from NSA, 9800 Savage Road, Ft. George
G. Meade, MD
20755-6000, Attention: DDI.
7.3.2 Communications Security Controls
Regardless of whether the system is being used as a terminal attached
to a mainframe or as a host
attached to a local area network, either encryption or physically protected
communications media
should be used whenever the OA System is used for the communication of
classified information.
This protection must be sufficient for the highest classification of data
that will be transmitted over
the communications media.
Encryption should be used to protect information from being compromised
any time it is not
possible to physically protect the communications media. In addition,
cryptographic techniques
may be considered even when communications media can be physically protected
only help
prevent compromise of information by interception, it will also help prevent
spoofing.
Cryptographic checksums can be used to verify the integrity of the message
and its sender.
The term "physically protected communications media" means
that the media (e.g., the
communications lines) cannot be accessed by a system penetrator (that
is, they are immune to a
hostile wiretap, either active or passive), and that TEMPEST considerations
do not raise a
significant problem in the specific environment. An example of physically
protected
communications lines is communication cables that are physically located
within a secure area and
are used to connect OA Systems in a LAN.
7.4 Emanations Security
Under certain circumstances, it is possible to detect what information
is being processed by a
computer system by analyzing the electromagnetic emanations coming from
the system. This
could result in the compromise of classified or sensitive, but unclassified
information. To prevent
this OA Systems that process classified information must be protected
in accordance with the
National Policy on the Control of Compromising Emanations. For specific
applications see NACSI
5004, "TEMPEST Countermeasures for Facilities Within the United States
(U)" [14], and NASCI
5005, "TEMPEST Countermeasures for Facilities Outside the United
States (U)" [15]. (Note: The
entire OA System must be protected. Connecting a TEMPEST approved CPU,
monitor, printer,
and keyboard together with an unapproved cable or without due regard for
proper RED/BLACK
separation and installation criteria can result in the failure of the
entire system to meet the
TEMPEST requirements.)
7.5 Hardware/Software Security
7.5.1 Hardware/Software Threats and Vulnerabilities
Hardware/Software vulnerabilities are those that can be exploited because
of the inability of the
OA System's hardware, software, and firmware to prevent users from accessing
data in or
controlled by the system.
The threats to exploit these vulnerabilities generally fall into one
of three general categories:
compromise of classified or sensitive, but unclassified, data; unauthorized
modification or
destruction of data; and denial of services to authorized users. More
specifically, an unauthorized
user can access data, can modify data, or can deny use of the data or
even the OA System itself to
authorized users.
If an OA System is networked, the vulnerability of data is greatly increased.
First, a user of one
OA System may be able to access another AIS, and data that was previously
inaccessible is
vulnerable to attack. Second, an unauthorized user may be able to access
the OA System from a
remote location, and thus evade the physical and procedural controls that
have been set up to
protect the OA System locally.
7.5.2 Hardware/Software Controls
Most current OA System architectures do not provide the hardware features
which are needed to
implement separate address spaces (or "domains") for the operating
system and applications
programs. They also do not provide the privileged instructions that are
necessary to prevent
applications programs from directly performing security-relevant operations,
nor do they provide
memory protection features to prevent unauthorized access to sensitive
parts of the system[16,
21,23].
The limitations of these single-state OA Systems prevent them from providing
effective hardware/
software security features. For example, a knowledgeable user can access
any memory location
directly by using assembly language-type commands. (The memory locations
which he/she can
access in this manner include not only the system's own semiconductor
memory, but also
everything currently accessible to any part of the system, such as floppy
disks, fixed disks, and
cassette tapes.) In this manner, a user can read, modify, and/or destroy
any information contained
in the OA System--including security critical entities such as password
files and encryption
information. The system cannot protect itself from an unauthorized user.
There are currently a number of hardware and software packages available
on the market that claim
to provide security for data resident on the system. On all current OA
Systems that support only a
single processor state, it is easy to circumvent these packages. For example,
a user may be able to
bypass a security package by booting the system with a different copy
of the operating system--
one that does not have the security features on it [16,21]. A user may
additionally be able to use
one of the commercially-available utilities packages to bypass security
controls [16,21].
Despite their weaknesses, some current hardware/software packages do
have uses. Packages which
provide such mechanisms as user identification and authentication, discretionary
access controls,
and audit trails can provide a degree of protection that is certainly
better than that provided by an
OA System without them. In addition, hardware/software controls can help
to prevent accidents.
If these controls are used, it is much less likely that a non-malicious
user of the OA System will
accidentally gain access to, modify, or delete information belonging to
other users. A user will
have to make a determined effort to gain access to information belonging
to other users.
There are currently some microprocessors available that provide the hardware
features necessary
to support hardware/software security controls (e. g., multiple processor
states). OA Systems that
are based on these microprocessors and that have the necessary security
mechanisms can be
evaluated against the TCSEC [2]. With the proper hardware/software security
features added on,
it is possible for the OA System to reach the class B1 level, when evaluated
against the TCSEC. In
addition, if OA Systems are designed with hardware/software security as
an initial consideration,
they would be able to achieve any trust level defined by the TCSEC.
In summary, hardware/software controls should not be relied upon by themselves
to provide
separation of users from information in most current OA Systems. However,
as long as these
controls do not lull the user into a false sense of security, they will
not harm and may assist in
raising the overall level of Office Automation security.
