-------�
-------�
Information Security Manual for PCs 12/15/89
Each manual is structured to r w the reader, whether manager or staff member, to
tailor it to his/her own part ir security situation by completing one or two
worksheets and by reading s« ted portions of the text. Specifically, each reader
works through a sensitivity evaluation table to determine if he/she has sensitive
information. If not, only Minimal security controls need to be implemented. If the
reader does have sensitive information, he/she uses a worksheet to identify why the
information is sensitive and which of the three security objectives are relevant. The
reader is then referred to later sections of the manual as appropriate. For example,
there is a subs ?tion on safeguards for maintaining the avaflabflrty of critical PC
applications.
Because a common problem in information security is determining exactly who is
re wsible for what aspects of security, each manual devotes a chapter to
information security roles and responsibilities. While the manuals try to be as user
friendly as possible in explaining to readers how to fulfill those responsibilities, the
manuals are not painless. To ensure that information resources are adequately
protected, the manuals describe three different control processes. The processes
establish a st -rture of security checks and balances by approaching security both
from an equipment perspective and from an application or information system
perspective.
-------�
Information Security Manual for PCs
12/15/89
TABLE OF CONTENTS
Section
1. GENERAL INFORMATION.
Page
.1-1
2. PC SECURITY ROLES AND RESPONSIBILITIES 2-1
3. MINIMAL CONTROLS FOR ALL PCs AND PC LANS 3-1
4. DETERMINING THE NEED FOR ADDITIONAL CONTROLS 4-1
5. PERSONNEL SECURITY AND TRAINING 5-1
6. MAINTAINING INFORMATION AVAILABILITY 6-1
7. PRESERVING INFORMATION INTEGRITY.. 7-1
8. PRESERVING INFORMATION CONFIDENTIALITY 8-1
APPENDIX A: POLICY A-1
APPENDIX B: APPLICATION RISK ANALYSIS AND
APPLICATION CERTIFICATION
B-1
APPENDIX C: INSTALLATION RISK ANALYSIS C-1
Hi
-------�
Information Security Manual for PCs 12/15/89
1. GENERAL INFORMATION
1.1 PURPOSE, SCOPE, AND APPLICABILITY
In accordance with the Agency's Information Security Policy, this manual establishes
information security procedures for personal computers (PCs) and provides overall
guidance to EPA managers and staff in implementing those procedures. The
security controls specified in this manual are designed to ensure that information on
PCs is adequately protected and that EPA organizations and employees are in
compliance with all requirements of the policy.
This manual addresses PC security only. A single PC installation is generally
comprised of a microprocessor, a video monitor, and various peripheral devices for
entering, storing, transmitting, and printing data. The PC installation may process in
isolation as a stand-alone personal tool and/or it may function as a smart terminal in
a communications configuration (such as PC to mainframe or in a local area
network). This manual does not apply, however, to other types of microsystems
such as word processors (for example, Lexitrons) or dumb terminals (those that are
not programmable). Information security for these devices is dealt with in the
Agency's comprehensive "Information Security Manual."
Consistent with the Information Security Policy, this manual applies to ajl EPA
organizations and employees that use PCs. It also applies to the personnel of
agents (including contractors and grantees) of the EPA who are involved in
designing, developing, operating, or maintaining Agency information and systems on
PCs.
The specific purposes of this manual are as follows:
- To save organizations money by making sure that only focused, cost-
effective security safeguards (or controls) are implemented
To protect organizations and individuals from the embarrassment of an
unauthorized disclosure or from the disruption that would result if crucial
information were destroyed
To help organizations meet internal control review requirements by providing
them with a sound basis for assuring that automated PC information systems
are adequately protected
To assist staff in developing the system documentation required by the "EPA
System Design and Development Guidance"
1-1
-------�
Information Security Manual for PCs 12/15/89
To help organizations meet the security reporting requirements of the EPA
PC planning process
To enable organizations to undergo successfully any security audits that
may be conducted by the Office of the Inspector General.
1.2 INTRODUCTION TO THE EPA INFORMATION SECURITY PROGRAM
Through the Information Security Policy, the EPA has established a comprehensive,
Agency-wide information security program to adequately safeguard the Agency's
information resources. (The policy, which is Chapter 8 of the EPA's Information
Resources Management Policy Manual, is reproduced here as Appendix A.) The
concept of adequacy means that security controls should be neither overapplied nor
underapplied. Overapplication wastes financial and ADP resources, and
underapplication exposes the information to various security threats.
The policy categorizes information and applications (or systems) as being either
sensitive or not sensitive. Sensitive information means information that requires
protection due to the loss or harm that could result from inadvertent or deliberate
disclosure, alteration, or destruction of the information. Examples of sensitive
information include Confidential Business Information (CBI), Privacy Act Information,
and data critical to the performance of primary Agency missions. A sensitive
application is an application that processes sensitive information, or is an application
that requires protection due to the loss or harm that could result from the improper
operation or deliberate manipulation of the application itself.
In short, information security involves the precautions taken to protect sensitive
information resources from potential loss and misuse. The three major objectives of
the EPA program, as illustrated in Exhibit 1-1 , are to maintain:
Information Availability
Information
Information Confidentiality
The availability objective is associated with information where the loss of the
information would cause serious problems, either because it would be costly to
replace the information or because it would be difficult to function without the
information. Thus, availability involves both the dollar value and the time value (or
"criticality") of the information. An example of an Agency information system or
1-2
-------�
Information Security Manual for PCs
12/15/89
EXHIBIT 1-1
INFORMATION SECURITY OBJECTIVES
Prevent
Information
Loss
AVAILABILITY
CONFIDENTIALITY
Prevent
Information
Corruption
Prevent
Information
Disclosure
1-3
-------�
Information Security Manual for PCs 12/15/89
application where availability is important is the Resource Conservation and
Recovery Information System (RCF "x-).
The integrity objective is associated with information or applications where accuracy
and reliability are of particular concern. In short, integrity is concerned with
protecting information from corruption. An example of an Agency information
system where integrity is important is the Integrated Financial Management System
(IFMS).
The confidentiality c Active is concerned with information where disclosure would
be undesirable or L , /vful. Examples of information of this type include Toxic
Substc ices Control Act (TSCA) Confidential Business Information (CBI) or
personnel files.
As Exhibit 1-1 indicates, a particular application could involve only one objective or
could involve some combination of objectives. For example, a particular data base
could contain information critical to a primary Agency mission and yet contain no
confidential information. In other words, while availability is an objective,
confidentiality is not a factor and the information in the data base could be widely
disseminated without any damage resulting from disclosure. On the other hand,
another data base could be both critical and confidential.
1.3 THE PC SECURITY PROBLEM
The expanding use of personal computers is creating major new opportunities for
productivity improvement at the EPA. At the same time, however, this expanding
use of personal computers is placing new information security responsibilities on
office managers, research personnel, and others not previously recognized as
information processing professionals. This decentralized processing of Agency
information means that mainframe and minicomputer processing installations can no
longer be relied upon to protect all automated Agency operations.
The nature of the PC secure problem is illustrated in Exhibit 1-2. A wide range of
intentional or unintentional ents can threaten information being stored and
processed on a PC. These threats include:
External and environmental threats, such as fire, water damage, or power
failure
1-4
-------�
Information Security Manual for PCs
12/15/89
EXHIBIT 1-2
THE SECURITY PROBLEM
Environmental Threats
Malicious Actions
Hardware & Software Errors
User Error
........ J.....*.1.1^'1.1.!-.-'I1 .T * -, *^T . 1.. T.' .' .^ , ' .Til. '.J . '. ... *.
'I'll'l'lt'l'l^l'l'-l'l'T'l'i*!^ 'g'j'^lf I'-T^I'.!^! 'K3l*l\'.B*l.ifl'*aJl^lJl-J*1 l^T*1
Personnel
Controls
ITY
Software
& Data
Controls
Equipment
& Physical
Controls
Administrative
Controls
INFORMATION
RESOURCES
Programs
Data
Equipment
1-5
-------�
Information Security Manual for PCs 12/15/89
Hardware and software error, such as disk or operating system failure
- Operations error, such as accidental user modification or erasure of data
- Malicious actions, such as theft or data sabotage.
How vulnerable a particular PC is to these threats depends on two basic factors.
The first is the type or nature of information being processed, that is, the relevance of
each of the three security objectives. The second factor is the environment in which
the PC is processing the information, for example, whether the PC is stand-alone or
is part of a network. Information security involves identifying threats and applying
controls to prevent threats from being realized. When threats are realized (for
example, disclosure or damage/loss of information), the three security objectives are
not achieved.
Certain PC characteristics pose special problems in information security. In general,
these include the following:
Personal computer systems software is typically rudimentary and affords
little or no protection to information and programs.
- Personal computers typically lack the built-in hardware mechanisms needed
to isolate users from each other and from certain system functions (such as
reading and writing to memory).
PC information is typically in the form of reports, spreadsheets, lists, and
memoranda. These relatively "final" forms mean that PC data are more
readily accessed and understood by unauthorized users than are data in
larger computer systems.
1.4 STRUCTURE OF THIS MANUAL
PC security manuals are typically organized by type of security and include chapters
on physical security, data security, communications security, and the like. While
such manuals provide good technical discussions of security controls, they typically
overwhelm the reader with a hodgepodge of safeguards that cause uncertainty
about exactly which safeguards should be implemented. In addition, these manuals
often provide little in the way of overall implementation guidance.
This manual is structured in a completely different manner. In essence, it is
organized to allow each reader, whether a manager or staff member, to tailor it to
his/her own particular security situation. In a very real sense, the manual allows
1-6
-------�
Information Security Manual for PCs 12/15/89
.^ _
each reader to work through his/her security problem by completing one or two
worksheets and by reading selected portions of the text.
Following the introductory material presented in this first section, Section 2 concerns
itself with individual and organizational information security responsibilities and
should be read by all EPA managers and staff using PCs. Because it is not easy to
coordinate the diverse elements of an information security program, Section 2
recommends that one management official, the Senior Information Resources
Management Official (SIRMO), be the focal point for information security in each
major EPA organizational unit.
Section 3 describes minimal security controls to be used for all PCs, regardless of
the processing environment or the type of information. Section 3 should also be
read by all EPA managers and staff.
Section 4 is the last section that should be read by all EPA managers and staff.
Section 4 analyzes the need for additional security controls by determining whether
or not the reader has sensitive PC applications.
Based on the determination of sensitivity, the reader is referred to Sections 5-8, as
appropriate. Section 5 highlights key personnel security considerations for those
with sensitive PC applications. Section 6 addresses security procedures for those
needing to maintain availability. Sections 7 and 8 present security procedures for
those needing to preserve integrity and confidentiality, respectively.
1.5 RELATIONSHIP TO OTHER SECURITY PROCEDURES
In this manual, the Office of Information Resources Management (OIRM) is
establishing overall, Agency-wide security procedures for safeguarding EPA PCs.
Other EPA organizations have developed specialized procedures in particular
information security areas. As an important example, the National Data Processing
Division (NDPD) in Research Triangle Park issues technical policies concerning
systems (for example, PC local area networks) supported and approved by it.
These policies are contained in the "NDPD Operational Policies Manual." In addition,
EPA organizations with statutory authority for certain types of information (for
example, the Office of Toxic Substances for TSCA CBI) issue security procedures
dealing exclusively with a certain type of information.
1-7
-------�
Information Security Manual for PCs 12/15/89
Nothing contained in this manual is intended to contradict or replace the specialized
security procedures of these other organizations. Those specialized procedures
expand upon the core procedures presented in this manual. EPA organizations that
issue such procedures must ensure that they are consistent with this manual. EPA
employees must make sure they adhere to all such specialized procedures, as well
as to the procedures presented in this manual.
1-8
-------�
Information Security Manual for PCs 12/15/89
2. PC SECURITY ROLES AND RESPONSIBILITIES
2.1 BACKGROUND
Information security involves much more than technical hardware and software
issues. Above all, a .successful information security program needs strong
organizational and administrative controls. Administrative/managerial factors such
as top management support and employee awareness contribute significantly to
program success. An information security program needs to involve all employees
and to be a part of the day-to-day operations of an organization.
Because of these factors, the Information Security Policy assigns information
security responsibilities to top management, to supervisors, and to employees. This
manual is intended to explain to EPA managers and staff how to comply with these
responsibilities in a way that is not overly burdensome on programs and individuals.
The remainder of this section describes a suggested overall framework for
implementing the Information Security Policy as it relates to PCs.
