Technology Assessment: Methods for Measuring the Level of Computer Security
Total Page:16
File Type:pdf, Size:1020Kb
AlllDb 33MMn Computer Science National Bureau and Technology of Standards NBs NBS Special Publication 500-133 PUBLICATIONS Technology Assessment: Methods for Measuring the Level of Connputer Security William Neugent, John Gilligan, ance Hoffman, and Zella G. Ruthberg 100, ' .1157 500-133 1985 . ] I he National Bureau of Standards' was established by an act of Congress on March 3, 1901. The Bureau's overall goal is to strengthen and advance the nation's science and technology and facilitate their effective application for public benefit. To this end, the Bureau conducts research and provides: (1) a basis for the nation's physical measurement system, (2) scientific and technological services for industry and government, (3) a technical basis for equity in trade, and (4) technical services to promote public safety. The Bureau's technical work is performed by the National Measurement Laboratory, the National Engineering Laboratory, the Institute for Computer Sciences and Technology, and the Institute for Materials Science and Engineering The National Measurement Laboratory Provides the national system of physical and chemical measurement; • Basic Standards^ coordinates the system with measurement systems of other nations and • Radiation Research furnishes essentiaJ services leading to accurate and uniform physical and • Chemical Physics chemical measurement throughout the Nation's scientific community, in- • Analytical Chemistry dustry, and commerce; provides advisory and research services to other Government agencies; conducts physical and chemical research; develops, produces, and distributes Standard Reference Materials; and provides calibration services. The Laboratory consists of the following centers: The National Engineering Laboratory Provides technology and technical services to the public and private sectors to Applied Mathematics address national needs and to solve national problems; conducts research in Electronics and Electrical engineering and applied science in support of these efforts; builds and main- Engineering' tains comf)etence in the necessary disciplines required to carry out this Manufacturing Engineering research and technical service; develops engineering data and measurement Building Technology capabilities; provides engineering measurement traceability services; develops Fire Research test methods and proposes engineering standards and code changes; develops Chemical Engineering-^ and proposes new engineering practices; and develops and improves mechanisms to transfer results of its research to the ultimate user. The Laboratory consists of the following centers: The Institute for Computer Sciences and Technology Conducts research and provides scientific and technical services to aid Programming Science and Federal agencies in the selection, acquisition, application, and use of com- Technology puter technology to improve effectiveness and economy in Government Computer Systems operations in accordance with Public Law 89-306 (40 U.S.C. 759), relevant Engineering Executive Orders, and other directives; carries out this mission by managing the Federal Information Processing Standards Program, developing Federal ADP standards guidelines, and managing Federal participation in ADP voluntary standardization activities; provides scientific and technological ad- visory services and assistance to Federal agencies; and provides the technical foundation for computer-related policies of the Federal Government. The In- stitute consists of the following centers: The Institute for Materials Science and Engineering Conducts research and provides measurements, data, standards, reference Inorganic Materials materials, quantitative understanding and other technical information funda- Fracture and Deformation^ mental to the processing, structure, prop)erties and performance of materials; Polymers addresses the scientific basis for new advanced materials technologies; plans Metallurgy research around cross-country scientific themes such as nondestructive Reactor Radiation evaluation and phase diagram development; oversees Bureau-wide technical programs in nuclear reactor radiation research and nondestructive evalua- tion; and broadly disseminates generic technical information resulting from its programs. The Institute consists of the following Divisions: 'Headquarters and Laboratories at Gaithersburg, MD, unless otherwise noted; mailing address Gaithersburg, MD 20899. ^Some divisions within the center are located at Boulder, CO 80303. 