7.6 Magnetic Media
7.6.1 Magnetic Remanence: Threats, Vulnerabilities, and Controls
Magnetic remanence is the residue remaining on magnetic storage media
after a file has been
overwritten or the media have been degaussed. Many times, after a file
has been overwritten or
media have been degaussed, it is still possible for someone with physical
possession of the media
to recover the information that was formerly present. This magnetic remanence,
therefore, is a
major vulnerability of any OA System employing magnetic storage media.
The threat
corresponding to this vulnerability is that persons may come into possession
of magnetic media
which contain classified or sensitive, but unclassified, information for
which they are not
authorized. The general control to combat this is for all magnetic media
to be properly cleared or
declassified before being released for reuse. The following sections give
general guidance in the
areas of clearing and declassifying magnetic storage media. For more detailed
guidance, please see
the Department of Defense Magnetic Remanence Security Guideline [4].
7.6.2 Clearing and Declassification of Magnetic Media
Clearing of magnetic media refers to a procedure by which the classified
information recorded on
the media is removed, but the totality of declassification is lacking.
Clearing is a procedure used
when magnetic media will remain within the physical protection of the
facility in which it was
previously used. Declassification refers to a procedure by which all classified
information recorded
on magnetic media can be totally removed. Declassification is required
when magnetic media
which have ever contained classified data are to be released outside of
a controlled environment.
7.6.2.1 Clearing of Magnetic Media
Certain types of removable media (e.g., magnetic tapes, floppy disks,
cassettes, and magnetic
cards) may be cleared by overwriting the entire media one time with any
one character. Floppy
disks may be cleared by applying a vendor's formatting program that overwrites
each location with
a given character.
Fixed media (e.g., Winchester disks) should be cleared by overwriting
at least one time with any
one character. One way to do this is by applying a vendor-supplied formatting
program that
overwrites each location on the disk with a given character, if it can
be shown that this program
actually works as advertised. The user should beware: some programs that
purport to overwrite all
locations do not actually do this.
Cleared media may be reused within the controlled facility or released
for destruction; however,
they should be marked and controlled at the level of the most restrictive
sensitivity of information
ever recorded.
7.6.2.2 Declassification of Magnetic Media
Certain types of removable media can be declassified using a degaussing
device that has been
approved for declassifying media of that type. (A list of approved devices
is maintained by NSA.)
If a fixed medium (for example, a hard, or Winchester, disk) is operative,
an approved method of
declassifying the disk pack is to employ an overwrite procedure which
must overwrite all
addressable locations at least three times by writing any character, then
its complement (e.g.,
binary ones and binary zeros) alternately.
When fixed media become inoperative, it is impossible to declassify the
media by the overwrite
method. In this case, there are two alternate procedures that may be used:
(1) disassemble the disk
pack, and degauss each platter with the appropriate approved degaussing
equipment; and (2)
courier the inoperative media to the vendor's facility, have the magnetic
media (e.g., disk platters)
removed in sight of the courier and returned to the courier for destruction
at the secure site. The
vendor can then install new platters and repair any other problems with
the disk unit. See Reference
4 for a detailed discussion of each of these alternatives.
7.6.3 Destruction of Magnetic Media
Magnetic media that have contained classified or sensitive, but unclassified,
information and are
no longer useful should be destroyed. Prior to destruction, all labels
or other markings that are
indicative of classified or other sensitive, but unclassified, use should
be removed.
Detailed methods for destruction of different types of magnetic media
are given in Reference 4.
7.6.4 Media Encryption
Cryptography has important applications in an Office Automation environment,
since in many
cases it is impossible to physically protect magnetic media from all individuals
who lack either the
clearance or need-to-know for all information contained on the media [22].
(For example, if an OA
System with fixed media is shared by two or more users, there quite often
is information for which
one user does not have a need-to-know that needs to be stored in the system.)
In these cases, the
use of cryptography to help prevent compromise of classified or sensitive,
but unclassified,
information should be considered.
In many cases, information security can be enhanced if the information
is stored on the media in
encrypted form. There are two strategies which can be used: bulk file
encryption and integral file
encryption. Each of these strategies has its advantages and disadvantages;
see Reference 23 for a
description of each.
7.7 Environmental Considerations
Office Automation Systems are generally designed to be used in the "typical"
office environment
[23]. Therefore, they seldom require special environmental controls such
as air conditioning or air
contamination controls. However, an OA System and its media can be seriously
damaged or even
destroyed by such things as electrical urges, fire, water, crumbs of food,
termites, chemicals, or
dust. Since destruction of the system and/or information represents a
serious loss to the
organization, it is imperative that steps be taken to help prevent unnecessary
damage to the OA
System. The following discussion is adapted from NBS Special Publication
500-120, Reference
23.
7.7.1 Electrical Power Quality
Surges in electrical power can cause a great deal of damage to an OA
System, and can cause
information stored within to be permanently inaccessible. Furthermore,
frequent power outages
cause the loss of use of the system and its resources. Therefore, if the
local power supply quality
is unusually poor (e.g., large fluctuations in voltage or frequency, voltage
spikes, or frequent
outages), then such devices as surge protectors, battery backup, or uninterruptible
power supply
systems should be considered. In addition, disconnecting the system should
be considered during
intense electrical storms.
7.7.2 Air Contaminants
The general cleanliness of the area in which OA Systems are operated
has an effect on reliability,
both of the equipment and of the magnetic storage media. Although it is
generally not necessary to
install special-purpose air purifiers for the OA System, cutting down
or eliminating such
contaminants as smoke and dust can only help the OA System and its media.