The framework of security roles set forth in this section is not mandatory. While
programs must meet the requirements of the Information Security Policy, they may
find they are able to do so by creating somewhat different roles than those defined
here. OIRM recognizes that programs may need to modify the framework to meet
unique program needs. The framework is not meant to be inflexible and
bureaucratic; instead, its intent is to assist programs and individuals in implementing
adequate protection of sensitive information.
2.2 PC SECURITY ROLES: AN INTRODUCTION
A common problem in information security is determining exactly who is responsible
for what aspects of security. In determining accountability for information security, it
is extremely useful to start with a framework of owner/user/custodian. Throughout
this manual, specific security actions are cast in terms of this framework, while
oversight and coordinating actions are the responsibility of management. The
framework is described in detaP in the next subsection.
It is important to recognize that there may not always be a one-to-one
correspondence between individuals and roles. In other words, at times it may be
2-1
-------�
Information Security Manual for PCs 12/15/89
more efficient to have several :-Hividuals shar e responsibilities of a role. Again,
the framework described her leant to be a uexible implementation tool.
2.2.1 Owners. Users, and Custodians
These three roles are defined as follows:
Application (or Information System) Owner: The owner of the information is
the individual or organization who creates and roonsors it. Ownership
involves authority and responsibility for the > lormation, either in a
programmatic or administrative sense. For example, the Office of Solid
Waste and Emergency Response is the owner of RCRIS. The Office of
Administration and Resources Management is the owner of IFMS. The
owner determines the sensitivity of the application (or information system),
assigns custody of the application, and decides who wPI be allowed to use
the application. Consulting with the custodian as appropriate, the owner
specifies and approves security controls, and ensures that the application is
protected on an ongoing basis. The owner also determines backup and
availability requirements and communicates them to the custodian.
Application (or Information System) User: Users are individuals who are
authorized by the owner t acces an application or collection of information.
PC Custodian: The cui an is = individual to whom the PC is assigned.
This is the perse respor. ;ie for v »e PC in the property management sense.
These roles are not always discrete; the owner can be the principal user and
custodian of the information. For example, an individual who develops an end-user
application for stand-alone processing on his or her own PC is at once the PC
custodian, application owner, and application user.
2.2.2 The SIRMO as Focal Point
Because information security covers a variety of information resources and so many
different employees and supervisors, it is important to have on* management official
in each major organizational unit who can coordinate the security program for that
organization. This individual will serve as a security focal point by identifying all PC
owners, custodians, and users, and by disseminating security-related information
througho'rt the organization. While each Primary Organization Head (as defined in
the polk atement) may desk ate whomever he/she wishes for this coordinating
role, the _.RMO is strongly recommended for this function. The designate may
delegate portions of this PC security function (for example, identifying PC owners,
users, and custodians) to other knowledgeable individuals in the organization as
2-2
-------�
Information Security Manual for PCs 12/15/89
long as the Primary Organization Head approves and as long as the coordinating
role is retained.
2.2.3 Managerial and Administrative Roles
In addition to owners, users, custodians and SIRMOs, the implementation of the
security procedures in this manual also requires the involvement of several other
individuals in five oversight roles. The first four of these roles exist at present while
the remaining role is unique to the security program. The five roles are:
Primary Organization Head
First-fine supervisors
PC Site Coordinators
Local Area Network (LAN) System Administrator
Certifying Official: Management Official(s) appointed by the Primary
Organization Head. This official certifies that the security safeguards that are
in place for each sensitive application are adequate.
2.3 ASSIGNING RESPONSIBILITIES TO THE SECURITY ROLES:
IMPLEMENTING PC SECURITY
Ensuring that PC information resources are adequately protected involves three
different management control processes. First, basic, common-sense security
measures need to be implemented for each PC, regardless of whether or not it
processes sensitive information. Second, an application certification process needs
to be established to determine the sensitivity of each PC application and to certify
that the security safeguards for each sensitive application are adequate. Third, an
installation risk analysis process needs to be established to make sure that the
security measures in place for each PC adequately protect the sensitive applications
stored and processed on the PC. The second and third processes establish a
structure of security checks and balances. They approach information security both
from an installation or equipment perspective and from an application (or information
system) perspective.
Each of the three management control processes is described in more detail below.
Table 2-1 then lays out the security responsibilities associated with the processes on
a role-by-role basis.
-------�
Information Security Manual for PCs
12/15/89
TABLE 2-1
IMPLEMENTING A MANAGEMENT CONTROL PROCESS FOR
INFORMATION SECURITY: RESPONSIBILITIES BY ROLE
Role
Primary Organization Head
SIRMO
Application (or Information System Owner)
PC Custodian
Application (or Information System) User
Supervisor
PC Site Coordinator
Certifying Officer
LAN System Administrator
Responsibilities
Implements the organization-wide security pro-
gram. Designates Certifying Offtcer(s).
Coordinates the organization-wide security
program. Identifies PC owners, users, and
custodians.
Determines information sensitivity. Assigns cus-
tody. Initiates application certification process.
Authorizes users. Specifies and approves
security controls. Specifies backup and avail-
ability requirements. Makes sure users and
custodian adhere to security requirements.
Responsible for the security of his/her equip-
ment. Must implement minimal controls.
Performs risk analysis.
Adheres to security requirements of owner.
Reviews application certification form. Ensures
employees fully comply with information
security responsibilities.
Ensures minimal controls are in place. Advises
owner on application certification process.
Certifies sensitive applications. Advises owner
on application certification process.
Coordinates the selection of security safe-
guards for networks.
2-4
-------�
Information Security Manual for PCs 12/15/89
2.3.1 Minimal Controls
Section 3 describes the safeguards that need to be in place to ensure the basic
physical and environmental protection of the PC and its magnetic media. Section 3
also sets forth administrative procedures governing the use of PCs and commercial
software. Minimal controls are implemented by custodians or users as appropriate
with oversight provided by the cognizant PC Site Coordinator.
2.3.2 Sensitivity Determination,, Automated Application Risk Analysis,.
and Application Certification
The requirements of the certification process, including the completion of the
Application Certification Worksheet, are described in detail in Appendix B. Key
elements of the process are summarized below:
- Each Primary Organization Head will designate one or more Certifying
Officials for his/her organization.
Each application owner will determine the sensitivity of each of his/her
applications. This determination will be made in accordance with the
instructions set forth in Section 4 of this manual.
- Each sensitive application must undergo initial certification, and then review
or audit leading to recertification every three years. The certification or
recertification process will begin with the application owner's completion of
the Application Certification Worksheet. The worksheet will capture basic
information on application sensitivity, security specifications, design reviews,
and tests of security safeguards.
- When the worksheet is complete, it will be forwarded through the owner's
immediate supervisor to the cognizant Certifying Official for
approval/disapproval.
- The worksheet will be used by the application owner to communicate the
sensitivity of the application and the required security procedures to the
users of the application.
- It should be noted that in developing the worksheet the owner performs a
qualitative risk analysis, that is, the owner assesses the relative vulnerabilities
and threats to the application and then specifies safeguards.
2.3.3 Installation Risk Analysis Process
All Agency PCs are required to undergo a risk analysis. A risk analysis is a means of
measuring and assessing the relative vulnerabP'rties and threats to an installation. Its
purpose is to determine how security safeguards can be effectively applied to
minimize potential loss. In everyday terms, a risk analysis is a procedure for
2-5
-------�
Information Security Manual for PCs 12/15/89
identifying what could go wrong, how likely it is that things could go wrong, and what
can be done to pi ,-vent them from going wrong.
There are two accepted methods for performing a risk analysis-quantitative and
qualitative. For Agency PCs, a qualitative risk analysis approach will be used.
Simply put, this method handles typical situations quickly and efficiently by
combining the analysis of risks with safeguard selection. It consists of the following
basic components:
Determine what information is sensitive and non-sensitive. This
determination will be made in accordance with the instructions set forth in
Section 4 of the manual. If the PC does not process any sensitive
information, the risk analysis is at an end and only minimal controls need to
be implemented. If it does, categorize the sensitive information, for example,
"confidential" sensitive.
For each category of sensitive information, determine the level of sensitivity,
for example, highly confidential.
Decide on an overall set of safeguards or security controls to use.
Tie subsets of those safeguards to particular categories of information and
to levels of sensitivity.
Implementation of an installation risk analysis is the responsibility of the PC
custodian. By working through this manual, an informal and qualitative risk analysis
is performed. The custodian need only adhere to the procedures presented in this
document and complete the Risk Analysis Worksheet described in Appendix C. No
special analytical process has to be undertaken.
Under certain circumstances, custodians may feel that more rigorous, quantitative
methods are warranted. OIRM does not wish to prohibit such thorough analyses.
Interested custodians should review the last section of Appendix C for more
information.
2.4 STREAMLINING THE IMPLEMENTATION OF PC SECURITY
In establishing these management control processes, OIRM wants to achieve
adequate PC security throughout the Agency in a way that does not unduly burden
programs and individuals. To that end, organizations may find that the following can
help streamline the management control processes discussed above:
2-6
-------�
Information Security Manual for PCs 12/15/89
In some organizations, one individual (or a handful of individuals) may be
knowledgeable enough about the organization's PCs and the information
contained on them to function as a composite or aggregate owner, user, and
custodian for the organization. In other words, the individual has the
requisite knowledge to complete the organization's Application Certification
and Risk Analysis Worksheets, not just the worksheets for his/her own PC
and applications. This aggregated approach is consistent with the
owner/user/custodian framework and is an acceptable approach to
achieving compliance.
In identifying applications for sensitivity determination and certification,
individuals/organizations may find that some applications are subsystems or
"children" of larger or "mother" applications. Similarly, some applications
may be so related that the boundaries between them are fuzzy and that for
the purposes of this document they can be thought of as one. In
implementing the certification process, such sensitive applications may be
combined into a single sensitive application. A key test of whether or not a
sensitive application has been properly delineated is whether or not the
questions on the certification worksheet can be meaningfully answered. If
the responses are full of exceptions and two-part answers, the aggregation
is probably incorrect.
2-7
-------�
Information Security Manual for PCs 12/15/89
3. MINIMAL CONTROLS FOR ALL PCs AND PC LANS
3.1 INTRODUCTION
The purposes of this section are: 1) to describe the security measures that need to
be taken to ensure the basic physical and environmental protection of PCs and
magnetic media, and 2) to set forth administrative procedures governing the use of
PCs and commercial software. The dollar value of the typical PC configuration is
usually several thousand dollars. All of the measures described in this section can
be implemented at little or no cost, ensuring their overall cost-effectiveness. The
emphasis here is on common-sense measures that are justified without a risk
analysis.
The responsibility for making sure these controls are in place rests with custodians
or users, as indicated below. Cognizant PC Site Coordinators should ensure
compliance with these requirements through periodic, informal inspections.
a2 PHYSICAL CONTROLS
Agency physical security procedures issued by the Facilities Management and
Services Division (FMSD) state that:
"AH office equipment-should be locked up when not in use...CaWes and
anchor pads can be used to secure typewriters, calculators, computer
peripherals, and the like. See SCR 1-08 for information about locking devices."
(Directives Volume 4850-1, SCR 1-06, page 7)
Consistent with these procedures, the following controls for PCs are required to
prevent theft and physical damage. PC custodians are responsible for ensuring that
these controls are in place.
- Locate PCs away from heaviy travelled and easily accessible areas to the
extent possible.
When possible, install the PC in a locked room, making sure the lock js used
whenever the room is unoccupied (and not just at night). If the PC cannot be
installed in a locked room, a locking device such as a locking anchor pad or
hardened cables can be used. For further information or assistance, contact
the Security Management Section of FMSD.
AH IBM PC/AT and most compatible microcomputers are delivered with
standard system locks that prevent the system from being operated and
prevent the cover from being removed, guarding against component theft.
Use these locks. When adding valuable expansion boards (such as
3-1
-------�
Information Security Manual for PCs 12/15/89
additional memory or graphics interfaces) to PCs that do not have factory-
installed locks, install a cover lock.
Place computers and peripherals on stable and secure platforms away from
objects that could fall on them.
Portable PCs require additional security considerations because their
portability increases their vulnerability to theft. In addition to the physical
security measures already mentioned, store all portable PCs in locked
cabinets when not in use. For further information or assistance, contact the
Security Management Section of FMSD. Assign a person who tracks the
location of the portable PCs on a regular basis, logs them out for use to
authorized users, and ensures the portable PCs have been returned to the
locked storage area when not in use. Moreover, any employee removing a
portable PC from an EPA buflding for official use must have a property pass.
