An Introduction to Computer Security: The NIST Handbook
Table of Contents
I. INTRODUCTION AND OVERVIEW
Chapter 1
INTRODUCTION
1.1 Purpose
1.2 Intended Audience
1.3 Organization
1.4 Important Terminology
1.5 Legal Foundation for Federal Computer Security Programs
Chapter 2
ELEMENTS OF COMPUTER SECURITY
2.1 Computer Security Supports the Mission of the Organization
2.2 Computer Security is an Integral Element of Sound Management
2.3 Computer Security Should Be Cost-Effective
2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit
2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations
2.6 Computer Security Requires a Comprehensive and Integrated Approach
2.7 Computer Security Should Be Periodically Reassessed
2.8 Computer Security is Constrained by Societal Factors
Chapter 3
ROLES AND RESPONSIBILITIES
3.1 Senior Management
3.2 Computer Security Management
3.3 Program and Functional Managers/Application Owners
3.4 Technology Providers
3.5 Supporting Functions
3.6 Users
Chapter 4
COMMON THREATS: A BRIEF OVERVIEW
4.1 Errors and Omissions
4.2 Fraud and Theft
4.3 Employee Sabotage
4.4 Loss of Physical and Infrastructure Support
4.5 Malicious Hackers
4.6 Industrial Espionage
4.7 Malicious Code
4.8 Foreign Government Espionage
4.9 Threats to Personal Privacy
II. MANAGEMENT CONTROLS
Chapter 5
COMPUTER SECURITY POLICY
5.1 Program Policy
5.2 Issue-Specific Policy
5.3 System-Specific Policy
5.4 Interdependencies
5.5 Cost Considerations
Chapter 6
COMPUTER SECURITY PROGRAM MANAGEMENT
6.1 Structure of a Computer Security Program
6.2 Central Computer Security Programs
6.3 Elements of an Effective Central Computer Security Program
6.4 System-Level Computer Security Programs
6.5 Elements of Effective System-Level Programs
6.6 Central and System-Level Program Interactions
6.7 Interdependencies
6.8 Cost Considerations
Chapter 7
COMPUTER SECURITY RISK MANAGEMENT
7.1 Risk Assessment
7.2 Risk Mitigation
7.3 Uncertainty Analysis
7.4 Interdependencies
7.5 Cost Considerations
Chapter 8
SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.1 Computer Security Act Issues for Federal Systems
8.2 Benefits of Integrating Security in the Computer System Life Cycle
8.3 Overview of the Computer System Life Cycle
8.4 Security Activities in the Computer System Life Cycle
8.5 Interdependencies
8.6 Cost Considerations
Chapter 9
ASSURANCE
9.1 Accreditation and Assurance
9.2 Planning and Assurance
9.3 Design and Implementation Assurance
9.4 Operational Assurance
9.5 Interdependencies
9.6 Cost Considerations
III. OPERATIONAL CONTROLS
Chapter 10
PERSONNEL/USER ISSUES
10.1 Staffing
10.2 User Administration
10.3 Contractor Access Considerations
10.4 Public Access Considerations
10.5 Interdependencies
10.6 Cost Considerations
Chapter 11
PREPARING FOR CONTINGENCIES AND DISASTERS
11.1 Step 1: Identifying the Mission- or Business-Critical Functions
11.2 Step 2: Identifying the Resources That Support Critical Functions
11.3 Step 3: Anticipating Potential Contingencies or Disasters
11.4 Step 4: Selecting Contingency Planning Strategies
11.5 Step 5: Implementing the Contingency Strategies
11.6 Step 6: Testing and Revising
11.7 Interdependencies
11.8 Cost Considerations
Chapter 12
COMPUTER SECURITY INCIDENT HANDLING
12.1 Benefits of an Incident Handling Capability
12.2 Characteristics of a Successful Incident Handling Capability
12.3 Technical Support for Incident Handling
12.4 Interdependencies
12.5 Cost Considerations
Chapter 13
AWARENESS, TRAINING, AND EDUCATION
13.1 Behavior
13.2 Accountability
13.3 Awareness
13.4 Training
13.5 Education
13.6 Implementation
13.7 Interdependencies
13.8 Cost Considerations
Chapter 14
SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS
14.1 User Support
14.2 Software Support
14.3 Configuration Management
14.4 Backups
14.5 Media Controls
14.6 Documentation
14.7 Maintenance
14.8 Interdependencies
14.9 Cost Considerations
Chapter 15
PHYSICAL AND ENVIRONMENTAL SECURITY
15.1 Physical Access Controls
15.2 Fire Safety Factors
15.3 Failure of Supporting Utilities
15.4 Structural Collapse
15.5 Plumbing Leaks
15.6 Interception of Data
15.7 Mobile and Portable Systems
15.8 Approach to Implementation
15.9 Interdependencies
15.10 Cost Considerations
IV. TECHNICAL CONTROLS
Chapter 16
IDENTIFICATION AND AUTHENTICATION
16.1 I&A Based on Something the User Knows
16.2 I&A Based on Something the User Possesses
16.3 I&A Based on Something the User Is
16.4 Implementing I&A Systems
16.5 Interdependencies
16.6 Cost Considerations
Chapter 17
LOGICAL ACCESS CONTROL
17.1 Access Criteria
17.2 Policy: The Impetus for Access Controls
17.3 Technical Implementation Mechanisms
17.4 Administration of Access Controls
17.5 Coordinating Access Controls
17.6 Interdependencies
17.7 Cost Considerations
Chapter 18
AUDIT TRAILS
18.1 Benefits and Objectives
18.2 Audit Trails and Logs
18.3 Implementation Issues
18.4 Interdependencies
18.5 Cost Considerations
Chapter 19
CRYPTOGRAPHY
19.1 Basic Cryptographic Technologies
19.2 Uses of Cryptography
19.3 Implementation Issues
19.4 Interdependencies
19.5 Cost Considerations
V. EXAMPLE
Chapter 20
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
20.1 Initiating the Risk Assessment
20.2 HGA's Computer System
20.3 Threats to HGA's Assets
20.4 Current Security Measures
20.5 Vulnerabilities Reported by the Risk Assessment Team
20.6 Recommendations for Mitigating the Identified Vulnerabilities
20.7 Summary
Cross Reference and General Index