The best guidance
that can be given in this area is to keep smoke, dust, cigar and cigarette
ashes, and similar airborne
contaminants as far away from the OA System as possible.
7.7.3 Fire Damage
Fire and excess heat can cause the destruction of an OA System in a very
short time. Therefore,
any Office Automation equipment in the office should be kept as far away
from any open flames
or other heat sources as possible. In addition to this, all users of the
system should be familiar with
procedures to be followed in case a fire should break out. Fire protection
equipment (e.g.,
extinguishers) should be present and conveniently located so that the
damage caused by a fire is
limited as much as possible [5].
7.7.4 Static Electricity
Another way in which Office Automation equipment can be damaged is by
static electricity. If the
climate in a particular area results in the presence of large amounts
of static electricity, the use of
antistatic sprays, carpets or pads should be considered. In addition,
since static electricity can quite
often build up in personnel, particularly when carpeting is used, personnel
can be instructed to
discharge any built-up static charge by simply touching a grounded object,
such as a metal desk or
doorknob.
7.7.5 Other Environmental Considerations
There are other ways in which Office Automation equipment can be damaged
by environmental
hazards. One of these is by the spillage of food or liquid onto the equipment
or media. Spilling a
soft drink on a keyboard, for example, can cause damage that requires
extensive repair or
replacement of the keyboard. Spilling water or crumbs of food onto a floppy
disk can cause it to
be unusable, possibly resulting in the loss of information stored on it.
Therefore, keep all food and
drinks away from Office Automation equipment and media [5].
7.8 Preparing Downgraded Extracts
In some instances, it is operationally necessary to copy information
from a volume of media at one
sensitivity level to another volume that is at a lower sensitivity level.
If the OA System does not
meet the requirements of at least Class B1, this is always dangerous,
as classified or sensitive, but
unclassified, information could be compromised without the user's knowledge.
Therefore, any
decision to permit the electronic downgrading of information should be
made only after the risks
of compromise have been carefully considered. The person or organization
making the decision
should be willing to accept the risk that classified or other sensitive,
but unclassified, information
will be compromised.
Each ADPSSO is responsible for enforcing the procedures by which downgrading
of information
can be done. The ADPSSO may also be responsible for developing these procedures;
however,
they may be dictated by organizational policy. The following method is
appropriate in some
instances; however, the reader should again be warned that the possibility
of information
compromise exists when this is done:
(l) Format a new volume of media; make sure that it has never been written
on before. It
would be best if the volume could be removed from a sealed container (e.g.,
a new box
of diskettes).
(2) Copy the necessary information from its current location to the new
media.
(3) Carefully examine the new media. Look for any signs that information
other than what
was intended has been copied. If it is feasible, print out everything
on the target media,
to verify that they contain no other information.
Of course, it is still possible that information could have been copied
onto the new media without
being detected. However, if it is necessary that downgrading be permitted,
this is a risk that must
be taken.
8.0 RESPONSIBILITIES OF THE ORGANIZATION OWNING* THE OA SYSTEM
Good Information Security begins at the top levels of an organization.
If the organization has a
commitment to Information Security, there is a far better chance of a
security program succeeding.
In order to foster good Office Automation System Security, and in turn
good Information Security,
the following conditions should exist within the organization (e.g., Department,
Agency) that
"owns" the OA system.
(1) The organization should have a comprehensive Information Security
policy. Further, the
organization should have an AIS Security policy that ensures the implementation
of its Information
Security policy for information contained within or processed by AIS.
In addition, the organization
should have an OA System Security policy that is consistent with both
its overall Information
Security policy and its AIS Security policy [5]. This OA System Security
policy should describe,
at a minimum:
(a) What actions are permissible on an Office Automation System, what
information
may be processed when and by whom, and what is prohibited.
(b) What the organization permits regarding the use of government-owned
OA
Systems offsite (e.g., at home, or while traveling on official business),
the use of personally-owned
OA Systems to do government work, and the use of government-owned resources
to do outside
work (e.g., schoolwork).
(c) Procedures for maintenance of OA Systems.
(d) Procedures for the proper secure operation of an OA System.
(e) Procedures for the secure handling, marking, storage, and disposal
of classified or
sensitive, but unclassified, information handled by an OA System.
(2) The owning organization should set up a training program to properly
instruct users and
security officers in the areas of information security, including computer
security and Office
Automation security. If each person that uses the OA System is properly
trained in the security
aspects as well as the functional aspects of the system, the chance of
a security problem occurring
because of user error is significantly decreased.
(3) The owning organization should have a policy concerning the procurement
and use of
hardware/software. The organization is responsible for ensuring that all
copyrights and license
agreements are followed, and that no pirated or otherwise illegally obtained
software is used in its
OA Systems. Furthermore, the organization should set up a program to test
newly purchased or
developed software prior to its use in operational systems. The purpose
of this program is to
ascertain that the software works as advertised, and does not contain
trapdoors, Trojan horses,
worms, viruses, or other malicious code. (A program of this type is also
an excellent way to detect
bugs in the software.)
(4) The owning organization should have a configuration management program
that maintains
control over changes to the OA System. This program can also maintain
records of maintenance
done to the system, and keep an inventory of hardware and software to
help detect theft [5].
(5) The organization should have a policy covering whether or not audit
trails are required and
what information is required to be recorded.
(6) The organization should have a policy covering the certification
and accreditation of OA
Systems that handle classified or sensitive, but unclassified, information
[9].