ENVIRONMENTAL CONTROLS
PC custodians are responsible for ensuring that the following controls are in place:
PCs are sensitive to surges in electrical power. To provide protection
against current surges, install a surge protection device. Good quality, multi-
stage surge protectors are available for under $100.
- Do not install the PC in direct sunlight or in a location with extremes of hot
and cold temperatures (less than 50 degrees Fahrenheit or greater than 100
degrees Fahrenheit). Do not leave a portable PC in a parked car, which
would also subject it to temperature extremes.
- Computer equipment (and media) are sensitive to contamination from dirt,
smoke, or magnetic fields. Do not eat or drink in the immediate vicinity of the
PC. Per the Agency's smoking policy, do not smoke in the vicinity of the PC.
(Smoke is drawn into the vents and through the disk units, covering the units
with tar. Tar reduces the life of the disk and the read head.)
- To avoid problems from dust and possible overhead water leaks, protect
computer equipment with inexpensive plastic covers when not in use. Install
the PC as far as practical from overhead water pipes or sprinkler heads.
- Control static electrical charges by placing antistatic mats under the
computer or workstation or by using antistatic sprays. (Laundry fabric
softeners containing antistatic ingredients can be used for this purpose, and
they are quite inexpensive when compared to special purpose antistatic
sprays). Because the problem of static electricity is increased when the air is
extremely dry, it can be reduced by the use of humidifiers if these are
available.
3-2
-------�
Information Security Manual for PCs 12/15/89
3.4 MAGNETIC MEDIA CONTROLS
At present, virtually all information on microcomputers is stored on magnetic media
in the following forms:
Diskettes
- Fixed disks inside the computer
- Cartridge tapes
- Removable disk cartridges (for example, Bernoulli cartridges).
PC users need to treat the magnetic media with special care. Flexible diskettes are
especially susceptible to damage.
- Keep all magnetic media away from all electrical devices and magnets to
avoid magnetic fields. This includes magnetic paper clip holders, building
passes or credit cards with magnetized strips, PC hard drive units, and
telephones. For example, if a diskette is left on a desk and a telephone is
placed over the diskette, data on the diskette may be destroyed when the
telephone rings.
Do not flex diskettes. Bending the media can damage the delicate surfaces
and destroy data.
Store diskettes in their jackets as soon as they are removed from the
computer. The jackets are made of a special material that is intended to
protect the diskette. Cartridge tapes and removable disk cartridges should
also be stored in their original containers.
Never touch the surface of the diskette platter.
- Do not write on a flexible diskette with a pencil or hard-tipped pen. Use only
a soft-tipped marker.
- Keep diskettes in a disk file container when not in use. Dust and other
particulate materials can scratch and damage the disk.
To prevent permanent loss of data on the fixed disk drive, ajl files need to be
backed up and the heads need to be parked before a PC is moved. Some
portable PCs also may require that the heads be parked and/or a disk
inserted into the disk drive when transporting the portable.
3.5 BACKUPS
When it comes to making backups of data and programs, it unfortunately seems that
experience is the best teacher. A user often needs to lose a key file before realizing
the importance of regular backups.
3-3
-------�
Information Security Manual for PCs 12/15/89
For certain types of applications (discussed later in Sections 4 and 6), routine and
systematic backups are of particular importance and this manual sets forth specific
backup procedures. As a minimal control, however, users should be in the habit of
regularly backing up their work. While a precise set of criteria for determining how
often to make these backups cannot be provided, how active the data file is and how
long it took to create are key factors to consider. The appropriate backup method
can vary and can include floppy disks, cartridge tapes, removable disk cartridges, or
remote hosts such as minicomputers.
Users should note that if they are using their PC as a terminal for processing data
and programs stored at another site (such as a minicomputer, LAN file server, or
mainframe facility), that site may already be backing up the data on a regular basis.
Consult the manager of the remote facility or the LAN System Administrator for
information.
3.6 SOFTWARE COPYRIGHTS/LICENSES AND MASTER COPIES
Owners and users who purchase commercial software must follow the procedures
below. Supervisors are responsible for ensuring that their employees adhere to
these procedures.
- Commercial software is typically under copyright and accompanied by a
licensing agreement which specifies whether copies may be made. EPA
employees must adhere to these licensing agreements. Unauthorized
duplication of software is strictly prohibited and is not condoned by the
Agency under any circumstances. In general, there are two types of licenses
- single-machine and site. A single-machine license allows the user to install
the master copy of the software on his/her PC only. With a site license, the
software may be installed on more than one PC, typically for a higher fee. A
copyright means that any unauthorized duplicating, selling, or other
distribution of the software is a crime. Willful violations of U.S. copyright law
can result in significant penalties (civil damages of up to $50,000 in addition
to actual damages plus criminal penalties of up to one year in jaP and/or a
$10,000 fine).
Software purchased by the EPA must be used exclusively on PCs owned by
the EPA.
Software licensing agreements should be signed upon receipt and
immediately filed with the vendor. A copy of the agreement containing the
registration number should be filed in a safe place. Returning the agreement
to the vendor wll register the purchase and may result in free user
assistance, free or reduced price software upgrades and other advantages.
Registration of the software wPI also provide the basis for getting assistance
from the manufacturer if the software is lost, stolen, or damaged.
3-4
-------�
Information Security Manual for PCs 12/15/89
Already established OIRM procedures concerning master copies of PC
software state that each Primary Organization Head needs to establish a
central repository for the organization's master copies to ensure
accountability and control. The WIC can be used for this purpose if an
organization executes an Operational Service Agreement for Archiving of PC
software.
3.7 UNAUTHORIZED USE OF PERSONAL COMPUTERS AND SOFTWARE
EPA PCs and associated software are for official EPA business only. Appropriation
of EPA-owned software for personal use, whether done by unauthorized copying or
by actual removal of the master software, is prohibited. Use of Agency computers is
not allowed for personal business of any kind, even if it is done on the employee's
own time. Training and practice on EPA PCs should be done using work-related
examples. Employees who use EPA PCs and software for other than official Agency
business are subject to disciplinary action ranging from a reprimand to dismissal.
3.8 NON-EPA SOFTWARE AND VIRUSES
Computer viruses have received a great deal of attention in the press. While some of
the coverage is sensational, it is clear that the problem is real and that risk does
exist. The threat of viruses has made the need for regular backups (per Section 3.5)
even greater.
In general, a computer virus is an extra program hidden within an apparently normal
program or software package referred to as the virus "host" or "Trojan Horse". Like a
biological virus, the computer virus has two important characteristics - it can
replicate itself and it can cause harm or mischief. This replicating ability means that a
virus can quickly spread via shared diskettes, networks, electronic bulletin boards, or
file servers as programs or files are stored, executed, uploaded or downloaded.
Potentially infected host software includes operating system tools such as an editor
or file utility, data base management software, or spreadsheet macro languages.
Some viruses are relatively harmless and only flash a message on the monitor before
destroying themselves. Others are truly malicious and modify or destroy programs
and data To detect and combat viruses, a number of specialized programs or
software "vaccines" have been developed. Because various computer viruses
operate in different ways, no single vaccine is currently effective against all of them.
Indeed, some of the vaccines have harbored viruses themselves.
3-5
-------�
Information Security Manual for PCs 12/15/89
Under these circumstances, it is not possible to develop a set of generic,
straightforward procedures to ensure the integrity of non-EPA or public domain
software. Consequently, EPA employees should not install non-EPA or public
domain software on their PCs without the express approval of their SIRMO or the
SIRMO's designate. In addition, EPA employees and contractors who use PCs or
LANs supported and approved by the National Data Processing Division (NDPD) are
also subject to the virus prevention policies set for"i in the "NDPD Operational
Policies Manual Those policies include recommendations related to new software,
backups, and regular checks for program/file size changes.
Readers may also wish to consult the additional guidance presented in the National
Institute of Standards and Technology Special Publication 500-166, entitled
"Computer Virui and Related Threats: A Management Guide." The publication,
which was issued in August 1989, provides general guidance for managing the
threats of computer viruses and unauthorized use. It deals with different computing
configurationr such as personal computers and networks. A copy is available in the
EPA Headquarters library or through the Governmentr nnting Office.
3-6
-------�
information Security Manual for PCs 12/15/89
4. DETERMINING THE NEED FOR ADDITIONAL CONTROLS
The minimal controls described in Section 3 are required for al! Agency PCs. The
purpose of this section is to determine whether or not additional controls are
necessary.
Application owners use this section to evaluate the sensitivity of each of his/her
applications. Determining sensitivity is an owner responsibility. If sensitive
applications are owned, Section 6-8 need to be consulted, to develop the information
required for the application certification process and the Application Certification
Worksheet (see Appendix B).
Application users review this section to develop a working understanding of
information sensitivity. Users can also use this section to determine the sensitivity of
applications not yet evaluated by the owner (that is, existing applications that are
undergoing certification). Section 6-8 should then be reviewed, as appropriate.
PC Custodians and LAN System Administrators review this section to develop a
working understanding of information sensitivity. Custodians then combine this
understanding with owner sensitivity designations to determine the number and type
of sensitive applications being processed by users of his/her installation, and to
identify the installation processing environment. Sections 6-8 then need to be used
to determine what security controls must be in place and to develop the information
needed for the Risk Analysis Worksheet (see Appendix C). This process constitutes
a qualitative risk analysis and will ensure that adequate disaster recovery/continuity
of operations plans are formulated.
4.1 DETERMINING SENSITIVITY AND THE TYPE OF INFORMATION
The reader should review Section 2.4 before proceeding. That section contains
information on combining applications for sensitivity determination purposes.
The questions presented in the sensitivity evaluation table on the next page (Table 4-
1) are designed to determine whether a particular application is sensitive. To use the
table, first read through all 11 questions presented in columns (1) - (11) of the table.
4-1
-------�
Name of
Application/
Information
EXAMPLE-
QUESTIONS
(i)
National
Security
Information?
(2)
Critical to
Performing
Primary
Agency
MlMbn?
YES
(3)
Lie Critical?
(4)
Financial
Wh*r*
MltUM Could
CauMLou?
(5)
tutomated
/clslotv
Making
Application?
(6)
Subject loth*
Privacy Act?
YES
(7)
Confidential
Butlneu
Information?
(8)
Enforcement
Confidential?
(»)
Budgetary
Prior to OMB
Releaee?
(10)
High
Value?
(11)
Other
SeniMve?
OBJECTIVE/LEVEL
f
HOH
I
HOH
|
MEDIUM
i
o
H
00
m
3
30
EH
0)
3
0)
(0
H
NOTES:
OuMten(2)
QuMtion(3)
OuMton (4)
QuMton (5)
OuMtion (10)
Question (11)
Answer YES it disablement or unavailability of the application, or the loss, compromise, or undesired alteration of the information could Jeopardize the Agency's ability to perform a primary
mission.
Answer YES if the loss of information or disruption of the application could jeopardize human life or welfare.
Relates to check Issuance, funds transfer, etc., where misuse could cause toss.
Answer YES if the application makes unsupervised automated decisions based on programmed criteria (for example, issuing checks, ordering supplies, or performing similar asset
accounting/control functions) and if the wrong automated decision could cause toss.
Answer YES if this is an application/information of "High Value* to the Agency or a particular organization. The term "High Value* must be defined by the owner of the information or
application. While a precise set of criteria for determining High Value cannot be provided, the cost of replacing the information and the problems that would result from doing without the
information are primary factors to consider.
Answer YES if: (1) you answered NO to all other questions, and (2) this is an application/information whose loss would acutely embarrass the Agency, subject the Agency to litigation, or
impair the long-run ability of the Agency to fulfill its mission.
s
en
oo
to
-------�
Information Security Manual for PCs 12/15/89
If all questions can be answered "No" for all applications, the remainder of this
manual does not apply. If any question can be answered "Yes" for any application,
continueto determine how to protect the sensitive application(s) by completing the
table. (After completing the table, make sure to have it reviewed as described in
Section 4.4.1
The table has been designed as a worksheet for use in evaluating sensitivity. To use
the table, list in the first column the name of each application or collection of
information for which at least one question can be answered "Yes". For each listed
application or collection of information, answer each question. A sample entry is
provided. (Leave the last three columns (security objectives) blank for the time
being; use of these columns is explained below.)
4.2 DETERMINING RELEVANT SECURITY OBJECTIVES AND THE DEGREE
OF SENSITIVITY
The next step is to determine how sensitive each sensitive application is and which
security objectives are relevant. Table 4-2 on the next page maps each type of
information to its corresponding objective(s) and sensitivity level (that is, high versus
medium). (Cases of no or minimal sensitivity are covered by the minimal controls
specified in Section 3.)
