Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-12 Title: An Introduction to Computer Security: the NIST Handbook Publication Date(s): October 1995 Withdrawal Date: June 21, 2017 Withdrawal Note: SP 800-12 is superseded in its entirety by the publication of SP 800-12 Revision 1. Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-12 Revision 1 Title: An Introduction to Information Security Author(s): Michael Nieles; Kelley Dempsey; Victoria Yan Pillitteri Publication Date(s): June 2017 URL/DOI: https://doi.org/10.6028/NIST.SP.800-12r1 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Laboratory) Latest revision of the SP 800-12 Rev. 1 (as of June 21, 2017) attached publication: Related information: Withdrawal N/A announcement (link): Date updated: :ƵŶĞϮϭ͕ϮϬϭϳ HATl INST. OF STAND & TECH R.I.C. NIST PUBLICATIONS AlllOB SEDS3fl NIST Special Publication 800-12 An Introduction to Computer Security: The NIST Handbook U.S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards Barbara Guttman and Edward A. Roback and Technology COMPUTER SECURITY Contingency Assurance User 1) Issues Planniii^ I&A Personnel Trairang f Access Risk Audit Planning ) Crypto \ Controls O Managen»nt U ^ J Support/-"^ Program Kiysfcal ~^Tiireats Policy & v_ Management Security Operations i QC 100 Nisr .U57 NO. 800-12 1995 The National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in the development of technology . needed to improve product quality, to modernize manufacturing processes, to ensure product reliability . and to facilitate rapid commercialization ... of products based on new scientific discoveries." NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency's basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government. As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303. Major technical operating units and their principal activities are listed below. For more information contact the Public Inquiries Desk, 301-975-3058. Office of the Director Manufacturing Engineering Laboratory • Advanced Technology Program • Precision Engineering • Quality Programs • Automated Production Technology • International and Academic Affairs • Intelligent Systems • Manufacturing Systems Integration Technology Services • Fabrication Technology • Manufacturing Extension Partnership • Standards Services Electronics and Electrical Engineering • Technology Commercialization Laboratory • Measurement Services • Microelectronics • Technology Evaluation and Assessment • Law Enforcement Standards • Information Services • Electricity • Semiconductor Electronics Materials Science and Engineering • Electromagnetic Fields' Laboratory • Electromagnetic Technology' • Intelligent Processing of Materials • Optoelectronics' • Ceramics • Materials Reliability' Building and Fire Research Laboratory • Polymers • Structures • Metallurgy • Building Materials • Reactor Radiation • Building Environment • Fire Safety Chemical Science and Technology • Fire Science Laboratory • Biotechnology Computer Systems Laboratory • Chemical Kinetics and Thermodynamics • Office of Enterprise Integration • Analytical Chemical Research • Information Systems Engineering • Process Measurements • Systems and Software Technology • Surface and Microanalysis Science • Computer Security • Thermophysics^ • Systems and Network Architecture • Advanced Systems Physics Laboratory • Electron and Optical Physics Computing and Applied Mathematics • Atomic Physics Laboratory • Molecular Physics • Applied and Computational Mathematics^ • Radiometric Physics • Statistical Engineering^ • Quantum Metrology • Scientific Computing Environments^ • Ionizing Radiation • Computer Services • Time and Frequency' • Computer Systems and Communications^ • Quantum Physics' • Information Systems 'At Boulder. CO 80303. ^Some elements at Boulder, CO 80303. NIST Special Publication 800-12 An IlltrOdUCtion tO CompUtCr Security: The NIST Handbook Barbara Guttman and Edward Roback COMPUTER SECURITY Computer Systems Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-0001 October 1995 U.S. Department of Commerce Ronald H. Brown, Secretary Technology Administration Mary L. Good, Under Secretary for Technology