9.0 REQUIRING SECURITY IN THE PROCUREMENT OF OFFICE AUTOMATION
SYSTEMS
Security is an important consideration throughout the entire lifecycle
of an Office Automation
System. If security is not considered during the initial system specifications
and Request for
Proposal (RFP), it may not be designed into the OA System, and will remain
a problem throughout
the system life-cycle. Often, when deciding upon what OA System to buy,
security is ignored in
favor of performance and compatibility with other AIS. Security does not
have to be incompatible
with other goals; therefore, ignoring it because of them is not valid.
OMB Circular A-130 requires that a risk analysis be done by the person
or organization
responsible for the security of any AIS before procurement of the system
is begun [13]. (Risk
analyses are also required at other times during the system life-cycle;
see Reference 13 for further
guidance.) This requirement applies as much to OA Systems as to any other
AIS.
This risk analysis, which may be anything from a very informal review
to a fully quantified risk
analysis, should help identify potential security problems. These problems
can then be addressed
before and during the procurement of the system.
(Note: At this point, it is helpful to remind procurement officers and
security officers that the
prospective vendor's security claims should be verified to the greatest
extent possible. Many times,
mechanisms or features claimed by vendors are either not present, or are
so easily subvertible that
they are of little use.)
The following guidelines should be considered when writing system specifications
and Requests
for Proposal.
9.1 Processing Classified Information: Policy Requirements
If the OA System will be processing classified information, it must comply
with the appropriate
national TEMPEST policy directive [13, 14]. The Request for Proposal must
state that the system
is to meet this policy. Furthermore, if in addition to processing classified
information the OA
System is to have a communications capability, then appropriate Communications
Security
(COMSEC) measures, as approved by the National Security Agency, must be
taken. The RFP and
the system specification should require the capability to adapt to whatever
COMSEC measures will
be used to protect the system's communications (e. g., compatibility with
cryptographic devices).
9.2 Physical Environment of the OA system
An OA System is generally considered to be a high-dollar asset. If the
OA System will be kept in
an area that does not provide an adequate level of protection against
theft, then the purchase of
devices that lock the system to a table or in a closet should be considered.
Also, the use of OA
Systems with the capability for removable-media-only may be considered
if there is a high
probability of vandalism to the system. If a system with fixed media were
to be vandalized, the
information stored on the fixed media since the last backup could also
be lost, while information
contained on removable media can be protected by locking up the media.
The probability of
vandalism cannot be appreciably lowered by this method, but the damage
caused by a vandal can
be significantly lessened by protecting the information.
If the OA System will be used to process classified information, and
will be kept in an area that is
not approved for open storage of information of that sensitivity, an OA
System with removable-
media-only should be used. This will lessen the chance of compromise of
information if an
unauthorized user were able to access the system, as classified or sensitive,
but unclassified,
information could be removed from the system and secured when the system
is unattended.
A GSA-approved, tamper-resistant cabinet in which the entire system can
be secured should be
purchased if the system will be used to process classified information,
will contain fixed media,
and will be kept in an area that is not approved for open storage of classified
information. Given
this scenario, this cabinet is the only way in which the security requirements
of the system can be
satisfied.
9.3 Identification of Non-Volatile Components
All components of the proposed OA System that are non-volatile (i.e.,
that retain information after
power has been removed) should be identified prior to procurement. If
the OA System is identified
as having only removable media, and there is non-volatile memory that
has not been identified as
such, then the OA System has been incorrectly identified, since it contains
a type of fixed media.
9.4 System Communications Capabilities
If it is known at the time of procurement that the OA System is to be
connected with other OA
Systems to form a Local Area Network (LAN) then the security requirements
of the entire LAN
must be considered first. If the procurement is to be of the entire LAN
(i.e., of all of its
components), then the issues in this chapter must be addressed for the
LAN as a whole, as well as
for each of its components. Individual nodes of the LAN may have different
security requirements
than other nodes on the LAN.
If the procurement is to be for an OA System which is to be attached
to an existing LAN, then the
security requirements and mechanisms of the existing LAN must be examined
prior to writing the
specifications of the OA System. The new OA System should support all
security mechanisms that
already exist in the LAN, and should not allow a violation of the LAN's
security policy.
(Note: The LAN should enforce a security policy, as any AIS should. This
particular security
policy should be driven by the owning organization's overall Information
Security Policy, and the
particular environment in which it operates. See Chapter 8.0 of this guideline
for a further
discussion of security policies.)
If the OA System must be alternately connected as a terminal to several
different AIS that process
different sensitivity levels of information, the procurement should specify
that only OA Systems
using removable-media-only shall be considered. Since the sensitivity
level of an OA System with
fixed media cannot be easily lowered, switching between AIS with different
sensitivity levels of
information is impractical, if not impossible, for these systems.
9.5 Shared-Use Systems and Multi-User Systems
A "shared-use system" is an OA System that is used by more
than one person, but not by more than
one at a time. A "multi-user system" is an OA System that can
be used by more than one person at
a time. Whenever an OA System is to be shared by more than one person,
either serially or
simultaneously, there are security concerns which should be addressed
that do not occur if the OA
System is used exclusively by one person.
9.5.1 Shared-Use Systems Processing One Sensitivity Level of Information
If the system is to be shared by several users, and not all users will
have the necessary clearances
and need-to-know for all information that will ever be processed or controlled
by that OA System,
the possibility of acquiring an OA System that uses removable-media-only
should be investigated.
