NCSL BULLETIN
OCTOBER, 1990
REVIEW OF FEDERAL AGENCY
COMPUTER SECURITY AND PRIVACY PLANS (CSPP): A SUMMARY REPORT
Sensitive information and information resources have become
increasingly important to the functioning of the federal
government. The protection of such information is integral to
the government serving the public trust. Concern that federal
agencies were not protecting their information caused Congress to
enact Public Law 100-235, "Computer Security Act of 1987" (the
Act). The Act reaffirmed the National Institute of Standards and
Technology's (NIST) computer security responsibilities. These
responsibilities include developing standards and guidelines to
protect sensitive unclassified information. Other
responsibilities include providing new governmentwide programs in
computer security awareness training and security planning.
The Act required federal agencies to conduct educational programs
to increase staff awareness of the need for computer security.
In the first year, agencies identified their computer systems
containing sensitive information and prepared security plans for
those systems, which they submitted to a joint NIST and National
Security Agency (NSA) review team for advice and comment. This
document summarizes a report on the review of the computer security
and privacy plans that were submitted by federal agencies.
How The Reviews Were Conducted
The Office of Management and Budget (OMB) issued OMB Bulletin 88-16,
"Guidance for Preparation and Submission of Security Plans for
Federal Computer Systems Containing Sensitive Information," to guide
agencies on preparing and submitting computer security plans. The
bulletin specified the information that was to appear in each plan.
It further requested that agencies identify each system as either a
major application or a general ADP support system. Finally, the
bulletin gave agencies the option of identifying any needs for
guidance or technical support and of making any other comments they
thought appropriate. Although the bulletin laid out a four-part
format, agencies had latitude in presentation as long as all
pertinent information was present. This permitted agencies with
existing programs to submit current related documents. Submission
of an agency overview was optional, and most agencies chose not to
provide one.
The joint NIST/NSA review team examined 1,583 plans from 63 federal
civilian agencies and 27,992 plans from 441 Department of Defense
(DoD) organizations. Most DoD submissions consisted of accreditation
documentation that had been prepared for other computer security
planning purposes. During the review process, the review team
recorded data about the systems for analysis. The conclusions in
this report stem principally, but not exclusively, from the civilian
agency submissions.
Major Findings
The review team arrived at a number of conclusions about the
plans and the plan review process, seeing both many positive
signs and some areas for improvement. These findings include:
o The civilian agency CSPPs basically conformed with the
guidance given by OMB Bulletin 88-16. Many controls to
protect sensitive systems were already in place or
planned. These controls appeared consistent with
identified system functions, environment, and security
needs. However, some respondents appeared to have just
"checked the boxes," perhaps presenting a falsely
optimistic picture.
o Many agencies appeared to report on isolated systems
rather than all systems subject to the Computer
Security Act and OMB Bulletin 88-16.
o Agencywide guidance on how to prepare the plans was not
clear. There was also some question whether a high-level
official had reviewed the plans. It was likewise unclear
how agency-level computer security policy and guidance
were distributed. Further, most plans did not reflect the
joint involvement of the ADP, computer security, and
applications communities in computer security planning.
o Significantly, the plans rarely addressed the security
concerns on networking, interfaces with other systems,
and the use of contractors and their facilities. This
may reflect a general confusion about the boundaries
and limits of responsibility for a given system.
o Many plans equated sensitivity only with privacy or
confidentiality and did not fully address requirements
for integrity and availability.
o Most plans did not communicate an appreciation for the
role of risk management activities in computer security
planning.
o Although most agencies said they had computer security
awareness and training, many did not show that all
applicable employees received periodic training.
o Finally, the CSPP submission and review effort raised
the level of federal awareness regarding the need to
protect sensitive information and the importance of
computer security planning.
Recommendations for Agencies
Based on the needs that became apparent during the plan review,
the review team recommends the following:
o Agency management should ensure that computer security
has the highest level of management involvement. This
involvement is also important in the computer security
planning process. Computer security benefits from the
multiple perspectives of and input from agency
information resources management, computer security,
and functional, user, and applications personnel.
o Agency management should identify and describe the
security needs of their systems which contain sensitive
information.
o Agency management should recognize the importance of
computer security and of the planning it requires, and
should communicate this recognition aggressively to their
staffs, perhaps using computer security awareness and
training programs as one vehicle.
o Agencies should incorporate computer security planning
with other information systems planning activities.
o Agencies should consider the protection requirements
for integrity and availability on an equal basis with
that of confidentiality.
o Agencies should assess risks, and select and implement
realistic controls throughout the system life cycle.
This requires keeping abreast of changes in system
hardware and software technology and of new methods for
protecting against, and recovering from, threats to
systems. In addition, agencies should fully document
in-place controls to ease periodic reevaluation,
internal audit, and oversight agency review.
o Agencies should implement certification and
accreditation programs. There is a lack of awareness
of guidance regarding certification and accreditation,
including FIPS PUB 102, "Guideline for Computer
Security Certification and Accreditation." There is
also a lack of knowledge of the certification
requirements in OMB Circular A-130, "Management of
Federal Information Resources." Agencies may use OMB
Circular A-130 as the basis for these programs.
o Agencies should clarify the boundaries and limits of
responsibility for each system, and should include, in
any planned risk assessment activity, full
consideration of the telecommunications and networking
environment and relationships with co