National Institute of Standards and Technology Arati Prabhakar, Director Reports on Computer Systems Technology The National Institute of Standards and Technology (NIST) has a unique responsibility for computer systems technology within the Federal government. NIST's Computer Systems Laboratory (CSL) devel- ops standards and guidelines, provides technical assistance, and conducts research for computers and related telecommunications systems to achieve more effective utilization of Federal information technol- ogy resources. CSL's responsibilities Include development of technical, management, physical, and ad- ministrative standards and guidelines for the cost-effective security and privacy of sensitive unclassified Information processed In Federal computers. CSL assists agencies in developing security plans and in Improving computer security awareness training. This Special Publication 800 series reports CSL re- search and guidelines to Federal agencies as well as to organizations In industry, government, and academia. National Institute of Standards and Technology Special Publication 800-12 Natl. Inst. Stand. Technol. Spec. Publ. 800-12, 272 pages (Oct. 1995) CODEN: NSPUE2 U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 1995 For sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402 Table of Contents I. INTRODUCTION AND OVERVIEW Chapter 1 INTRODUCTION 1.1 Purpose 3 1.2 Intended Audience 3 1.3 Organization 4 1.4 Important Terminology 5 1.5 Legal Foundation for Federal Computer Security Programs 7 Chapter 2 ELEMENTS OF COMPUTER SECURITY 2.1 Computer Security Supports the Mission of the Organization 9 2.2 Computer Security is an Integral Element of Sound Management 10 2.3 Computer Security Should Be Cost-Effective 11 2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit 12 2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations 12 2.6 Computer Security Requires a Comprehensive and Integrated Approach 13 2.7 Computer Security Should Be Periodically Reassessed. 13 2.8 Computer Security is Constrained by Societal Factors. 14 iii Chapter 3 ROLES AND RESPONSIBILITIES 3.1 Senior Management 16 3.2 Computer Security Management 16 3.3 Program and Functional Managers/Application Owners 16 3.4 Technology Providers 16 3.5 Supporting Functions 18 3.6 Users 19 Chapter 4 COMMON THREATS: A BRIEF OVERVIEW 4.1 Errors and Omissions 22 4.2 Fraud and Theft 23 4.3 Employee Sabotage 24 4.4 Loss of Physical and Infrastructure Support 24 4.5 Malicious Hackers 24 4.6 Industrial Espionage 26 4.7 Malicious Code 27 4.8 Foreign Government Espionage 27 4.9 Threats to Personal Privacy 28 II. MANAGEMENT CONTROLS Chapter 5 COMPUTER SECURITY POLICY 5.1 Program Policy 35 5.2 Issue-Specific Policy 37 5.3 System-Specific Policy 40 iv 5.4 Interdependencies 42 5.5 Cost Considerations 43 Chapter 6 COMPUTER SECURITY PROGRAM MANAGEMENT 6.1 Structure of a Computer Security Program 45 6.2 Central Computer Security Programs 47 6.3 Elements of an Effective Central Computer Security Program 51 6.4 System-Level Computer Security Programs 53 6.5 Elements of Effective System-Level Programs 53 6.6 Central and System-Level Program Interactions 56 6.7 Interdependencies 56 6.8 Cost Considerations 56 Chapter 7 COMPUTER SECURITY RISK MANAGEMENT 7.1 Risk Assessment 59 7.2 Risk Mitigation 63 7.3 Uncertainty Analysis 67 7.4 Interdependencies 68 7.5 Cost Considerations 68 Chapter 8 SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE 8.1 Computer Security Act Issues for Federal Systems 71 8.2 Benefits of Integrating Security in the Computer System Life Cycle 72 8.3 Overview of the Computer System Life Cycle 73 V 8.4 Security Activities in the Computer System Life Cycle 74 8.5 Interdependencies 86 8.6 Cost Considerations 86 Chapter 9 i ASSURANCE 9.1 Accreditation and Assurance 90 9.2 Planning and Assurance 92 9.3 Design and Implementation Assurance 92 9.4 Operational Assurance 96 9.5 Interdependencies 101 9.6 Cost Considerations 101 III. OPERATIONAL CONTROLS Chapter 10 PERSONNEL/USER ISSUES 10.1 Staffing 107 10.2 User Administration 110 10.3 Contractor Access Considerations
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages297 Page
-
File Size-