For each application, determine the relevant security objective(s) and sensitivity
level(s) based on the type of information the application/collection contains. Note
that the time value of critical information/applications must be evaluated to
determine sensitivity level, and the approximate dollar value of high value
information/applications must be estimated to determine sensitivity level. Most life
critical and mission critical applications will probably involve high level sensitivity.
Most high value PC applications will probably involve medium level sensitivity.
ft may be helpful to make notes about security objectives and sensitivity levels in the
last three columns of the Table 4-1 worksheet. A sample entry is provided. In
instances where an application turns out to be at both the high and medium
sensitivity levels vis-a-vis an objective, the higher level dominates. For example, an
application that contained both National Security Information (high level
confidentiality) and Privacy Act information (medium level confidentiality) would be of
high level confidentiality.
4-3
-------�
Information Security Manual for PCs 12/15/89
TABLE 4-2
DETERMINING RELEVANT SECURITY OBJECTIVES
AND DEGREE OF SENSITIVITY
Availability Integrity Confidentiality
High Med. High Med. High Med.
Type of Information Level Level Level Level Level Level
National Security Information x
Critical to Performing a
Primary Agency Mission
-Must be Available Continu-
ously or Within 1 Day x x
-Must be Available
Within 1-5 Days x x
Life Critical
-Must be Available Continu-
ously or Within 1 Day x
-Must be Available
Within 1-5 Days x
Financial Where Misuse
Could Cause Loss x
Automated Decision-
Making Application x
Subject to the Privacy Act x
Confidential
Business Information x
Enforcement Confidential x
Budgetary Prior to
OMB Release x
High Value
-Very High Value* x
-Other High Value x
Other** xxx
'While a precise set of criteria for distinguishing between "very high value" and "other high value"
cannot be provided, the cost of replacing the information is the primary factor to consider. Clearly, an
automated information system that cost $3,000,000 or more to develop and program would be of "very
high value."
" Reader must determine which objectives are relevant based on characteristics of information/
application.
4-4
-------�
Information Security Manual for PCs 12/15/89
By completing the Table 4-1 worksheet, a security profile is developed that includes
information on types of sensitive applications, security objectives, and sensitivity
levels. The security profile contains the basic information that owners need to
completethe top of the Application Certification Worksheet. It also contains the basic
information that custodians need to complete the top of the Risk Analysis
Worksheet.
4.3 DETERMINING THE PROCESSING ENVIRONMENT
Several of the procedural controls specified in Section 6-8 are described in terms of
the environment in which the application or information is being processed. In using
those sections, be alert to procedures that depend on three key environmental
characteristics. As a result, answer the following questions for later use in
implementing procedural controls.
- Is the PC a single user device or is it shared among multiple users?
Is the information/application stored on removable media (like a floppy
diskette) or non-removable media (like a fixed disk) or both (like a fixed disk
with a floppy disk backup)?
Does the PC process in isolation or does it communicate with other
hardware? If it does communicate, which of the following communications
configurations applies:
Remotely Accessible by Modem (Dial-Up Capability)?
PC to Resource Server?
Local Area Network or LAN?
The security measures needed to maintain security in these different environments
will be described in later sections. Regarding LANs, LAN System Administrators
must note that the National Data Processing Division (NDPD) issues policies (for
example, governing access control or backup frequency) for Agency LANs. These
policies are contained in Section 310 of the "NDPD Operational Policies Manual."
These policies are typically more detailed and technically oriented than the
procedures presented here. LAN System Administrators must make sure that they
also comply with applicable NDPD policies.
4-5
-------�
Information Security Manual for PCs 12/15/89
4.4 VALIDATING SENSITIVITY RESULTS
Determinations of sensitivity and degree of sensitivity must always be reviewed by
the cognizant supervisor. Because implementing security safeguards can involve
considerable expense and investment of staff time, management review of these
determinations is important.
Management review is also important because some of these determinations can
involve an element of judgment and an organizational perspectve is important.
Critical or high value information is not as easily identified as Confidential Business
Information or Privacy Act data. There may be a tendency for individuals to
overdesignate their applications as critical or high value. SIRMC >hould be
consulted when employees and supervisors need guidance in making a sensitivity
determination.
4.5 USING THE REST OF THIS MANUAL
The next s tion, Section 5, discusses personnel security. This section needs to be
read by all EPA managers and staff who have sensitive applications or information.
The remainder of the manual, Sections 6-8, is organized by information security
objective:
If availability is a security objective, review Section 6.
If integrity is a security objective, review Section 7.
If confidentiality is a security objective, review Section 8.
If more than one security objt /e is applicable (for example, an application where
both avaflabPity pnd confidentiality are relevant), make sure to read the section
pertaining to each applicable objective.
In discussing procedural controls, Sections 6-8 reference hardware and software
security products that are available under the PC contract. Information on products
and prices was current as of December 1989. Because the Agency periodically
updates contract offerings and prices, the reader should consult with his/her PC Site
Coordinator prior to placing an order.
4-6
-------�
Information Security Manual for PCs 12/15/89
5. PERSONNEL SECURITY AND TRAINING
5.1 INTRODUCTION
Given the large number of PC Custodians and users in the Agency, PC security is as
much a people issue as it is a technical issue. SIRMOs need to make sure that
cognizant supervisors in their organizations adhere to the following procedures.
5.2 SCREENING AND CLEARANCE
Federal regulations require clearance of all persons involved in the design,
development, maintenance, and operation of sensitive automated systems and
facilities. These requirements apply to Federal employees and to the personnel of
agents (including contractors and grantees) of the EPA who have access to sensitive
EPA information. Determinations of the degree of sensitivity of each position are
accomplished by the program offices. The level of screening required should then
vary from minimal checks to full background investigations, depending upon the
sensitivity of the information to be handled by the individual in the position and the
potential risk and magnitude of loss or harm that could be caused by the individual.
The responsibility for the implementation and oversight of the personnel clearance
program rests with the Office of the Inspector General (OIG) and the Personnel
Management Division, and EPA organizations should consult with them when
obtaining clearances or designating sensitive positions.
5.3 SEPARATION OF DUTIES
An individual has a harder time concealing errors and irregularities if he/she does
not control all aspects of an activity or transaction. For example, by separating the
functions of cash handling and bookkeeping, the bookkeeper cannot get to the cash
and the cash register clerk cannot adjust the books to hide cash shortages.
Given the very definition of personal computing, it is often impractical to separate
duties. The same individual often collects data, programs the application, tests the
application, enters data and generates the reports. To minimize the potential for
fraud, abuse, or sabotage, however, these duties should be performed by separate
individuals to the maximum extent practicable. When it is not possible to have each
duty performed by a different individual, try to separate the following: (1) data
5-1
-------�
information Security Manual for PCs 12/15/89
collection/entry duties from application programming/maintenance duties, and (2)
application programming duties from application testing duties.
In the case of PC-based financial applications (relating to check issuance, funds
transfer, and the like) where misuse could cause loss, separation of duties is
mandatory. For example, the task of preparing payment vouchers must be kept
separate from the task of approving payments. For such financial applications, other
preventive measures include periodically rotating jobs and asking people to take
vacations of one to two weeks. Because the perpetrator of a fraud often has to
manipulate accounts on a daily basis to avoid detection, these measures may be a
strong deterrent.
5.4 TERMINATION/SEPARATION
In the event an employee has to be removed or laid off, it is a good idea to rotate the
employee to a non-sensitive position prior to giving the employee notice of the
action. While this may seem extreme, angry and demoralized employees have been
known to sabotage programs, erase data bases, or plant computer viruses.
Regardless of the type of separation (resignation, removal, etc.), supervisors need to
make sure the following are performed for personnel separating from sensitive
positions:
Change or cancel all passwords, codes, user IDs, and locks associated with
the separating individual.
- Collect all keys, badges, and similar Hems.
Reconcile any financial accounts over which the employee had control.
The SIRMO or his/her designate should then certify that these procedures have
been accomplished by signing and dating a short statement that says: "Information
security procedures for separating employee (name) have been completed."
These statements should be kept on file for inspection by OIRM or the Office of the
Inspector General.
5.5 TRAINING
OIRM is in the process of coordinating the development of a comprehensive
information security training program for the Agency to supplement the procedures
5-2
-------�
Information Security Manual for PCs 12/15/89
in this manual. Details and requirements of the program will be issued under
separate cover. These requirements will include mandatory basic security
awareness training for every employee. The program will include both information
security awareness training for all employees and training in accepted security
practices for those involved in the management, use, or operation of sensitive
information. The program will identify and reference, as appropriate, existing training
in the information security area, such as training done by the National Data
Processing Division.
5-3
-------�
Information Security Manual for PCs 12/15/89
6. MAINTAINING INFORMATION AVAILABILITY
6.1 INTRODUCTION
This section sets forth security procedures for owners, users, LAN System
Administrators, and custodians of applications of high-level and medium-level
availability (as determined in Section 4). This section is to be used as follows:
Owners develop the security specifications and the tests needed for
application certification based on the procedures presented here.
Users make sure they are in compliance with owner security specifications
based on these procedures. In addition, users consult these procedures
when an owner has designated an application as sensitive, but has not yet
identified his/her security specifications.
Custodians and LAN System Administrators use these procedures to make
sure that applications can be recovered in the event of a processing disaster
and can be run elsewhere if necessary. They also use these procedures to
develop the information required for the risk analysis outlined in Appendix C.
The remainder of this section describes threats, safeguards, and recovery
procedures related to achieving the objective of maintaining availability. Subsection
6.2 catalogs and describes specific threats to information availability. Subsections
6.3 and 6.4 specify security measures for medium availability applications and high
availability applications, respectively. The last subsection describes some steps that
can be taken to recover from a processing disaster.
6.2 THREATS TO APPLICATION AND INFORMATION AVAILABILITY
Specific threats to data availability include:
Then
Damage to magnetic media
Hardware failure: inability to restart
Hardware failure: failure during use
Accidental data destruction or other operator errors
- Sabotage (deliberate data destruction)
- Failure of users to back-up data and programs.
6-1
-------�
Information Security Manua for PCs 12/15/89
The threats of theft and damage to magnetic media were addressed in Section 3.
The remaining threats are described below.
6.2.1 Hardware Failure: Inability To Restart
Because of the generally high reliability of microcomputers, users tend to become
overconfident and do not protect themselves from system faflures.
In some cases, microcomputer systems are incapable of being restarted (booted)
because of a hardware failure.
If the inability to start the system is caused by a failure of the hard disk drive and it is
necessary to repair or replace the drive, the data on the drive will probably be
unavailable even after the system has been repaired.
6.2.2 Hardware Failure: Failure During Use
Although microcomputers do not often break down, the hardware can fail during use
for a variety of reasons. The rmst com- ~>n problem is a disruption or surge of
electric power, but the failure of almost / internal component can cause the
system to crash.
In i Jition to the problems that may be encountered if the system cannot be booted,
failure during use will result in a disruption of ongoing processing. If the system
crashes while in use, all data in the volatile, random access memory (RAM) will be
lost. In addition, if data files are open at the time of the failure, they may be
corrupted.
6.r.3 Accidental Data Destruction
The most common way that data are accidentally destroyed is by users issuing
incorrect commands. For example, ft is possible for users to destroy all of the data
on a disk by inadvertently reformatting it. This can be especially damaging if the
hard disk is reformatted. Res can also be inadvertently deleted. It is also possible
to c -»y a file on top of an existing file if the name of the existing file is used as the
destination of a copy command.
Da' can also be accidentally destroyed by software malfunctions or incompatibility.
A particularly serious potentia problem is caused by an incompatibility between
versions 2.x and 3.x of PC/MS DOS. Specifically, if a system containing a 20 mb or
6-2
-------�
Information Security Manual for PCs 12/15/89
larger fixed disk formatted under version 3.x of DOS is booted from a diskette that
contains a 2.x operating system, the File Allocation Table of the hard disk will be
damaged when data are written to the hard disk. If this happens, it might not be
possible to access data stored on the hard disk.
6.2.4 Sabotage
Data can be deliberately destroyed by malicious individuals, who may be either
authorized or unauthorized users. Such destruction can be the result of vandalism
by those outside the office, but it can also be an act by an employee who has been
dismissed or disciplined, an act by an individual who is hostile to the mission of an
office, or an act by an individual hostile to the implementation of a new computer
system. Examples include:
An employee may oppose the implementation of performance monitoring
software.
- An individual may use the data overwriting programs in PC utilities packages
to erase files or disks.
A dismissed employee may plant a "virus" in an organization's software prior
to departure.
