This FAQ was compiled from questions asked and answered in the Federal Computer Security Program Manager's Forum e-mail list over the past three years. There are no names or organizations associated with the question or the answer. If you would like to add information to a FAQ, please send an e-mail message to fasp@nist.gov. In some cases, we have obtained agency practices that were attached to the answers. The practices are contained in the Federal Agency Security Practices Area page on this site.
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.
Use of NIST Information:The National Institute of Standards and Technology (NIST) provides these pages as a public service. With the exception of material marked as copyrighted, information presented is considered public information and may be distributed or copied. Use of appropriate byline/photo/image credits is requested.
A. Audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications. Some security experts make a distinction between an audit trail and an audit log as follows: a log is a record of events made by a particular software package, and an audit trail is an entire history of an event, possibly using several logs. Common usage within the security community does not make use of this distinction.
A. The Department of Justice determined that a network/Internet monitoring/logging/audit system is a System of Records for Privacy Act considerations if the system has the capability of attributing data to a person (whether or not it is used for this purpose). See: Federal Register, published Dec 30, 1999, pages 73585-73586, under Privacy Act of 1974.
A. Certification is a comprehensive analysis of information technology systems' technical and non-technical security controls. Accreditation or "authorize processing" is the official management authorization for the operation of a system or application and is based on the certification process as well as other management considerations.
A. OMB Circular A-130 requires a management official authorize in writing the use of each general support system or major application based on the implementation of its security plan before beginning or significantly changing processing in the system. Use of the system shall be re-authorized at least every three years. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems provides guidance on the certification and accreditation process.
A: OMB Circular A-130 requires federal agencies to plan for security, ensure that appropriate officials are assigned security responsibility, and authorize system processing prior to operations and, periodically, thereafter. This authorization by senior agency officials is sometimes referred to as accreditation. The technical and non-technical evaluation of an IT system that produces the necessary information required by the authorizing official to make a credible, risk-based decision on whether to place the system into operation, is known as certification. The cost of doing a Certification and Accreditation for a system depends on the completeness of the supporting documentation, the sensitivity of the system, and the complexity of the system. Therefore, the costs may vary widely. Those who have input to NIST on this question have reported figures ranging from $80,000 to $500,000. We have no official figures for the entire federal sector. In future C & A activity, we hope to collect more solid metrics for this area based on the new methodology.
A. Contingency plans are short-term arrangements an agency makes to carry out its mission. A continuity of operations plan is a long-term strategy for operations during national crisis. Disaster recovery refers to the steps that are taken to continue support for critical functions.
A. NIST Special Publication 800-12 "An Introduction to Computer Security: The NIST Handbook," Chapter 11 contains high-level guidance on contingency planning. NIST is currently updating FIPS PUB 81, "Guidelines for ADP Contingency Planning." For an outline of the sections contained in a continuity of operations (COOP) plan, see the agency practice: "Continuity of Operations Plan (COOP)."
A. Data integrity implies that the data is protected from unauthorized, unanticipated, or unintentional modification.
A. For security implications of active content, see:
http://csrc.nist.gov/publications/03-00.pdf
For policy guidance, see:
http://csrc.nist.gov/publications/02-98.pdf
A. Documentation of an information technology system is important to the security of the system in that it explains how software/hardware is to be used and formalizes security and operational procedures specific to the system. Examples of documentation for a system includes descriptions of the hardware and software, policies, standards, procedures, and approvals and agreements related to automated information system security, backup and contingency activities as well as descriptions of user and operator procedures.
A. The CERT has a Security Improvement Module titled "Security for Information Technology Service Contracts". See: www.cert.org/security-improvement/modules/m03.html.
A. U.S. Customs has shared as a security practice the Interconnection Security Agreement (ISA) that formalizes the interconnection of systems owned by two different organizations.
A. To ensure that hardware and software function as intended, there should be controls used to monitor the installation of, and updates to, hardware, operating system software, and other software. The controls may also be used to ensure that only authorized software is installed on the system. Such controls may include a hardware and software configuration policy that grants managerial approval to modifications and requires that changes be documented. Other controls include products and procedures used in auditing for or preventing illegal use of shareware or copyrighted software.
A. Identification and authentication is a technical measure that prevents unauthorized people) or unauthorized processes) from entering an information technology system. Identification is the means by which a user provides a claimed identity to the system. The most common form of identification is the user ID. Authentication is the means of establishing the validity of a user's claimed identity to the system. There are three means of authenticating a user's identity, which can be used alone or in combination: something the individual knows e.g., password, personal identification number; something the individual possesses e.g., a smart card, ATM card; and something the individual is e.g., fingerprint, voice pattern. For additional information on identification and authentication see the ITL Bulletin on Advanced Authentication Technology.
A. See FIPS Publication 181 "Automated Password Generator".
A. An incident response capability provides help when an adverse event in a computer system or network causes a failure of a security mechanism or an attempted breach of those mechanisms. The capability should be able to respond quickly and to share information concerning common vulnerabilities and threats.
A. See NIST Special Publication 800-3, "Establishing a Computer Security Incident Response Capability (CSIRC). Also, see the Incident Response Capability section of the FASP Area for several examples of agency incident handling policies.
A. There are five basic phases to the development of a computer system: initiation, development/acquisition, implementation, operation, and disposal phase.
