DOCSLIB.ORG

Software Assurance: a Strategic Initiative of the U.S. Department Of

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Software Assurance: a Strategic Initiative of the U.S. Department Of SoftwareSoftware Assurance:Assurance: AA StrategicStrategic InitiativeInitiative ofof thethe U.S.U.S. DepartmentDepartment ofof HomelandHomeland SecuritySecurity toto PromotePromote Integrity,Integrity, Security,Security, andand ReliabilityReliability inin SoftwareSoftware InfoSec/Privacy Considerations for Software in Advancing National Strategy to Secure Cyberspace March 21 , 2005 Joe Jarzombek, PMP Director for Software Assurance National Cyber Security Division US Department of Homeland Security National Strategy for Homeland Security "We will lead the unified national effort to secure America. We will prevent and deter terrorist attacks and protect against and respond to threats and hazards to the nation. We will ensure safe and secure borders, welcome lawful immigrants and visitors, and promote the free- flow of commerce." KeyKey ObjectiveObjective II KeyKey ObjectiveObjective IIII KeyKey ObjectiveObjective IIIIII PreventPrevent terroristterrorist ReducReducee America’sAmerica’s MinimizeMinimize thethe attacksattacks withinwithin thethe vulnerabilityvulnerability toto damagedamage andand UnitedUnited StatesStates terrorismterrorism recoverrecover fromfrom attacksattacks thatthat dodo occuroccur Authorization: Homeland Security Act of 2002 at Title 6, U.S. Code 2 Cyberspace & physical space are increasingly intertwined and software controlled/enabled Chemical Industry Transportation 66,000 chemical plants 120,000 miles of railroad Banking and Finance 590,000 highway bridges 26,600 FDIC institutions 2M miles of pipeline Agriculture and Food 300 ports 1.9M farms Telecomm 87,000 food processing plants 2B miles of cable Water Energy 1,800 federal reservoirs 2,800 power plants 1,600 treatment plants 300K production sites Public Health Key Assets 5,800 registered hospitals 104 nuclear power plants Postal and Shipping 80K dams 137M delivery sites 5,800 historic buildings 3,000 government facilities commercial facilities / 460 skyscrapers An Asymmetric Target-rich Environment 3 Cyberspace & physical space are increasingly intertwined and software controlled/enabled Agriculture and Food Energy Transportation Chemical Industry Postal and Shipping rs to ec Water Public Health Telecommunications Banking and Finance Key Assets S Critical Infrastructure / Key Resources Farms Power Plants Railroad Tracks Chemical Plants Delivery Sites Food Processing Plants Production Sites Highway Bridges s Pipelines et ss Ports Nuclear Power Plants A al Reservoirs Cable Government facilities ic ys Treatment Plants Hospitals Fiber FDIC institutions Dams Ph Physical Infrastructure Internet Hardware • Domain Name System • Database Servers s Control Systems • Web Hosting • Networking Equipment et ss • SCADA Services Software A er • PCS • Managed Security yb • Financial System C • DCS • Information Services • Human Resources Cyber Infrastructure Need for secure software applications 4 Cyber-related Disruptions and the Economy ¾ Network disruptions lead to loss of: • Money • Time • Products • Reputation • Sensitive information • Potential loss of life through cascading effects on critical systems and infrastructure BusinessBusiness LossesLosses andand DamagesDamages CoCodede Red:Red: LLooveve BuBug:g: $1.2B$1.2B iinn Slammer:Slammer: Blaster:Blaster: Zotob:Zotob: $15B$15B inin damages;damages; MyMy Doom:Doom: damages;damages; $1B$1B inin damagesdamages $50B$50B inin damagesdamages DamagDamageess TBDTBD 3.9M3.9M systesystemmss $38B$38B inin damagesdamages $740M$740M forfor 20022002 20032003 20052005 infecteinfectedd 20042004 recovrecoveeryry effortsefforts 20002000 20012001 Impact of Spyware not fully known 5 Government plays key cyber security roles Cyber Law Enforcement Information Sharing and Intelligence with the States FBI/DOJ Multi-State ISAC Homeland Security/ Secret Service Cyber Preparedness, Cyber Infrastructure Response, Recovery, Protection Homeland Security Consumer Protection Information Security Cyber Fraud Prevention Standards and Guidelines FTC NIST 6 DHS and the National Cyber Security Division SecrSecretetararyy UnderUnder UnderUnder UnderUnder AsAssistantsistant SecretarySecretary forfor SecretarySecretary forfor SecretarySecretary forfor SecretarySecretary forfor ScienceScience && ManagemeManagemenntt PreparePreparednednessss PolicPolicyy TechTechnolognologyy Assistant AAsssistsistaannt t Assistant AAsssistsistaannt t NNaationaltional Secretary for SSeecretcretaryary f oforr CChhieief fM