An individual may feel that the automation of the individual's duties may
make him or her more expendable.
An individual may believe that the implementation of a system intended to
make his or her job easier will actually make his or her job more difficult.
6.2.5 Failure to Backup Data and Programs
When it comes to regular and systematic backup, it unfortunately seems that
experience is the best teacher. A user often needs to lose a key file before he/she
realizes the importance of regular backups. Failure to perform regular backups is
probably the most common and the most serious threat to availability.
6.3 PROCEDURES TO MAINTAIN MEDIUM-LEVEL AVAILABILITY
This subsection applies to applications that can be unavailable for a period of only
one-to-five days and/or applications that are of "other high value."
6-3
-------�
Information Security Manual for PCs 12/15/89
6.3.1 Lock-up Media
To avoid theft, store media in a locked cabinet or room.
6.3.2 Write Protection
Whenever possible, write-protect files and programs to avoid accidental destruction.
6.3.3 Isolated Storage
Isolate the critical/high value application on its own storage media to the extent
possible. For an application residing on a floppy diskette, this means dedicating the
diskette to the one sensitive application. For an application residing on a fixed disk,
this could mean dedicating a separate subdirectory or partition to the software.
Such isolation speeds the backup process (discussed below).
6.3.4 Backups
In general, the most important step to be taken to protect information availability is to
implement a regular schedule of backups. Backups are performed to provide for
easy recovery from a disaster. If information has been backed up, and if the backup
is safely stored, the information will be recoverable - no matter what happens. Note,
however, that transactions that have occurred since the last backup may have been
lost and may need to be re-input.
DATA BACKUPS
Each PC user needs to establish a backup loop to protect his/her data and files.
The backup loop is a systematic way of creating multiple generations of copies. The
frequency and number of backup generations made and stored should be a direct
function of the value of the information and the cost of regenerating it. In general, two
to five generations are recommended. Two examples involving diskettes are
provided below:
A two-generation scheme for a floppy disk would be performed as follows:
- On the first day, the data on the original diskette would be copied to
Diskette 1.
- On the second day, the data on the original diskette would be copied
to Diskette 2.
6-4
-------�
Information Security Manual for PCs 12/15/89
- On the third day, the data would be copied to Diskette 1, writing over
the backup from the first day.
A five-generation scheme for a fixed disk system would be performed as
follows:
- On Monday of the first week, the data on the fixed disk would be
copied to a set of diskettes designated as Set 1.
- On Tuesday, the data could be copied to Set 2. Wednesday's backup
would be copied to Set 3, Thursday's to Set 4, and Friday's to Set 5.
- On Monday of the second week, the data would be copied to Set 1,
writing over the Monday backup from the previous week.
Under a five-generation scheme, the user has a significant level of protection. Even
if the original data and one or two of the backups were destroyed, only one or two
days of work would be lost.
The backup loop does not have to involve diskettes. As discussed below, tape
backup systems or Bernoulli boxes can be more efficient. Moreover, if the PC is
connected to a LAN file server or remote host (such as a mainframe computer), the
remote device may provide backup protection. Consult the manager of the remote
facility or the LAN System Administrator for information.
Backup copies stored in the general vicinity of the original data protect against
problems such as a system crash or an accidental erasure of data. They do not.
however, protect against a threat such as a fire which could affect an entire floor or
building. As a result, each month a copy should be taken out of the backup loop
and stored in a physically separate location. This archival copy would probably not
be completely current in the event of a major disaster, but it would have great data
recovery utility. To prevent archival copies from piling up, the copy that has been in
archives should replace the one taken out of the backup loop. There may also be
advantages in retaining several generations of the archival copies.
For Headquarters employees, the WIC is recommended as an off-site location. The
WIC does charge a fee for storing backup copies, and participating organizations
execute an Operational Service Agreement for Archiving of PC Software with the
WIC. If the PC is connected to a remote host or file server, it may be possible to use
the remote device as the off-site location. Consult the manager of the remote facility
or the LAN System Administrator for assistance.
6-5
-------�
Information Security Manual for PCs 12/15/89
When files get large, users are tempted to employ the incremental backup approach.
An incremental backup focuses only on what has been changed and includes only
those files that have been modified since the last backup. The advantage of an
incremental backup is that it can be performed faster than the full backups discussed
above. The disadvantage of incremental backups is that no single backup will
contain all of the files and data. If the original files are destroyed or lost, it will be
necessary to reconstruct the data from the most recent full backup and all of the
incremental backups that have been performed since. In addition to being
inconvenient, this process of reconstructing the files is risky. If the last full backup or
any of the incremental backups has anything wrong with it, it may be impossible to
perform a fully successful recovery.
Because of these difficulties, incremental backups are not recommended. Instead, if
the data files are so large that the backup process fills about 15 diskettes, consider
using a streaming tape backup system or a Bernoulli Box. A streaming tape backup
system is available under the PC contract for about $500. The Bernoulli Box, which
is available for about $800 (10 megabyte) or about $1200 (20 megabyte) under the
PC contract, makes backups straightforward and quick. It also provides certain
access controls, for example, partitioning software. If the PC is also used for
confidential processing, the box becomes more cost effective. In addition, if
software as well as data are stored on Bernoulli disks, and a second PC with a
Bernoulli Box is available, each PC can be a backup facility for the other.
SOFTWARE BACKUPS
Backups should not be limited to data and files. End user applications (software
developed or maintained locally) should also be backed up and stored at the off-site
storage facBrty. Source program files, loadable versions of all software, and required
compier or interpreter programs should be included.
6.3.5 Continuity of Operations
Backup computing facilities must be identified for critical applications and an
agreement for use of the backup facility shall be executed. The agreement for the
backup facility should not be an informal and vague oral agreement, but instead
must involve a memorandum between the PC custodians identifying all conditions
(for example, the amount of machine time to be made available).
6-6
-------�
Information Security Manual for PCs 12/15/89
6.4 PROCEDURES TO MAINTAIN HIGH-LEVEL AVAILABILITY
This subsection applies to applications that must be available continuously or within
one day, and/or applications that are of very high value. All of the procedures set
forth in Section 6.3 also apply here. The following additional procedures will be
followed to maintain high-level availability.
6.4.1 Uninterruptible Power
Obtain an Uninterruptible Power Supply (UPS) device to provide virtually complete
surge protection, a filter for line noise, and power in the event of an outage. A UPS is
available for approximately $1100 under the PC contract.
6.4.2 Manual Fallback
Identify and formalize manual data processing procedures to be followed in the
event of a complete disaster in which the application is made unavailable.
6.4.3 More Frequent Backups
Consider preparing full backups for off-site storage on a weekly or even daily basis.
6.5 SUGGESTIONS FOR RECOVERING FROM A DISASTER
In the event of a problem or disaster, it is often best to stop using the PC and seek
help from the PC Site Coordinator. The following may then help restore availability:
It may be possible to recover data stored on the undamaged portions of the
damaged medium using the DOS DEBUG facility or some other hexadecimal
editor. This will be a difficult task and should only be undertaken by
individuals with a thorough understanding of their systems.
Commercially available utility packages (such as the Norton Utilities package
available under the PC contract for about $100) can help in recovering data
and in unformatting an accidentally formatted disk.
If backups have been made, data and software that is not copy-protected
can be restored from the backups. Contact the manufacturers of copy-
protected software to investigate their policy for replacing damaged
software.
If summary data have been damaged, but detailed records or other audit
trais were undamaged, it may be possible to recreate the summary data
from the detailed records. In some cases it might even be possible to
recreate detailed records if sufficient audit trail information is available.
6-7
-------�
Information Security Manual for PCs 12/15/89
7. PRESERVING INFORMATION INTEGRITY
7.1 INTRODUCTION
This section sets forth security procedures for owners, users, LAN System
Administrators, and custodians of applications of high-level and medium-level
integrity (as determined in Section 4). This section is to be used as follows:
- Owners develop the security specifications and the tests needed for
application certification based on the procedures presented here.
Users make sure they are in compliance with owner security specifications
based on these procedures. In addition, users may consult these
procedures when an owner has designated an application as sensitive, but
has not yet identified his/her security specifications.
Custodians and LAN System Administrators use these procedures to
determine what security measures must be in place at his/her installation to
maintain integrity. They also use these procedures to develop the
information required for the risk analysis outlined in Appendix C.
The remainder of this section discusses threats to integrity and procedures to
safeguard and recover system integrity. The next subsection catalogs and
describes specific threats to information integrity. Subsections 7.3 and 7.4 specify
security measures for applications of medium-level integrity and high-level integrity,
respectively. The last subsection describes some steps that can be taken to recover
from data corruption.
72 THREATS TO INTEGRITY
7.2.1 Deliberate Distortion of Information: Fraud and Sabotage
Data integrity can be damaged by the deliberate actions of system users or other
individuals with access to the system. Such damage could take the form of a virus.
These actions could be motivated by revenge (for example, by recently disciplined or
reprimanded employees) or could be intended to perpetrate or cover up fraudulent
activities, mismanagement, or waste.
Fraudulent activities include embezzlement or any other deception intended to cause
the deprivation of property or some lawful right. Fraud could be intended to prevent
or influence enforcement actions or other operations of the Agency.
7-1
-------�
Information Security Manual for PCs 12/15/89
7.2.2 Accidental Damage
Accidental damage to data integrity results when individuals inadvertently and
unknowingly modify data, erase files, input incorrect data, or introduce program
bugs.
Accidental threats to data integrity overlap with the issues discussed under data
availability. The distinction is based on whether the data distortion is discovered. If
so, the distortion would generally be considered to consist of a loss of data and
would, therefore, represent an availability problem. When the damage remains
undetected, decisions may be made or other actions may be taken based upon
incorrect information, resulting in a failure of data integrity.
7.2.3 Other Considerations
In addition to the above, information integrity can also be affected by flaws in
software applications design and development (for example, incorrect algorithms or
mathematical formulae). A review of all of the system design issues that are relevant
to data integrity is beyond the scope of this manual. Instead, the reader is referred
to the three volume set of "EPA System Design and Development Guidance" issued
by OIRM. This comprehensive set of standards includes references to security at
appropriate points in the software design/development process. For more explicit
guidance on designing security into applications, the reader is also referred to
Federal Information Processing Standard (FIPS) PUB 73 and to the Agency's
"Information Security Manual." FIPS PUB 73 is available in the Headquarters library
or through the National Technical Information Service (NTIS).
This manual will limit itself to a consideration of threats to data integrity involving
deliberate and accidental actions of users and involving other events that can occur
during system use.
7.3 PROCEDURES TO MAINTAIN MEDIUM-LEVEL INTEGRITY
The security measures needed to ensure integrity represent a mix of those
associated with maintaining availability flod those associated with preserving
confidentiality. Availability and confidentiality are almost opposites; backup copies of
a data base made to enhance availability can aggravate the problem of preventing
7-2
-------�
Information Security Manual for PCs 12/15/89
the disclosure of data stored in the data base. In a very real sense, however,
integrity is the objective in the middle.
Integrity involves elements of the availability objective because if data are corrupted
or partially destroyed, intact backup copies are essential. On the other hand,
integrity involves elements of the confidentiality objective because preventing fraud
and sabotage are largely problems of controlling access.
7.3.1 Availability-Related Procedures
Adhere to all of the procedures described in Section 6.3, with the exception of those
associated with continuity of operations. This will ensure that backups are created.
7.3.2 Confidentiality-Related Procedures
Adhere to the access control procedures described in Sections 8.3.2 and 8.3.3.
Also, follow the password management practices outlined in Section 8.3.1. In
addition, for PCs in a LAN, adhere to the procedures outlined in the following three
paragraphs.
In a LAN, all points can read traffic on the network, in addition, all points have
access to common storage media. Indeed, the ability to share printers or storage
(file servers) is often a key reason why networks are created.
The LAN System Administrator is responsible for coordinating the selection of
security safeguards for the network to ensure overall effectiveness. LANs
sometimes have security packages available as part of their operating systems.
These may be considered in selecting safeguards for the network.
If all network users have access to all information processed on the network,
establish a formal list of those authorized users (an administrative control). To the
extent possible, bolster this administrative control by keeping each PC on the
network under lock and key when not in use. Require users to provide a password
when logging on to the network.
7.3.3 Audit Trails and User Accovntflbflfty Tracking
If fraud and sabotage are threats, audit trais and operator tracking should be
incorporated into the application software. The software should be designed to
automatically insert the operator identifiers into each record based upon a password
7-3
-------�
Information Security Manual for PCs 12/15/89
supplied during the system sign-on process. Data integrity and user accountability
would be further enhanced if the application software and data base were compiled
and encrypted to prevent the password mechanism from being bypassed.