With this type of system, information can be removed and locked away to
prevent its compromise.
If a system with fixed media is procured and used, any information that
is stored on fixed media
may be accessible to all users of the system. If some users of the OA
System do not have a need-
to-know for some of the information stored on it, this access is contrary
to the provisions of the
Privacy Act of 1974 [20] (See Section 3, paragraph (b) of Reference 20).
Therefore, if a system
that contains fixed media is to be used in this situation, it should meet
the requirements of at least
class C2, when evaluated against the TCSEC.
9.5.2 Shared-Use Systems Processing Information of Multiple Sensitivity
Levels
In many cases, it is desirable to send machine-readable copies of information
processed on one OA
System to another site for use (e.g., copy a file from one OA System onto
a floppy disk, and then
use that floppy disk in another OA System). If this is the case, and if
the OA System will be used
to process several different sensitivity levels of information (e.g.,
Unclassified through TOP
SECRET; personnel, medical, and financial), an OA System that uses removable-media-only
should be used. An OA System with fixed media should not be used, since
the sensitivity level of
the system may not be lowered, and since any removable media which is
inserted into an OA
System with fixed media must be regarded as having the same sensitivity
level as the system itself.
9.5.3 Shared-Use Systems and Multi-User Systems With Fixed Media
If the OA System is to utilize fixed media, and it is desired that users
with differing clearances and/
or need-to-know be able to access the system, hardware/software security
should be specified in
the RFP. Specifically, if some users of the OA System do not have a clearance
and/or a need-to-
know for some of the information to be processed on the system, the RFP
should follow the
guidance given in References 2 and 3. It is possible that no vendor will
be able to respond to the
RFP, because there are currently no OA Systems available that meet these
requirements. If this
occurs, the planned mode of operation of the OA System should be revised
to reflect the security
capabilities of those systems that are available.
9.5.4 Multi-User Systems Processing Information of Multiple Sensitivity
Levels
If it is desired that the OA System be able to simultaneously process
and store information of
different sensitivity levels, and the system must be trusted to maintain
the separation of information
by sensitivity level, the specifications should require a system that
meets the recommendations
given in References 2 and 3. If no vendor is able to respond to the RFP
because of lack of hardware/
software security controls, the planned mode of operation of the OA System
should be revised to
reflect the security capabilities of those systems that are available.
10.0 SECURE DISPOSAL OF OFFICE AUTOMATION SYSTEMS
When an Office Automation System has outlived its usefulness and has
become obsolete, or when
it has become damaged beyond repair, it must be disposed of properly.
If the OA System has been
used to process or store classified or sensitive, but unclassified, information,
certain precautions
should be taken before the system can be disposed of through normal channels.
These precautions
will help to prevent the compromise of any classified or sensitive, but
unclassified, information
remaining in the system after it is beyond the control of the organization
that once used it.
10.1 Removable Media
Any removable media that were used in the OA System should be removed.
If these media will be
used in another OA System without being cleared, care must be taken to
ensure that the new OA
System is approved for processing information of the removable media's
sensitivity level.
If it is desired that the removable media be reused in the same facility
(but after information
currently stored on them is erased), they may be cleared by one of the
methods detailed in
Reference 4.
In all other cases, removable media that once contained classified or
sensitive, but unclassified,
information should be either declassified or destroyed, as appropriate,
using the methods detailed
in Reference 4.
10.2 Fixed Media
Fixed media attached to the OA System that contain or formerly contained
classified or sensitive,
but unclassified, information should be declassified, destroyed, or removed
from the system before
they leave the controlling organization. Declassification and destruction
procedures are described
in Reference 4.
10.3 The Remainder of the OA system
Once both fixed and removable media have been removed from the system
and handled
appropriately, any semiconductor memory that remains in the system should
be properly
declassified. To declassify semiconductor memory, the following procedures
should be followed
prior to disconnecting the power supply. A random pattern of bits must
be written over each
location. No further data is to be inserted for a 24-hour period and the
power is to remain on. This
same overwrite procedure should be used a second and third time, i.e.,
inserting a random pattern
of bits and leaving the system powered up for 24 hours, for a total of
72 hours, and no interim
insertion of bits. Upon completion of the third cycle, the memory will
be considered unclassified.
As a second option, the security officer may have the semiconductor memory
removed from the
OA system and destroyed before the system leaves his control.
Users who cannot use either of these options should contact their organization's
Computer Security
Office. Additional information is also available from NSA, Ft. George
G. Meade, MD 20755-
6000, ATTN: Division of Computer Security Standards.
APPENDIX
A Guideline on sensitivity Marking of the Office Automation System and
Its Storage Media
Throughout this guideline, sensitivity marking of OA Systems processing
classified or sensitive,
but unclassified, information and of magnetic storage media is discussed.
This appendix provides
guidance on how to mark the OA System and its media appropriately.
A.1 Sensitivity Marking of OA Systems Having Removable-Media-Only
The OA System and its peripheral devices must be clearly marked with
the highest sensitivity of
information that it is allowed to process [9,22]. Stickers indicating
the highest sensitivity of
information that may be processed by that device should be applied directly
to the OA System and
each peripheral device. Under normal circumstances, this label should
not be removed from the
system.