Meeddicaical l Secretary for FireFire SSeecretcretaryary f oforr CaCapitpitaal l Grants and CyCybbeerr S Seeccuuritrityy & & OfficerOfficer Grants and AdAdmmininisistrattrationion InfrastrucInfrastructuturere ReRegigoionn Training TelTelee-- Training ProProttecectiontion DirecDirectortor CommCommununicationsications NationNationaal l NationNationaal lCy Cybeberr CommuniCommuniccaationstions SSeecucurityrity Div Divisionision SySystemstem 7 National Strategy to Secure Cyberspace Outlines a framework for organizing and prioritizing efforts Provides direction to federal government departments and agencies Identifies steps to improve our collective cyber security Highlights role of public-private engagement Outlines Strategic Objectives 1 2 3 Prevent cyber attacks Reduce national Minimize damage against America’s vulnerability to cyber and recovery time critical infrastructures attacks from cyber attacks that do occur 8 Cyber Preparedness TheThe NationalNational CyberCyber SecuritySecurity DivisionDivision (NCSD)(NCSD) missionmission isis toto workwork collaborativelycollaboratively withwith public,public, private,private, andand internationalinternational entitiesentities toto securesecure cyberspacecyberspace andand America’sAmerica’s cybercyber assets.assets. Mission components include: Implementation of the National Strategy to Secure Cyberspace and Homeland Security Presidential Directive #7 (HSPD#7) Implementation of priority protective measures to secure cyberspace and to reduce the cyber vulnerabilities of America’s critical infrastructures Overarching Priorities: National Cyber Security Response System Cyber Risk Management 9 National Cyber Security Division (NCSD) goals are strategically aligned to four frameworks Mandates NCSD GOALS I. National Cyberspace Security 1. Establish a National Cyber Security Response Response System System to prevent, detect, respond to, and reconstitute rapidly after cyber incidents. II. National Cyberspace Threat and Vulnerability Reduction Program 2. Work with public and private sectors to reduce National vulnerabilities and minimize the severity of III. Nation Cyberspace Security Strategy to cyber attacks. Awareness and Training Secure Program 3. Promote a comprehensive national awareness program to empower all Americans ─ Cyberspace IV. Securing Governments businesses, the general workforce, and the Cyberspace general population ─ to secure their own parts V. International Cyberspace of cyberspace. Security Cooperation 4. Foster adequate training and education “…maintain an organization to serve as a programs to support the Nation’s cyber HSPD-7 focal point for the security of security needs. cyberspace..” 5. Coordinate with the intelligence and law Provides a consistent, unifying structure NIPP for integrating the current multitude of enforcement communities to identify and CIP efforts into a single national program reduce threats to cyberspace. NRP “Cyber Describes framework for Federal cyber 6. Build a world-class organization that incident response coordination among aggressively advances its cyber security Annex” Federal departments and agencies mission and goals in partnership with its public and private stakeholders. 10 HSPD-7: A national policy to protect our nation’s infrastructure Maintain an organization to serve as a focal point for the security of cyberspace Facilitate interactions and collaborations between and among federal departments and agencies, state and local governments, the private sector, academia, and international organizations Execute a mission including analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical information systems 11 The NIPP outlines a unifying structure Allows all levels of government to collaborate with the appropriate private sector entities Encourages the development of information sharing and analysis mechanisms and continues to support existing sector-coordinating mechanisms Broken down into 17 sector-specific plans to cover all areas of critical infrastructure, including the Information Technology (IT) sector NIPP Risk Management Framework Dynamic Threat Environment Physical Assess Set Implement Risks Normalize & Measure Security Identify Protective Cyber Assets (Consequences, Prioritize Effectiveness Objectives Vulnerabilities Programs Human & Threats) Governance National Risk Profile 12 NRP Cyber Annex describes the framework for response coordination National Cyber Response Coordination Group Provide indications and warning Analyze cyber of potential threats, incidents, vulnerabilities, exploits, and attacks Information sharing and attack methodologies both inside and outside the government Conduct investigations, Provide technical forensics analysis assistance and prosecution Attribute the source Defend against the attack of the attacks Lead National Recovery Efforts 13 DHS National Cyber Security Division (NCSD) provides the framework for addressing cyber security and software assurance challenges Key Functions of the DHS Cybersecurity Partnership Program Cross-Sector:
Load more

Recommended publications
  • Validators Report
    National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report IBM Global Security Kit (GSKit) 8.0.14 Report Number: CCEVS-VR-VID10394-2011 Dated: 2012-03-06 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 ACKNOWLEDGEMENTS Validation Team Jim Brosey Orion Security Fort Meade, Maryland Jandria S. Alexander Aerospace Fort Meade, Maryland Vicky Ashby The MITRE Corporation McLean, Virginia Evaluation Team Alejandro Masino, Trang Huynh, Courtney Cavness atsec Information Security Corporation Austin, Texas Table of Contents 1. EXECUTIVE SUMMARY ........................................................................................................................................ 4 2. IDENTIFICATION .................................................................................................................................................... 4 3. CLARIFICATION OF SCOPE ................................................................................................................................. 6 3.1. PHYSICAL SCOPE ................................................................................................................................................... 6 3.2. LOGICAL SCOPE ....................................................................................................................................................
    [Show full text]
  • Cen Workshop Agreement Cwa 14722-3
    CEN CWA 14722-3 WORKSHOP August 2004 AGREEMENT ICS 35.240.15 Supersedes CWA 14722-3:2004 English version Embedded financial transactional IC card reader (embedded FINREAD) - Part 3: Functional and Security Specifications This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties, the constitution of which is indicated in the foreword of this Workshop Agreement. The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by the National Members of CEN but neither the National Members of CEN nor the CEN Management Centre can be held accountable for the technical content of this CEN Workshop Agreement or possible conflicts with standards or legislation. This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its Members. This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National Standard Bodies. CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMITÉ EUROPÉEN DE NORMALISATION EUROPÄISCHES KOMITEE FÜR NORMUNG Management Centre: rue de Stassart, 36 B-1050 Brussels © 2004 CEN All rights of exploitation in any form and by any means reserved worldwide
    [Show full text]
  • Part 3: Security Assurance Components
    Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components September 2012 Version 3.1 Revision 4 CCMB-2012-09-003 Foreword This version of the Common Criteria for Information Technology Security Evaluation (CC v3.1) is the first major revision since being published as CC v2.3 in 2005. CC v3.1 aims to: eliminate redundant evaluation activities; reduce/eliminate activities that contribute little to the final assurance of a product; clarify CC terminology to reduce misunderstanding; restructure and refocus the evaluation activities to those areas where security assurance is gained; and add new CC requirements if needed. CC version 3.1 consists of the following parts: Part 1: Introduction and general model Part 2: Security functional components Part 3: Security assurance components Trademarks: UNIX is a registered trademark of The Open Group in the United States and other countries Windows is a registered trademark of Microsoft Corporation in the United States and other countries Page 2 of 233 Version 3.1 September 2012 Legal Notice: The governmental organisations listed below contributed to the development of this version of the Common Criteria for Information Technology Security Evaluation. As the joint holders of the copyright in the Common Criteria for Information Technology Security Evaluation, version 3.1 Parts 1 through 3 (called “CC 3.1”), they hereby grant non- exclusive license to ISO/IEC to use CC 3.1 in the continued development/maintenance of the ISO/IEC 15408 international standard. However, these governmental organisations retain the right to use, copy, distribute, translate or modify CC 3.1 as they see fit.