7.4 PROCEDURES TO MAINTAIN HIGH-LEVEL INTEGRITY
Ail of the procedures set forth in Section 7.3 also apply here. In addition, the
procedures listed below will be followed.
7.4.1 Uninterruptible Power
Obtain an Uninterruptible Power Supply (UPS) device to provide virtually complete
surge protection, a filter for line noise, and power in the event of an outage. A UPS is
available for about $1100 under the PC contract.
7.4.2 Manual Fallback
Identify and formalize manual procedures to be followed in the event of a complete
disaster.
7.4.3 More Frequent Backups
Consider preparing backups for off-site storage on a weekly or even daily basis.
7.5 SUGGESTIONS FOR RECOVERING FROM A DISASTER
In the event of a problem or disaster it is often best to stop using the machine and
seek help from the PC Site Coordinator. The following may then help restore
integrity:
It may be possible to recover data stored on the undamaged portions of the
damaged medium using the DOS DEBUG facility or some other hexadecimal
editor. This w3l be a difficult task and should only be undertaken by
individuals with a thorough understanding of their systems.
Commercially available utility packages (such as the Norton Utilities package
available under the PC contract for about $100) can help in recovering data
and in unformatting an accidentally formatted disk.
If backups have been made, data and software that is not copy-protected
can be restored from the backups. Contact the manufacturers of copy-
protected software to investigate their policy for replacing damaged
software.
7-4
-------�
Information Security Manual for PCs 12/15/89
If summary data have been damaged, but detailed records or other audit
trails were undamaged, it may be possible to recreate the summary data
from the detailed records. In some cases it might even be possible to
recreate detailed records if sufficient audit trail information is available.
7-5
-------�
Information Security Manual for PCs 12/15/89
8. PRESERVING INFORMATION CONFIDENTIALITY
8.1 INTRODUCTION
This section sets forth security procedures for owners, users, LAN System
Administrators, and custodians of confidential applications and information. This
section is to be used as follows:
Owners develop the security specifications and the tests needed for
application certification based on the procedures presented here.
Users make sure they are in compliance with owner security specifications
based on these procedures, in addition, users may consult these
procedures when an owner has designated an application as sensitive, but
has not yet identified his/her security specifications.
- Custodians use these procedures to determine what security measures
must be in place to protect the confidential information being stored and
processed by users of his/her installation. They also use these procedures
to develop the information required for the risk analysis outlined in Appendix
C.
LAN System Administrators must note (per Section 8.3.3) that no confidential
data may be loaded on to a LAN or made available via a LAN unless
specifically approved in writing by the Director of OIRM.
The remainder of this section discusses threats to information confidentiality and
procedures for safeguarding against disclosure. The next subsection catalogs and
describes specific threats to confidentiality. Subsections 8.3 and 8.4 specify security
measures for applications of medium level confidentiality and high level
confidentiality, respectively. Features of the processing environment are particularly
important for preserving confidentiality, and are discussed in those subsections as
appropriate.
Unlike Sections 6 and 7, there is no separate discussion here of steps to recover
from a breach of confidentiality. Once information has been disclosed, there is little
the individual can do to remedy the situation. Instead, the breach must be reported
to appropriate Agency officials, as described in the Information Security Policy.
82 THREATS TO APPLICATION AND INFORMATION CONFIDENTIALITY
Specific threats to information confidentiality are largely problems of access control.
Note that the threats described below apply to confidential information in its various
8-1
-------�
Information Security Manual for PCs 12/15/89
forms, that is, in the computer, in hard copy, on removable media like diskettes, and
on printer ribbons.
Magnetic media containing confidential data can be accessed by individuals
from whom the data should be restricted. If the computer is not in a secure
area, intruders can start the system containing the information and browse
information on the fixed disk. If diskettes containing confidential information
are not secured, unauthorized individuals can install them on a computer
and browse their contents.
- Unauthorized individuals can see data on a computer screen or printout if
confidential data are processed in an unsecured area or if printouts are not
protected in storage.
- Confidential data can be deciphered from printer ribbons that have been
used to print confidential reports.
Unauthorized individuals can access confidential data across a local area
network or other communications device if confidential data are stored or
processed on a microcomputer that can be accessed remotely.
Files erased from a magnetic disk using only the standard DOS "DEL" or
"ERASF commands are not actually erased from the computer disk-they
are only marked for deletion, and the space on which they are written is
freed for use by later files. For this reason, until they have been overwritten,
they can be "unerased" using commercially available utility programs.
Some software systems use work files that are temporarily stored on disk.
Although the systems usually delete these files when they are finished with
them, the deleted files may be recoverable using commercially available
utility programs. Similarly, information could be left in the volatile (RAM)
memory of the computer if the computer is not turned off after confidential
data have been processed.
Individuals authorized to access confidential information could deliberately
share printed reports or magnetic media containing confidential data with
unauthorized individuals.
8.3 PROCEDURES TO PRESERVE MEDIUM-LEVEL CONFIDENTIALITY
Preserving confidentiality involves controlling access to information and applications.
How easy or difficult it is to control access is highly dependent on the three key
environmental characteristics (single user versus shared, stand-alone versus
communicating, removable versus non-removable media). The simplest situation
consists of a single user who does stand-alone processing and stores all confidential
information on floppy disks. When the PC is shared or in a communicating
configuration, the security situation becomes more complicated.
8-2
-------�
Information Security Manual for PCs 12/15/89
The procedures that follow are presented largely in terms of processing
environment. Following a short subsection on controls that apply to all
environments, more complicated environments are discussed. The security controls
required fall into the following categories:
- Physical, such as door locks
Administrative, such as lists which specify who is allowed access to a given
PC
System-Based, such as password protection
Information-Based, that is, rendering information unusable (even if it is
obtained) through scrambling or encryption techniques. As an example,
some commercial software (for example, Lotus 1-2-3 Version 2) contain data
encryption capabilities. The Lotus 1-2-3 data encryption capability enables
users to password-protect their Lotus spreadsheets. The encrypted
spreadsheets cannot be accessed without the assigned password and data
in them are encoded to prevent the data files from being read through DOS
functions or other utilities.
It should be noted that EPA organizations with statutory authority for certain types of
confidential information may issue security procedures dealing exclusively with a
particular type of information (for example, TSCA, or FIFRA CBI). Because of
statutory requirements, some of those procedures may be more stringent than those
required here. EPA employees must make sure that they also adhere to all pertinent
organizational standards and procedures.
8.3.1 Procedures for all Environments
Discourage traffic in the area where the computer is located when it is in use.
Unauthorized individuals should be kept out of the area so that they cannot
view data that might appear on the computer screen.
Log off or otherwise inactivate the PC whenever leaving it.
Store hard-copy reports and removable media containing confidential data in
locked cabinets or rooms.
Printer ribbons used to print confidential data should be considered
confidential as well. Destroy exhausted ribbons so that they cannot be
deciphered by an unauthorized individual.
Be careful when disposing of disks, diskettes, or tapes that contain
confidential data. Before these media are thrown away or recycled, they
must be degaussed, overwritten, or shredded. (Degaussing erases data
through demagnetization.) The WIPEDISK program m the Norton Utilities
package (available under the PC contract for about $100) destroys all data
on the disk by overwriting them.
8-3
-------�
Information Security Manual for PCs 12/15/89
When erasing individual files on diskettes or fixed disks, use an overwriting
program like WIPEFILE in the Norton Utilities package. These overwriting
programs are effective. Be careful not to erase needed files.
(It should be noted that programs designed to purge and overwrite individual
files (like WIPEFILE) may only overwrite the most recent generation of a file.
This would also destroy previous generations of the file if they were
physically located in the same disk addresses as the last generation of the
file. If the previous generations were located elsewhere on the disk, or if the
last generation file is smaller than the previous generations, the previous
generations may not be entirely overwritten by the file destruction utility.
Recovery of these undestroyed fragments, however, would be extremely
difficult and tedious for even the most knowledgeable intruder, and it is
unlikely that more than small fragments of the sensitive information could be
recovered.)
- If passwords are selected as a control measure (based on the procedural
guidance below), make sure passwords are selected and handled as
follows:
- Passwords are at least six characters long
- Passwords contain at least one alpha and one numeric character
- Passwords are not composed of names or similar personal types of
information
- Passwords are not shared
- Passwords are changed at least quarterly
- Passwords are not written out and left where an unauthorized person
could find them
- Passwords are not incorporated into automated logon procedures in
batch files or application programs (for example, Crosstalk), and they
are not defined under function keys.
Passwords can either be incorporated into applications systems or
implemented through add-on circuit boards. While application-based
password schemes may prevent casual intruders, they usually do not
prevent the knowledgeable intruder unless special steps are taken (for
example, encryption). Knowledgeable intruders may be able to avoid the
passwords altogether or may scan application listings to determine the
password. For this reason, the more sophisticated hardware-based
password schemes are recommended. Cylock, available under the PC
contract for about $300, is hardware based.
8.3.2 Procedures for Stand-Alone Processing
This part applies to PCs that process in isolation and do not communicate with any
other equipment.
8-4
-------�
Information Security Manual for PCs 12/15/89
CONFIDENTIAL DATA ON REMOVABLE MEDIA ONLY; SINGLE USER OR SHARED
USER PC
Clear the system of confidential information after each confidential processing
session. Power off the unit to clear any volatile memory, that is, random access
memory.
CONFIDENTIAL DATA ON NON-REMOVABLE MEDIA; SINGLE OR SHARED USER
PC
Keep the computer under lock and key when it is not being used, that is, keep it in a
locked cabinet and/or a locked room.
If all users of a shared PC have access to all information processed on the PC,
establish a formal list of those authorized users (an administrative control). Limit
access to those on this authorized list. If this is not the case, users must be
protected from each other via either a password scheme or encryption. Encryption
software (Datasafe) is available under the PC contract for under $100.
8.3.3 Procedures for Communicating PCs
This section applies to PCs that are connected to other equipment such as
autoanswer modems, other PCs, or resource servers.
AUTOANSWER MODEM; SINGLE USER OR SHARED PC
PCs are sometimes used as host systems. An autoanswer modem allows a person
to use the system remotely. Keep the computer under lock and key when it is not in
use, that is, keep it in a locked room or a locked cabinet. Use a password scheme
that requires both a traditional user identifier and a password logon process. Under
no circumstances should users share passwords.
TERMINAL EMULATION
At times, a PC is used as a terminal device to a large host system. In this situation,
security controls are the responsibility of the host system. The host should control
access and the extent to which data are sent (uploaded) or received (downloaded).
The PC user needs to make sure he/she adheres to all host-imposed security
requirements. In addition, the PC must never store host telephone numbers, logon
sequences, or passwords in the PC itself.
8-5
-------�
Information Security Manual for PCs 12/15/89
LOCAL AREA NETWORKS; SINGLE USER OR SHARED PC
No confidential data may be loaded on to a LAN r made available via a LAN unless
specifically approved in writing by the Director of OIRM.
8.4 PROCEDURES TO PRESERVE HIGH-LEVEL CONFIDENTIALITY
The EPA has only one type of information in this category - National Security
Information (NSI). The amount of NSI possessed by the Agency is extremely small,
and the need to computerize any of it would be very infrequent.
Because of the small quantity of NSI in the Agency and because NSI involves special
stjurity considerations (emanations security and TEMPEST devices), NSI should
not be placed on PCs without the express approval of the Director, OIRM.
8-6
-------�
Information Security Manual for PCs 12/15/89
APPENDIX A
INFORMATION SECURITY*
1. PURPOSE. This document establishes a comprehensive, Agency-wide
security program to safeguard Agency information resources. This document sets
forth the Agency's information security policy for both manual and automated
systems and assigns individual and organizational responsibiities for implementing
and administering the program.
2. SCOPE AND APPLICABILITY. This document applies to all EPA
organizations and their employees. It also applies to the facilities and personnel of
agents (including contractors and grantees) of the EPA who are involved in
designing, developing, operating or maintaining Agency information and information
systems.
3. BACKGROUND
a. Information is an Agency asset, just as property, funds and personnel
are Agency assets. The EPA is highly dependent upon its information
resources to carry out program and administrative functions in a timely,
efficient and accountable manner.
b. The EPA relies on its information collection authority under various
enabling statutes to fulfill effectively its environmental missions. The
waiingness of the regulated community and State and local agencies to
supply requested information in a cooperative and timely fashion
depends on their confidence that the information w«l be adequately
protected.
c. The Agency's information resources are exposed to potential loss and
misuse from a variety of accidental and deliberate causes. This
potential loss and misuse can take the form of destruction, disclosure,
alteration, delay or undesired manipulation. Moreover, the Agency can
be subject to acute embarrassment and litigation if certain business or
personal information is inadvertently or maliciously disclosed.
