
Frequently Asked Questions (FAQs)

This FAQ was compiled from questions asked and answered in the Federal Computer Security Program Manager's Forum e-mail list over the past three years. There are no names or organizations associated with the question or the answer. If you would like to add information to a FAQ, please send an e-mail message to fasp@nist.gov. In some cases, we have obtained agency practices that were attached to the answers. The practices are contained in the Federal Agency Security Practices Area page on this site.

Disclaimer:

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

Use of NIST Information:

The National Institute of Standards and Technology (NIST) provides these pages as a public service. With the exception of material marked as copyrighted, information presented is considered public information and may be distributed or copied. Use of appropriate byline/photo/image credits is requested.


Audit Trails

Q. What are audit trails?

A. Audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications. Some security experts make a distinction between an audit trail and an audit log as follows: a log is a record of events made by a particular software package, and an audit trail is an entire history of an event, possibly using several logs. Common usage within the security community does not make use of this distinction.

Q. Under what circumstances are the programs/systems/logs that we capture in monitoring Internet usage considered a System of Records and subject to all requirements of the Privacy Act?

A. The Department of Justice determined that a network/Internet monitoring/logging/audit system is a System of Records for Privacy Act considerations if the system has the capability of attributing data to a person (whether or not it is used for this purpose). See: Federal Register, published Dec 30, 1999, pages 73585-73586, under Privacy Act of 1974.
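As an added illustration of the two points above (the distinction between a single log and an audit trail assembled from several logs, and why such a system can attribute data to a person), the following Python example is not part of the NIST page. It uses constructed sample records in an assumed format; the field names, the three log sources and the 30-minute attribution window are all assumptions.

```python
"""Reconstruct an audit trail for one user from several separate logs.

Added example (not from the NIST FAQ). Each log below is produced by a
different component and records only its own events; the audit trail is the
cross-log history of one user's activity. All records are constructed
sample data in an assumed format.
"""
from datetime import datetime, timedelta

# Constructed sample records: authentication, application and web proxy logs.
AUTH_LOG = [
    {"ts": "2003-05-01T09:00:05", "user": "jdoe", "src_ip": "10.1.2.3", "event": "login_ok"},
    {"ts": "2003-05-01T09:40:00", "user": "asmith", "src_ip": "10.1.2.9", "event": "login_ok"},
]
APP_LOG = [
    {"ts": "2003-05-01T09:01:10", "user": "jdoe", "event": "open_record", "record": "HR-1042"},
    {"ts": "2003-05-01T09:02:30", "user": "jdoe", "event": "modify_record", "record": "HR-1042"},
    {"ts": "2003-05-01T09:41:00", "user": "asmith", "event": "open_record", "record": "HR-0007"},
]
PROXY_LOG = [
    {"ts": "2003-05-01T09:03:00", "src_ip": "10.1.2.3", "event": "http_post", "dest": "mail.example.test"},
    {"ts": "2003-05-01T09:45:00", "src_ip": "10.1.2.9", "event": "http_get", "dest": "news.example.test"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def build_audit_trail(user, auth_log, app_log, proxy_log, window=timedelta(minutes=30)):
    """Return the chronologically ordered history of `user`'s activity.

    The auth log is the only source that ties a user ID to a source IP, so
    it is used to attribute proxy records (which carry only an IP) to the
    user. A proxy record is attributed only if it falls within `window`
    after a login from the same IP (assumed session length).
    """
    trail = []
    sessions = [r for r in auth_log if r["user"] == user and r["event"] == "login_ok"]
    for r in sessions:
        trail.append(("auth", _parse(r["ts"]), r))
    for r in app_log:
        if r["user"] == user:
            trail.append(("app", _parse(r["ts"]), r))
    for r in proxy_log:
        ts = _parse(r["ts"])
        for s in sessions:
            start = _parse(s["ts"])
            if r["src_ip"] == s["src_ip"] and start <= ts <= start + window:
                trail.append(("proxy", ts, r))
                break
    trail.sort(key=lambda e: e[1])
    return trail


def trail_summary(trail):
    """Condense a trail into '<source>:<event>' strings for review."""
    return [f"{src}:{rec['event']}" for src, _, rec in trail]


if __name__ == "__main__":
    for line in trail_summary(build_audit_trail("jdoe", AUTH_LOG, APP_LOG, PROXY_LOG)):
        print(line)
```

Because the assembled trail links a user ID to an IP address and to web destinations, a system holding these logs has the capability of attributing data to a person, which is the criterion the Department of Justice determination turns on.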


Authorize Processing (Certification & Accreditation)

Q. What is authorize processing (certification & accreditation)?

A. Certification is a comprehensive analysis of information technology systems' technical and non-technical security controls. Accreditation or "authorize processing" is the official management authorization for the operation of a system or application and is based on the certification process as well as other management considerations.

Q. What is an adequate list of mandatory security requirements based on Public Law and other regulation that Civilian agencies should use as a baseline for Certification & Accreditation (C&A)?

A. OMB Circular A-130 requires that a management official authorize in writing the use of each general support system or major application, based on the implementation of its security plan, before beginning or significantly changing processing in the system. Use of the system shall be re-authorized at least every three years. NIST SP 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems," provides guidance on the certification and accreditation process.

Q: What is a reasonable cost estimate for a System Certification and Accreditation?

A: OMB Circular A-130 requires federal agencies to plan for security, ensure that appropriate officials are assigned security responsibility, and authorize system processing prior to operations and periodically thereafter. This authorization by senior agency officials is sometimes referred to as accreditation. The technical and non-technical evaluation of an IT system that produces the information the authorizing official needs to make a credible, risk-based decision on whether to place the system into operation is known as certification. The cost of doing a Certification and Accreditation for a system depends on the completeness of the supporting documentation, the sensitivity of the system, and the complexity of the system. Therefore, the costs may vary widely. Those who have provided input to NIST on this question have reported figures ranging from $80,000 to $500,000. We have no official figures for the entire federal sector. In future C&A activity, we hope to collect more solid metrics for this area based on the new methodology.


Contingency Planning

Q. What is contingency planning, continuity of operations, and disaster recovery?

A. Contingency plans are short-term arrangements an agency makes to carry out its mission. A continuity of operations plan is a long-term strategy for operations during national crisis. Disaster recovery refers to the steps that are taken to continue support for critical functions.

Q. What guidance is available on contingency planning and continuity of operations?

A. NIST Special Publication 800-12 "An Introduction to Computer Security: The NIST Handbook," Chapter 11 contains high-level guidance on contingency planning. NIST is currently updating FIPS PUB 81, "Guidelines for ADP Contingency Planning." For an outline of the sections contained in a continuity of operations (COOP) plan, see the agency practice: "Continuity of Operations Plan (COOP)."


Data Integrity

Q. What is data integrity?

A. Data integrity implies that the data is protected from unauthorized, unanticipated, or unintentional modification.

Q. What Java/Java Script security controls exist?

A. For security implications of active content, see:
http://csrc.nist.gov/publications/03-00.pdf

For policy guidance, see:
http://csrc.nist.gov/publications/02-98.pdf


Documentation

Q. What is documentation?

A. Documentation of an information technology system is important to the security of the system in that it explains how software/hardware is to be used and formalizes security and operational procedures specific to the system. Examples of documentation for a system include descriptions of the hardware and software; policies, standards, and procedures; approvals and agreements related to automated information system security and to backup and contingency activities; and descriptions of user and operator procedures.

Q. What examples are available of existing Information Assurance requirements verbiage used in contracts for Contractor compliance?

A. The CERT has a Security Improvement Module titled "Security for Information Technology Service Contracts". See: www.cert.org/security-improvement/modules/m03.html.

Q. What are the requirements for Inter-Agency agreements where two agencies share a system and the data transmitted on it? How do you ensure that your data is as secure on their part of the system as it is on your part?

A. U.S. Customs has shared as a security practice the Interconnection Security Agreement (ISA) that formalizes the interconnection of systems owned by two different organizations.


Hardware & Systems Software Maintenance

Q. How does hardware and systems software maintenance relate to security?

A. To ensure that hardware and software function as intended, there should be controls used to monitor the installation of, and updates to, hardware, operating system software, and other software. The controls may also be used to ensure that only authorized software is installed on the system. Such controls may include a hardware and software configuration policy that grants managerial approval to modifications and requires that changes be documented. Other controls include products and procedures used in auditing for or preventing illegal use of shareware or copyrighted software.


Identification & Authentication

Q. What is identification and authentication?

A. Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes) from entering an information technology system. Identification is the means by which a user provides a claimed identity to the system. The most common form of identification is the user ID. Authentication is the means of establishing the validity of a user's claimed identity to the system. There are three means of authenticating a user's identity, which can be used alone or in combination: something the individual knows (e.g., a password or personal identification number); something the individual possesses (e.g., a smart card or ATM card); and something the individual is (e.g., a fingerprint or voice pattern). For additional information on identification and authentication, see the ITL Bulletin on Advanced Authentication Technology.

Q. What are the pros and cons of using an automated password generating tool?

A. See FIPS Publication 181 "Automated Password Generator".


Incident Response Capability

Q. What is an incident response capability?

A. An incident response capability provides help when an adverse event in a computer system or network causes a failure of a security mechanism or an attempted breach of those mechanisms. The capability should be able to respond quickly and to share information concerning common vulnerabilities and threats.

Q. What reference materials are available for Internet Incident Response?

A. See NIST Special Publication 800-3, "Establishing a Computer Security Incident Response Capability (CSIRC)." Also, see the Incident Response Capability section of the FASP Area for several examples of agency incident handling policies.


Life Cycle

Q. What is the system life cycle and how does it pertain to information technology security?

A. There are five basic phases in the development of a computer system: initiation, development/acquisition, implementation, operation/maintenance, and disposal.

In the initiation phase the need for a system is expressed and the purpose of the system is documented. A sensitivity assessment should be performed that looks at the information to be processed and the security it will require. During the development/acquisition phase the security requirements should be developed at the same time system planners define the requirements of the system. In the implementation phase the system's security features should be configured and enabled, the system should be tested and installed, and the system should be authorized for processing. In the operation/maintenance phase the system is almost always being continuously modified by the addition of hardware and software and by numerous other events. The security of the system should be documented and reviewed, risk-based choices made, and the system re-authorized to process when major changes are made. In the disposal phase the disposition of information, hardware, and software is made.

Q. Where can I find recent IT-security oriented configuration guidance for: Windows NT/2000/2000 Professional, Cisco Routers, MS Exchange 5.x, MS Office 97/2000 executable-content security, Electronic Mail security, Public Web Servers, MS IIS 4.0, or Apache Web Server 1.3.3 (on Red Hat Linux 5.1)?

A. Guidance on securely configuring some operating systems can be found from the National Security Agency at www.nsa.gov/snac/ and from NIST at csrc.nist.gov/publications. IT Security configuration guidance is also available from some product vendors, IT security periodicals, and IT security training courses. CERT, CERIS, and the Center for Internet Security are all good resources as well.


Logical Access Controls

Q. What are logical access controls?

A. Logical access controls are the system-based mechanisms used to specify who or what is to have access to a specific system resource and the type of access that is permitted. A good example is the access control lists and access control software that a system contains.

Q. What options are there for securing desktop system hard disks with passwords (and still being able to override them when needed)?

A. Example of products: Encryption Plus(r) Hard Disk is a software program with 192-bit data encryption for the entire hard drive. It features centralized administration capability, including key recovery.

Q. Where can I find samples of log-on banner messages?

A. See pages 43 and 64 of NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems," for an example of a warning banner.


Network Security

Q. What is network security?

A. Network security is the secure communication capability that allows one user or system to connect to another user or system. For examples of network security practices ranging from securing domain name servers to deploying firewalls, see the Network Security section of the FASP Area.

Q. Where can I find a copy of a policy dealing with email spamming?

A. Information on e-mail spamming is provided at the following URL: http://www.ftc.gov/bcp/conline/pubs/alerts/inbxalrt.htm. See the sample policy posted in the Network Security section of the FASP area.

Q. Should Instant Messaging be allowed, allowed under controlled conditions, or prohibited within an organization?

A. Organizations have taken varying steps to manage the use of instant messaging (IM) and Internet Relay Chat (IRC). Some agencies have blocked IM and IRC use at the firewall due to the inability to centrally control new vulnerabilities introduced by the software manufacturer. Other organizations allow the use of IM internally. There are several products that can be configured for internal use only, such as the Lotus Notes product called SameTime and the Jabber Inc. product called Jabber. An article describing IM and the security challenges it introduces can be found at: http://www.infosecuritymag.com/2002/aug/cover.shtml.

Q. What Internet access controls are agencies implementing?

A. The prevailing practice within the federal agencies focuses not on limiting Internet access but on ensuring that employees are well informed of their organization's policy regarding their use of the Internet. Many agencies make Internet access available to all employees because it has been determined that the majority of the work force can benefit from such access. In other agencies, approval is restricted and granted on a case-by-case basis. When developing an Internet use policy, a personal usage policy, or rules of behavior, the Human Resources component should be involved to ensure the policy is consistent with other personnel policy. See the Personnel Security section of the FASP Area for examples of agency personal use policies.

Q. Where can I find guidance on the secure use of Personal Electronic Devices (PED) and Personal Digital Assistants (PDA)?

A. Guidance is available from:


Personnel Security

Q. What is personnel security?

A. Personnel security involves human users, designers, implementers and managers and how they interact with computers and the access and authorities they need to do their job. The greatest harm/disruption to a system comes from the actions of individuals, both intentional and unintentional.

Q. What needs to be on a Computer System Access form for contractors or employees?

A. For an example, see the Personnel Security section in the FASP area. The practice titled "Personnel Security" contains an access form in the back of the document.

Q. What is appropriate for an agency policy on background investigations and security clearances for employees and contractors with access to and control of sensitive data and mission critical systems?

A. A good example of an agency policy on investigative requirements is contained in the practice titled, "Investigative Requirements for Contractor Employees" in the Personnel Security section in the FASP Area.

Q. What are the restrictions on hiring of foreign nationals/aliens to work on Federal systems?

A. There are no federal level restrictions on hiring foreign nationals to work on unclassified systems. There may be Departmental or Agency Policy written to restrict the use of Foreign Nationals. The foreign national must have the appropriate documents in order to be employed. Also, some work may be of such sensitivity that a suitability investigation may be required.

Q. What are some examples of a written policy on personal use of the Internet?
What written procedures exist for addressing suspected abuse of government information technology resources? How should suspected abuse be dealt with? How does the 'guilty party' get notified that there is a potential problem?

A. For personal use examples see several examples provided in the Personnel Security section in the FASP Area.


Physical Security

Q. What is physical security?

A. Physical security protects the facility housing system resources, the system resources themselves, and the facilities used to support their operation. Physical security, as it pertains to computer security, should cover the following areas: access controls, fire safety, failure of supporting utilities, structural collapse, interception of data, and mobile and portable systems.

Q. What security concerns must I consider when traveling with a laptop computer?

A. See:

Q. Where can I find guidance on approved fire suppression methods for Computer/Data Centers?

A. Look at GSA's Fire Safety website for contacts and information. Also, check with your agency's Safety Officer or Fire Engineer.


Production, Input/Output Controls

Q. What are production, input/output controls?

A. Production, input/output controls are the security procedures in place that support the operations of the information technology system. Some examples are: user support; procedures to ensure unauthorized individuals cannot read, copy, alter, or steal printed or electronic information; internal/external labeling of tapes; and procedures for restricting access to output products.

Q. What policies/guidance exist for sanitizing media or hard disks?

A. There are several agency practices on policy and guidance available in the Production, Input/Output Controls section of the FASP Area.


Program Management

Q. What is program management?

A. Program management as it relates to information technology (IT) security is the management of the overall scope of the IT security program.

Q. Where can I find detailed information on planning/documenting/implementing information technology (IT) security in a Federal agency?

A. NIST has developed several guidance documents. NIST Special Publication 800-12, "An Introduction to Computer Security: The NIST Handbook," offers guidance on all areas of a Federal IT security program. NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems" (.pdf format), describes what should be done to secure IT resources. Additionally, the Program Management section in the FASP area contains examples of agency security program plans and handbooks.

Q. Where can I find job-specific ADP competencies (for all positions)? Potential use is to develop baseline ADP skills, then develop training requirements, and then evaluation criteria.

A. See the new OPM "Job Family Position Classification Standard for Administrative Work in the Information Technology Group, GS-2200" on http://www.opm.gov. Training requirements can be found in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model."

Q. What guidance is available for publishing/distributing an agency's security policy electronically or on the web?

A. Many Federal agencies publish their security policy documents on their Intranet. This allows agency employees to access the latest version of those policies while on the agency's internal network.


Review of Security Controls

Q. What is review of security controls?

A. Review of security controls is the routine evaluation, assessment, audit, or review of the security controls placed on an information technology system. Such reviews can be performed by your facility or by a third party. The type and rigor of reviews should be commensurate with the acceptable level of risk established for the system.

Q. What issues are involved in using utilities such as Crack and SATAN within our agency?

A. Management of all affected organizations must be informed and concur about the testing, in advance. Also, the system and network administrators should be informed in writing that testing will be done (specific dates/times do not necessarily need to be provided) so that outside authorities are not notified under the assumption that an external attack is in progress. The person(s) doing the testing must be proficient in the use of the tool(s) being used.


Risk Management

Q. What is risk management?

A. Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

Q. What risk assessment products are available to help agencies perform risk assessments?

A. See:


Security Awareness, Training, & Education

Q. Where can I find Information System Security awareness and training tools/sources?

A. The NIST Computer Security Division provides useful resources on the Computer Security Resource Center (CSRC) web site. Additionally, NSA's National INFOSEC Education and Training Program offers information about information technology security education.


System Security Plan

Q. What is a system security plan?

A. A system security plan documents the security requirements of the system and describes the controls that are in place or planned.