    [Show full text]
  • Facilitating Project Management Through Effective Quality Management: the Need for Implementing ISO 9000 in Construction
    Built-Environment-Sri Lanka -Vol. 03, Issue 02:2003 Facilitating project management through effective quality management: the need for implementing ISO 9000 in construction N.D. Gunawardena Abstract This paper describes the relationship between project management and quality management. It identifies the similarity between the recognised project quality management processes and the ISO 9001 quality management system; then it illustrates how ISO 9001 quality requirements could be applied to construction project management. The paper also presents the results of a survey carried out to identify quality management practices adopted by local construction companies, using ISO 9001 standard as a yardstick. According to the survey, the companies had some shortcomings with respect to quality management during the construction stage. The results indicate that the lack of proper quality management could, in turn, affect the project management adversely; this point is supported by the Project Management Process Maturity Model, which is a quality improvement model that uses five levels to determine the relative maturity of any organisation and its ability to achieve cost and schedule objectives of a project. Finally, the paper suggests that the quality managements systems based on ISO 9000 could be very effective in facilitating the project management efforts in the construction industry. Introduction A project can be defined as a complex, non-routine, parties must have mutual understanding as to what one-time effort limited by time, budget, resources and services are to be provided by the contractor in return performance specifications (Gray and Larson, 2000). for the agreed consideration; this usually is ensured by Project Management is the application of knowledge, a set of documents such as drawings and specifications skills, tools and techniques to project activities in order that define the scope and the performance aspects of to meet or exceed stakeholder need and expectations the product.
    [Show full text]
  • Influence of ISO 9001 Certification on Project Management Performance in Software Industry
    European Online Journal of Natural and Social Sciences 2018; www.european-science.com Vol. 7, No.3(s) Special Issue on Contemporary Research in Social Sciences ISSN 1805-3602 Influence of ISO 9001 certification on project management performance in software industry Anum Safder*, Samina Yousaf Comsats Institute of Information Technology, Lahore, Pakistan *E-mail: [email protected] Abstract For the success of software projects, the Project Management is considered as an important tool. Organizations can understand Project Management Performance in an improved way if they exercise Quality Management System. This empirical study investigates the impact of ISO 9001 certification on Project Management Performance (six constructs of PMP) and how PM Performance varies for ISO- certified software houses and Non-certifies software houses. Data was collected from project managers of both ISO-certified and Non-certificated software organizations registered under P@SHA and PSEB of Pakistan. 192 questionnaires were used for analysis. Independent Sample t- test was used for conducting the analysis and results concluded that software houses with ISO- certification show a better PM Performance than with no certification. Keywords: Project Management, ISO 9001 certification, software industry. Introduction Currently, project management is being extensively used in business. Quality management and project management are two interlinked terms and can be described in similar manner. The situation in which there is a strong influence of repetitious processes, the quality management is most successful field. In reference to the project management process, how to conduct a project is a scenario where there is a very vivid effect of QM which is slightly ignored or a limited focus is paid on its effect by academic professional.
