United States General Accounting Office

___________________________________________________________________

GAO Report to the Chairman, Committee on Science, Space, and Technology, House of Representatives

___________________________________________________________________

May 1990          COMPUTER SECURITY

Governmentwide Planning Process Had Limited Impact

___________________________________________________________________

GAO/IMTEC-90-48

This U.S. General Accounting Office (GAO) report is 1 of 7 available over the Internet as part of a test to determine whether there is sufficient interest within this community to warrant making all GAO reports available over the Internet. The file REPORTS at NIH lists the 7 reports.

So that we can keep a count of report recipients, and your reaction, please send an E-Mail message to KH3@CU.NIH.GOV and include, along with your E-Mail address, the following information:

1) Your organization.

2) Your position/title and name (optional).

3) The title/report number of the above reports you have retrieved electronically or ordered by mail or phone.

4) Whether you have ever obtained a GAO report before.

5) Whether you have copied a report onto another bulletin board--if so, which report and bulletin board.

6) Other GAO report subjects you would be interested in. GAO's reports cover a broad range of subjects such as major weapons systems, energy, financial institutions, and pollution control.

7) Any additional comments or suggestions.

Thank you for your time.

Sincerely,

Jack L. Brock, Jr.
Director, Government Information and Financial Management Issues
Information Management and Technology Division

B-238954

May 10, 1990

The Honorable Robert A. Roe
Chairman, Committee on Science, Space, and Technology
House of Representatives

Dear Mr. Chairman:

This report responds to your June 5, 1989, request and subsequent agreements with your office that we review the governmentwide computer security planning and review process required by the Computer Security Act of 1987. The act required federal agencies to identify systems that contain sensitive information and to develop plans to safeguard them. As agreed, we assessed the (1) planning process in 10 civilian agencies as well as the extent to which they implemented planned controls described in 22 selected plans and (2) National Institute of Standards and Technology (NIST)/National Security Agency (NSA) review of the plans.

This is the fifth in a series of reports on implementation of the Computer Security Act that GAO has prepared for your committee. Appendix I details the review's objectives, scope, and methodology. Appendix II describes the systems covered by the 22 plans we reviewed.

RESULTS IN BRIEF
----------------

The planning and review process implemented under the Computer Security Act did little to strengthen computer security governmentwide. Although agency officials believe that the process heightened awareness of computer security, they typically described the plans as merely "reporting requirements" and of limited use in addressing agency-specific problems.

Officials cited three problems relating to the design and implementation of the planning process: (1) the plans lacked adequate information to serve as management tools and some agencies already had planning processes in place, (2) managers had little time to prepare the plans, and (3) the Office of Management and Budget (OMB) planning guidance was sometimes unclear and misinterpreted by agency officials.

Although a year has passed since the initial computer security plans were completed, agencies have made little progress in implementing planned controls. Agency officials said that budget constraints and inadequate top management support--in terms of resources and commitment--were key reasons why controls had not been implemented.

Based on the results of the planning and review process, OMB--in conjunction with NIST and NSA--issued draft security planning guidance in January 1990. The draft guidance focuses on agency security programs and calls for NIST, NSA, and OMB to visit agencies to discuss their security programs and problems, and provide advice and technical assistance. We believe that efforts directed toward assisting agencies in solving specific problems and drawing top management attention to computer security issues have greater potential for improving computer security governmentwide.

BACKGROUND
----------

The Computer Security Act of 1987 (P.L. 100-235) was passed in response to concerns that the security of sensitive information was not being adequately addressed in the federal government.[1] The act's intent was to improve the security and privacy of sensitive information in federal computer systems by establishing minimum security practices. The act required agencies to (1) identify all developmental and operational systems with sensitive information, (2) develop and submit to NIST and NSA for advice and comment a security and privacy plan for each system identified, and (3) establish computer security training programs.

[1] The act defines sensitive information as any unclassified information that, in the event of loss, misuse, or unauthorized access or modification, could adversely affect the national interest, the conduct of a federal program, or the privacy to which individuals are entitled under the Privacy Act of 1974 (5 U.S.C. 552a).

OMB Bulletin 88-16, developed with NIST and NSA assistance, provides guidance on the computer security plans required by the act. To be in compliance, approximately 60 civilian agencies submitted almost 1,600 computer security plans to a NIST/NSA review team in early 1989. Nearly all of these plans followed, to some degree, the format and content requested by the bulletin. The bulletin requested that the following information be included in each plan:

-- Basic system identification: agency, system name and type, whether the plan combines systems, operational status, system purpose, system environment, and point of contact.

-- Information sensitivity: laws and regulations affecting the system, protection requirements, and description of sensitivity.

-- Security control status: reported as "in place," "planned," "in place and planned" (i.e., some aspects of the control are operational and others are planned), or "not applicable," and a brief description of and expected operational dates for controls that are reported as planned.[2] (Appendix V lists the controls.)

[2] In this report, we are using the term "planned controls" to include controls that agencies listed as "planned" or "in place and planned" in their January 1989 plans. Both categories indicated that the controls were not fully in place.

Appendix III presents a composite security plan that we developed for this report as an example of the civilian plans we reviewed. It is representative of the content, format, and common omissions of the plans.

PLANS HAD LIMITED IMPACT ON AGENCY COMPUTER SECURITY PROGRAMS
-------------------------------------------------------------

The goals of the planning process were commendable--to strengthen computer security by helping agencies identify and evaluate their security needs and controls for sensitive systems. According to agency officials, the process yielded some benefits, the one most frequently cited being increased management awareness of computer security. Further, some officials noted that the planning process provided a framework for reviewing their systems' security controls.

However, problems relating to the design and implementation of the planning process limited its impact on agency security programs. Specifically, (1) the plans lacked adequate information to serve as effective management tools, (2) managers had little time to prepare the plans, and (3) the OMB guidance was sometimes unclear and misinterpreted by the agencies. Consequently, most agency officials viewed the plans as reporting requirements, rather than as management tools.

Plans Lacked Adequate Information to Serve as Effective Management Tools
------------------------------------------------------------------------

Although agency officials said that security planning is essential to the effective management of sensitive systems, the plans lacked important information that managers need in order to plan, and to monitor and implement plans. The plans did not include this information, in part, because they were designed not only to help agencies plan, but also to facilitate NIST/NSA's review of the plans and to minimize the risks of unauthorized disclosure of vulnerabilities. For example:

-- Many plans provided minimal descriptions (a sentence or nothing at all) of system sensitivity and planned security controls. Detailed descriptions would have made the plans more useful in setting priorities for implementing planned controls.

-- The plans did not assign responsibility for each planned control. It was not clear, therefore, who was accountable for implementing the control (e.g., who would be performing a risk assessment).

-- The plans did not include resource estimates needed to budget for planned actions.

-- The plans generally did not refer to computer security-related internal control weaknesses, although such information can be important in developing plans.

Finally, officials from about one-third of the agencies said that they already had more comprehensive planning processes to help them identify and evaluate their security needs. As a result, the governmentwide process was largely superfluous for these agencies. Officials at such agencies said that their plans, which included information such as detailed descriptions of security controls, already met the objectives of the governmentwide planning process. Many officials said that what they needed was assistance in areas such as network security.

Managers Had Little Time to Prepare the Plans
---------------------------------------------

Officials had little time to adequately consider their security needs and prepare plans, further limiting the usefulness of the plans. OMB Bulletin 88-16 was issued July 6, 1988, 27 weeks before the plans were due to the NIST/NSA review team, as required by the Computer Security Act. However, less than 14 weeks was left after most agencies issued guidance on responding to the OMB request. Within the remaining time, instructions were sent to the component agencies and from there to the managers responsible for preparing the plans, meetings were held to discuss the plans, managers prepared the plans, and the plans were reviewed by component agencies and returned to the agencies for review. As a result, some managers had only a few days to prepare plans.

Guidance Was Sometimes Unclear and Misinterpreted by Agencies
-------------------------------------------------------------

Many agency officials misinterpreted or found the guidance unclear as to how systems were to be combined in the plans, the definition of some key terms (e.g., "in place"), the level of expected detail, and the need to address telecommunications. For example, some plans combined many different types of systems--such as microcomputers and mainframes--having diverse functions and security needs, although the guidance specified that only similar systems could be combined. When dissimilar systems were combined, the plan's usefulness as a management tool was limited.

Further, for plans that combined systems, some agencies reported that a security control was in place for the entire plan, although it was actually in place for only a few systems. Agency officials stated that they combined systems in accordance with their understanding of the OMB guidance and NIST/NSA verbal instructions.

In addition, officials were confused about how much detail to include in the plans and whether to address telecommunications issues (e.g., network security). For example, they said that although the guidance asked for brief descriptions of systems and information sensitivity, NIST/NSA reviewers frequently commented that plans lacked adequate descriptions. NIST officials said they expected that the plans would be more detailed and discuss the vulnerabilities inherent in networks. They said, in retrospect, that it would have been helpful if the guidance had provided examples and clarified the level of expected detail.

AGENCIES HAVE NOT IMPLEMENTED MOST PLANNED SECURITY CONTROLS
------------------------------------------------------------

Although a year has passed since the initial computer security plans were completed, agencies have made little progress in implementing planned controls.[3] The 22 plans we reviewed contained 145 planned security controls. According to agency officials, as of January 1990, only 38 percent of the 145 planned controls had been implemented.

[3] Only 4 percent of the security controls had implementation dates beyond January 1990.

Table 1 shows the number and percentage of planned security controls that had been implemented as of January 1990.

Table 1: Implementation of Security Controls in 22 Plans

                                                                      Percent
Security control                          Planned   Implemented   implemented
----------------------------------------  -------   -----------   -----------
Assignment of security responsibility           7             7           100
Audit and variance detection                    7             7           100
Confidentiality controls                        3             3           100
User identification and authentication          2             2           100
Personnel selection and screening               7             6            86
Security measures for support systems           9             5            56
Security awareness and training measures       20            12            60
Authorization/access controls                   4             2            50
Contingency plans                              11             5            45
Data integrity and validation controls          8             2            25
Audit trails and maintaining journals          12             2            17
Production, input/output controls               8             1            13
Risk/sensitivity assessment                    11             1             9
Security specifications                        10             0             0
Design review and testing                      11             0             0
Certification/accreditation                    14             0             0
Software controls                               1             0             0
----------------------------------------  -------   -----------   -----------
Total                                         145            55             -

According to many agency officials, budget constraints and lack of adequate top management support--in terms of resources and commitment--were key reasons why security controls had not yet been implemented.

Although some officials stated that the planning process has raised management awareness of computer security issues, this awareness has, for the most part, apparently not yet resulted in increased resources for computer security programs. A number of officials said that security has been traditionally viewed as overhead and as a target for budget cuts. Some officials noted that requests for funding of contingency planning, full-time security officers, and training for security personnel and managers have a low approval rate.

NIST/NSA REVIEW FEEDBACK WAS GENERAL AND OF LIMITED USE TO AGENCIES
-------------------------------------------------------------------

Agency officials said that the NIST/NSA review comments and recommendations on their plans were general and of limited use in addressing specific problems. However, because the plans were designed to be brief and minimize the risks of unauthorized disclosure, they had little detailed information for NIST and NSA to review. Thus, the NIST/NSA review team focused their comments on (1) the plans' conformity with the OMB planning guidance and (2) governmentwide guidance (e.g., NIST Federal Information Processing Standards publications) relating to planned security controls. (Appendix IV provides an example of typical NIST/NSA review comments and recommendations.)

Despite the limited agency use of the feedback, NIST officials said that the information in the plans will be useful to NIST in identifying broad security weaknesses and needs. During the review process, the NIST/NSA review team developed a data base that included the status of security controls for almost 1,600 civilian plans. NIST intends to use statistics from the data base to support an upcoming report on observations and lessons learned from the planning and review process. Noting that the data have limitations--for example, varying agency interpretations of "in place"--NIST officials said that areas showing the greatest percentage of planned controls indicated areas where more governmentwide guidance might be needed. Appendix V shows the status of security controls in the civilian plans, according to our analysis of the NIST/NSA data base.[4]

[4] NIST and NSA deleted agency and system names from the data base provided to us.

REVISED GUIDANCE PROVIDES FOR AGENCY ASSISTANCE
-----------------------------------------------

The 1990 draft OMB security planning guidance calls for NIST, NSA, and OMB to provide advice and technical assistance on computer security issues to federal agencies as needed. Under the guidance, NIST, NSA, and OMB would visit agencies and discuss (1) their computer security programs, (2) the extent to which the agencies have identified their sensitive computer systems, (3) the quality of their security plans, and (4) their unresolved internal control weaknesses. NIST officials said that the number of agencies visited in fiscal year 1991 will depend on that year's funding for NIST's Computer Security Division, which will lead NIST's effort, and the number of staff provided by NSA.

In addition, under the 1990 draft guidance, agencies would develop plans for sensitive systems that are new or significantly changed, did not have a plan for 1989, or had 1989 plans for which NIST and NSA could not provide comments because of insufficient information. Agencies would be required to review their component agency plans and provide independent advice and comment.

CONCLUSIONS
-----------

The government faces new levels of risk in information security because of increased use of networks and computer literacy and greater dependence on information technology overall. As a result, effective computer security programs are more critical than ever in safeguarding the systems that provide essential government services.

The planning and feedback process was an effort to strengthen computer security by helping agencies identify and assess their sensitive system security needs, plans, and controls. However, the plans created under the process were viewed primarily as reporting requirements, and although the process may have elevated management awareness of computer security, as yet it has done little to strengthen agency computer security programs.

OMB's draft planning security guidance creates the potential for more meaningful improvements by going beyond planning and attempting to address broader agency-specific security problems. However, although NIST, NSA, and OMB assistance can provide an impetus for change, their efforts must be matched by agency management commitment and actions to make needed improvements. Ultimately, it is the agencies' responsibility to ensure that the information they use and maintain is adequately safeguarded and that appropriate security measures are in place and tested. Agency management of security is an issue we plan to address in our ongoing review of this important area.

--- --- ---

As requested, we did not obtain written agency comments on this report. We did, however, discuss its contents with NIST, OMB, and NSA officials and have included their comments where appropriate. We conducted our review between July 1989 and March 1990, in accordance with generally accepted government auditing standards.

As arranged with your office, unless you publicly release the contents of this report earlier, we plan no further distribution until 30 days after the date of this letter. At that time we will send copies to the appropriate House and Senate committees, major federal agencies, OMB, NIST, NSA, and other interested parties. We will also make copies available to others on request.

This report was prepared under the direction of Jack L. Brock, Jr., Director, Government Information and Financial Management, who can be reached at (202) 275-3195. Other major contributors are listed in appendix VI.

Sincerely yours,

Ralph V. Carlone
Assistant Comptroller General

CONTENTS                                                       Page
--------                                                       ----

LETTER                                                            1

APPENDIX

  I    Objectives, Scope, and Methodology                        12
  II   Plans GAO Reviewed                                        14
  III  Computer Security and Privacy Plan                        16
  IV   NIST/NSA Feedback on Computer Security Plans              21
  V    Status of Security Controls in 1,542 Plans                22
  VI   Major Contributors to This Report                         24

Related GAO Products                                             25

TABLE

  1    Implementation of Security Controls in 22 Plans            6

ABBREVIATIONS
-------------

GAO    General Accounting Office
IMTEC  Information Management and Technology Division
NIST   National Institute of Standards and Technology
NSA    National Security Agency
OMB    Office of Management and Budget

APPENDIX I                                                    APPENDIX I

OBJECTIVES, SCOPE, AND METHODOLOGY
----------------------------------

In response to a June 5, 1989, request of the Chairman, House Committee on Science, Space, and Technology, and subsequent agreements with his office, we assessed the impact of the computer security planning and review process required by the Computer Security Act of 1987.

As agreed, we limited our review primarily to 10 civilian agencies in the Washington, D.C. area: the Departments of Agriculture, Commerce, Energy, Health and Human Services, the Interior, Labor, Transportation, the Treasury, and Veterans Affairs and the General Services Administration. As agreed, the Department of Defense was excluded from our review because the plans it submitted differed substantially in format and content from the civilian plans.

Specifically, we

-- assessed the computer security planning process and NIST/NSA review comments on the security plans developed as a result of the process,

-- determined the extent to which the 10 agencies implemented planned control measures reported in 22 selected plans, and

-- developed summary statistics using a NIST/NSA data base covering over 1,500 civilian computer security plans.

To assess the impact of the planning and review process on agencies' security programs, we interviewed information resource management, computer security, and other officials from the 10 agencies listed above. In addition, we interviewed officials from NIST, NSA, and OMB who were involved in the planning process, to gain their perspectives on the benefits and problems associated with the process.

We analyzed 22 computer security plans developed by the 10 agencies and the NIST/NSA review feedback relating to the plans. Most plans addressed groups of systems. (See app. II for a description of the systems.) We selected the systems primarily on the basis of their sensitivity, significance, and prior GAO, President's Council on Integrity and Efficiency, and OMB reviews. We also reviewed federal computer security planning and review guidance, department requests for agency component plans, and department and agency computer security policies.

To determine the extent to which planned computer security controls have been implemented, we reviewed the 22 plans and discussed with agency officials the status of these controls. To develop security plan statistics, we used the NIST/NSA data base, which contains data on the status of controls for over 1,500 plans. We did not verify the status of the planned controls as reported to us by agency officials, the accuracy of the plans, or the data in the NIST/NSA data base.

APPENDIX II                                                  APPENDIX II

PLANS GAO REVIEWED
------------------

Organization                          Plan
------------                          ----
Farmers Home Administration           Automated Field Management System
                                      Accounting Systems

Patent and Trademark Office           Patent and Trademark Automation Systems

Social Security Administration        Benefit Payment System
                                      Social Security Number Assignment System
                                      Earnings Maintenance System
                                      Access Control Event Processor System

Bureau of Labor Statistics            Economic Statistics System

Employment Standards Administration   Federal Employees' Compensation System Level I

U.S. Geological Survey                National Digital Cartographic Data Base
                                      National Earthquake Information Service

Federal Aviation Administration       En Route and Terminal Air Traffic Control System
                                      Maintenance and Operations Support Systems
                                      Interfacility Communications System
                                      Ground-to-Air Systems
                                      Weather and Flight Services Systems

Internal Revenue Service              Compliance Processing System
                                      Tax Processing System

Customs Service                       Automated Commercial System

Veterans Affairs Austin Data          Mainframe Equipment Configuration
  Processing Center

General Services Administration       FSS-19 Federal Supply System

Department of Energy Strategic        Mainframe Computer and PC Sensitive Systems
  Petroleum Reserve Project
  Management Office

Note: Summary information describing each of the above systems has been omitted from this version of the report. Call GAO report distribution at 202-275-6241 to obtain a complete copy of this report.

APPENDIX III APPENDIX III
|
|
|
|
COMPUTER SECURITY AND PRIVACY PLAN
|
|
----------------------------------
|
|
We developed this composite security plan to show what most
|
|
civilian plans contained, their format, and some common omissions.
|
|
Notes in parentheses show common deviations from the OMB guidance.
|
|
|
|
|
|
Computer Security and Privacy Plan
|
|
|
|
1. BASIC SYSTEM IDENTIFICATION
|
|
|
|
Reporting Department or Agency - Department of X
|
|
|
|
Organizational Subcomponent - Subagency Y
|
|
|
|
Operating Organization - Organization Z
|
|
|
|
System Name/Title - Automated Report Management System (ARMS)
|
|
|
|
System Category
|
|
|
|
[X] Major Application
|
|
[ ] General-Purpose ADP Support System
|
|
|
|
Level of Aggregation
|
|
|
|
[X] Single Identifiable System
|
|
[ ] Group of Similar Systems
|
|
|
|
Operational Status
|
|
|
|
[X] Operational
|
|
[ ] Under Development
|
|
|
|
|
|
General Description/Purpose - The primary purpose of ARMS is
|
|
to retrieve, create, process, store, and distribute data.
|
|
(Note: The description and purpose is incomplete. OMB
|
|
Bulletin 88-16 required a one or two paragraph description of
|
|
the function and purpose of the system.)
|
|
|
|
System Environment and Special Considerations - System is
|
|
controlled by a ABC series computer which is stored in the
|
|
computer room. (Note: The environment is not adequately
|
|
described. OMB Bulletin 88-16 requested a description of
|
|
system location, types of computer hardware and software
|
|
involved, types of users served, and other special
|
|
considerations.)
|
|
|
|
Information Contact - Security Officer, J. Doe, 202/275-xxxx
|
|
|
|
16
|
|
|
|
APPENDIX III APPENDIX III
|
|
|
|
2. SENSITIVITY OF INFORMATION
|
|
|
|
General Description of Information Sensitivity
|
|
|
|
The data ARMS maintains and uses are those required to provide
|
|
a total management information function. (Note: This
|
|
description is inadequate. OMB Bulletin 88-16 requested that
|
|
the plans describe, in general terms, the nature of the system
|
|
and the need for protective measures.)
|
|
|
|
|
|
Applicable Laws or Regulations Affecting the System
|
|
|
|
5 U.S.C. 552a, "Privacy Act," c. 1974.
|
|
|
|
|
|
|
|
System Protection Requirements
|
|
|
|
The Protection Requirement is:
|
|
|
|
Primary Secondary Minimal/NA
|
|
[X] Confidentiality [X] [ ] [ ]
|
|
[X] Integrity [X] [ ] [ ]
|
|
[X] Availability [ ] [X] [ ]
|
|
|
|
|
|
|
|
3. SYSTEM SECURITY MEASURES
|
|
|
|
Risk Assessment - There currently exists no formal large scale
|
|
risk assessment covering ARMS. We are scheduling a formal
|
|
risk analysis.
|
|
|
|
Applicable Guidance - FIPS PUBS No. 41, Computer Security
|
|
Guidelines for Implementing the Privacy Act of 1974;
|
|
FIPS PUB No. 83, Guidelines on User Authentication Techniques
|
|
for Computer Network Access Control.
|
|
|
|
|
|
|
|
|
|
17
|
|
|
|
APPENDIX III APPENDIX III

SECURITY MEASURES
-----------------

MANAGEMENT CONTROLS

                                 In Place   Planned   In Place    N/A
                                                      & Planned
                                 --------   -------   ---------   ---
Assignment of Security
  Responsibility                   [X]        [ ]        [ ]      [ ]

Risk/Sensitivity
  Assessment                       [ ]        [ ]        [X]      [ ]

A formal risk analysis program will be used to update the
current assessment. (Note: An expected operational date is
not included. OMB Bulletin 88-16 states that there should be
expected operational dates for controls that are planned or
in place and planned.)

Personnel Selection
  Screening                        [ ]        [ ]        [X]      [ ]

National Agency Check Inquiries (NACI) are required for all
employees but have not been completed for everyone having
access to sensitive information. Expected operational date -
October 1989.

DEVELOPMENT CONTROLS

                                 In Place   Planned   In Place    N/A
                                                      & Planned
                                 --------   -------   ---------   ---
Security
  Specifications                   [X]        [ ]        [ ]      [ ]

Design Review
  & Testing                        [ ]        [ ]        [ ]      [X]

Certification/
  Accreditation                    [ ]        [X]        [ ]      [ ]

(Note: No information is given for certification/
accreditation. OMB Bulletin 88-16 states that a general
description of the planned measures and expected operational
dates should be provided.)

OPERATIONAL CONTROLS

                                 In Place   Planned   In Place    N/A
                                                      & Planned
                                 --------   -------   ---------   ---
Production, I/O Controls           [X]        [ ]        [ ]      [ ]

Contingency Planning               [ ]        [X]        [ ]      [ ]

A contingency plan is being developed in compliance with
requirements established by the agency's security program.
Completion date - November 1990.

Audit and Variance
  Detection                        [ ]        [ ]        [X]      [ ]

Day-to-day procedures are being developed for variance
detection. Audit reviews are also being developed and will be
conducted on a monthly basis. Completion date - June 1989.

Software Maintenance
  Controls                         [X]        [ ]        [ ]      [ ]

Documentation                      [X]        [ ]        [ ]      [ ]

SECURITY AWARENESS AND TRAINING

                                 In Place   Planned   In Place    N/A
                                                      & Planned
                                 --------   -------   ---------   ---
Security Awareness and
  Training Measures                [ ]        [ ]        [X]      [ ]

Training for management and users in information and
application security will be strengthened, and security
awareness training provided for all new employees beginning in
June 1989.

TECHNICAL CONTROLS

                                 In Place   Planned   In Place    N/A
                                                      & Planned
                                 --------   -------   ---------   ---
User Identification and
  Authentication                   [X]        [ ]        [ ]      [ ]

Authorization/Access
  Controls                         [X]        [ ]        [ ]      [ ]

Data Integrity &
  Validation Controls              [X]        [ ]        [ ]      [ ]

Audit Trails & Journaling          [X]        [ ]        [ ]      [ ]

SUPPORT SYSTEM SECURITY MEASURES

                                 In Place   Planned   In Place    N/A
                                                      & Planned
                                 --------   -------   ---------   ---
Security Measures for
  Support Systems                  [X]        [ ]        [ ]      [ ]

4. NEEDS AND ADDITIONAL COMMENTS

(Note: This section was left blank in most plans. OMB
Bulletin 88-16 stated that the purpose of this section was to
give agency planners the opportunity to include comments
concerning needs for additional guidance, standards, or other
tools to improve system protection.)

APPENDIX IV APPENDIX IV

NIST/NSA FEEDBACK ON COMPUTER SECURITY PLANS
--------------------------------------------

The following example shows typical NIST/NSA comments and
recommendations.

COMPUTER SECURITY PLAN REVIEW PROJECT COMMENTS AND RECOMMENDATIONS

REF. NO. 0001

AGENCY NAME: Department of X
             Subagency Y

SYSTEM NAME: Automated Report Management System

The brevity of information in the information sensitivity, general
system description, and the system environment sections made it
difficult to understand the security needs of the system.
Information on the physical, operational, and technical environment
and the nature of the sensitivity is essential to understanding the
security needs of the system.

For some controls, such as security training and awareness,
expected operational dates are not indicated as required by OMB
Bulletin 88-16.

The plan refers to the development control, design review and
testing, as not applicable. Even in an operational system,
development controls should be addressed as historical security
measures and as ongoing measures for changing hardware and
software.

The plan notes that a more formal risk assessment is being planned.
This effort should help your organization more effectively manage
risks and security resources. National Institute of Standards and
Technology Federal Information Processing Standards Publication 65,
"Guideline for Automatic Data Processing Risk Analysis," and 73,
"Guideline for the Security of Computer Applications" may be of
help in this area.
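The points raised in the comments above, turned into a check a plan reviewer could run over a plan's control entries. This is an added example, not code from the report or from the NIST/NSA review project; the Control model, the status labels and the sample entries (mirroring the appendix III plan) are constructed for it.

```python
"""Review control entries against the points in the NIST/NSA feedback:
a control marked Planned or In Place & Planned needs an expected
operational date and a description of the planned measures (OMB
Bulletin 88-16), and a development control should not be marked N/A
merely because the system is already operational.
The Control model, status labels and sample entries are constructed."""
from dataclasses import dataclass
from typing import List, Optional

PLANNED = {"Planned", "In Place & Planned"}
DEVELOPMENT_CONTROLS = {"Security Specifications", "Design Review & Testing",
                        "Certification/Accreditation"}

@dataclass
class Control:
    name: str
    status: str                          # In Place | Planned | In Place & Planned | N/A
    expected_date: Optional[str] = None  # e.g. "October 1989"
    description: str = ""                # what the planned measure is

def review_plan(controls: List[Control]) -> List[str]:
    """One finding per deficiency, in the order the controls are listed."""
    findings = []
    for c in controls:
        if c.status in PLANNED and not c.expected_date:
            findings.append(f"{c.name}: no expected operational date "
                            f"for a control marked {c.status}")
        if c.status in PLANNED and not c.description:
            findings.append(f"{c.name}: no description of the planned measures")
        if c.name in DEVELOPMENT_CONTROLS and c.status == "N/A":
            findings.append(f"{c.name}: development control marked N/A; "
                            "address it as a historical and ongoing measure")
    return findings

# Constructed entries mirroring the control boxes of the appendix III plan.
SAMPLE_PLAN = [
    Control("Assignment of Security Responsibility", "In Place"),
    Control("Risk/Sensitivity Assessment", "In Place & Planned", None,
            "A formal risk analysis program will update the current assessment."),
    Control("Personnel Selection Screening", "In Place & Planned", "October 1989",
            "NACI required for all employees; not yet completed for everyone."),
    Control("Security Specifications", "In Place"),
    Control("Design Review & Testing", "N/A"),
    Control("Certification/Accreditation", "Planned"),
    Control("Contingency Planning", "Planned", "November 1990",
            "Contingency plan being developed under the agency security program."),
]

if __name__ == "__main__":
    for finding in review_plan(SAMPLE_PLAN):
        print("-", finding)
```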
APPENDIX V APPENDIX V

STATUS OF SECURITY CONTROLS IN 1,542 PLANS
------------------------------------------

                                    Plan        In place   Planned &   Planned
Security controls                 responses(a)  (percent)  in place    (percent)
                                                           (percent)
-----------------                 ------------  ---------  ---------   ---------
Management controls
  Assignment of security
    responsibility                    1,448        91          5           4
  Personnel selection and
    screening                         1,268        84         11           5
  Risk analysis and
    sensitivity assessment            1,321        71         13          17

Development controls
  Design review and testing             728        82         10           8
  Certification and
    accreditation                       948        66         10          24
  Security and acquisition
    specifications                    1,093        83         10           7

Operational controls
  Audit and variance
    detection                         1,177        81          7          12
  Documentation                       1,375        83         10           8
  Emergency, backup, and
    contingency planning              1,381        69         14          17
  Physical and environmental
    protection                          450        87         10           4
  Production and input/
    output controls                   1,290        87          7           7
  Software maintenance
    controls                          1,327        87          7           7
  Security training and
    awareness measures                1,408        58         27          15

Technical controls
  Authorization/access
    controls                          1,389        87          6           7
  Confidentiality controls              357        84          7           9
  Audit trail mechanisms              1,194        83          8           9
  Integrity controls                  1,220        85          8           7
  User identification
    and authentication                1,370        87          7           6

Weighted average                         --        81         10          10

Note: The status of security controls is based on information reported
in 1,542 civilian plans in early 1989 and contained in the NIST/NSA data
base. Missing and not applicable answers were not included in the
percentages. Some percentages do not add up to 100 due to rounding.

(a) "Plan responses" is the number of plans, out of 1,542, that addressed
each control.
APPENDIX VI APPENDIX VI

MAJOR CONTRIBUTORS TO THIS REPORT
---------------------------------

INFORMATION MANAGEMENT AND TECHNOLOGY DIVISION, WASHINGTON, D.C.
----------------------------------------------------------------

Linda D. Koontz, Assistant Director
Jerilynn B. Hoy, Assignment Manager
Beverly A. Peterson, Evaluator-in-Charge
Barbarol J. James, Evaluator

(510465)

RELATED GAO PRODUCTS
--------------------

Computer Security: Identification of Sensitive Systems Operated on
Behalf of Ten Agencies (GAO/IMTEC-89-70, Sept. 27, 1989).

Computer Security: Compliance With Security Plan Requirements of the
Computer Security Act (GAO/IMTEC-89-55, June 21, 1989).

Computer Security: Compliance With Training Requirements of the
Computer Security Act of 1987 (GAO/IMTEC-89-16BR, Feb. 22, 1989).

Computer Security: Status of Compliance With the Computer Security Act
of 1987 (GAO/IMTEC-88-61BR, Sept. 22, 1988).