'Located at Boulder, CO, with some elements at Gaithersburg, MD. OF STAlfDAEl/S ZJERARY Computer Science and Technology NBS Special Publication 500-133 Technology Assessment: Methods for Measuring the Level of Computer Security William Neugent and John Gilligan System Development Corporation McLean, VA 22101 Lance Hoffman George Washington University Washington, DC 20052 Zella G. Ruthberg Center for Programming Science and Technology Institute for Computer Sciences and Technology National Bureau of Standards Gaithersburg, MD 20899 Issued October 1985 U.S. DEPARTMENT OF COMMERCE Malcolm Baldrige, Secretary National Bureau of Standards Ernest Ambler, Director Reports on Computer Science and Technology The National Bureau of Standards has a special responsibility within the Federal Government for computer science and technology activities. The programs of the NBS Institute for Computer Sciences and Technology are designed to provide ADP standards, guidelines, and technical advisory services to improve the effectiveness of computer utilization in the Federal sector, and to perform appropriate research and development efforts as foundation for such activities and programs. This publication series will report these NBS efforts to the Federal computer community as well as to interested specialists in the academic and private sectors. Those wishing to receive notices of publications in this series should complete and return the form at the end of this publication. Library of Congress Catalog Card Number: 85-600600 National Bureau of Standards Special Publication 500-133 Natl. Bur. Stand. (U.S.), Spec. Publ. 500-133, 216 pages (Oct. 1985) CODEN: XNBSAV U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 1985 For sale by the SuDenntendent of Documents. U S Government Printing Ollice, Washington, DC 20402 CONTENTS CHAPTER 1 INTRODUCTION 1.1 PROGRAM BACKGROUND 1-1 1.1.1 NBS Computer Security, Integrity, And Risk Management Standards Program 1-1 1.1.2 Security Measurement, Certification, And Accreditation 1-3 1.2 BASIC TERMINOLOGY 1-2 1.3 TECHNOLOGY ASSESSMENT OVERVIEW 1-6 1.3.1 Scope 1-6 1.3.2 Organization 1-6 1.3.3 Sources And Approach 1-7 CHAPTER 2 ENVIRONMENTS 2.1 ENVIRONMENTAL FACTORS INFLUENCING SYSTEM SECURITY 2-1 2.1.1 An Early Approach (1977) 2-1 2.1.2 A More Detailed Later Approach (1979) 2-3 2.1.3 Conclusions About Environmental Factors And System Security 2-7 2.2 ENVIRONMENTAL FACTORS INFLUENCING SECURITY EVALUATION 2-7 2.3 CONCLUSIONS 2-9 CHAPTER 3 CONTROLS 3.1 CONTROL GROUPINGS OR STRUCTURES 3-1 3.1.1 Systems Auditability And Control (SAC) Study [IIA77-2] . 3-2 3.1.2 Security: Checklist For Computer Center Self-Audits [AFI793 3-7 3.1.3 Army Regulation 380-380 [USA79] 3-9 3.1.4 Computer Control Guidelines [CIC70] 3-12 3.1.5 Information Security Handbook [WIL80] .... 3-12 3.1.6 Control Objectives 1980 [EAF80] 3-13 3.1.7 GAO Internal Controls Course [GA080] 3-14 3.1.8 NBS SP 500-57 [RUT80] 3-14 3.1.9 EDP Insurance [MIG80] 3-16 3.1.9.1 EDP All Risk 3-16 3.1.9.2 EDP Fidelity 3-16 3.1.9.3 Criteria For Insurance Selection 3-17 3-17 3.2 SUMMARY OF CONTROL GROUPINGS OR STRUCTURES . 3.2.1 Roles Served By Control Groupings Or Structures 3-17 3.2.2 General Control Structure 3-20 3.3 EXPOSURE GROUPINGS OR STRUCTURES 3-22 CHAPTER 4 SYSTEM EVALUATION METHODOLOGIES - 4-1 4.1 SECURITY EVALUATION METHODOLOGIES . 4.1.1 Touche Ross & Co. [MAI76] 4-2 4.1.1.1 Description 4-2 iii 4.1.1.2 Distinguishing Features 4-13 4.1.1.3 Notable Experiences And Lessons 4-13 4.1.1.4 Major Strengths And Weaknesses 4-13 4.1.2 Peat Marwick Mitchell & Co. [PMM803 4-14 4.1.2.1 Description 4-14 4.1.2.2 Distinguishing Features 4-16 4.1.2.3 Notable Experiences And Lessons 4-16 4.1.2.4 Major Strengths And Weaknesses 4-16 4.1.3 SRI International/use Info. Sciences Institute (ISI) [NEM78] 4-17 4.1.3.1 Description 4-17 4.1.3.2 Distinguishing Features 4-22 4.1.3.3 Notable Experiences And Lessons 4-22 4.1.3.4 Major Strengths And Weaknesses 4-22 4.1.4 Department Of Defense (DoD) [D0D83] 4-22 4.1.4.1 Description 4-22 4.1.4.2 Distinguishing Features 4-33 4.1.4.3 Notable Experiences And Lessons 4-33 4.1.4.4 Major Strengths And Weaknesses 4-33 4.1.5 Testing 4-34 4.1.5.1 External Testing 4-35 4.1.5.1.1 Independent Definition 4-36 4.1.5.1.2 Pass/Fail Criteria 4-36 4.1.5.2 Internal Testing 4-37 4.1.5.2.1 Measures Of Coverage 4-39 4.1.5.2.2 Software Quality Metrics 4-40 4.1.5.3 Testing For Security Evaluation 4-41 4.1.6 Other Approaches 4-43 4.1.6.1 Canadian Institute Of Chartered Accountants [CIC75] 4-43 4.1.6.2 Arthur Andersen & Co. [AAC78] 4-48 4.1.6.3 AFIPS Security Checklist For Computer Center Self-Audits [AFI79] 4-52 4.1.6.4 Internal Controls For Computerized System [FIT78] 4-55 4.1.6.5 Coopers & Lybrand [C^L82] [HAL85] 4-56 4.1.6.6 Auditing Computer Systems [PER81] 4-58 4.1.6.7 Information Security Handbook [WIL80] .... 4-59 4.1.6.8 Department Of Health And Human Services [HHS78] [HHS82] 4-60 4.1.6.9 Department Of Agriculture [DOA80] [D0A84] . 4-61 4.1.6.10 GAO Audit Guides [GA081-13 [GA081-2] 4-63 4.1.6.11 Department Of Energy [D0E83] [D0E84] 4-65 4.1.6.12 Formal Verification 4-68 4.2 RISK ASSESSMENT METHODOLOGIES 4-72 4.2.1 Individual Methodologies 4-72 4.2.1.1 FIPS PUB 65 [FIP653 4-73 4.2.1.2 Air Force Risk Analysis Management Program (AFRAMP) [AFRAMP] 4-74 4.2.1.3 Department Of Agriculture [D0A77] 4-75 4.2.1.4 SDC Navy Risk Assessment Methodology [SDC79] .