    [Show full text]
  • IT Gurus and Gadgets
    a Volume 2, No. 10, November-December 2011 ISSN 1729-8709 IT gurus and gadgets • Guest Interview : Sony and the value of standards th • ISO 34 General Assembly INDIA a Contents Comment Sadao Takeda, ISO Vice-President (policy) Tech-timing – Creating tomorrow’s gadgets today ................................................... 1 ISO Focus+ is published 10 times a year World Scene (single issues : July-August, November-December) International events and international standardization ............................................ 2 It is available in English and French. Guest Interview Bonus articles : www.iso.org/isofocus+ ISO Update : www.iso.org/isoupdate Ken Wheatley – Sony Electronics, Inc. .................................................................... 3 The electronic edition (PDF file) of ISO Special Report Focus+ is accessible free of charge on the Daring visions – Laying the foundations for innovation .......................................... 8 ISO Website www.iso.org/isofocus+ An annual subscription to the paper edition Gurus and ICT standards – Translating visions into technical success stories ....... 10 costs 38 Swiss francs. Cloud computing – Building firm foundations for standards development ............. 12 Publisher Entertainment of the future – From 3D to virtual reality ........................................ 15 ISO Central Secretariat (International Organization for Zoomed in – The evolving landscape of digital photography .................................. 18 Standardization) 1, chemin de la Voie-Creuse Driving
    [Show full text]
  • ISO Focus, November 2008.Pdf
    ISO Focus The Magazine of the International Organization for Standardization Volume 5, No. 11, November 2008, ISSN 1729-8709 e - s t a n d a rdiza tio n • Siemens on added value for standards users • New ISO 9000 video © ISO Focus, www.iso.org/isofocus Contents 1 Comment Elio Bianchi, Chair ISO/ITSIG and Operating Director, UNI, A new way of working 2 World Scene Highlights of events from around the world 3 ISO Scene Highlights of news and developments from ISO members 4 Guest View Markus J. Reigl, Head of Corporate Standardization at ISO Focus is published 11 times a year (single issue : July-August). Siemens AG It is available in English. 8 Main Focus Annual subscription 158 Swiss Francs Individual copies 16 Swiss Francs Publisher ISO Central Secretariat (International Organization for Standardization) 1, ch. de la Voie-Creuse CH-1211 Genève 20 Switzerland Telephone + 41 22 749 01 11 Fax + 41 22 733 34 30 E-mail [email protected] Web www.iso.org Manager : Roger Frost e-standardization Acting Editor : Maria Lazarte • The “ nuts and bolts” of ISO’s collaborative IT applications Assistant Editor : Janet Maillard • Strengthening IT expertise in developing countries Artwork : Pascal Krieger and • The ITSIG/XML authoring and metadata project Pierre Granier • Zooming in on the ISO Concept database ISO Update : Dominique Chevaux • In sight – Value-added information services Subscription enquiries : Sonia Rosas Friot • Connecting standards ISO Central Secretariat • Standards to go – A powerful format for mobile workers Telephone + 41 22 749 03 36 Fax + 41 22 749 09 47 • Re-engineering the ISO standards development process E-mail [email protected] • The language of content-creating communities • Bringing the virtual into the formal © ISO, 2008.
    [Show full text]
  • ISO 9000: Is It Worth It? ISO 9000: an Ineffective Quality System Chris Heffner, Steven C
    ISO 9000: Is It Worth It? ISO 9000: An Ineffective Quality System Chris Heffner, Steven C. "Swede" Larson, Barney "Tim" Lowder and Patti Stites ISO 9000 was created as a family of models in 1987, based on a wartime British manufacturing standard, as the answer to perceived manufacturing problems with quality and safety. The program was originally published in 1987 by the International Organization for Standardization (ISO), which is a specialized international agency that focuses on the standardization of organizational processes. The organization is composed of standards from organizations representing 90 countries. ISO 9000 was quickly adopted as the premier standard to ensure uniform manufacturing and auditing processes. The program went through a major revision in 2000 and now includes ISO 9000:2000 (definitions), ISO 9001:2000 (requirements) and ISO 9004:2000 (continuous improvement). But even after these major revisions, the program is often criticized as ineffective for a wide variety of reasons. We agree. Overemphasis on Inspection First, many researchers believe ISO 9000 is ineffective because it is based on conservatism, overemphasizes inspections and audits, and fails to encourage real improvement. Barnes (2000), for example, said that the current commercial certification process results in a "pursuit of quality certificates, as opposed to a pursuit of quality." Johannsen (1995) also asserted that the ISO concept does not incorporate the advances of Total Quality Management because it is "narrow, static and emphasize[s] conformance to specifications" (p. 234). After overseeing more than 50 ISO registrations, Bill Robinson (cited in Clifford, 2005), argued that ISO is not one of the better systems that can be used for process improvement.