An OA System with removable media (and with only volatile semiconductor
memory) is
considered to have the same sensitivity level as the media which are currently
contained in it. Since
OA Systems that do not contain fixed media can change sensitivities (see
Section 4.1.2.2), it is
recommended that there be a clearly-visible sign placed near the system
that indicates when the
OA System is being used to process a specific type or range of information
(e.g., classified,
personnel privileged, proprietary). In this manner, others in the office
can be forewarned not to
allow visitors to wander about in the vicinity of the OA System. (The
user should be aware that
this sign might also have the effect of "advertising" the fact
that classified or sensitive, but
unclassified, information is being processed. This could draw unwanted
attention from curious
people. Again, the user should be very careful that no one is looking
at what is being done.)
A.2 Sensitivity Marking of OA Systems Containing Fixed Media
Any OA System on which classified or sensitive, but unclassified, information
is stored is
considered to be a sensitive OA System. Any sensitive OA System is assumed
to have the same
sensitivity level as the highest classified or most sensitive information
stored on it. This includes
systems with fixed media, as well as systems with nonvolatile semiconductor
memory. These
systems must always be given the same level of protection as any other
information of that
sensitivity level [22].
There should be attached to the OA System and each peripheral device,
which is not physically
collocated with it, a human-readable label (e.g., a sticker) on which
is clearly and legibly written
the sensitivity of the OA System. Under normal circumstances, this label
should never be removed.
If the sensitivity level of the system or device changes, a new label
indicating the new sensitivity
of the system can be placed on top of the old one.
Because of the presence of the fixed media, the sensitivity level of
the OA System may never be
decreased, unless the system is declassified in accordance with Reference
4.
The label attached to a peripheral device (e.g., a laser printer) that
is shared among several OA
Systems should indicate the highest (most restrictive) sensitivity of
information that may be sent
to that device.
A.3 Sensitivity Marking of Removable Storage Media
The sensitivity level of a volume of removable media is the same as the
most restrictive sensitivity
level of information stored on that volume. All information on a volume
of removable media
should be regarded as being at the same sensitivity level (e.g., it is
not permissible to consider one
file on a diskette to be TOP SECRET and another file on the same diskette
to be Unclassified).
There should be a human-readable label attached to the container of each
volume of removable
media (e.g., the outside of a diskette, the outside of a tape reel) that
clearly indicates the current
sensitivity level of that volume of media [5,1l,12,22,23]. Under normal
circumstances, this label
should not be removed unless the volume of media is declassified using
procedures specified in
Reference 4. Labels should be color coded in accordance with applicable
government and agency
or departmental standards.
Example: An orange label may be used to indicate a TOP SECRET diskette,
a red label
indicates a SECRET diskette, a blue label indicates CONFIDENTIAL, a purple
label
means personnel data is contained on the diskette, a grey label indicates
"Company X
Proprietary Information," a green label may be used on a diskette
that contains
unsensitive information only.
The volume of media should then be protected to a level that is at least
commensurate with this
label.
Example: A floppy disk that is marked SECRET should be given the same
level of
protection as a piece of paper that is marked SECRET (e.g., stored in
a GSA-approved
safe when not in use).
It is permissible to raise the sensitivity level of a volume of media.
When this happens, the label
on the media should also be changed. A new label indicating the higher
sensitivity level may be
placed on top of the old label, or the old label may be removed before
the new label is applied.
It should not be permissible to decrease the sensitivity level of a volume
of media without first
declassifying it using one of the approved methods described in Reference
4.
Any volume of media which is in the OA System at the same time as other
media of a more
restrictive sensitivity level should automatically acquire that more restrictive
sensitivity [l6].
Example: If an Unclassified system disk is placed in drive A of an OA
System, with a
TOP SECRET disk in drive B, the system disk should be considered to be
TOP
SECRET and protected as such. The reason for this is that the average
user has no way
of being absolutely certain what is being written on each disk, and must
therefore guard
against the OA System writing to the wrong disk by upgrading the sensitivity
of the
system disk.
Any volume of removable media that is not sealed in its original package
and is not labeled should
be presumed to be at the same sensitivity level as the OA System in which
it is used [5,l5]. If this
OA System can have a range of sensitivity levels (e.g., is a system with
removable-media-only),
the volume of media should be considered to have the same sensitivity
level as the highest
classified or most sensitive information the system can process.
If there is an unsealed, unlabeled volume of media, and it cannot be
determined which (if any) OA
System it has been used in, the media should be considered to have the
same sensitivity level as
the highest sensitivity level of any OA System that they could have been
used in.
Example: Suppose that there are four OA Systems in the same room. Three
are
Unclassified systems, while the fourth is TOP SECRET. An unlabeled floppy
disk is
found lying on top of a desk in this room, and it cannot be determined
in which, if any,
of these four OA Systems this particular floppy has been used. This floppy
disk should
therefore be considered to be TOP SECRET.
A.4 Sensitivity Marking of Fixed Storage Media
All fixed media should be regarded as having the same sensitivity level
as the OA Systems to
which they are attached.
Unless the OA System has been approved to simultaneously process information
of a range of
sensitivity levels, all information on the fixed media should be regarded
as being at the same level:
the highest sensitivity level of any information on the media.
LIST OF ACRONYMS
ACRONYM EXPANSION
ADPSSO ADP System Security Officer
AIS Automated Information System
LAN Local Area Network
NACSI National Communications Security Instruction
NCSC National Computer Security Center
OA System Office Automation System
PC Personal Computer
TCSEC Department of Defense Trusted Computer System Evaluation Criteria
WP Word Processor
GLOSSARY
ADP System Security Officer (ADPSSO)
The person who is nominally responsible for the secure operation of an
OA system.