In the initiation phase the need for a system is expressed and the purpose of the system is documented. A sensitivity assessment should be performed which looks at the information to be processed and the security it will require. During the development/acquisition phase the security requirements should be developed at the same time system planners define the requirements of the system. In the implementation phase the system's security features should be configured, enabled, the system should be tested, installed, and the system authorized for processing. In the operation/maintenance phase the system is almost always being continuously modified by the addition of hardware and software and numerous other events. The security of the system should be documented, reviewed, risk based choices made, and re-authorized to process when major changes are made. In the disposal phase the disposition of information, hardware and software is made.
A. Guidance on securely configuring some operating systems can be found from the National Security Agency at www.nsa.gov/snac/ and from NIST at csrc.nist.gov/publications. IT Security configuration guidance is also available from some product vendors, IT security periodicals, and IT security training courses. CERT, CERIS, and the Center for Internet Security are all good resources as well.
A. Logical access controls are the system-based mechanisms used to specify who or what is to have access to a specific system resource and the type of access that is permitted. A good example is the access control lists and access control software that a system contains.
A. Example of products: Encryption Plus(r) Hard Disk is a software program with 192-bit data encryption for the entire hard drive. It features centralized administration capability, including key recovery.
A. See pages 43 and 64 of NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems" for a an example of a warning banner.
A. Network security is the secure communication capability that allows one user or system to connect to another user or system. For examples of network security practices ranging from securing domain name servers to deploying firewalls, see the Network Security section of the FASP Area.
A. Information on e-mail spamming is provided at the following URL: http://www.ftc.gov/bcp/conline/pubs/alerts/inbxalrt.htm. See the sample policy posted in the Network Security section of the FASP area.
A. Organizations have taken varying steps to manage the use of instant messaging (IM) and Internet Relay Chat (IRC). Some agencies have blocked IM and IRC use at the firewall due to the inability to centrally control new vulnerabilities presented by the software manufacture. Other organizations allow the use of IM internally. There are several products that can be configured for internal use only; A Lotus Notes' product called SameTime and the Jabber Inc. product, called Jabber. An article describing IM and the security challenges it introduces can be found at: http://www.infosecuritymag.com/2002/aug/cover.shtml.
A. The prevailing practice within the federal agencies is not on limiting Internet access but on ensuring that employees are well informed of their organization's policy regarding their use of the Internet. Many agencies make Internet access available to all employees because it has been determined that the majority of the work force can benefit from such access. In other agencies, approval is restricted and granted on a case by case basis. When developing Internet, personal usage policy, or rules of behavior, the Human Resource component should be involved to ensure the policy is consistent with other personnel policy. See the Personnel Security section of the FASP Area for examples of agency personal use policies.
A. Guidance is available from:
A. Personnel security involves human users, designers, implementers and managers and how they interact with computers and the access and authorities they need to do their job. The greatest harm/disruption to a system comes from the actions of individuals, both intentional and unintentional.
A. For an example, see the Personnel Security section in the FASP area. The practice titled "Personnel Security" contains an access form in the back of the document.
A. A good example of an agency policy on investigative requirements is contained in the practice titled, "Investigative Requirements for Contractor Employees" in the Personnel Security section in the FASP Area.
A. There are no federal level restrictions on hiring foreign nationals to work on unclassified systems. There may be Departmental or Agency Policy written to restrict the use of Foreign Nationals. The foreign national must have the appropriate documents in order to be employed. Also, some work may be of such sensitivity that a suitability investigation may be required.
A. For personal use examples see several examples provided in the Personnel Security section in the FASP Area.
A. Physical security protects the facility housing system resources, the system resources themselves, and the facilities used to support their operation. Physical security, as it pertains to computer security, should cover the following areas: access controls, fire safety, failure of supporting utilities, structural collapse, interception of data, and mobile and portable systems.
A. See:
A. Look at GSA's Fire Safety website for contacts and information. Also, check with your agency's Safety Officer or Fire Engineer.
A. The production, input/output controls are the security procedures in place that support the operations of the information technology system. Some examples are: user support; procedures to ensure unauthorized individuals cannot read, copy, alter, or steal printed or electronic information; internal/external labeling of tapes, and procedures for restricting access to output products.
A. There are several agency practices on policy and guidance available in the Production, Input/Output Controls section of the FASP Area.
A. Program management as it relates to information technology (IT) security is the management of the overall scope of the IT security program.
A. NIST has developed several guidance documents. NIST Special Publication 800-12, "An Introduction to Computer Security: The NIST Handbook" offers guidance on all areas of a Federal security IT program. NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems" (.pdf format) contains what should be done in securing IT resources. Additionally, the Program Management section in the FASP area contains examples of agency security program plans and handbooks.
A. See the new OPM "Job Family Position Classification Standard for Administrative Work in the Information Technology Group, GS-2200" on http://www.opm.gov. Training requirements can be found in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model."
A. Many Federal agencies publish their security policy documents on their Intranet. This allows agency employees to access the latest version of those policies while on the agency's internal network.
A. Review of security controls is the routine evaluation, assessment, audit, or review of the security controls placed on an information technology system. Such reviews can be performed by your facility or by a third party. The type and rigor of reviews should be commensurate with the acceptable level of risk established for the system.
A. Management of all affected organizations must be informed and concur about the testing, in advance. Also, the system and network administrators should be informed in writing that testing will be done (specific dates/times do not necessarily need to be provided) so that outside authorities are not notified under the assumption that an external attack is in progress. The person(s) doing the testing must be proficient in the use of the tool(s) being used.
A. Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
A. See:
A. The NIST Computer Security Division contains useful resources on the Computer Security Resource Center (CSRC) web site. Additionally NSA's National INFOSEC Education and Training Program offers information about information technology security education.
A. A system security plan documents the security requirements of the system and describes the controls that are in place or planned.