    [Show full text]
  • Ccdb-2009-03-001
    Supporting Document Mandatory Technical Document Application of Attack Potential to Smartcards March 2009 Version 2.7 Revision 1 CCDB-2009-03-001 Foreword This is a supporting document, intended to complement the Common Criteria version 3 and the associated Common Evaluation Methodology for Information Technology Security Evaluation. Supporting documents may be “Guidance Documents”, that highlight specific approaches and application of the standard to areas where no mutual recognition of its application is required, and as such, are not of normative nature, or “Mandatory Technical Documents”, whose application is mandatory for evaluations whose scope is covered by that of the supporting document. The usage of the latter class is not only mandatory, but certificates issued as a result of their application are recognized under the CCRA. Technical Editor: BSI Document History: V2.7 March 2009 (technical update of rating categories and update on usage of open samples based upon corresponding JIL document version 2.7) V2.5 December 2007 (explicit statements added that the points for identification and exploitation have to be added at the end to achieve the final attack potential value, references updated) V2.3 April 2007 (evaluation time guideline and rules regarding the use of open samples added and updated for use with both CC version 2 and 3) V2.1 April 2006 (classification as mandatory technical document, several updates to the tables) V1.1, July 2002 (draft indicator deleted, references updated, same content as V1.0) General purpose: The security properties of both hardware and software products can be certified in accordance with CC. To have a common understanding and to ensure that CC is used for hardware integrated circuits in a manner consistent with today’s state of the art hardware evaluations, the following chapters provide guidance on the individual aspects of the CC assurance work packages in addition to the Common Evaluation Methodology [CEM].
    [Show full text]
  • Microsoft Windows Common Criteria Evaluation Security Target
    Windows 10, Server 2012 R2 Security Target Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Microsoft Windows Server 2012 R2 Security Target Document Information Version Number 1 Updated On March 17, 2016 Microsoft © 2016 Page 1 of 97 Windows 10, Server 2012 R2 Security Target This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs- NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious.
    [Show full text]
  • NGDA Baseline Standards Inventory Companion Guide
    The Companion Guide: Achieving an NGDA Baseline Standards Inventory A Baseline Assessment to Meet Geospatial Data Act, Federal Data Strategy, and Other Requirements Federal Geographic Data Committee August 31, 2020 Contents Introduction .................................................................................................................................................. 1 Approach ....................................................................................................................................................... 2 Outcomes ...................................................................................................................................................... 2 How to Use this Document ........................................................................................................................... 2 Geospatial Data and Metadata Standards .................................................................................................... 3 Data Standards Categories ............................................................................................................................ 5 Data Content Standards Category Definitions .......................................................................................... 5 Data Exchange Standards Definitions ....................................................................................................... 8 Metadata Standards Categories ..................................................................................................................
    [Show full text]
  • Validators Report
    National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report SGI Red Hat Enterprise Linux Version 5.1 Report Number: CCEVS-VR-VID10286-2008 Dated: 2008-04-21 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6740 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740 ACKNOWLEDGEMENTS Validation Team The Aerospace Corporation Columbia, MD Noblis Falls Church, VA atsec Information Security Corporation Austin, TX Table of Contents 1. EXECUTIVE SUMMARY ........................................................................................................................................4 2. IDENTIFICATION ....................................................................................................................................................5 3. SECURITY POLICY .................................................................................................................................................6 3.1. I&A.......................................................................................................................................................................6 3.2. AUDITING ..............................................................................................................................................................6 3.3. DISCRETIONARY ACCESS CONTROL ......................................................................................................................7
    [Show full text]