Automated Information System (AIS)
An assembly of computer hardware, software, and firmware configured in
such a way that it
can collect, communicate, compute, process, disseminate, and/or control
data.
Connected Office Automation System
An OA System that is electrically connected to one or more AIS. The OA
System may be used
as a host, a file server, a terminal, or any other component of a network.
Local Area Network
An interconnected group of OA Systems or system components that are physically
located
within a small geographic area, such as a building or campus.
Magnetic Remanence
A measure of the magnetic flux density remaining after removal of an
applied magnetic force.
Can also mean any data remaining on ADP storage media after removal of
the power.
Multi-User System
An OA System that can be used by more than one person simultaneously.
Non-removable Magnetic Media
Any magnetic media used for the storage of information that is not designed
to be regularly
removed from the system. Examples of non-removable media include fixed
or "Winchester" disks.
(This will also be referred to as "fixed media'' for short.)
Nonvolatile Memory
Memory contained within an Office Automation System that retains its
information after
power has been removed.
Office Automation System
Any microprocessor-based AIS or AIS component that is commonly used in
an office
environment. This includes, but is not limited to, Personal Computers,
Word Processors, printers,
and file servers. It does not include electric typewriters, photocopiers,
and facsimile machines.
Personal computer (PC)
A microprocessor-based computer which is primarily intended to be used
by one person at a
time. It is usually characterized by relatively low cost and small physical
size (usually small
enough to fit on a desk or table).
Physically Protected Communications Media
Any communications media to which physical access is sufficiently controlled
that the chance
of compromise, improper modification, or destruction of information is
assumed to be zero.
Removable Magnetic Media
Any magnetic media used for the storage of information that is designed
to be frequently and
easily removed from the Office Automation System by a user. Examples of
removable magnetic
media include floppy disks, removable hard disks (e.g., Bernoulli disks)
and magnetic tapes. (This
will also be referred to as "removable media" for short.)
Sensitive, but Unclassified Information
Information the disclosure, loss, misuse, alteration, or destruction
of which could adversely
affect national security or other Federal Government interests. National
security interests are those
unclassified matters that relate to the national defense or the foreign
relations of the U.S.
Government. Other government interests are those related, but not limited
to the wide range of
government or government-derived economic, human, financial, industrial,
agricultural,
technological, and law enforcement information, as well as the privacy
or confidentiality of
personal or commercial proprietary information provided to the U.S. Government
by its citizens
[19].
Sensitivity Label
The physical representation of the sensitivity level of information.
Sensitivity Level
A designation, associated with information, indicating (l) the amount
of harm that can be
caused by the exposure of that information to an unauthorized user, (2)
any formal access approvals
that must be granted prior to the granting of access to that information,
and (3) any specific
handling restrictions placed on that information. Sensitivity levels contain
both a hierarchical
component (e.g., Unclassified, CONFIDENTIAL, SECRET, TOP SECRET) and a
non-
hierarchical component (e.g., For Official Use Only (FOUO), Proprietary
Information Enclosed
(PROPIN)).
Shared-Use System
An OA System that is used by more than one person, but is used by only
one person at a time.
Stand-Alone Office Automation System
An OA System that is electrically and physically isolated from all other
AIS.
Volatile Memory
Memory contained within an Office Automation System that loses its information
a short time
after power has been removed.
Word Processor (WP)
An Office Automation System that is designed to be used primarily in
the preparation of
documents containing alphanumeric text.
Workstation
The total collection of Office Automation equipment, physically located
in one place, that
makes up the resources meant to be used by one person at a time.
REFERENCES
l. U.S. Air Force Computer Security Program Office, "Guidance for
Secure Operating
Procedures for the Zenith Z-l50 Personal Computer," 1 June 1985.
2. Department of Defense Standard 5200. 28-STD, "Department of Defense
Trusted
Computer System Evaluation Criteria," 26 December 1985.
(Note: this document is also referenced as: DoD Computer Security Center,
Department of Defense Trusted Computer System Evaluation Criteria, CSC-STD-
001-83, 15 August 1983.)
3. DoD Computer Security Center, Computer Security Requirements--Guidance
for
Applying the Department of Defense Trusted Computer System Evaluation
Criteria in
Specific Environments, CSC-STD-003-85, 25 June 1985.
4. DoD Computer Security Center, Department of Defense Magnetic Remanence
Security
Guideline, CSC-STD-005-85, 15 November 1985 (FOR OFFICIAL USE ONLY).
5. Department of Energy, "Security Guidelines for Microcomputers
and Word Processors,"
DOE/MA-0181, March 1985.
6. Executive Order 12356, National Security Information, 6 April 1982.
7. Federal Emergency Management Agency, "Information Systems Policy,"
Instruction
1500.3, 23 March 1984.
8. Federal Emergency Management Agency Manual 1540.2, "Automated
Information
Systems (AIS) Security," September 1984.
9. Federal Information Processing Standards Publication (FIPS PUB) 102,
Guideline for
Computer Security Certification and Accreditation, 27 September 1983.
10. Department of the Interior, "Acquisition and Use of Microcomputers,"
376 DM 12.1.
11. Lawrence Livermore National Laboratory, "Computer Security Guidelines
for
Microcomputer Users," January 1985.
12. Los Alamos National Laboratory, "Word Processor Security Policy,"
June 1982.
13. Office of Management and Budget (OMB) Circular A-130, "Management
of Federal
Information Resources," 12 December 1985.