'Source: EPA Information Resources Management Policy Manual, Chapter 8.
A-1
-------�
Information Security Manual for PCs 12/15/89
d. As a result, it is essential that an overall program be established to
preserve and adequately protect the Agency's information resources.
At the same time, it is equally essential that the program not
unnecessarily restrict information sharing with other Federal agencies,
universities, the public and State and local environmental authorities.
Such information sharing has historically played a vital role in the
overall fulfilment of the Agency environmental mission.
e. The management, control and responsibflfty for information resources
within EPA are decentralized. Consequently, the management and
responsibility for information security are also decentralized. An
important example of this is the expanding use of personal computers,
networking, distributed data bases and telecommunications. These
trends place new responsibilities on office managers, research
personnel and others not previously considered information
processing professionals. The "computer center" cannot be relied
upon to protect Agency operations. Controls must be implemented
and maintained where they are most effective.
f. In determining responsibPrties for information security, it is useful to
define a framework of owner/custodian/user. Owners are those who
create or maintain information. Custodians are typically suppliers of
information services who possess, store, process and transmit the
information. These roles are often not discrete; the owner is often the
principal custodian and user of the information.
4. AUTHORITIES
a. OMB Circular A-130, Management of Federal Information Resources.
5. POLICY. It is EPA policy to protect adequately sensitive information and
sensitive applications, maintained in any medium (e.g., paper, computerized data
bases, etc.), from improper use, alteration or disclosure, whether accidental or
deliberate. Information and applications will be protected to the extent required by
applicable law and regulation in accordance with the degree of their sensitivity in
order to ensure the cost-effectiveness of the security program.
A-2
-------�
Information Security Manual for PCs 12/15/89
a. Information security measures will be applied judiciously to ensure that
automated systems operate effectively and accurately and to ensure
the continuity of operation of automated information systems and
facilities that support critical agency functions.
b. As required by OMB Circular No. A-130, all automated installations will
undergo a periodic risk analysis to ensure that appropriate, cost-
effective safeguards are in place. This risk analysis will be conducted
on new installations, on existing installations undergoing significant
change and on existing installations at least every five years.
c. Appropriate administrative, physical, and technical safeguards shall be
incorporated into all new ADP application systems (including PC-based
applications) and major modifications to existing systems.
d. As required by OMB A-130, all new applications will undergo a control
review leading to formal certification. Existing sensitive applications will
be recertified every three years.
e. Access to sensitive personnel information and employment
applications w9l be limited to appropriate personnel in accordance with
procedures established by the Office of Personnel Management and
monitored by the EPA Office of the Inspector General.
f. Appropriate ADP security requirements will be incorporated into
specifications for the acquisition of ADP related services and products.
g. An information security awareness and training program will be
established so that all Agency and contractor personnel are aware of
their information security responsibilities.
h. Information security must be a major factor in evaluating the use of
microcomputers. Microcomputer systems software is typically
rudimentary and affords little or no protection to information and
programs. Consequently, networked microcomputers, the ability to
download data from larger, protected computers onto microcomputers
and microcomputer data processing generally present problems in
information security (for example, problems of access control or
control over the dissemination of information). An EPA employees and
A-3
-------�
Information Security Manual for PCs 12/15/89
managers must be aware of the information security implications of
storing and processing sensitive information on microcomputers,
whether networked or stand-alone.
i. Therefore, it is EPA policy to discourage the use of microcomputers for
storing or processing sensitive information, unless cognizant EPA
employees and managers have made sure that adequate information
security measures are in use. If adequate information security cannot
be maintained, an alternative system configuration must be used.
j. Information security violations wil be promptly reported to appropriate
officials, including the Inspector General.
6. RESPONSIBILITIES
a. The Office of Information Resources Management is responsible for:
(1) Developing and issuing an information security policy in
accordance with all applicable Federal laws, regulations, and
executive orders.
(2) Ensuring that all Agency organizational units are in compliance
with the information security program.
(3) Establishing training criteria and coordinating the development
of an information security training and awareness program.
(4) Providing guidance on selecting and implementing safeguards.
(5) Participating as it deems appropriate, in management and
internal control reviews conducted by the Office of the
Comptroller to ensure compliance with the information security
program.
b. Each "Primary Organization Head" (defined by EPA Order 1000.24 as
the Deputy Administrator, Assistant Administrators, Regional
Administrators, the Inspector General and the General Counsel) is
responsible for:
A-4
-------�
Information Security Manual for PCs 12/15/89
(1) Ensuring that sensitive information and applications within the
organization are adequately protected.
(2) Establishing an organization-wide program for information
security consistent with organizational mission and Agency
policy, including assigning responsibility for the security of each
installation to a management official(s) knowledgeable in
information technology and security.
(3) Assure annually the Assistant Administrator for Administration
and Resources Management that organizational information
resources are adequately protected. This wit be done as part of
the internal control review process required under OMB Circular
No. A-123 (revised) and implemented under EPA Order
1000.24.
(4) Making sure that all automated installations within the
organization undergo a periodic "risk analysis" to ensure that
appropriate, cost-effective safeguards are in place.
(5) Ensuring the continuity of operations of automated information
systems and facilities that support critical functions.
(6) Making sure that appropriate safeguards are incorporated into
all new organizational application systems and major
modifications to existing systems, that all new organizational
applications undergo an information security review leading to
formal certification and that existing sensitive applications are
recertified every three years.
(7) Making sure that Federal employees and contractor personnel
understand their security responsibilities and that organizational
security regulations are property distributed.
(8) Making sure that all organizational procurements of ADP
equipment, software and services incorporate adequate security
provisions.
A-5
-------�
Information Security Manual for PCs 12/15/89
c. The Director, Facilities Management and Services Division, is
sponsible for:
(1) Establishing and implementing physical security standards,
guidelines and procedures in accordance with EPA information
security policy.
(2) Establishing and implementing standards and procedures for
National Security Information in accordance with EPA
information security policy and all applicable Federal laws,
r"iulatk>ns and executive orders.
d. The Procurement and Contracts Management Division and the Grants
Administration Division are responsible for:
(1) Ensuring that Agency grant and contract policies, solicitations
and award documents contain provisions concerning the
information security responsibilities of contractors and grantees
that have been promulgated by OIRM.
(2) Establishing procedures to ensure that contractors and
grantees are in compliance with their information security
responsibilities. Project Officers are responsible for ensuring
contractor compliance with security requirements on individual
contracts. Violations shall be reported to the contracting officer,
Inspector General and appropriate OIRM official. Specific
violations involving National Security Information shall be
reported to the Director, FMSD and the Contracting Officer.
e. The Office of the Inspector General is responsible for:
(1) Esta hing and implementing personnel security standards,
guidelines and procedures in accordance with EPA information
r rrty policy and all applicable Federal laws and regulations.
(2) C ducting or arranging investigations of known or suspected
personnel security violations as it deems appropriate.
A-6
-------�
Information Security Manual for PCs 12/15/89
f. The Office of the Comptroller is responsible for:
(1) Allowing OIRM to review written internal control reports so that
OIRM is aware of the status of information security weaknesses.
g. Each EPA Manager and Supervisor is responsible for:
(1) Making sure their employees are knowledgeable of their
information security responsibBities.
(2) Ensuring that their employees adhere to the organizational
information security program established by the applicable
Primary Organization Head.
h. Each EPA Employee, Contractor and Grantee is responsible for:
(1) Complying fully with his/her information security responsibilities.
(2) Limiting his/her access only to information and systems he/she
is authorized to see and use.
(3) Adhering to all Agency and organizational information security
policies, standards and procedures.
(4) Reporting information security violations to appropriate officials.
Violations involving National Security Information shall also be
reported to the Director, FMSD.
7. DEFINITIONS.
a. "Applications Security" means the set of controls that makes an
information system perform in an accurate and reliable manner, only
those functions it was designed to perform. The set of controls
includes the following: programming, access, source document, input
data, processing storage, output and audit trail.
b. "Confidential Business Information" includes trade secrets, proprietary,
commercial/financial information, and other information that is afforded
protection from disclosure under certain circumstances as described in
A-7
-------�
Information Security Manual for PCs 12/15/89
statutes administered by the Agency. Business information is entitled
to confidentia1 treatment if: (1) business asserts a confidentiality claim,
(2) business shows it has taken its own measures to protect the
information, (3) the information is not publicly available or (4)
disclosure is not required by statute and the disclosure would either
cause competitive harm or impair the Agency's ability to obtain
necessary information in the future.
c. "Information" means any communication or reception of knowledge
such as facts, data or opinions, including numerical, graphic, or
narrative forms, whether oral or maintained in any medium, including
computerized data bases (e.g., floppy disk and hard disk), papers,
microform (microfiche or microfilm), or magnetic tape.
d. "Information Security" encompasses three different "types" of security:
applications security, installation security and personnel security. In
total, information security involves the precautions taken to protect the
confidentiality, integrity and availability of information.
e. "Information System" means the organized collection, processing,
transmission and dissemination of information in accordance with
defined procedures, whether automated or manual.
f. "Installation" means the physical location of one or more information
systems, whether automated or manual. An automated installation
consists of one or more computer or office automation systems
including related peripheral and storage units, central processing units,
telecommunications and operating and support system software.
Automated installations may range in size from large centralized
computer centers to stand-alone personal computers.
g. "Installation Security" includes the use of locks, badges and similar
measures to control access to the installation and the measures
required for the protection of the structure housing the installation from
accident, fire and environmental hazards. In addition to the above
physical security measures, installation security also involves ensuring
continuity of operations through disaster planning.
A-8
-------�
information Security Manual for PCs 12/15/89
h. "National Security Information" means information that is classified as
Top Secret, Secret, or Confidential under Executive Order 12356 or
predecessor orders.
i. "Personnel Security" involves making a determination of an applicant's
or employee's loyalty and trustworthiness by ensuring that personnel
investigations are completed commensurate with position sensitivity
definitions according to the degree and level of access to sensitive
information.
j. "Privacy" is the right of an individual to control the collection, storage
and dissemination of information about himself/herself to avoid the
potential for substantial harm, embarrassment, inconvenience or
unfairness.
k. "Risk Analysis" is a means of measuring and assessing the relative
vulnerabilities and threats to a collection of sensitive data and the
people, systems and installations involved in storing and processing
that data. Its purpose is to determine how security measures can be
effectively applied to minimize potential loss. Risk analyses may vary
from an informal, quantitative review of a microcomputer installation to
a formal, fully quantified review of a major computer center.
I. "Sensitive Information" means information that requires protection due
to the risk and magnitude of loss or harm that could result from
inadvertent or deliberate disclosure, alteration or destruction of the
information. For the purposes of this program, information is
categorized as being either sensitive or not sensitive. Because
sensitivity is a matter of degree, certain sensitive information is further
defined as being "highly" sensitive.
Highly Sensitive: This is information whose loss would seriously
affect the Agency's ability to function, threaten
the national security or jeopardize human life
and welfare. Specifically, information of this
type includes National Security Information,
information critical to the performance of a
primary Agency mission, information that is life
A-9
-------�
information Security Manual for PCs 12/15/89
critical and financial information related to
check issuance, funds transfer and similar
asset accounting/control functions.
Other Sensitive: This is information whose loss would acutely
embarrass the Agency, subject the Agency to
litigation or impair the long-run ability of the
Agency to fulfill its mission. Information of this
type includes Privacy Act information,
Confidential Business Information,
enforcement confidential information,
information that the Freedom of Information
Act exempts from disclosure, budgetary data
prior to release by OMB and information of
high value to the Agency or a particular
organization (see below).
The sensitivity if any, of all other information, shall be determined by the
organizational owner of the information. Whfle a precise set of criteria
for determining the sensitivity of this other information cannot be
provided, the cost of replacing the information and the problems that
would result from doing without the information are primary factors to
consider in determining sensitivity.
m. "Sensitive Applications (or Systems)" are applications which process
highly sensitive or sensitive information or are applications that require
protection because of the loss or harm which could result from the
improper operation or deliberate manipulation of the application itself.
Automated decision-making applications are highly sensitive if the
wrong automated decision could cause serious loss.