14. National COMSEC Instruction (NACSI) 5004, "TEMPEST Countermeasures
for Facilities
Within the United States (U)," l January 1984 (SECRET).
15. National COMSEC Instruction (NACSI) 5005, "TEMPEST Countermeasures
for Facilities
Outside of the United States (U)," 1 January 1984 (SECRET).
16. National Computer Security Center, Personal Computer Security Considerations,
NCSC-
WA-002-85, December 1985.
17. National Security Decision Directive 145, National Policy on Telecommunications
and
Automated Information Systems Security, September 17, 1984.
18. National Telecommunications and Information Systems Security Policy
(NTISSP) No. 2,
"National Policy on Protection of Sensitive, but Unclassified Information
in Federal
Government Telecommunications and Automated Information Systems",
29 October
1986.
19. U.S. Nuclear Regulatory Commission, NRC Manual, Chapter NRC-2301,
"Systems
Security", March 16, 1985.
20. Public Law 93-579, "Privacy Act of 1974," 31 December,
1974.
21. Schaefer, Marvin, "Security Vulnerabilities of Office Automation
Systems," in
Proceedings of the Security Affairs Support Association's Fall 1985 Symposium:
"INFOSEC FOR THE NINETIES", 21-22 November 1985.
22. Department of State, "Security Standards for Office Automation
Systems used for National
Security Information in the Washington, D.C. Metropolitan Area,"
A/ISS Systems Security
Standard Number 1, 22 December 1985.
23. Steinauer, Dennis D., Security of Personal Computer Systems: A Management
Guide, NBS
Special Publication #500-120, January 1985.
DISTRIBUTION:
NSA
NSC (ATTN: Mr. DeGraffenreid)
OMB (Intel Branch NSD)
ODASD (C3I) (Greg O'Hara) (2)
OJCS (C3S) (2)
CSA (DAIM-OI) (2)
CSA (DAMI-CIC) (2)
CSA (DALO-SMC) (2)
CSA (DAMA-CSC) (2)
CNO (OP-941) (3)
CMC (CC) (5)
USCINCCENT (RC6J6-O) (2)
USCINCEUR (C3S) (2)
USCINCLANT (C3S) (2)
USCINCPAC (C3S) (2)
USCINCRED (RCC4S-O) (2)
USCINCSO (J6) (2)
HQ USAF (SITT) (3)
HQ SPACECMD (2)
HQ MAC (SI) (2)
HQ SAC (SI) (2)
HQ TAC (SI) (2)
AFCSC (EPXP) (20)
AFCSC/EPVL
COMUSFORCARIB (J6) (2)
COMUSFJAPAN (J6) (2)
COMUSFKOREA (J6) (2)
DIR ARFCOS (2)
DCSO (CODE B210) (20)
DIA (RSI-5) (10)
DIS (V0410) (5)
DLA (DLA-TI) (2)
DNA (LECD)
DIR TRI-TAC (TT-SC)
CDR JTE/JTC3A
CDR USAINSCOM (IAOPS-OP-P) (15)
CDR USACSLA (SELCL-NMP) (5)
COMNAVSECGRU (G-61) (15)
COMDT COGARD (GTES-5)
COMCOGARDLANTAREA
COMCOGARDPACAREA
COMCOGARDONE
COMCOGARDTWO
COMCOGARDTHREE
COMCOGARDFIVE
COMCOGARDSEVEN
COMCOGARDEIGHT
COMCOGARDNINE
COMCOGARDELEVEN
COMCOGARDTWELVE
COMCOGARDTHIRTEEN
COMCOGARDFOURTEEN
COMCOGARDSEVENTEEN
COMNAVELEXSYSCOM (PDE 110-231) (3)
DCMS (T60) (6)
CG MCDEC (DEVCEN C3) (2)
Dept. of Agriculture (MSD/FAS) (2)
Dept. of Commerce (IS) (2)
Dept. of Energy (CSTM (2)
Dept. of Health & Human Services (IG) (2)
Dept. of Interior (AMO) (2)
Dept. of Justice (JMD/SS) (2)
Dept. of State (ASC) (2)
Dept. of Transportation (OIS M-50) (2)
Dept. of Treasury (AIT) (10)
CIA (OC-CSD) (2)
CIA (DIR OIT) (2)
CIA (OS MAIL) (ATTN: CHARLES U.) (2)
CIA (Chief, TEMPEST Division, OS) (2)
DIR, IC STAFF (IIHC) (2)
DIR, IC STAFF (DCI SECURITY COMMITTEE) (2)
DIR, IC STAFF (POLICY AND PLANNING STAFF) (2)
DCA (Code B310)
DMA OTS (OMD)
DMA TT
Drug Enforcement Administration (AIOC) (2)
FAA (ADL-15) (6)
FBI (TSD) (5)
FCC (OMD) (2)
FEMA (OP-IR) (7)
GSA (KJS) (6)
NASA (NIS) (20
NASA (TS) (15)
NCS (MGR) (2)
NRC (5721-NMBB) (2)
NTAISS
NATIONAL
TELECOMMUNICATIONS
AND
AUTOMATED
INFORMATION
SYSTEMS
SECURITY
PART I:
INTRODUCTION
PART II:
GUIDANCE FOR THE OFFICE AUTOMATION SYSTEM USER
PART III:
GUIDANCE FOR ADP SYSTEM SECURITY OFFICERS
PART IV:
GUIDANCE FOR OTHERS
WILLIAM E. ODOM
Lieutenant General, USA
|