8. PROCEDURES AND GUIDELINES. Standards, procedures and guidelines for
the Agency information security program will be identified and issued under separate
cover in the "Information Security Manual." This manual will identify and reference,
as appropriate, existing procedures in the information security area, such as the
"Privacy Act Manual," the "National Security Information Security Handbook," and
Confidential Business Information manuals like the TSCA Security Manual."
A-10
-------�
Information Security Manual for PCs 12/15/89
9. PENALTIES FOR UNAUTHORIZED DISCLOSURE OF INFORMATION.
a. EPA employees are subject to appropriate penalties if they knowingly,
willfully or negligently disclose sensitive information to unauthorized
persons. Penalties may include, but are not limited to, a letter of
warning, a letter of reprimand, suspension without pay, dismissal, loss
or denial of access to sensitive information (including National Security
Information), or other penalties in accordance with applicable law and
Agency rules and regulations, which can include criminal or civil
penalties. Each case will be handled on an individual basis with a full
review of all the pertinent facts. The severity of the security violation or
the pattern of violation will determine the action taken.
b. Non-EPA personnel who knowingly, willfully or negligently disclose
sensitive information to unauthorized persons will be subject to
appropriate laws and sanctions.
A-11
-------�
Information Security Manual for PCs 12/15/89
APPENDIX B
APPLICATION RISK ANALYSIS AND
APPLICATION CERTIFICATION
A. THE CERTIFICATION PROCESS
Owners should review Section 2.4, which contains information on combining
applications for certification purposes, before proceeding with this Appendix.
Owners should also note that in working through this Appendix a qualitative risk
analysis is performed, that is, relative vulnerabilities and threats are assessed and
safeguards are specified.
1. New Applications
Each new sensitive application must undergo initial certification, and then re-
certification every three years. This certification must take place prior to the
application being put into use or production. For sensitive PC applications, the
certification or recertification will begin with the application owner's completion of the
Certification Worksheet, Exhibit B-1. The form and specific instructions for
completing it are described below. The Certifying Official, PC Site Coordinator, and
PC custodian will be available to answer owner questions on an as needed basis.
After completing the worksheet, the owner will forward it to his/her immediate
supervisor for review. The supervisor will review the worksheet for completeness
and then forward it to the designated Certifying Official.
The Certifying Official will either certify that the application is adequately safeguarded
or deny certification by marking the appropriate box on the worksheet and returning
it to the supervisor. A Certifying Official may conclude that safeguards are adequate
if the application is protected in accordance with the procedures set forth in Sections
6-8 of this manual. When certifying the application, the Certifying Official must mark
the appropriate box on the worksheet and sign the one-page certification statement
shown as Exhibit B-2. These documents must be retained on file for inspection by
OIRM, auditors, or the Office of the Inspector General.
Recertification of the operational application should be based on reviews or audits
that test and evaluate the adequacy of implemented safeguards and that identify any
B-1
-------�
Information Security Manual for PCs
12/15/89
EXHIBIT B-1
CERTIFICATION WORKSHEET AND EXAMPLE
SENSITIVE APPLICATION CERTIFICATION WORKSHEET
1. APPLICATION TITLE
RCRA Settlement Offers
3. TYPE(S) OF INFORMATION
Enforcement confidential;
high value
5. PROCESSING ENVIRONMENT
Standalone; non-removable and
removable media; shared user; Room 1123,
West Tower, Washington, D.C.
2. OWNER
Ima Safe
OSWER, OSW
4. SENSITIVITY LEVEL & OBJECTIVE
Confidential: Medium Level
Availability: Medium Level
6. DESCRIPTION
Database application that tracks
settlement offers by case. All
users of PC may see confidential
data.
7. SECURITY SPECIFICATIONS/REQUIREMENTS
a. Controls to Maintain Availability
- Back-up database to diskettes in accordance with the procedures manual.
- Identify backup computing facility.
b. Controls to Maintain Integrity
(Minimal controls only)
c. Controls to Maintain Confidentiality
- Keep PC and removable media in a locked room.
- Establish a formal list of authorized users.
8. EVIDENCE OF ADEQUACY/DESIGN REVIEW
Check to make sure door lock installed.
Check to see that formal list of authorized users created.
Are backups created by user?
Memorandum outlining agreement for backup facility.
9. TEST S. NARIO AND RESULT
LOCK installed on 6-15-89.
List developed on 6-5-89.
Local backups kept in adjacent office; archival backup stored in Crystal City.
Memorandum with PC custodian in same branch executed 6-15-89.
10. X CERTIFIED NOT CERTIFIED
B-2
-------�
Information Security Manual for PCs 12/15/89
EXHIBIT B-2
CERTIFICATION STATEMENT
I have carefully examined the information presented on the Certification Worksheet
for (application name) . dated . Based on my authority and judgement,
and weighing any remaining risks against operational requirements, I authorize con-
tinued operation of (application name) under the restrictions/conditions listed
below.
(List any Restrictions and Special Conditions QL enter "None")
(Signature and Date)
B-3
-------�
Information Security Manual for PCs 12/15/89
new vulnerabilities. These reviews or audits should be considered part of
vulnerability assessments and internal control reviews conducted in accordance with
OMB Circular No. A-123.
2. Existing Applications
Each existing sensitive application must also undergo initial certification (and
recertification every three years) in accordance with all of the instructions above.
However, to avoid overwhelming organizations, initial certification may take place on
a phased basis over the next two years. All initial certifications of existing systems
should be complete by the end of FY 1991. More sensitive applications (as defined
in Section 4) need to be certified first and as expedttiously as possible (by the end of
1990). Because of their overall organizational knowledge, SIRMOs may be able to
quickly prioritize applications for certification.
B. THE CERTIFICATION WORKSHEET
The certification worksheet should be completed by the application owner as follows.
The numbers below correspond to the numbered blocks on the worksheet. The
worksheet has been filled in to provide an example of what is expected.
1. Application Title: Provide the name of the information system or application.
2. Owner: List the application owner and organization.
3. Type of Information: Indicate the type of sensitive information (for example,
CBI or high value) in terms of Section 4 of this manual.
4. Sensitivity Level and Objective: Provide the relevant security objective (for
example, availability) and the associated sensitivity level (for example, high
level).
5. Processing Environment: Describe the processing environment in terms of
shared versus single user PC, removable versus non-removable storage
media, and standalone processing versus communicating with other
equipment. Also indicate the physical and geographic location of the
system.
6. Description: Provide a brief functional description of the application.
B-4
-------�
information Security Manual for PCs 12/15/89
7(a)-(c). Security Specifications/Requirements: Express the needed
availability, integrity, and/or confidentiality security controls in terms of
Sections 6-8 of this manual.
8. Evidence of Adequacy/Design Review: Indicate how the owner will ensure
that the security specifications are being implemented.
9. Test Scenario and Results: Describe how the owner will satisfy
himself/herself that the safeguards work or that the procedures are being
followed.
10. Certifying blocks to be checked by the Certifying Officer as appropriate.
The application owner should note that the worksheet could also be used as a set of
security procedures for the application's users. In other words, the worksheet can
be used to communicate the sensitivity of the application and the security
procedures to the user.
B-5
-------�
Information Security Manual for PCs 12/15/89
APPENDIX C
INSTALLATION RISK ANALYSIS
A. BACKGROUND
A risk analysis is a means of measuring and assessing the relative vulnerabilities and
threats to an installation. Its purpose is to determine how security safeguards can be
effectively applied to minimize potential loss. In everyday terms, risk analysis is
simply a procedure for identifying what could go wrong, how likely it is that things
could go wrong, and what can be done to prevent them from going wrong.
Risk analyses may vary from an informal, qualitative review of a microcomputer or
minicomputer installation, to a formal, fully quantified review of a major computer
center. For all Agency installations, including PCs, a qualitative approach may be
used.
B. APPLICABILITY AND REQUIRED SCHEDULE
Ail Agency PCs are required to undergo a risk analysis. A risk analysis shall be
performed:
At the time the equipment is installed.
- Whenever a significant change occurs to the installation. Significant
changes include:
- Physically moving the equipment to another location
- Going from a single user to multiple users, or vice versa
- Altering the communication configuration, for example, adding a dial-
up capability or becoming part of a LAN.
At least every five years, if no significant change to the installation
necessitating an earlier analysis has occurred. Existing PCs that have not
undergone a risk analysis during the last five years must undergo one by the
end of 1990.
C-1
-------�
Information Security Manual for PCs
12/15/89
EXHIBIT C-1
RISK ANALYSIS WORKSHEET AND EXAMPLE
1. PC LOCATION
Room 1123, West Tower
Washington, DC
OSW
2. CUSTODIAN & EQUIPMENT TYPE
R.U. Secure
IBM PC/AT
3. TYPE(S) OF INFORMATION
Enforcement confidential;
high value
4. NUMBER OF SENSITIVE
APPLICATIONS
1
5. PROCESSING ENVIRONMENT
Standalone; non-removable and
removable media; shared user
6. SENSITIVITY LEVEL & OBJECTIVE
Confidential: Medium Level
Availability: Medium Level
7. CONTROLS TO MAINTAIN AVAILABILITY
Remind users to backup data in accordance with the procedures manual.
Execute a memorandum with another PC custodian outlining agreement
for backup computing.
8. CONTROLS TO PRESERVE INTEGRITY
(Minimal controls only.)
9. CONTROLS TO PRESERVE CONFIDENTIALITY
Install a door lock.
Make sure application owner has established a list of authorized users.
10. COMMENTS
The procedures for all environ-
ments described in Section 8.3.1
have been implemented, except
those related to passwords.
11. MINIMAL CONTROLS IN PLACE?
x YES
NO
C-2
-------�
Information Security Manual for PCs 12/15/89.
C. RISK ANALYSIS WORKSHEET
To perform the qualitative risk analysis required by this manual, the PC custodian
should complete the worksheet shown as Exhibit C-1 as follows. The numbers
below correspond to the numbered blocks on the worksheet. The worksheet has
been filled in for a hypothetical PC to provide an example of what is expected. Note
that the example involves the same application as that presented in Appendix B in
order to highlight the differences in security perspective between owner and
custodian.
1. Location and Equipment Type: Provide the physical and geographic
location and the organization for the PC.
2. Custodian and Equipment Type: List the person to whom the PC is
assigned and the type of equipment.
3. Type of Information: Indicate the type of sensitive information (for example,
CBI or high value) in terms of Section 4 of this manual. If the installation
does not process any sensitive information, the risk analysis is at an end
and only the minimal controls set forth in Section 3 need to be
implemented.
4. Number of Sensitive Applications: Indicate the number of sensitive
applications processed on the PC.
5. Processing Environment: Describe the processing environment in terms of
shared versus single user PC, removable versus non-removable storage
media, and stand-alone processing versus communicating with other
equipment.
6. Sensitivity Level and Objective: Provide the relevant security objective (for
example, availability) and the associated sensitivity level (for example, high
level).
7. Controls to Maintain Availability: Express the needed availability controls in
terms of Section 6 of this manual.
8. Controls to Preservee Integrity: Express the needed integrity controls in
terms of Section 7 of this manual.
C-3
-------�
Information Security Manual for PCs 12/15/89
9. Controls to Preserve Confidentiality: Express the needed confidentiality
controls in terms of Section 8 of this manual.
10. Comments: Self-explanatory.
11. Minimal Controls in Place: Indicate whether or not the minimal physical
and environmental controls described in Section 3 are in place.
D. QUANTITATIVE RISK ANALYSIS
Detailed instructions for performing a quantitative risk analysis are contained in the
Agency's "Information Security Manual."
In essence, a quantitative risk analysis is an exercise in cost/benefit analysis.
Specifically, it involves the following steps:
Identify the asset to be protected (equipment, application, data, etc.).
Determine the threats to the asset:
- Natural, such as flood or earthquake
- Man-made, such as fraud or accidental error
- Determine the probability the threat wil be realized and the dollar loss
(replacement cost, damages, etc.) if the threat is realized. Manipulate the
two numbers to obtain the annual loss expectancy (ALE).
Calculate the cost of security safeguards.
- Compare the cost of safeguards with the ALE, and implement those controls
that are cost-effective.
A simple example involving protecting a database from fire follows:
- Asset is data base with a replacement cost $20,000.
- Threat is fire.
Rate of occurrence of fire is once every 50 years.
Annual probabiity of fire is 2%.
Annual Loss Expectancy is $400 (.02 x $20,000).
Cost of safeguard (fire extinguisher) is $100 with a life of 5 years, or
$20/year.
C-4
-------�
Information Security Manual for PCs 12/15/89
Obtain the fire extinguisher because it is cost-effective ($20 versus $400).
C-5
-------� |