Information Security Manual for PCs                                  12/15/89

Each manual is structured to allow the reader, whether manager or staff member, to
tailor it to his/her own particular security situation by completing one or two
worksheets and by reading selected portions of the text.  Specifically, each reader
works through a sensitivity evaluation table to determine if he/she has sensitive
information.  If not, only minimal security controls need to be implemented.  If the
reader does have sensitive information, he/she uses a worksheet to identify why the
information is sensitive and which of the three security objectives are relevant.  The
reader is then referred to later sections of the manual as appropriate.  For example,
there is a subsection on safeguards for maintaining the availability of critical PC
applications.

Because a common problem in information security is determining exactly who is
responsible for what aspects of security, each manual devotes a chapter to
information security roles and responsibilities.  While the manuals try to be as user
friendly as possible in explaining to readers how to fulfill those responsibilities, the
manuals are not painless.  To ensure that information resources are adequately
protected, the manuals describe three different control processes.  The processes
establish a structure of security checks and balances by approaching security both
from an equipment perspective and from an application or information system
perspective.

                     TABLE OF CONTENTS

Section                                                                Page

1.  GENERAL INFORMATION ............................................   1-1
2.  PC SECURITY ROLES AND RESPONSIBILITIES .........................   2-1
3.  MINIMAL CONTROLS FOR ALL PCs AND PC LANS .......................   3-1
4.  DETERMINING THE NEED FOR ADDITIONAL CONTROLS ...................   4-1
5.  PERSONNEL SECURITY AND TRAINING ................................   5-1
6.  MAINTAINING INFORMATION AVAILABILITY ...........................   6-1
7.  PRESERVING INFORMATION INTEGRITY ...............................   7-1
8.  PRESERVING INFORMATION CONFIDENTIALITY .........................   8-1

APPENDIX A:   POLICY ...............................................   A-1
APPENDIX B:   APPLICATION RISK ANALYSIS AND
              APPLICATION CERTIFICATION ............................   B-1
APPENDIX C:   INSTALLATION RISK ANALYSIS ...........................   C-1


                      1.  GENERAL INFORMATION

1.1   PURPOSE, SCOPE, AND APPLICABILITY

In accordance with the Agency's Information Security Policy, this manual establishes
information security procedures for personal computers (PCs) and provides overall
guidance  to  EPA managers and staff in implementing  those procedures.   The
security controls specified in this manual are designed to ensure that information on
PCs is  adequately protected  and that EPA organizations and employees are  in
compliance with all requirements of the policy.

This manual  addresses PC  security  only.  A single PC installation  is generally
comprised of a microprocessor, a video monitor, and various peripheral devices for
entering, storing, transmitting, and printing data. The PC installation may process in
isolation as a stand-alone personal tool and/or it may function as a smart terminal in
a communications configuration (such as PC to  mainframe or in  a local area
network).   This manual does  not apply, however, to  other types of microsystems
such as word processors (for example, Lexitrons) or dumb terminals (those that are
not  programmable).   Information security  for these  devices  is dealt with  in the
Agency's comprehensive "Information Security Manual."

Consistent with the Information Security Policy, this manual applies to all EPA
organizations and employees that use PCs.  It also applies to the personnel of
agents (including contractors and grantees) of the EPA who are involved in
designing, developing, operating, or maintaining Agency information and systems on
PCs.

The specific purposes of this manual are as follows:
     •   To save organizations money by making sure that only focused, cost-effective
         security safeguards (or controls) are implemented
     •   To protect organizations and individuals from the embarrassment of an
         unauthorized disclosure or from the disruption that would result if crucial
         information were destroyed
     •   To help organizations meet internal control review requirements by providing
         them with a sound basis for assuring that automated PC information systems
         are adequately protected
     •   To assist staff in developing the system documentation required by the "EPA
         System Design and Development Guidance"
     •   To help organizations meet the security reporting requirements of the EPA
         PC planning process
     •   To enable organizations to undergo successfully any security audits that
         may be conducted by the Office of the Inspector General.

 1.2   INTRODUCTION TO THE EPA INFORMATION SECURITY PROGRAM

 Through the Information Security Policy, the EPA has established a comprehensive,
 Agency-wide information security program to adequately safeguard the Agency's
 information resources.  (The policy, which is Chapter 8 of the EPA's Information
 Resources Management Policy Manual, is reproduced here as Appendix A.)  The
 concept of adequacy means that security controls should be neither overapplied nor
 underapplied.    Overapplication  wastes  financial  and  ADP  resources,  and
 underapplication exposes the information to various security threats.

 The policy categorizes  information  and applications (or systems) as being either
 sensitive or  not sensitive.  Sensitive information means information that requires
 protection due to the loss or harm  that could result from inadvertent or deliberate
 disclosure,  alteration, or destruction of the information.  Examples of sensitive
 information include Confidential Business Information (CBI), Privacy Act Information,
 and data critical to the performance of primary Agency missions. A sensitive
 application is an application that processes sensitive information, or is an application
 that requires protection due to the loss or harm that could result from the improper
 operation or deliberate manipulation  of the application itself.

 In short, information security involves  the  precautions taken to protect sensitive
 information resources from potential loss and misuse. The three major objectives of
 the EPA program, as illustrated in Exhibit 1-1, are to maintain:
             Information Availability
             Information Integrity
             Information Confidentiality

The availability objective is associated with  information where the loss of the
information would  cause serious  problems, either because it would be costly to
replace the information or because it would  be difficult to function without the
information. Thus, availability involves both the dollar value and the time value (or
"criticality") of the information. An example of an Agency information system or
application where availability is important is the Resource Conservation and
Recovery Information System (RCRIS).

                                EXHIBIT 1-1

                   INFORMATION SECURITY OBJECTIVES

   [Figure: three overlapping objectives -- AVAILABILITY (Prevent Information
   Loss), INTEGRITY (Prevent Information Corruption), and CONFIDENTIALITY
   (Prevent Information Disclosure).]

The integrity objective is associated with information or applications where accuracy
and reliability are  of  particular  concern.  In  short, integrity  is concerned  with
protecting information from corruption.  An example  of  an Agency information
system where integrity is important is the Integrated Financial Management System
(IFMS).

The confidentiality objective is concerned with information where disclosure would
be undesirable or unlawful.  Examples of information of this type include Toxic
Substances Control Act (TSCA) Confidential Business Information (CBI) or
personnel files.

As Exhibit 1-1 indicates, a particular application could involve only one objective or
could involve some combination  of objectives.  For example, a particular data base
could contain information critical to a primary Agency mission and  yet contain no
confidential  information.   In other  words, while  availability  is   an  objective,
confidentiality is not a factor and the information in the data base could be  widely
disseminated without any  damage resulting from disclosure.  On the other hand,
another data base could be both critical and confidential.

1.3   THE PC SECURITY PROBLEM

The expanding use of personal computers is creating major new opportunities for
productivity  improvement at the  EPA.  At the same time, however,  this expanding
use of personal computers is placing new  information  security responsibilities on
office managers,  research personnel,  and  others not previously  recognized as
information  processing professionals.  This decentralized processing of Agency
information means that mainframe and minicomputer processing installations can no
longer be relied upon to protect all automated Agency operations.

The nature of the PC security problem is illustrated in Exhibit 1-2.  A wide range of
intentional or unintentional events can threaten information being stored and
processed on a PC.  These threats include:
     •   External and environmental threats, such as fire, water damage, or power
         failure
     •   Hardware and software error, such as disk or operating system failure
     •   Operations error, such as accidental user modification or erasure of data
     •   Malicious actions, such as theft or data sabotage.

                              EXHIBIT 1-2

                        THE SECURITY PROBLEM

   [Figure: threats (Environmental Threats, Malicious Actions, Hardware &
   Software Errors, User Error) acting against layered controls (Personnel
   Controls, Software & Data Controls, Equipment & Physical Controls,
   Administrative Controls) that surround the Information Resources:
   Programs, Data, and Equipment.]

How vulnerable a particular PC is to these threats depends on two basic factors.
The first is the type or nature of information being processed, that is, the relevance of
each of the three security objectives. The second factor is the environment in which
the PC is processing the information, for example, whether the PC is stand-alone or
is part of a  network.  Information security involves identifying threats and applying
controls to  prevent  threats from being realized. When threats  are realized  (for
example, disclosure or damage/loss of information), the three security objectives are
not achieved.

Certain PC characteristics pose special problems in information security.  In general,
these include the following:
     •   Personal computer systems software is typically rudimentary and affords
         little or no protection to information and programs.
     •   Personal computers typically lack the built-in hardware mechanisms needed
         to isolate users from each other and from certain system functions (such as
         reading and writing to memory).
     •   PC information is typically in the form of reports, spreadsheets, lists, and
         memoranda.  These relatively "final" forms mean that PC data are more
         readily accessed and understood by unauthorized users than are data in
         larger computer systems.

1.4   STRUCTURE OF THIS MANUAL

PC security  manuals are typically organized by type of security and include chapters
on physical security, data security,  communications security, and the like. While
such manuals provide good technical discussions of security controls, they typically
overwhelm the reader with a hodgepodge of safeguards that cause  uncertainty
about exactly which safeguards should be implemented. In addition, these manuals
often provide little in the way of overall implementation guidance.

This manual is structured  in  a completely  different manner.   In essence,  it is
organized to allow each reader, whether a manager or staff member, to tailor it to
his/her own particular security situation.  In  a very real  sense, the manual allows
each reader to work through his/her security problem by completing one  or two
worksheets and by reading selected portions of the text.

Following the introductory material presented in this first section, Section 2 concerns
itself with individual  and organizational  information  security responsibilities and
should be read by all EPA managers and staff using PCs. Because it is not easy to
coordinate  the diverse elements of an information security program,  Section  2
recommends that one management official, the Senior  Information  Resources
Management Official  (SIRMO), be  the focal point for information security in each
major EPA organizational unit.

Section 3 describes minimal security controls to be used for all PCs, regardless of
the  processing environment or the type of information. Section 3 should also be
read by all EPA managers and staff.

Section 4 is the last  section that should be read by all EPA managers and staff.
Section 4 analyzes the need for additional security controls by determining whether
or not the reader has sensitive PC applications.

Based on the determination of sensitivity, the reader is referred to Sections  5-8, as
appropriate. Section 5 highlights key personnel  security  considerations for those
with sensitive PC applications. Section 6 addresses security procedures for those
needing to maintain availability.  Sections 7 and 8 present security procedures for
those  needing to preserve integrity and confidentiality, respectively.

1.5    RELATIONSHIP TO OTHER SECURITY PROCEDURES

In this manual,  the  Office of  Information Resources Management (OIRM)  is
establishing overall, Agency-wide security procedures for safeguarding  EPA PCs.
Other EPA organizations  have  developed specialized procedures in particular
information security areas.  As an important example, the National Data Processing
Division (NDPD)  in Research  Triangle Park issues technical policies  concerning
systems (for example,  PC local area  networks) supported and  approved by  it.
These policies are contained in the "NDPD Operational Policies Manual."  In addition,
EPA organizations  with statutory  authority for certain types of  information (for
example, the Office of Toxic Substances for TSCA CBI) issue security procedures
dealing exclusively with a certain type of information.

Nothing contained in this manual is intended to contradict or replace the specialized
security procedures of these other organizations.  Those specialized procedures
expand upon the core procedures  presented in this manual.  EPA organizations that
issue such procedures must ensure that they are consistent with this manual. EPA
employees must make sure they adhere to all such specialized procedures, as well
as to the procedures presented in this manual.

          2.   PC SECURITY ROLES AND RESPONSIBILITIES

2.1   BACKGROUND

Information security involves much more than technical hardware and software
issues.  Above all, a successful information security program needs strong
organizational and administrative controls.  Administrative/managerial factors such
as top management  support and  employee awareness contribute significantly to
program success.  An information security program needs to involve all employees
and to be a part of the day-to-day operations of an organization.

Because of these factors, the Information Security Policy assigns  information
security responsibilities to top management, to supervisors, and to employees. This
manual is intended to explain to EPA managers and staff how to comply with these
responsibilities in a way that is not overly burdensome on programs and individuals.
The  remainder of this  section describes a suggested  overall framework  for
implementing the Information Security Policy as it relates to PCs.

The framework of security roles set forth in this section is not mandatory. While
programs must meet  the requirements of the Information Security Policy, they may
find they are able to do so by creating somewhat different roles than those defined
here.  OIRM recognizes that programs may need to modify the framework to meet
unique  program  needs.   The framework  is  not meant to be  inflexible  and
bureaucratic; instead, its intent is to assist programs and individuals in implementing
adequate protection of sensitive information.

2.2   PC SECURITY ROLES:  AN INTRODUCTION

A common problem in information security is determining exactly who is responsible
for what aspects of security. In determining accountability for information security, it
is extremely useful to  start with a framework of owner/user/custodian.  Throughout
this manual, specific  security actions  are cast in terms of this framework, while
oversight and  coordinating actions are the responsibility of management.  The
framework is described in detail in the next subsection.

It is important to recognize that there may not always be a one-to-one
correspondence between individuals and roles.  In other words, at times it may be
more efficient to have several individuals share the responsibilities of a role.  Again,
the framework described here is meant to be a flexible implementation tool.


 2.2.1 Owners, Users, and Custodians

 These three roles are defined as follows:

     •   Application (or Information System) Owner:  The owner of the information is
         the individual or organization who creates and sponsors it.  Ownership
         involves authority and responsibility for the information, either in a
         programmatic or administrative sense.  For example, the Office of Solid
         Waste and Emergency Response is the owner of RCRIS.  The Office of
         Administration and Resources Management is the owner of IFMS.  The
         owner determines the sensitivity of the application (or information system),
         assigns custody of the application, and decides who will be allowed to use
         the application.  Consulting with the custodian as appropriate, the owner
         specifies and approves security controls, and ensures that the application is
         protected on an ongoing basis.  The owner also determines backup and
         availability requirements and communicates them to the custodian.

     •   Application (or Information System) User:  Users are individuals who are
         authorized by the owner to access an application or collection of information.

     •   PC Custodian:  The custodian is the individual to whom the PC is assigned.
         This is the person responsible for the PC in the property management sense.


 These roles are not always discrete; the owner can be the principal user and
 custodian of the information.  For example, an individual who develops an end-user
 application for stand-alone processing on his or her own PC is at once the PC
 custodian, application owner, and application user.

 2.2.2 The SIRMO as Focal Point

 Because information security covers a variety of information resources and so many
 different employees and supervisors, it is important to have one management official
 in each major organizational unit who can coordinate the security program for that
 organization.  This individual will serve as a security focal point by identifying all PC
 owners, custodians, and users, and by disseminating security-related information
 throughout the organization.  While each Primary Organization Head (as defined in
 the policy statement) may designate whomever he/she wishes for this coordinating
 role, the SIRMO is strongly recommended for this function.  The designate may
 delegate portions of this PC security function (for example, identifying PC owners,
 users, and custodians) to other knowledgeable individuals in the organization as
 long as the Primary Organization Head approves and as long as the coordinating
 role is retained.

2.2.3 Managerial and Administrative Roles

In addition to owners,  users, custodians and SIRMOs, the implementation of the
security procedures in  this manual also requires the involvement of several other
individuals in five oversight roles. The first four of these roles exist at present while
the remaining role is unique to the security program. The five roles are:
     •  Primary Organization Head
     •  First-line supervisors
     •  PC Site Coordinators
     •  Local Area Network (LAN) System Administrator
     •  Certifying Official:   Management  Official(s)  appointed by  the Primary
       Organization Head. This official certifies that the security safeguards that are
       in place for each sensitive application are adequate.

2.3  ASSIGNING RESPONSIBILITIES TO THE  SECURITY ROLES:
      IMPLEMENTING  PC SECURITY

Ensuring that PC information resources are adequately  protected involves three
different  management  control processes.   First, basic,  common-sense security
measures need  to be implemented for each  PC, regardless  of whether or not it
processes sensitive information. Second, an application certification process needs
to be established to determine the  sensitivity of each PC  application and to certify
that the security safeguards for each sensitive application are adequate.  Third, an
installation risk analysis process needs to be established to make sure that the
security measures in place for each  PC adequately protect the sensitive applications
stored and processed  on the PC.   The second and third processes establish a
structure of security checks and balances. They approach information security both
from an installation or equipment perspective and from an application (or information
system) perspective.

Each of the three management control processes is described in more detail below.
Table 2-1 then lays out the security responsibilities associated with the processes on
a role-by-role basis.

                          TABLE 2-1
       IMPLEMENTING A MANAGEMENT CONTROL PROCESS FOR
         INFORMATION SECURITY: RESPONSIBILITIES BY ROLE

Role                                   Responsibilities
-------------------------------------  ----------------------------------------------
Primary Organization Head              Implements the organization-wide security
                                       program.  Designates Certifying Officer(s).

SIRMO                                  Coordinates the organization-wide security
                                       program.  Identifies PC owners, users, and
                                       custodians.

Application (or Information System)    Determines information sensitivity.  Assigns
Owner                                  custody.  Initiates application certification
                                       process.  Authorizes users.  Specifies and
                                       approves security controls.  Specifies backup
                                       and availability requirements.  Makes sure
                                       users and custodian adhere to security
                                       requirements.

PC Custodian                           Responsible for the security of his/her
                                       equipment.  Must implement minimal controls.
                                       Performs risk analysis.

Application (or Information System)    Adheres to security requirements of owner.
User

Supervisor                             Reviews application certification form.
                                       Ensures employees fully comply with
                                       information security responsibilities.

PC Site Coordinator                    Ensures minimal controls are in place.
                                       Advises owner on application certification
                                       process.

Certifying Officer                     Certifies sensitive applications.  Advises
                                       owner on application certification process.

LAN System Administrator               Coordinates the selection of security
                                       safeguards for networks.

2.3.1   Minimal Controls

Section 3 describes the safeguards that need to be in place to ensure the basic
physical and environmental protection of the PC and its magnetic media.  Section 3
also sets forth administrative procedures governing the use of PCs and commercial
software.  Minimal controls are implemented by custodians or users as appropriate
with oversight provided by the cognizant PC Site Coordinator.

2.3.2    Sensitivity Determination, Automated Application Risk Analysis,
         and Application Certification

The requirements of the certification process, including the completion of the
Application Certification Worksheet, are described in detail in Appendix B.  Key
elements of the process are summarized below:

     •   Each Primary Organization Head will designate one or more Certifying
         Officials for his/her organization.

     •   Each application owner will determine the sensitivity of each of his/her
         applications.  This determination will be made in accordance with the
         instructions set forth in Section 4 of this manual.

     •   Each sensitive application must undergo initial certification, and then review
         or audit leading to recertification every three years.  The certification or
         recertification process will begin with the application owner's completion of
         the Application Certification Worksheet.  The worksheet will capture basic
         information on application sensitivity, security specifications, design reviews,
         and tests of security safeguards.

     •   When the worksheet is complete, it will be forwarded through the owner's
         immediate supervisor to the cognizant Certifying Official for
         approval/disapproval.

     •   The worksheet will be used by the application owner to communicate the
         sensitivity of the application and the required security procedures to the
         users of the application.

     •   It should be noted that in developing the worksheet the owner performs a
         qualitative risk analysis, that is, the owner assesses the relative vulnerabilities
         and threats to the application and then specifies safeguards.


2.3.3  Installation Risk Analysis Process

All Agency PCs are required to undergo a risk analysis.  A risk analysis is a means of
measuring and assessing the relative vulnerabilities and threats to an installation.  Its
purpose is to determine how security safeguards can be effectively applied to
minimize potential loss.  In everyday terms, a risk analysis is a procedure for
identifying what could go wrong, how likely it is that things could go wrong, and what
can be done to prevent them from going wrong.

 There are two accepted methods for performing a risk analysis: quantitative and
 qualitative.  For Agency PCs, a qualitative  risk analysis  approach  will  be  used.
 Simply put,  this  method  handles typical  situations quickly  and  efficiently by
 combining the  analysis of risks with safeguard selection. It consists of the following
 basic components:
     •   Determine  what  information  is sensitive  and  non-sensitive.    This
        determination will be made in accordance with the instructions set forth in
        Section 4 of the  manual.   If the PC does  not process  any sensitive
        information, the risk analysis is at an end and only  minimal controls need to
        be implemented. If it does, categorize the sensitive  information, for example,
        "confidential" sensitive.
     •   For each category of sensitive information, determine the level of sensitivity,
        for example, highly confidential.
     •   Decide on an overall set of safeguards or security controls to use.
     •   Tie subsets of those safeguards to particular categories of information and
       to levels of sensitivity.

Implementation of  an installation risk analysis  is the responsibility of the  PC
custodian. By working through this manual, an informal and qualitative risk analysis
is performed.  The custodian need only adhere to the procedures presented in this
document and complete the Risk Analysis Worksheet described in Appendix C.  No
special analytical process has to be undertaken.

Under certain  circumstances, custodians  may feel that more rigorous, quantitative
methods are warranted. OIRM does not wish to prohibit such thorough analyses.
Interested custodians  should  review the last section  of Appendix C for  more
information.

2.4  STREAMLINING THE IMPLEMENTATION OF PC SECURITY

In establishing  these management control processes, OIRM  wants to achieve
adequate PC security throughout the Agency in a way that does not unduly burden
programs and individuals. To that end, organizations may find that the following can
help streamline the management control processes discussed above:
     •   In some organizations, one individual (or a handful of individuals) may be
         knowledgeable enough about the organization's PCs and the information
         contained on them to function as a composite or aggregate owner, user, and
         custodian for the organization.  In other words, the individual has the
         requisite knowledge to complete the organization's Application Certification
         and Risk Analysis Worksheets, not just the worksheets for his/her own PC
         and applications.  This aggregated approach is consistent with the
         owner/user/custodian framework and is an acceptable approach to
         achieving compliance.

     •   In identifying applications for sensitivity determination and certification,
         individuals/organizations may find that some applications are subsystems or
         "children" of larger or "mother" applications.  Similarly, some applications
         may be so related that the boundaries between them are fuzzy and that for
         the purposes of this document they can be thought of as one.  In
         implementing the certification process, such sensitive applications may be
         combined into a single sensitive application.  A key test of whether or not a
         sensitive application has been properly delineated is whether or not the
         questions on the certification worksheet can be meaningfully answered.  If
         the responses are full of exceptions and two-part answers, the aggregation
         is probably incorrect.

        3.  MINIMAL CONTROLS FOR ALL PCs AND PC LANS

3.1   INTRODUCTION

The purposes of this section are:  1) to describe the security measures that need to
be taken to ensure the basic physical and environmental protection of PCs and
magnetic media, and 2) to set forth administrative procedures governing the use of
PCs and commercial software. The dollar value  of the typical PC configuration is
usually several thousand dollars.  All of the measures described in this section can
be implemented at little or no cost, ensuring their overall cost-effectiveness.   The
emphasis here is on common-sense measures that  are justified without a risk
analysis.

The responsibility for making sure these controls are in place rests with custodians
or  users,  as indicated below.  Cognizant PC Site Coordinators  should ensure
compliance with these requirements through periodic, informal inspections.

3.2   PHYSICAL CONTROLS

Agency physical security procedures issued by the  Facilities Management and
Services Division (FMSD) state that:
            "All office equipment should be locked up when not in use... Cables and
            anchor pads can be used to secure typewriters, calculators, computer
            peripherals, and the like. See SCR 1-08 for information about locking devices."
            (Directives Volume 4850-1, SCR 1-06, page 7)

Consistent  with these procedures, the following controls for  PCs are required to
prevent theft and physical damage. PC custodians are responsible for ensuring that
these controls are in place.
    •  Locate PCs away from heavily travelled and easily accessible areas to the
       extent possible.
    •  When possible, install the PC in a locked room, making sure the lock is used
       whenever the room is unoccupied (and not just at night). If the PC cannot be
       installed in a locked room, a locking device such as a locking anchor pad or
       hardened cables can be used. For further information or assistance, contact
       the Security Management Section of FMSD.
    •  All IBM PC/AT and most compatible microcomputers are delivered with
       standard system locks that prevent the system from being operated and
       prevent the cover from being removed, guarding against component theft.
       Use these locks. When adding valuable expansion boards (such as
       additional memory or graphics interfaces) to PCs that do not have
       factory-installed locks, install a cover lock.

    •  Place computers and peripherals on stable and secure platforms away from
       objects that could fall on them.

    •  Portable PCs require additional security considerations because their
       portability increases their vulnerability to theft. In addition to the physical
       security measures already mentioned, store all portable PCs in locked
       cabinets when not in use. For further information or assistance, contact the
       Security Management Section of FMSD. Assign a person who tracks the
       location of the portable PCs on a regular basis, logs them out for use to
       authorized users, and ensures the portable PCs have been returned to the
       locked storage area when not in use. Moreover, any employee removing a
       portable PC from an EPA building for official use must have a property pass.

3.3   ENVIRONMENTAL CONTROLS

PC custodians are responsible for ensuring that the following controls are in place:

    •  PCs are sensitive to surges in electrical power. To provide protection
       against current surges, install a surge protection device. Good quality,
       multi-stage surge protectors are available for under $100.

    •  Do not install the PC in direct sunlight or in a location with extremes of hot
       and cold temperatures (less than 50 degrees Fahrenheit or greater than 100
       degrees Fahrenheit). Do not leave a portable PC in a parked car, which
       would also subject it to temperature extremes.

    •  Computer equipment (and media) are sensitive to contamination from dirt,
       smoke, or magnetic fields. Do not eat or drink in the immediate vicinity of the
       PC. Per the Agency's smoking policy, do not smoke in the vicinity of the PC.
       (Smoke is drawn into the vents and through the disk units, covering the units
       with tar. Tar reduces the life of the disk and the read head.)

    •  To avoid problems from dust and possible overhead water leaks, protect
       computer equipment with inexpensive plastic covers when not in use. Install
       the PC as far as practical from overhead water pipes or sprinkler heads.

    •  Control static electrical charges by placing antistatic mats under the
       computer or workstation or by using antistatic sprays. (Laundry fabric
       softeners containing antistatic ingredients can be used for this purpose, and
       they are quite inexpensive when compared to special purpose antistatic
       sprays.) Because the problem of static electricity is increased when the air is
       extremely dry, it can be reduced by the use of humidifiers if these are
       available.

3.4   MAGNETIC MEDIA CONTROLS


At present, virtually all information on microcomputers is stored on magnetic media
in the following forms:

     •   Diskettes
     •   Fixed disks inside the computer
     •   Cartridge tapes
     •   Removable disk cartridges (for example, Bernoulli cartridges).

PC users need to treat the magnetic media with special care. Flexible diskettes are
especially susceptible to damage.

     •   Keep all magnetic media away from all electrical devices and magnets to
         avoid magnetic fields. This includes magnetic paper clip holders, building
         passes or credit cards with magnetized strips, PC hard drive units, and
         telephones. For example, if a diskette is left on a desk and a telephone is
         placed over the diskette, data on the diskette may be destroyed when the
         telephone rings.

     •   Do not flex diskettes. Bending the media can damage the delicate surfaces
         and destroy data.

     •   Store diskettes in their jackets as soon as they are removed from the
         computer. The jackets are made of a special material that is intended to
         protect the diskette. Cartridge tapes and removable disk cartridges should
         also be stored in their original containers.

     •   Never touch the surface of the diskette platter.

     •   Do not write on a flexible diskette with a pencil or hard-tipped pen. Use only
         a soft-tipped marker.

     •   Keep diskettes in a disk file container when not in use. Dust and other
         particulate materials can scratch and damage the disk.

     •   To prevent permanent loss of data on the fixed disk drive, all files need to be
         backed up and the heads need to be parked before a PC is moved. Some
         portable PCs also may require that the heads be parked and/or a disk
         inserted into the disk drive when transporting the portable.

3.5   BACKUPS

When it comes to making backups of data and programs, it unfortunately seems that
experience is the best teacher. A user often needs to lose a key file before realizing
the importance of regular backups.




For certain types of applications (discussed later in Sections 4 and 6), routine and
systematic backups are of particular importance and this manual sets forth specific
backup procedures. As a minimal control, however, users should be in the habit of
regularly backing up their work. While a precise set of criteria for determining how
often to make these backups cannot be provided, how active the data file is and how
long it took to create are  key factors to consider.  The appropriate backup method
can vary and can include floppy disks, cartridge tapes, removable disk cartridges, or
remote hosts such as minicomputers.

Users  should note that if they are using their PC as a terminal for processing data
and  programs stored at  another site (such as a minicomputer, LAN file server,  or
mainframe facility), that site may already be backing up the data on a regular basis.
Consult the manager  of the remote facility or the LAN System Administrator for
information.


3.6   SOFTWARE COPYRIGHTS/LICENSES AND MASTER COPIES

Owners and users who purchase commercial software must follow the procedures
below.  Supervisors are  responsible for ensuring that their employees  adhere  to
these procedures.

    -  Commercial software is typically under copyright and accompanied by a
       licensing agreement which specifies whether  copies may be made.  EPA
       employees  must  adhere  to these licensing  agreements.  Unauthorized
       duplication  of software is strictly prohibited and is  not condoned by the
       Agency under any circumstances. In general, there are two types of licenses
       - single-machine and site. A single-machine license allows the user to install
       the master copy of the software on his/her PC only. With a site license, the
       software may be installed on more than one PC, typically for a higher fee.  A
       copyright means  that any unauthorized  duplicating,  selling,  or  other
       distribution of the software is a crime. Willful violations of U.S. copyright law
       can result in significant penalties (civil damages of up to $50,000 in addition
       to actual damages plus criminal penalties of up to one year in jail and/or a
       $10,000 fine).

    •  Software purchased by the EPA must be used exclusively on PCs owned by
       the EPA.

    •  Software licensing  agreements  should  be  signed  upon  receipt  and
       immediately filed with the vendor. A copy of the agreement containing the
       registration number should be filed in a safe place. Returning the agreement
       to the vendor will register the purchase and may result in free user
       assistance, free or reduced price software upgrades and other advantages.
       Registration of the software will also provide the basis for getting assistance
       from the manufacturer if the software is lost, stolen, or damaged.


    •  Already established OIRM procedures concerning master copies of PC
       software state that each Primary Organization Head needs to establish a
       central repository for the organization's master copies to ensure
       accountability and control. The WIC can be used for this purpose if an
       organization executes an Operational Service Agreement for Archiving of PC
       software.

3.7   UNAUTHORIZED USE OF PERSONAL COMPUTERS AND SOFTWARE

EPA PCs and associated software are for official EPA business only.  Appropriation
of EPA-owned software for personal use, whether done by unauthorized copying or
by actual removal of the master software, is prohibited. Use of Agency computers is
not allowed for personal business of any kind, even if it is done on the employee's
own time. Training and practice on EPA PCs should be done using work-related
examples. Employees who use EPA PCs and software for other than official Agency
business are subject to disciplinary action ranging from a reprimand to dismissal.

3.8   NON-EPA SOFTWARE AND VIRUSES

Computer viruses have received a great deal of attention in the press.  While some of
the coverage is sensational, it is clear that the problem is real and  that risk does
exist. The threat of viruses has made the need for regular backups (per Section 3.5)
even greater.

In general, a computer virus is an extra program hidden within an apparently normal
program or software package referred to as the virus "host" or "Trojan Horse". Like a
biological virus,  the computer virus  has  two  important characteristics -  it can
replicate itself and it can cause harm or mischief.  This replicating ability means that a
virus can quickly spread via shared diskettes, networks, electronic bulletin boards, or
file servers as programs or files are stored, executed, uploaded or downloaded.
Potentially infected  host software includes operating system tools  such  as an editor
or file utility, data base management software, or spreadsheet macro languages.

Some viruses are relatively harmless and only flash a message on the monitor before
destroying themselves. Others are truly malicious and modify or destroy programs
and data. To detect and combat viruses, a number of specialized programs or
software "vaccines" have  been  developed.  Because  various computer viruses
operate in different  ways, no single vaccine is currently effective against all of them.
Indeed, some of the vaccines have harbored viruses themselves.

Under these circumstances, it is not possible to develop a set of generic,
straightforward procedures to ensure the integrity of non-EPA or public domain
software. Consequently, EPA employees should not install non-EPA or public
domain software on their PCs without the express approval of their SIRMO or the
SIRMO's designate. In addition, EPA employees and contractors who use PCs or
LANs supported and approved by the National Data Processing Division (NDPD) are
also subject to the virus prevention policies set forth in the "NDPD Operational
Policies Manual." Those policies include recommendations related to new software,
backups, and regular checks for program/file size changes.
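The NDPD policies referred to above recommend regular checks for program/file size changes. The following Python script is an added example and is not part of this manual or of the NDPD procedures: it records a baseline of size and SHA-256 digest for every file under a directory and reports what differs on a later scan. It also shows why a size check on its own is not enough: a file altered without changing its length passes the size test and is caught only by the digest. The file names, contents and modifications are constructed for the demonstration.

```python
"""Baseline-and-compare file integrity check (added example, not from the manual).

Records size and SHA-256 digest for every file under a directory, then reports
what changed on a later scan. The sample 'program' files and the modifications
made to them are constructed inline so the script runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Size in bytes and SHA-256 hex digest of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": path.stat().st_size, "sha256": digest.hexdigest()}


def baseline(root: Path) -> dict:
    """Relative path -> fingerprint for every regular file under root."""
    return {
        str(p.relative_to(root)): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: dict, new: dict) -> dict:
    """Differences between two baselines.

    'changed' is decided by the digest. 'size_changed' is the subset that a
    size-only check would also have caught; anything in 'changed' but not in
    'size_changed' was altered without growing or shrinking.
    """
    report = {"changed": [], "size_changed": [], "added": [], "missing": []}
    for name, fp in new.items():
        if name not in old:
            report["added"].append(name)
        elif fp["sha256"] != old[name]["sha256"]:
            report["changed"].append(name)
            if fp["size"] != old[name]["size"]:
                report["size_changed"].append(name)
    report["missing"] = [name for name in old if name not in new]
    return report


def demo() -> dict:
    """Constructed scenario: one file patched in place at the same length,
    one file that grew, and one new file that appeared after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "EDITOR.EXE").write_bytes(b"MZ" + b"\x90" * 100)
        (root / "UTIL.COM").write_bytes(b"\xe9\x00\x00" + b"\xcc" * 50)
        before = baseline(root)

        # Same-length modification: a size check alone does not see this.
        (root / "EDITOR.EXE").write_bytes(b"MZ" + b"\xcc" * 100)
        # Growth: the case a program/file size check is meant to catch.
        util = root / "UTIL.COM"
        util.write_bytes(util.read_bytes() + b"\x00" * 16)
        # A file that was not in the baseline at all.
        (root / "NEW.COM").write_bytes(b"\xc3")

        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In use, the baseline would be written out with `json.dump` and kept on write-protected removable media rather than on the fixed disk being checked, so that whatever altered the programs cannot also alter the record they are compared against.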

Readers may also wish to consult the additional guidance presented in National
Institute of Standards and Technology Special Publication 500-166, entitled
"Computer Viruses and Related Threats: A Management Guide." The publication,
which was issued in August 1989, provides general guidance for managing the
threats of computer viruses and unauthorized use. It deals with different computing
configurations such as personal computers and networks. A copy is available in the
EPA Headquarters library or through the Government Printing Office.

     4.  DETERMINING THE NEED FOR ADDITIONAL CONTROLS

The minimal controls described in Section 3 are required for all Agency PCs. The
purpose of this section is to determine whether or not additional controls are
necessary.

Application owners use this section to evaluate the sensitivity of each of their
applications. Determining sensitivity is an owner responsibility. If sensitive
applications are owned, Sections 6-8 need to be consulted to develop the information
required for the application certification process and the Application Certification
Worksheet (see Appendix B).

Application users review this section to develop a working understanding of
information sensitivity. Users can also use this section to determine the sensitivity of
applications not yet evaluated by the owner (that is, existing applications that are
undergoing certification). Sections 6-8 should then be reviewed, as appropriate.

PC Custodians and LAN System Administrators review this section to develop a
working understanding of information sensitivity. Custodians then combine this
understanding with owner sensitivity designations to determine the number and type
of sensitive applications being processed by users of their installation, and to
identify the installation processing environment. Sections 6-8 then need to be used
to determine what security controls must be in place and to develop the information
needed for the Risk Analysis Worksheet (see Appendix C). This process constitutes
a qualitative risk analysis and will ensure that adequate disaster recovery/continuity
of operations plans are formulated.

4.1   DETERMINING SENSITIVITY AND THE TYPE OF INFORMATION

The reader should review Section 2.4 before proceeding.  That section contains
information on combining applications for sensitivity determination purposes.

The questions presented in the sensitivity evaluation table on the next page (Table 4-
1) are designed to determine whether a particular application is sensitive.  To use the
table, first read through all 11 questions presented in columns (1) - (11) of the table.

                                   TABLE 4-1

                        SENSITIVITY EVALUATION TABLE

QUESTIONS (answer YES or NO for each application or collection of information
listed in the first column):

     (1)  National Security Information?
     (2)  Critical to Performing a Primary Agency Mission?
     (3)  Life Critical?
     (4)  Financial Where Misuse Could Cause Loss?
     (5)  Automated Decision-Making Application?
     (6)  Subject to the Privacy Act?
     (7)  Confidential Business Information?
     (8)  Enforcement Confidential?
     (9)  Budgetary Prior to OMB Release?
     (10) High Value?
     (11) Other Sensitive?

OBJECTIVE/LEVEL (last three columns, completed as described in Section 4.2):
     A = Availability, I = Integrity, C = Confidentiality; HIGH or MEDIUM

Name of Application/   (1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) |  A     I     C
Information                                                          |
---------------------------------------------------------------------+------------------
-EXAMPLE-                  YES             YES                       | HIGH  HIGH  MEDIUM
                                                                     |
                                                                     |
                                                                     |

NOTES:

Question (2)   Answer YES if disablement or unavailability of the application, or the loss,
               compromise, or undesired alteration of the information could jeopardize the
               Agency's ability to perform a primary mission.

Question (3)   Answer YES if the loss of information or disruption of the application could
               jeopardize human life or welfare.

Question (4)   Relates to check issuance, funds transfer, etc., where misuse could cause loss.

Question (5)   Answer YES if the application makes unsupervised automated decisions based on
               programmed criteria (for example, issuing checks, ordering supplies, or performing
               similar asset accounting/control functions) and if the wrong automated decision
               could cause loss.

Question (10)  Answer YES if this is an application/information of "High Value" to the Agency or
               a particular organization. The term "High Value" must be defined by the owner of
               the information or application. While a precise set of criteria for determining
               High Value cannot be provided, the cost of replacing the information and the
               problems that would result from doing without the information are primary factors
               to consider.

Question (11)  Answer YES if: (1) you answered NO to all other questions, and (2) this is an
               application/information whose loss would acutely embarrass the Agency, subject the
               Agency to litigation, or impair the long-run ability of the Agency to fulfill its
               mission.

If all questions can be answered "No" for all applications, the remainder of this
manual does not apply. If any question can be answered "Yes" for any application,
continue to determine how to protect the sensitive application(s) by completing the
table. (After completing the table, make sure to have it reviewed as described in
Section 4.4.)

The table has been designed as a worksheet for use in evaluating sensitivity. To use
the table, list in  the first column the  name  of each application or collection  of
information for which at least one question can be answered "Yes".  For each listed
application or collection of information, answer each question.  A sample entry is
provided.  (Leave the last three columns (security objectives)  blank for the time
being; use of these columns is explained below.)

4.2   DETERMINING RELEVANT SECURITY OBJECTIVES AND THE DEGREE
      OF SENSITIVITY

The next step is to determine how sensitive each sensitive application is and which
security objectives are relevant.  Table 4-2 on the  next page maps each type of
information to its  corresponding objective(s) and sensitivity level (that is, high versus
medium).  (Cases of no or minimal sensitivity are covered by the minimal controls
specified in Section 3.)

For each application, determine the relevant security objective(s)  and sensitivity
level(s) based on the type of information the  application/collection contains.   Note
that  the time value  of  critical  information/applications must be evaluated  to
determine sensitivity level,  and the approximate dollar  value   of  high  value
information/applications must be estimated to determine  sensitivity level.  Most  life
critical  and mission critical applications will probably  involve high  level sensitivity.
Most high value PC applications will probably involve medium level sensitivity.

It may be helpful to make notes about security objectives and sensitivity levels in the
last three columns of the Table 4-1 worksheet.  A sample entry is provided.  In
instances where  an application  turns out to be at  both the high and medium
sensitivity levels vis-a-vis an objective, the higher level dominates. For example, an
application  that  contained  both  National Security  Information   (high  level
confidentiality) and Privacy Act information (medium level confidentiality) would be of
high level confidentiality.

                                   TABLE 4-2

               DETERMINING RELEVANT SECURITY OBJECTIVES
                         AND DEGREE OF SENSITIVITY

                                         Availability   Integrity    Confidentiality
  Type of Information                    High   Med.    High  Med.   High   Med.
  ------------------------------------------------------------------------------
  National Security Information                                       x

  Critical to Performing a
  Primary Agency Mission
    - Must be available continuously
      or within 1 day                     x              x
    - Must be available within 1-5 days          x       x

  Life Critical
    - Must be available continuously
      or within 1 day                     x
    - Must be available within 1-5 days          x

  Financial Where Misuse
  Could Cause Loss                                       x

  Automated Decision-Making
  Application                                            x

  Subject to the Privacy Act                                                  x

  Confidential Business Information                                           x

  Enforcement Confidential                                                    x

  Budgetary Prior to OMB Release                                              x

  High Value
    - Very High Value*                    x
    - Other High Value                           x

  Other**                                (objectives and levels determined by the reader)

  * While a precise set of criteria for distinguishing between "very high value" and "other high value"
  cannot be provided, the cost of replacing the information is the primary factor to consider. Clearly, an
  automated information system that cost $3,000,000 or more to develop and program would be of "very
  high value."
  ** Reader must determine which objectives are relevant based on characteristics of information/
  application.
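As an added worked example, not part of the manual, the following Python code carries the Section 4.1 and 4.2 procedure through for an application: it encodes the Table 4-2 rows, uses the recovery window of critical applications and the estimated dollar value of high value applications to pick the level, applies the Section 4.2 rule that the higher level dominates when one objective is reached at both levels, and reports which of Sections 6-8 to read per Section 4.5. Two points are assumptions of this example rather than statements of the manual: the $3,000,000 figure, which the manual gives only as an illustration of "very high value", is used as a cutoff, and a critical application that can wait more than five days is treated as not classified by Table 4-2. The type names (`mission_critical`, `privacy_act`, and so on) are this example's own labels.

```python
"""Sensitivity classification per Table 4-2 and Section 4.2 (added example,
not from the manual).

Encodes the Table 4-2 rows and the Section 4.2 rule that, where an application
holds information at both high and medium level for one objective, the higher
level dominates. The $3,000,000 very high value figure is the manual's own
illustration, used here as a threshold (assumption); treating a critical
application that can wait more than five days as unclassified by Table 4-2 is
also an assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional

HIGH, MEDIUM = "High", "Medium"
LEVEL_RANK = {MEDIUM: 1, HIGH: 2}
VERY_HIGH_VALUE_DOLLARS = 3_000_000  # assumption: manual's illustration used as a cutoff

# Table 4-2 rows whose objective/level does not depend on time or dollar value.
FIXED_ROWS = {
    "national_security": {"confidentiality": HIGH},
    "financial_misuse_loss": {"integrity": HIGH},
    "automated_decision": {"integrity": HIGH},
    "privacy_act": {"confidentiality": MEDIUM},
    "confidential_business": {"confidentiality": MEDIUM},
    "enforcement_confidential": {"confidentiality": MEDIUM},
    "budgetary_pre_omb": {"confidentiality": MEDIUM},
}

SECTION_FOR_OBJECTIVE = {"availability": 6, "integrity": 7, "confidentiality": 8}


@dataclass
class InfoItem:
    """One type of information held by an application (one YES in Table 4-1)."""
    kind: str
    days_to_recover: Optional[int] = None    # mission_critical / life_critical
    value_dollars: Optional[float] = None    # high_value
    owner_objectives: Optional[dict] = None  # other: objectives the owner designates


def objectives_for(item: InfoItem) -> dict:
    """Table 4-2 row for one type of information: objective -> level."""
    if item.kind in FIXED_ROWS:
        return dict(FIXED_ROWS[item.kind])
    if item.kind in ("mission_critical", "life_critical"):
        days = item.days_to_recover
        if days is None or days < 0:
            raise ValueError("critical information needs its recovery window in days")
        if days <= 1:
            availability = HIGH
        elif days <= 5:
            availability = MEDIUM
        else:
            raise ValueError("Table 4-2 defines no level beyond 5 days; consult the SIRMO")
        row = {"availability": availability}
        if item.kind == "mission_critical":
            row["integrity"] = HIGH  # Table 4-2 marks integrity High for both windows
        return row
    if item.kind == "high_value":
        if item.value_dollars is None:
            raise ValueError("high value information needs an estimated dollar value")
        very_high = item.value_dollars >= VERY_HIGH_VALUE_DOLLARS
        return {"availability": HIGH if very_high else MEDIUM}
    if item.kind == "other":
        return dict(item.owner_objectives or {})
    raise ValueError(f"unknown type of information: {item.kind}")


def security_profile(items) -> dict:
    """Combine rows for one application; per objective the higher level dominates."""
    profile = {}
    for item in items:
        for objective, level in objectives_for(item).items():
            if LEVEL_RANK[level] > LEVEL_RANK.get(profile.get(objective), 0):
                profile[objective] = level
    return profile


def sections_to_read(profile: dict) -> list:
    """Sections 6-8 that apply to a profile, per Section 4.5."""
    return sorted(SECTION_FOR_OBJECTIVE[objective] for objective in profile)


if __name__ == "__main__":
    # The -EXAMPLE- row of Table 4-1: mission critical (needed within a day) plus Privacy Act data.
    example = security_profile([
        InfoItem("mission_critical", days_to_recover=1),
        InfoItem("privacy_act"),
    ])
    print(example, sections_to_read(example))
    # The Section 4.2 illustration: National Security plus Privacy Act gives confidentiality High.
    print(security_profile([InfoItem("national_security"), InfoItem("privacy_act")]))
```

The `-EXAMPLE-` row from Table 4-1 comes out as availability High, integrity High and confidentiality Medium, which is what the sample entry shows, and the Section 4.2 illustration of National Security plus Privacy Act information comes out as confidentiality High only.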

By completing the Table 4-1 worksheet, a security profile is developed that includes
information  on types of sensitive applications, security objectives, and sensitivity
levels.  The security profile contains the basic  information that owners need to
complete the top of the Application Certification Worksheet. It also contains the basic
information  that custodians need to complete the top of  the Risk Analysis
Worksheet.

4.3   DETERMINING THE PROCESSING ENVIRONMENT

Several of the procedural controls specified in Sections 6-8 are described in terms of
the environment in which the application or information is being processed. In using
those sections, be  alert to procedures that depend on three key environmental
characteristics.  As a  result,  answer the  following  questions  for later  use in
implementing procedural controls.
     -   Is the PC a single user device or is it shared among multiple users?
     •   Is the information/application stored on removable media (like a floppy
        diskette) or non-removable media (like a fixed disk) or both (like a fixed disk
        with a floppy disk backup)?
     •   Does  the PC process  in isolation  or does  it communicate with other
        hardware?   If it does communicate, which of the following communications
        configurations applies:
            Remotely Accessible by Modem (Dial-Up Capability)?
            PC to Resource Server?
            Local Area Network or LAN?

The security measures  needed to maintain security in these different environments
will be described in later sections. Regarding LANs, LAN System Administrators
must note that the  National Data Processing Division (NDPD)  issues policies (for
example, governing access control or backup frequency) for Agency LANs. These
policies are contained in Section 310 of the "NDPD Operational Policies Manual."
These  policies are typically more detailed and technically  oriented  than the
procedures  presented here.  LAN System Administrators must make sure that they
also comply with applicable NDPD policies.

4.4    VALIDATING SENSITIVITY RESULTS

Determinations of sensitivity and degree of sensitivity must always be reviewed by
the cognizant supervisor.  Because implementing security safeguards can involve
considerable expense and investment  of staff time, management review  of these
determinations is important.

Management review is also important because some of these determinations can
involve an element of judgment and an organizational perspective is important.
Critical or high value information is not  as easily identified as Confidential Business
Information or Privacy Act  data.  There  may be a tendency for  individuals to
overdesignate their applications as critical or high value. SIRMOs should be
consulted when employees and supervisors need guidance in making a sensitivity
determination.

4.5    USING THE REST OF THIS MANUAL

The next section, Section 5, discusses personnel security. This section needs to be
read by all EPA managers and staff who  have sensitive applications or information.

The remainder of the manual,  Sections 6-8, is organized by information security
objective:

     •  If availability is a security objective, review Section 6.
     •  If integrity is a security objective, review Section 7.
     •  If confidentiality is a security objective, review Section 8.
If more than one security objective is applicable (for example, an application where
both availability and confidentiality are relevant), make sure to read the section
pertaining to each applicable objective.

In  discussing procedural controls, Sections 6-8 reference hardware and software
security products that are available under the PC contract.  Information on products
and prices was current as of December  1989. Because the Agency periodically
updates contract offerings and prices, the reader should consult with his/her PC Site
Coordinator prior to placing an order.

              5.  PERSONNEL SECURITY AND TRAINING
5.1   INTRODUCTION

Given the large number of PC Custodians and users in the Agency, PC security is as
much a people issue as it is a technical  issue.  SIRMOs need to make sure that
cognizant supervisors in their organizations adhere to the following procedures.

5.2   SCREENING AND CLEARANCE

Federal  regulations require clearance  of  all persons involved in the design,
development,  maintenance, and operation of sensitive automated systems and
facilities.  These requirements apply to Federal employees and to the personnel of
agents (including contractors and grantees) of the EPA who have access to sensitive
EPA information.  Determinations of the degree of sensitivity of each position are
accomplished  by the program offices.  The level of screening required should then
vary from minimal  checks to full background investigations,  depending upon the
sensitivity of the information to be handled by the individual in the position and the
potential  risk and magnitude of loss or harm that could be caused by the individual.
The responsibility for the implementation and oversight of the personnel clearance
program  rests with the Office of the Inspector  General (OIG) and the Personnel
Management  Division, and EPA organizations  should consult  with them when
obtaining clearances or designating sensitive positions.

5.3   SEPARATION OF DUTIES

An individual has a harder time concealing errors and irregularities if he/she does
not control  all aspects  of an activity or transaction.  For example,  by separating the
functions of cash handling and bookkeeping, the bookkeeper cannot get to the cash
and the cash register clerk cannot adjust the books to hide cash shortages.

Given the very definition  of personal computing, it is often  impractical to separate
duties. The same individual often collects data, programs the application, tests the
application, enters  data and generates  the reports.  To minimize the potential  for
fraud, abuse, or sabotage, however, these duties should be performed by separate
individuals to the maximum extent practicable.  When it is not possible to have each
duty performed by a  different  individual, try to separate  the following:  (1) data
collection/entry duties from application programming/maintenance duties, and (2)
application programming duties from application testing duties.

In the case of PC-based financial applications (relating to check issuance, funds
transfer, and the like) where misuse could cause loss, separation of duties is
mandatory. For example, the task of preparing payment vouchers must be kept
separate from the task of approving payments.  For such financial applications, other
preventive measures include periodically rotating jobs and asking people to take
vacations of one to two weeks.  Because the perpetrator of a fraud often has to
manipulate accounts on a daily basis to avoid detection, these measures may be a
strong deterrent.

5.4   TERMINATION/SEPARATION

In the event an employee has to be removed or laid off, it is a good idea to rotate the
employee to a non-sensitive position prior to giving the employee notice of the
action.  While this may seem extreme, angry and demoralized employees have been
known to sabotage programs, erase data bases, or plant computer viruses.

Regardless of the type of separation (resignation, removal, etc.), supervisors need to
make sure the following are performed for personnel separating from sensitive
positions:
     •   Change or cancel all passwords, codes, user IDs, and locks associated with
         the separating individual.
     •   Collect all keys, badges, and similar items.
     •   Reconcile any financial accounts over which the employee had control.

The  SIRMO or his/her designate should then certify that these procedures have
been accomplished by signing and dating a short statement that says: "Information
security procedures for separating employee    (name)    have been completed."
These statements should be kept on file for inspection by OIRM or the Office of the
Inspector General.

5.5    TRAINING

OIRM is in the process of coordinating the development of a comprehensive
information security training program for the Agency to supplement the procedures
in this manual.  Details and requirements of the program will be issued under
separate  cover.    These  requirements will  include  mandatory  basic security
awareness training for every employee.  The program will include both information
security  awareness training for all employees and training in  accepted security
practices for those involved in the  management, use, or operation  of sensitive
information. The program will identify and reference, as appropriate, existing training
in the information security area, such as  training  done  by the National Data
Processing Division.

            6.  MAINTAINING INFORMATION AVAILABILITY

6.1   INTRODUCTION

This section sets forth security procedures for owners, users, LAN System
Administrators, and custodians of applications of high-level and medium-level
availability (as determined in Section 4). This section is to be used as follows:

     •   Owners  develop the security specifications  and the  tests needed for
        application certification based on the procedures presented here.

     •   Users make sure they are in compliance with owner security specifications
        based on these procedures.  In  addition, users consult these procedures
        when an owner has designated an  application as sensitive, but has not yet
        identified his/her security specifications.

     •   Custodians and LAN System Administrators  use these procedures to make
        sure that applications can be recovered in the event of a processing disaster
        and can be run elsewhere if necessary.  They also use these procedures to
        develop the information required for the risk analysis outlined in Appendix C.

The remainder of this section describes threats, safeguards, and recovery
procedures related to achieving the objective of maintaining availability. Subsection
6.2 catalogs and describes specific threats to information availability.  Subsections
6.3 and 6.4 specify security measures for medium availability applications and high
availability applications, respectively.  The last subsection describes some steps that
can be taken to recover from a processing disaster.

6.2   THREATS TO APPLICATION AND INFORMATION AVAILABILITY

Specific threats to data availability include:

     •   Theft
     •   Damage to magnetic media
     •   Hardware failure: inability to restart
     •   Hardware failure: failure during use
     •   Accidental data destruction or other operator errors
     •   Sabotage (deliberate data destruction)
     •   Failure of users to back up data and programs.

The threats of theft and damage to magnetic media were addressed in Section 3.
The remaining threats are described below.

6.2.1  Hardware Failure:  Inability To Restart

Because of the generally high reliability of microcomputers, users tend to become
overconfident and do not protect themselves from system failures.

In some cases, microcomputer systems are incapable of being restarted (booted)
because of a hardware failure.

If the inability to start the system is caused by a failure of the hard disk drive and it is
necessary to repair or replace the drive, the data on the drive  will probably be
unavailable even after the system has been repaired.

6.2.2  Hardware Failure: Failure During Use

Although microcomputers do not often break down, the hardware can fail during use
for a variety of reasons.  The most common problem is a disruption or surge of
electric power, but the failure of almost any internal component can cause the
system to crash.

In addition to the problems that may be encountered if the system cannot be booted,
failure during use will result in a disruption of ongoing processing.  If the system
crashes while in use, all data in the volatile, random  access memory (RAM) will be
lost.  In addition, if data files are open at  the time of  the failure,  they may be
corrupted.

6.2.3  Accidental Data Destruction

The most common way that data are accidentally destroyed is by users issuing
incorrect commands. For example, it is possible for users to destroy all of the data
on a disk by inadvertently reformatting it.  This can be especially damaging if the
hard disk is reformatted.  Files can also be inadvertently deleted.  It is also possible
to copy a file on top of an existing file if the name of the existing file is used as the
destination of a copy command.

Data can also be accidentally destroyed by software malfunctions or incompatibility.
A particularly serious potential problem is caused by an incompatibility between
versions 2.x and 3.x of PC/MS DOS. Specifically, if a system containing a 20-megabyte or
larger fixed disk formatted under version 3.x of DOS is booted from a diskette that
contains a 2.x operating system, the File Allocation Table of the hard disk will be
damaged when data are written to the hard disk.  If this happens, it might not be
possible to access data stored on the hard disk.

6.2.4 Sabotage

Data can be deliberately destroyed by malicious  individuals, who may be either
authorized or unauthorized users.  Such destruction can be the result of vandalism
by those outside the office, but it can also be an act by an employee who has been
dismissed or disciplined,  an act by an individual who is hostile to the mission of  an
office, or  an act by an individual hostile to the implementation of a new computer
system. Examples include:
     •  An employee may oppose the implementation of performance monitoring
       software.
     •  An individual may use the data overwriting programs in PC utilities packages
       to erase files or disks.
     •  A dismissed employee may plant a "virus" in an organization's software prior
       to departure.
     •  An individual may feel that the automation of the individual's duties may
       make him or her more expendable.
     •  An individual may believe that the implementation of  a system intended to
       make his or her job easier will actually make  his or her job  more difficult.

6.2.5 Failure to Backup Data and Programs

When  it comes to  regular and systematic backup, it unfortunately  seems that
experience is the best teacher. A user often needs to lose a key file before he/she
realizes the importance of regular backups. Failure to perform regular backups is
probably the most common and the most serious threat to availability.

6.3   PROCEDURES TO MAINTAIN MEDIUM-LEVEL AVAILABILITY

This subsection applies to applications that can be unavailable for a period of only
one-to-five days and/or applications that are of "other high value."

6.3.1  Lock-up Media

To avoid theft, store media in a locked cabinet or room.

6.3.2  Write Protection

Whenever possible, write-protect files and programs to avoid accidental destruction.

6.3.3  Isolated Storage

Isolate the critical/high value application on its own storage media to the extent
possible.  For an application residing on a floppy diskette, this means dedicating the
diskette to the one sensitive application.  For an application residing on a fixed disk,
this could mean  dedicating a separate subdirectory or partition to the software.
Such isolation speeds the backup process (discussed below).

6.3.4  Backups

In general, the most important step to be taken to protect information availability is to
implement a regular schedule of backups.  Backups are performed to provide for
easy recovery from a disaster. If information has been backed up, and if the backup
is safely stored, the information will be recoverable - no matter what happens. Note,
however, that transactions that have occurred since the last backup may have  been
lost and may need to be re-input.

DATA BACKUPS

Each PC user needs to establish a backup loop  to  protect his/her data and files.
The backup loop is a systematic way of creating multiple generations of copies. The
frequency and number of backup generations made  and stored should be a direct
function of the value of the information and the cost of regenerating it. In general, two
to five generations are recommended.   Two examples involving  diskettes are
provided below:
    •  A two-generation scheme for a floppy disk would be performed as follows:
          -   On the first day, the data on the original diskette would be copied to
             Diskette 1.
          -   On the second day, the data on the  original diskette would be copied
            to Diskette 2.
          -  On the third day, the data would be copied to Diskette 1,  writing over
             the backup from the first day.
     •   A five-generation scheme for a fixed disk system  would be performed as
        follows:
          -  On Monday of the first week, the data on the fixed disk would be
             copied to a set of diskettes designated as Set 1.
          -  On Tuesday, the data would be copied to Set 2. Wednesday's backup
             would be copied to Set 3, Thursday's to Set 4, and Friday's to Set 5.
          -  On Monday of the second week, the data would be copied to Set 1,
             writing over the Monday backup from the previous week.

Under a five-generation scheme, the user has a significant level of protection. Even
if the original data and one  or two of the backups were destroyed, only one or two
days of work would  be lost.

The backup  loop does not have to involve diskettes.  As discussed below, tape
backup systems or Bernoulli boxes can be more efficient. Moreover,  if the PC is
connected to a LAN file server or remote host (such as a mainframe computer), the
remote device may  provide  backup protection. Consult the manager of the remote
facility or the LAN System Administrator for information.

Backup copies stored in the general vicinity of the original  data protect against
problems such as a system crash or an accidental erasure of data.  They do not,
however, protect against a threat such as a fire which could affect an entire floor or
building. As  a result, each  month a copy should be taken out of the backup loop
and stored in a physically separate location. This archival copy would probably not
be completely current in the event of a major disaster, but it would have great data
recovery utility. To prevent  archival copies from piling up, the copy that  has been in
archives should replace the one taken out of the backup loop. There may also be
advantages in retaining several generations of the archival copies.
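
The backup loop described above, worked through in code. This is an added example
and not part of the manual: it models the round-robin overwriting of two to five
diskette sets and the monthly removal of one set to off-site storage, then asks how
many working days are lost when the original and the two newest sets are destroyed.
The dates, file contents and set labels are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterator, Optional
import hashlib


@dataclass
class BackupSet:
    """One diskette set (or tape) in the loop. `label` names the slot in the
    loop; `taken` and `digest` describe whatever copy currently sits in it."""
    label: str
    taken: Optional[date] = None
    digest: Optional[str] = None


class BackupLoop:
    """Round-robin loop of `generations` sets plus one off-site archive slot."""

    def __init__(self, generations: int) -> None:
        if generations < 2:
            raise ValueError("the manual recommends two to five generations")
        self.sets = [BackupSet(f"Set {i + 1}") for i in range(generations)]
        self.archive = BackupSet("Off-site archive")
        self._next = 0                       # index of the set to overwrite next
        self._archive_month: Optional[tuple] = None

    def backup(self, today: date, data: bytes) -> BackupSet:
        """Full backup of `data` onto the oldest set, overwriting it."""
        target = self.sets[self._next]
        target.taken = today
        target.digest = hashlib.sha256(data).hexdigest()
        self._next = (self._next + 1) % len(self.sets)
        return target

    def rotate_archive(self, today: date) -> bool:
        """Once per calendar month, take the oldest set out of the loop for
        off-site storage and put the previously archived copy back in its slot.
        That slot is the one overwritten next, so the loop loses nothing current."""
        month = (today.year, today.month)
        if month == self._archive_month:
            return False
        self._archive_month = month
        oldest = self.sets[self._next]
        oldest.taken, self.archive.taken = self.archive.taken, oldest.taken
        oldest.digest, self.archive.digest = self.archive.digest, oldest.digest
        return True

    def newest_surviving(self, lost: set) -> Optional[BackupSet]:
        """Most recent set still readable after the sets named in `lost` are destroyed."""
        survivors = [s for s in self.sets if s.taken and s.label not in lost]
        return max(survivors, key=lambda s: s.taken, default=None)


def weekdays(start: date, count: int) -> Iterator[date]:
    """Yield `count` working days (Monday to Friday) starting at `start`."""
    day = start
    while count:
        if day.weekday() < 5:
            yield day
            count -= 1
        day += timedelta(days=1)


def run_loop(generations: int, start: date, days: int) -> tuple:
    """Back up once per working day for `days` days; return (loop, dates)."""
    loop = BackupLoop(generations)
    dates = list(weekdays(start, days))
    for d in dates:
        loop.rotate_archive(d)
        loop.backup(d, f"ledger as of {d.isoformat()}".encode())  # constructed data
    return loop, dates


def days_lost_after_disaster(lost=frozenset({"Set 4", "Set 5"})) -> int:
    """Five-generation scheme, two working weeks from Monday 4 December 1989
    (constructed). The original and the sets in `lost` are destroyed; return
    the number of working days whose work has to be re-entered."""
    loop, dates = run_loop(5, date(1989, 12, 4), 10)
    newest = loop.newest_surviving(set(lost))
    return sum(1 for d in dates if d > newest.taken)


def archived_copy_date() -> Optional[date]:
    """Run across the December/January boundary and report which day's copy
    is sitting off-site after the first January rotation."""
    loop, _ = run_loop(5, date(1989, 12, 25), 10)
    return loop.archive.taken
```

`days_lost_after_disaster()` returns 2 for the five-generation case described above (only
Set 4 and Set 5 of the second week are gone, so the Wednesday copy is the newest usable
one), and `archived_copy_date()` shows the 25 December copy off-site once the first
backup of January has been made.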

For Headquarters employees,  the WIC is recommended as an off-site location.  The
WIC does charge a fee for  storing backup copies, and participating organizations
execute an Operational Service Agreement for Archiving of PC Software with the
WIC.   If the PC is connected to a remote host or file server, it may be possible to use
the remote device as the off-site location. Consult the manager of the remote facility
or the LAN System Administrator for assistance.

When files get large, users are tempted to employ the incremental backup approach.
An incremental backup focuses only on what has been changed and includes only
those files  that have been modified since the last backup.  The advantage of an
incremental backup is that it can be performed faster than the full backups discussed
above.  The disadvantage of incremental  backups is that no single  backup will
contain all  of the files and data.  If the original files are destroyed or lost, it will be
necessary to reconstruct the  data from the most recent full backup and all of the
incremental backups that have been  performed since.   In addition  to  being
inconvenient, this process of reconstructing  the files is risky. If the last full backup or
any of the incremental backups has anything  wrong with it, it may be impossible to
perform a fully successful recovery.
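
The dependency the paragraph above describes, shown as code. This is an added
example, not from the manual: each backup carries a checksum taken when it was
written, each incremental records which backup it follows, and a restore replays the
chain in order and stops at the first link that fails either check. File names and
contents are constructed.

```python
import hashlib
from typing import Dict, List


def _digest(files: Dict[str, bytes]) -> str:
    """Checksum of a snapshot, taken when the backup is written and re-checked on restore."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + files[name] + b"\0")
    return h.hexdigest()


def take_full(disk: Dict[str, bytes]) -> Dict:
    files = dict(disk)
    return {"kind": "full", "files": files, "digest": _digest(files)}


def take_incremental(disk: Dict[str, bytes], seen: Dict[str, bytes], previous: Dict) -> Dict:
    """Only files changed or added since the state `seen` captured by the previous
    backup; `after` records which backup this one follows. (Deletions are not
    recorded, to keep the model short.)"""
    files = {n: c for n, c in disk.items() if seen.get(n) != c}
    return {"kind": "incr", "after": previous["digest"],
            "files": files, "digest": _digest(files)}


class RestoreError(Exception):
    pass


def restore(chain: List[Dict]) -> Dict[str, bytes]:
    """Replay full + incrementals in order. Every link is verified first; a bad
    or missing link stops the restore, because nothing after it can be trusted."""
    if not chain or chain[0]["kind"] != "full":
        raise RestoreError("chain must begin with a full backup")
    state: Dict[str, bytes] = {}
    for i, b in enumerate(chain):
        if _digest(b["files"]) != b["digest"]:
            raise RestoreError(f"backup #{i} ({b['kind']}) fails its checksum")
        if i and b.get("after") != chain[i - 1]["digest"]:
            raise RestoreError(f"backup #{i} does not follow backup #{i - 1}: a link is missing")
        state.update(b["files"])
    return state


def restore_fails(chain: List[Dict]) -> bool:
    try:
        restore(chain)
        return False
    except RestoreError:
        return True


def demo() -> tuple:
    """(full chain restores exactly, damaged incremental is refused, skipped incremental is refused)"""
    disk = {"LEDGER.DAT": b"balance 100", "NOTES.TXT": b"v1"}      # constructed files
    full = take_full(disk)
    seen = dict(disk)
    disk["LEDGER.DAT"] = b"balance 150"
    inc1 = take_incremental(disk, seen, full)
    seen = dict(disk)
    disk["NOTES.TXT"] = b"v2"
    disk["NEW.TXT"] = b"hello"
    inc2 = take_incremental(disk, seen, inc1)
    damaged_inc1 = {**inc1, "files": {"LEDGER.DAT": b"balance 15"}}  # one byte lost on the diskette
    return (restore([full, inc1, inc2]) == disk,
            restore_fails([full, damaged_inc1, inc2]),
            restore_fails([full, inc2]))
```

The `after` link is what turns "one bad diskette" from a silent wrong restore into a
refused one: without it, restoring `[full, inc2]` would succeed and quietly bring back
the old ledger balance.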

Because of these difficulties, incremental backups are not recommended.  Instead, if
the data files are so large that the backup process fills  about 15 diskettes, consider
using a streaming tape backup system or a  Bernoulli Box.  A streaming tape backup
system is available under the PC contract for about $500.  The Bernoulli Box, which
is available for about $800 (10 megabyte) or about $1200 (20 megabyte)  under the
PC contract, makes backups straightforward and  quick.  It also provides certain
access controls, for example, partitioning  software.  If the PC is also used for
confidential  processing, the box becomes more  cost effective.  In  addition, if
software as well as data are  stored on Bernoulli  disks, and a second PC with a
Bernoulli Box is available, each PC can be a  backup facility for the other.

SOFTWARE BACKUPS

Backups should not be limited to data and files.  End user applications (software
developed or maintained locally) should also be backed up and stored at the off-site
storage facility. Source program files, loadable versions of all software, and required
compiler or interpreter programs should be included.

6.3.5  Continuity of Operations

Backup computing facilities must  be identified for  critical applications and  an
agreement for use  of the backup facility shall be executed. The agreement for the
backup facility should not be an informal and vague  oral agreement,  but instead
must involve  a memorandum  between the  PC custodians identifying all conditions
(for example, the amount of machine time to be made available).

6.4   PROCEDURES TO MAINTAIN HIGH-LEVEL AVAILABILITY

This subsection applies to applications that must be available continuously or within
one day, and/or applications that are of very high value. All of the procedures set
forth in Section 6.3 also apply here. The following additional procedures will be
followed to maintain high-level availability.

6.4.1 Uninterruptible Power

Obtain an Uninterruptible Power Supply (UPS) device to provide virtually complete
surge protection, a filter for line noise, and power in the event of an outage. A UPS is
available for approximately $1100 under the PC contract.

6.4.2 Manual Fallback

Identify and formalize manual data processing procedures to be followed  in the
event of a complete disaster in which the application is made unavailable.

6.4.3 More Frequent Backups

Consider preparing full backups for off-site storage on a weekly or even daily basis.

6.5   SUGGESTIONS FOR  RECOVERING FROM A DISASTER

In the event of a problem or disaster, it is often best to stop using the PC and seek
help from the PC Site Coordinator. The following may then help restore availability:

     •   It may be possible to recover data stored on the undamaged portions of the
        damaged medium using the DOS DEBUG facility or some other hexadecimal
        editor.  This will be a  difficult  task and should only be undertaken by
        individuals with a thorough understanding of their systems.

     •   Commercially available utility packages (such as the Norton Utilities package
        available under the PC contract for about $100) can help in recovering data
        and in unformatting an accidentally formatted disk.

     •   If backups have been made, data and software that is not copy-protected
        can be restored from the backups.  Contact the  manufacturers of copy-
        protected  software  to  investigate  their  policy  for  replacing damaged
        software.

     •   If summary data have been damaged, but detailed records  or other audit
        trails were undamaged, it may be possible to recreate the summary data
        from the detailed records.   In some cases it might  even be possible to
        recreate detailed records if sufficient audit trail information is available.

             7.  PRESERVING INFORMATION INTEGRITY

7.1   INTRODUCTION

This  section sets forth  security procedures for owners,  users,  LAN  System
Administrators,  and  custodians  of applications of high-level and  medium-level
integrity (as determined in Section 4). This section is to be used as follows:
     •  Owners develop the security specifications and the tests needed for
        application certification based on the procedures presented here.
     •  Users make sure they are in compliance with owner security specifications
        based on these procedures.  In addition, users may consult these
        procedures when an owner has designated an application as sensitive, but
        has not yet identified his/her security specifications.
     •  Custodians and LAN System Administrators use these procedures to
        determine what security measures must be in place at their installations to
        maintain integrity.  They also use these procedures to develop the
        information required for the risk analysis outlined in Appendix C.

The remainder  of this section discusses threats to integrity and procedures to
safeguard  and recover  system integrity.   The  next  subsection catalogs  and
describes specific threats to information integrity. Subsections 7.3 and 7.4 specify
security measures for applications of medium-level integrity and high-level integrity,
respectively.  The last subsection describes some steps that can be taken to recover
from data corruption.

7.2   THREATS TO INTEGRITY

7.2.1  Deliberate Distortion of Information: Fraud and Sabotage

Data integrity can be damaged by the deliberate actions of system users or other
individuals with access to the system.  Such damage could be inflicted by a virus.
These actions could be motivated by revenge (for example, by recently disciplined or
reprimanded employees)  or could be intended to perpetrate or cover  up fraudulent
activities, mismanagement, or waste.

Fraudulent activities include embezzlement or any other deception intended to cause
the deprivation of property or some lawful right. Fraud could be intended to prevent
or influence enforcement actions or other operations of the Agency.

7.2.2 Accidental Damage

Accidental damage to  data  integrity results when individuals  inadvertently and
unknowingly modify data, erase files, input  incorrect data, or introduce program
bugs.

Accidental threats  to data integrity overlap with the issues discussed under data
availability. The distinction is based on whether the data distortion is discovered.  If
so, the  distortion would generally be considered to consist of a loss of data and
would,  therefore, represent an  availability problem. When the  damage remains
undetected, decisions may be made or other actions may be taken based upon
incorrect information, resulting in a failure of data integrity.

7.2.3 Other Considerations

In addition to the above, information integrity can also  be affected by flaws in
software applications design and development (for example, incorrect algorithms or
mathematical formulae). A review of all of the system design issues that are relevant
to data  integrity is beyond the scope of this manual.  Instead, the reader is referred
to the three volume set of "EPA System Design and Development Guidance" issued
by OIRM.  This comprehensive set of standards includes  references to  security at
appropriate points  in the software design/development process.  For more  explicit
guidance on designing security into applications, the reader is also referred to
Federal  Information  Processing  Standard (FIPS) PUB 73 and to  the Agency's
"Information Security Manual."  FIPS PUB 73 is available in the Headquarters library
or through the National Technical Information Service (NTIS).

This manual will limit itself to a consideration of threats to data integrity involving
deliberate and accidental actions of users and involving other events that can occur
during system use.

7.3   PROCEDURES TO MAINTAIN MEDIUM-LEVEL INTEGRITY

The  security measures  needed to  ensure  integrity  represent a  mix of those
associated with maintaining availability and those associated with preserving
confidentiality. Availability and confidentiality are almost opposites; backup copies of
a data base made  to enhance availability can aggravate the problem of preventing
the disclosure  of data stored in  the data base.   In a very real  sense,  however,
integrity is the objective in the middle.

Integrity involves elements of the availability objective because if data are corrupted
or partially  destroyed, intact backup copies are essential.  On  the  other hand,
integrity involves elements of the confidentiality objective because preventing fraud
and sabotage is largely a problem of controlling access.

7.3.1   Availability-Related Procedures

Adhere to all of the procedures described in Section 6.3, with the exception of those
associated with continuity of operations.  This will ensure that backups are created.

7.3.2  Confidentiality-Related Procedures

Adhere to  the  access control procedures described in Sections  8.3.2 and 8.3.3.
Also, follow the password management practices outlined in Section 8.3.1.  In
addition, for PCs in a LAN, adhere to the procedures outlined in the following three
paragraphs.

In a LAN, all points can read traffic on the network; in addition, all points have
access to common storage media.  Indeed, the ability to share printers or storage
(file servers) is often a key reason why networks are created.

The LAN System Administrator  is  responsible for  coordinating  the  selection of
security safeguards  for the  network  to  ensure  overall effectiveness.   LANs
sometimes  have security packages available as  part of their operating  systems.
These may be considered in selecting safeguards for the network.

If all  network users  have  access  to all information processed  on the network,
establish a formal list of those authorized users (an administrative control). To the
extent possible, bolster this administrative  control  by keeping each PC on the
network under lock and key when not in use. Require users to provide a password
when logging on to the network.

7.3.3   Audit Trails and User Accountability Tracking

If fraud and sabotage are threats, audit trails and operator tracking should be
incorporated into the application software.  The software should be designed to
automatically insert the operator identifiers into each record based upon a password
supplied during the system sign-on process. Data integrity and user accountability
would be further enhanced if the application software and data base were compiled
and encrypted to prevent the password mechanism from being bypassed.
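
An added example (not the manual's own code) of the record-level accountability that
Section 7.3.3 asks for: the operator identifier written into each record comes from the
sign-on, not from a field the operator fills in. In place of "compiling and encrypting"
the application it goes one step further than the text: every record carries a keyed
message authentication code (HMAC-SHA256) over operator, timestamp and body under a
key the operators do not hold, so a record altered outside the application, or one
whose operator field is changed to blame someone else, is caught on audit. The
operator table, passwords, key and voucher records are all constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sign-on table: operator id -> (salt, PBKDF2 hash). Assumption of
# this example: the table and AUDIT_KEY live outside the data files, where
# operators cannot read or edit them.
OPERATORS = {
    "jdoe": (b"salt-jdoe-demo!!", _pw_hash("correct horse", b"salt-jdoe-demo!!")),
    "asmith": (b"salt-asmith-demo", _pw_hash("battery staple", b"salt-asmith-demo")),
}
AUDIT_KEY = b"constructed-audit-key-held-by-the-owner-not-the-operators"


class Session:
    """Sign-on. The operator id bound to every record is taken from here."""

    def __init__(self, user: str, password: str) -> None:
        entry = OPERATORS.get(user)
        if entry is None or not hmac.compare_digest(entry[1], _pw_hash(password, entry[0])):
            raise PermissionError("sign-on failed")
        self.user = user


def sign_on_succeeds(user: str, password: str) -> bool:
    try:
        Session(user, password)
        return True
    except PermissionError:
        return False


def _mac(user: str, ts: str, body: Dict) -> str:
    """Keyed MAC over a canonical encoding of operator, timestamp and record body."""
    canonical = json.dumps({"op": user, "ts": ts, "body": body},
                           sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, canonical, hashlib.sha256).hexdigest()


def write_record(session: Session, ts: str, body: Dict) -> Dict:
    """Stamp the record with the signed-on operator and its MAC."""
    return {"op": session.user, "ts": ts, "body": body,
            "mac": _mac(session.user, ts, body)}


def audit(records: List[Dict]) -> List[Tuple[int, str, str]]:
    """Recompute each record's MAC. A body changed with a hex editor, or an
    operator field pointed at a colleague, no longer matches and is flagged."""
    verdicts = []
    for i, rec in enumerate(records):
        ok = hmac.compare_digest(_mac(rec["op"], rec["ts"], rec["body"]), rec["mac"])
        verdicts.append((i, rec["op"], "ok" if ok else "TAMPERED"))
    return verdicts


def demo() -> Tuple[List, List]:
    """Audit results for a clean data file and for the same file after off-line editing."""
    s = Session("jdoe", "correct horse")
    records = [write_record(s, "1989-12-15T09:00", {"voucher": 1017, "amount": "250.00"}),
               write_record(s, "1989-12-15T09:05", {"voucher": 1018, "amount": "75.50"})]
    forged = json.loads(json.dumps(records))        # copy of the file as stored on disk
    forged[1]["body"]["amount"] = "7550.00"         # inflated outside the application
    forged[1]["op"] = "asmith"                      # blame shifted to another operator
    return audit(records), audit(forged)
```

The MAC only holds if the key stays out of the operators' reach; an operator who can
read the key can re-sign an edited record, which is the PC-era problem the manual's
"compile and encrypt" advice was aimed at.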


7.4   PROCEDURES TO MAINTAIN HIGH-LEVEL INTEGRITY

All of the procedures set forth in Section 7.3 also apply here.  In addition, the
procedures listed below will be followed.

7.4.1  Uninterruptible Power

Obtain an Uninterruptible Power Supply (UPS) device to provide virtually complete
surge protection, a filter for line noise, and power in the event of an outage. A UPS is
available for about $1100 under the PC contract.

7.4.2  Manual Fallback

Identify and formalize manual procedures to be followed in the event of a complete
disaster.

7.4.3  More Frequent Backups

Consider preparing backups for off-site storage on a weekly or even daily basis.


7.5   SUGGESTIONS FOR RECOVERING FROM A DISASTER

In the event of a problem or disaster it is often best to stop using the machine and
seek help from the PC Site Coordinator.  The following may then help restore
integrity:

    •  It may be possible to recover data stored on the undamaged portions of the
       damaged medium using the DOS DEBUG facility or some other hexadecimal
       editor.  This will be a difficult task and should only be undertaken by
       individuals with a thorough understanding of their systems.

    •  Commercially available utility packages (such as the Norton Utilities package
       available under the PC contract for about $100) can help in recovering data
       and in unformatting an accidentally formatted disk.

    •  If backups have been made, data and software that is not copy-protected
       can be restored  from the backups.  Contact the manufacturers of copy-
       protected  software  to  investigate  their policy  for  replacing damaged
       software.


    •  If summary data have been damaged, but detailed records or other audit
       trails were undamaged, it may be possible to recreate the summary data
       from the detailed records.  In some cases it might even be possible to
       recreate detailed records if sufficient audit trail information is available.

         8.  PRESERVING INFORMATION CONFIDENTIALITY

8.1   INTRODUCTION

This section sets forth security procedures for owners, users, LAN System
Administrators, and custodians of confidential applications and information.  This
section is to be used as follows:

     •  Owners  develop  the security specifications  and the  tests needed for
       application certification based on the procedures presented here.

     •  Users make sure they are in compliance with owner security specifications
        based on these procedures.  In addition, users may consult these
        procedures when an owner has designated an application as sensitive, but
        has not yet identified his/her security specifications.

     •  Custodians use these procedures to determine what security measures
        must be in place to protect the confidential information being stored and
        processed by users of their installations.  They also use these procedures
        to develop the information required for the risk analysis outlined in Appendix
        C.

     •  LAN System Administrators must note (per Section 8.3.3) that no confidential
       data may be loaded on to a LAN or made available  via a LAN  unless
       specifically approved in writing by the Director of OIRM.


The remainder of this section discusses threats to information confidentiality and
procedures for safeguarding against disclosure. The next subsection catalogs and
describes specific threats to confidentiality. Subsections 8.3 and 8.4 specify security
measures for applications of medium-level confidentiality and high-level
confidentiality, respectively.  Features of the processing environment are particularly
important for preserving confidentiality, and are discussed in those subsections as
appropriate.

Unlike Sections 6 and 7, there is no separate discussion here of steps to recover
from a breach of confidentiality.  Once information has been disclosed, there is little
the individual can do to remedy the situation.  Instead, the breach must be reported
to appropriate Agency officials, as described in the Information Security Policy.

8.2   THREATS TO APPLICATION AND INFORMATION CONFIDENTIALITY

Specific threats to information confidentiality are largely problems of access control.
Note that the threats described below apply to confidential information in its various
forms, that is, in the computer, in hard copy, on removable media like diskettes, and
on printer ribbons.

     •  Magnetic media containing confidential data can be accessed by individuals
       from whom the data should be restricted. If the computer is not in a secure
       area, intruders can start the system containing the information  and browse
       information on the fixed disk.  If diskettes containing confidential information
       are not secured, unauthorized individuals can install them  on  a computer
       and browse their contents.

     •  Unauthorized individuals can see data on a computer screen or printout if
       confidential data are processed in an unsecured area or if printouts are not
       protected in storage.

     •  Confidential data can be deciphered from printer ribbons that have been
       used to print confidential reports.

     •  Unauthorized individuals can  access confidential data across a local area
       network or other communications device if confidential data are stored or
       processed on a microcomputer that can be accessed remotely.

     •  Files erased from a magnetic disk  using only the standard DOS "DEL" or
       "ERASF commands  are not actually erased from the computer disk-they
       are only marked for  deletion, and the space on which they are written is
       freed for use by later files.  For this reason, until they have been overwritten,
       they can be "unerased" using commercially available utility programs.

     •  Some software systems use work files that are temporarily  stored on disk.
       Although the systems usually delete these files when they are finished with
       them, the  deleted files may be recoverable  using commercially available
       utility programs. Similarly,  information could be left in the volatile (RAM)
       memory of the computer if the computer is not turned off after confidential
       data have been processed.

     •  Individuals authorized to access confidential information could deliberately
       share printed reports  or magnetic media containing confidential data with
       unauthorized individuals.

8.3   PROCEDURES TO PRESERVE MEDIUM-LEVEL CONFIDENTIALITY


Preserving confidentiality involves controlling access to information and applications.
How easy or difficult it is to control access is highly dependent on the three key
environmental characteristics (single user versus shared, stand-alone versus
communicating, removable versus non-removable media).  The simplest situation
consists of a single user who does stand-alone processing and stores all confidential
information on floppy disks.  When the PC is shared or in a communicating
configuration, the security situation becomes more complicated.

The  procedures that follow are  presented largely  in  terms  of processing
environment.    Following a short subsection  on  controls that  apply  to all
environments, more complicated environments are discussed.  The security controls
required fall into the following categories:

     •   Physical, such as door locks

     •   Administrative, such as lists which specify who is allowed access to a given
         PC

     •   System-Based, such as password protection

     •   Information-Based, that is, rendering information unusable (even if it is
         obtained) through scrambling or encryption techniques.  As an example,
         some commercial software (for example, Lotus 1-2-3 Version 2) contains data
         encryption capabilities.  The Lotus 1-2-3 data encryption capability enables
         users to password-protect their Lotus spreadsheets.  The encrypted
         spreadsheets cannot be accessed without the assigned password, and data
         in them are encoded to prevent the data files from being read through DOS
         functions or other utilities.

It should be noted that EPA organizations with statutory authority for certain types of
confidential information may issue security procedures dealing exclusively with a
particular type of information (for example, TSCA or FIFRA CBI).  Because of
statutory requirements, some of those procedures may be more stringent than those
required here.  EPA employees must make sure that they also adhere to all pertinent
organizational standards and procedures.

8.3.1  Procedures for all Environments

     •   Discourage traffic in the area where the computer is located when it is in use.
        Unauthorized individuals should be kept out of the area so that they cannot
        view data that might appear on the computer screen.

     •   Log off or otherwise inactivate the PC whenever leaving it.

     •   Store hard-copy reports and removable media containing confidential data in
        locked cabinets or rooms.

     •   Printer  ribbons  used to  print  confidential data should  be considered
        confidential as well.   Destroy exhausted ribbons so  that they cannot be
        deciphered by an unauthorized individual.

     •   Be careful when disposing of disks, diskettes, or tapes that contain
         confidential data.  Before these media are thrown away or recycled, they
         must be degaussed, overwritten, or shredded.  (Degaussing erases data
         through demagnetization.)  The WIPEDISK program in the Norton Utilities
         package (available under the PC contract for about $100) destroys all data
         on the disk by overwriting them.

     •   When erasing individual files on diskettes or fixed disks, use an overwriting
         program like WIPEFILE in the Norton Utilities package.  These overwriting
         programs are effective.  Be careful not to erase needed files.

     •   (It should be noted that programs designed to purge and overwrite individual
        files (like WIPEFILE) may only overwrite the most recent generation of a file.
        This  would also destroy previous generations  of  the file  if they were
        physically located in the same disk addresses as the last generation of the
        file.  If the previous generations were located elsewhere on the disk, or if the
        last  generation file is  smaller than  the previous generations, the previous
        generations may not  be entirely overwritten by the  file destruction utility.
        Recovery of these undestroyed fragments, however, would  be extremely
        difficult  and tedious for even the most  knowledgeable intruder, and  it  is
        unlikely that more than small fragments of the sensitive information could be
        recovered.)

     •   If passwords are selected as a control measure (based on the procedural
         guidance below), make sure passwords are selected and handled as
         follows:

          -  Passwords are at least six characters long

          -  Passwords contain at least one alpha and one numeric character

          -  Passwords are not composed of names or similar personal types  of
             information

          -  Passwords are not shared

          -  Passwords are changed at least quarterly

          -  Passwords are not written out and left where an unauthorized person
             could find them

          -  Passwords are not incorporated into automated logon procedures  in
             batch files or application programs  (for example, Crosstalk), and they
             are not defined under function keys.

        Passwords  can  either be  incorporated  into  applications systems  or
        implemented through  add-on  circuit  boards.  While  application-based
        password schemes may prevent  casual intruders,  they usually do not
        prevent the knowledgeable  intruder unless special  steps  are taken (for
        example, encryption).   Knowledgeable intruders may be able to avoid the
        passwords altogether  or may scan application listings to determine the
        password.   For this  reason,  the more sophisticated hardware-based
        password schemes are recommended.   Cylock,  available under the PC
        contract for about $300, is hardware based.
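
The first three password rules above (length, at least one alphabetic and one numeric character, no names or similar personal information), the quarterly change rule and the rule against passwords embedded in batch files can be checked mechanically.  The following Python checker is an added example; it is not part of this manual and not the code of any product the manual names.  The personal terms, the dates and the batch file lines are constructed for the demonstration.

```python
"""Mechanical check of the password rules listed above.  Added example, not part
of this manual or of any product it mentions; personal terms, dates and the
batch file lines are constructed for the demonstration."""
import datetime

MIN_LENGTH = 6
MAX_AGE_DAYS = 92  # "changed at least quarterly": 92 days is the longest quarter

# Constructed dates used for the quarterly-change rule.
LAST_CHANGED = datetime.date(1989, 6, 1)
TODAY = datetime.date(1989, 12, 15)


def check_password(candidate, personal_terms=(), last_changed=None, today=None):
    """Return the list of rules the candidate breaks (an empty list means it passes).

    personal_terms: strings that count as "names or similar personal
    information" for this user (surname, first name, birth year, and so on).
    last_changed / today: datetime.date values for the quarterly-change rule;
    that rule is skipped when last_changed is None.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(ch.isalpha() for ch in candidate):
        problems.append("no alphabetic character")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("no numeric character")
    lowered = candidate.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append("contains personal information (%r)" % term.lower())
    if last_changed is not None:
        today = today or datetime.date.today()
        if (today - last_changed).days > MAX_AGE_DAYS:
            problems.append("not changed in the last quarter")
    return problems


def find_embedded_passwords(script_lines, password):
    """Return the 1-based numbers of script lines (a logon batch file, for
    example) that carry the password literally, which the rules forbid."""
    return [n for n, line in enumerate(script_lines, 1) if password in line]


if __name__ == "__main__":
    print(check_password("abc"))
    print(check_password("tiger42", personal_terms=["Smith", "Tiger"]))
    print(check_password("rk7pq9", last_changed=LAST_CHANGED, today=TODAY))
    # Constructed batch file: the second line embeds the logon password.
    batch = ["@ECHO OFF", "CONNECT HOST1 rk7pq9", "ECHO Connected"]
    print(find_embedded_passwords(batch, "rk7pq9"))
```

The checker covers only the rules that can be tested from the password string and its age; the rules about not sharing passwords and not writing them down remain matters of personal practice and supervision.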

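Two points made earlier, the 8.2 threat that DEL and ERASE only mark a file's space as free, and the note above that a file destruction utility such as WIPEFILE may overwrite only the most recent generation of a file, can be made concrete with a small simulation.  The following Python program is an added illustration; it is not part of this manual and not the code of the Norton Utilities or any other product named here.  The block size, file names and file contents are constructed, and the two write behaviours it models (a new generation written to fresh space first, or reusing the space freed by the old generation) are simplifications of how DOS and application programs allocate disk space.

```python
"""Simulated DOS-style disk.  Added illustration, not part of this manual and
not the code of any utility it names; block size, file names and file contents
are constructed, and the two write behaviours modelled (new generation written
to fresh space first, or reusing the space freed by the old one) are
simplifications of how DOS and application programs allocate space."""

BLOCK_SIZE = 16  # constructed: tiny blocks keep the fragments easy to inspect


class SimDisk:
    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = [True] * n_blocks
        self.directory = {}  # file name -> block numbers (the allocation table)

    def _allocate(self, n):
        idx = [i for i, is_free in enumerate(self.free) if is_free][:n]
        if len(idx) < n:
            raise OSError("disk full")
        return idx

    def write(self, name, data, in_place=False):
        """Store a new generation of `name`.

        in_place=False: the new generation goes to fresh blocks and the old
        blocks are freed afterwards (as when a program writes a temporary file
        and renames it), so the old generation lies elsewhere on the disk.
        in_place=True: the old blocks are freed first, so the new generation
        reuses the lowest-numbered of them.
        """
        if in_place and name in self.directory:
            self.delete(name)
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        idx = self._allocate(len(chunks))
        for i, chunk in zip(idx, chunks):
            self.blocks[i] = chunk.ljust(BLOCK_SIZE, b"\0")
            self.free[i] = False
        if not in_place and name in self.directory:
            self.delete(name)
        self.directory[name] = idx

    def delete(self, name):
        """DEL/ERASE semantics: drop the directory entry and mark the blocks
        free; the bytes stay on the disk until something overwrites them."""
        for i in self.directory.pop(name):
            self.free[i] = True

    def wipe_file(self, name):
        """WIPEFILE-style destruction: overwrite the blocks of the current
        generation, then delete the entry."""
        for i in self.directory[name]:
            self.blocks[i] = bytes(BLOCK_SIZE)
        self.delete(name)

    def wipe_free_space(self):
        """Overwrite every block not allocated to a file; this is what removes
        fragments of earlier generations."""
        for i, is_free in enumerate(self.free):
            if is_free:
                self.blocks[i] = bytes(BLOCK_SIZE)

    def raw_search(self, needle):
        """What a sector-level "unerase" utility sees: every block, allocated
        or not.  Returns the numbers of the blocks that contain the needle."""
        return [i for i, block in enumerate(self.blocks) if needle in block]


def del_leaves_data():
    """DEL alone: the text is still on the disk and findable."""
    disk = SimDisk(8)
    disk.write("REPORT.TXT", b"CONFIDENTIAL: site survey results")  # constructed
    disk.delete("REPORT.TXT")
    return disk.raw_search(b"CONFIDENTIAL")


def wipe_misses_old_generation():
    """A shorter second generation written elsewhere, then wiped: the first
    generation's blocks are untouched until the free space is overwritten."""
    disk = SimDisk(8)
    disk.write("REPORT.TXT", b"CONFIDENTIAL: draft one, longer text here")
    disk.write("REPORT.TXT", b"CONFIDENTIAL: v2")
    disk.wipe_file("REPORT.TXT")
    before = disk.raw_search(b"CONFIDENTIAL")
    disk.wipe_free_space()
    return before, disk.raw_search(b"CONFIDENTIAL")


def wipe_in_place_leaves_tail():
    """The second generation reuses the old first block: wiping it destroys
    that block, but the tail of the longer first generation survives."""
    disk = SimDisk(8)
    disk.write("REPORT.TXT", b"CONFIDENTIAL: draft one, longer text here")
    disk.write("REPORT.TXT", b"CONFIDENTIAL: v2", in_place=True)
    disk.wipe_file("REPORT.TXT")
    return disk.raw_search(b"CONFIDENTIAL"), disk.raw_search(b"longer")


if __name__ == "__main__":
    print("after DEL, blocks still holding the text:", del_leaves_data())
    print("after WIPEFILE with the old generation elsewhere, before/after a "
          "free-space wipe:", wipe_misses_old_generation())
    print("after WIPEFILE in place, marker/fragment blocks:", wipe_in_place_leaves_tail())
```

Running the three scenarios shows the three situations the manual describes: after DEL the text is still present and findable; when the last generation was written to different blocks, wiping it leaves the earlier generation intact; and when the last generation reused the old blocks but was smaller, the tail of the earlier generation survives.  Only overwriting the unallocated space as well, or the whole disk as the manual's WIPEDISK recommendation does before disposal, removes those fragments.
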
8.3.2 Procedures for Stand-Alone Processing

This part applies to PCs that process in isolation and do not communicate with any
other equipment.

CONFIDENTIAL DATA ON REMOVABLE MEDIA ONLY; SINGLE USER OR SHARED
USER PC

Clear the  system of confidential  information after each confidential processing
session.  Power off the unit to clear any volatile memory, that is, random access
memory.

CONFIDENTIAL DATA ON NON-REMOVABLE MEDIA; SINGLE OR SHARED USER
PC

Keep the computer under lock and key when it is not being used, that is, keep it in a
locked cabinet and/or a locked room.

If all users of a shared PC have access to all information processed on the PC,
establish a formal list of those authorized users (an administrative control).  Limit
access to those on this authorized list.  If this is not the case,  users must be
protected from each other via either a password scheme or  encryption. Encryption
software (Datasafe) is available under the PC contract for under $100.

8.3.3  Procedures for Communicating PCs

This section  applies  to  PCs that are  connected  to  other equipment such as
autoanswer modems, other PCs, or resource servers.

AUTOANSWER MODEM; SINGLE USER OR SHARED PC

PCs are sometimes used as host systems. An autoanswer modem allows a person
to use the system remotely. Keep the computer under lock and key when it is not in
use, that is, keep it in a locked room or a locked cabinet.  Use a password scheme
that requires both a traditional user identifier and a password logon process.  Under
no circumstances should users share passwords.

TERMINAL EMULATION

At times, a PC is used as a terminal device to a large host system.  In this situation,
security controls are the responsibility of the host system. The host should control
access and the extent to which data are sent (uploaded) or received (downloaded).
The PC user needs to make sure he/she adheres to all  host-imposed security
requirements. In addition, the PC must never store host telephone numbers, logon
sequences, or passwords in the PC itself.

LOCAL AREA NETWORKS; SINGLE USER OR SHARED PC

No confidential data may be loaded onto a LAN or made available via a LAN unless
specifically approved in writing by the Director of OIRM.

8.4   PROCEDURES TO PRESERVE HIGH-LEVEL CONFIDENTIALITY

The EPA has only one type of information in this category: National Security
Information (NSI).  The amount of NSI possessed by the Agency is extremely small,
and the need to computerize any of it would be very infrequent.

Because of the small quantity of NSI in the Agency and because NSI involves special
security considerations (emanations security and TEMPEST devices), NSI should
not be placed on PCs without the express approval of the Director, OIRM.

                              APPENDIX A
                       INFORMATION SECURITY*

 1.     PURPOSE.   This document establishes a comprehensive, Agency-wide
 security program to safeguard Agency information resources.  This document sets
 forth the Agency's information security policy for both manual and automated
 systems and assigns individual and organizational responsibilities for implementing
 and administering the program.

 2.     SCOPE  AND  APPLICABILITY.    This  document  applies to   all  EPA
 organizations and their employees.  It also applies to the facilities and personnel of
 agents (including  contractors  and grantees) of the  EPA who  are  involved in
 designing, developing, operating or  maintaining Agency information and information
 systems.

 3.     BACKGROUND

       a.     Information is an Agency asset, just as property, funds and personnel
             are Agency assets. The EPA is highly dependent upon its information
             resources to carry out program and administrative functions in a timely,
             efficient and accountable manner.

       b.     The EPA relies on its information collection authority under various
              enabling statutes to fulfill effectively its environmental missions.  The
              willingness of the regulated community and State and local agencies to
              supply requested information in a cooperative and timely fashion
              depends on their confidence that the information will be adequately
              protected.

       c.     The Agency's information resources are exposed to potential loss and
             misuse from a variety of accidental and deliberate causes.   This
             potential loss and misuse can take the form of destruction, disclosure,
             alteration, delay or undesired manipulation. Moreover, the Agency can
             be subject  to acute embarrassment and litigation if certain business or
             personal information is inadvertently or maliciously disclosed.

 *Source: EPA Information Resources Management Policy Manual, Chapter 8.

       d.     As a result, it is essential that an overall program be established to
             preserve and adequately protect the Agency's information resources.
             At the  same time,  it  is equally essential that the program  not
             unnecessarily restrict information sharing with other Federal agencies,
             universities, the public and State and local environmental authorities.
             Such  information  sharing  has historically played a  vital  role in  the
             overall fulfilment of the Agency environmental mission.

       e.     The management, control and responsibility for information resources
             within EPA are decentralized.  Consequently, the management and
             responsibility for  information security are  also  decentralized.   An
             important example of this is the expanding use of personal computers,
             networking, distributed data  bases and telecommunications.  These
             trends  place  new  responsibilities  on  office  managers,  research
             personnel  and  others  not  previously  considered   information
             processing professionals.  The "computer  center" cannot be relied
             upon to protect Agency operations.  Controls must  be implemented
             and maintained where they are most effective.

       f.     In determining responsibilities for information security, it is useful to
             define a framework of owner/custodian/user. Owners are those who
             create or maintain information.  Custodians are typically suppliers of
             information services who possess, store, process and transmit  the
             information.  These roles are  often not discrete; the owner is  often the
             principal custodian and user of the information.

4.     AUTHORITIES

       a.     OMB Circular A-130, Management of Federal Information Resources.

5.     POLICY.  It is  EPA policy to protect adequately sensitive  information and
sensitive applications, maintained in  any medium (e.g., paper, computerized data
bases, etc.), from improper use,  alteration or disclosure, whether accidental  or
deliberate.  Information and applications will be protected  to the extent required by
applicable law and regulation in accordance with the degree of their sensitivity in
order to ensure the cost-effectiveness of the security program.

       a.     Information security measures will be applied judiciously to ensure that
             automated systems operate effectively and accurately and to ensure
             the  continuity of operation of automated  information systems and
             facilities that support critical agency functions.

       b.     As required by OMB Circular No. A-130, all automated installations will
             undergo a periodic risk analysis to  ensure that  appropriate,  cost-
             effective safeguards are in place.  This risk analysis will be conducted
             on new installations,  on existing installations undergoing significant
             change and on existing installations at least every five years.

       c.     Appropriate administrative, physical, and technical safeguards shall be
             incorporated into all new ADP application systems (including PC-based
             applications) and major modifications to existing systems.

       d.     As required by OMB A-130, all new applications will undergo a control
             review leading to formal certification. Existing sensitive applications will
             be recertified every three years.

       e.     Access to sensitive personnel information and employment
              applications will be limited to appropriate personnel in accordance with
              procedures established by the Office of Personnel Management and
              monitored by the EPA Office of the Inspector General.

       f.      Appropriate  ADP   security  requirements  will be  incorporated into
             specifications for the acquisition of ADP related services and products.

       g.     An  information  security awareness  and training program  will be
             established so that all Agency and contractor personnel are aware of
             their information security responsibilities.

       h.     Information security must be a major factor in evaluating the use of
             microcomputers.   Microcomputer  systems software  is  typically
             rudimentary  and affords little or no  protection to  information and
             programs.   Consequently, networked  microcomputers, the ability to
             download data from larger, protected computers onto microcomputers
             and microcomputer data processing  generally present problems in
             information security (for  example, problems of  access control  or
              control over the dissemination of information).  All EPA employees and
              managers must be aware of the information security implications of
             storing  and  processing sensitive  information on  microcomputers,
             whether networked or stand-alone.

      i.      Therefore, it is EPA policy to discourage the use of microcomputers for
             storing  or  processing  sensitive information, unless cognizant EPA
             employees and managers have made sure that adequate information
             security measures are in use. If adequate information security cannot
             be maintained, an alternative system configuration must be used.

       j.     Information security violations will be promptly reported to appropriate
              officials, including the Inspector General.

6.    RESPONSIBILITIES

      a.    The Office of Information Resources Management is responsible for:

            (1)   Developing  and  issuing  an  information  security  policy  in
                  accordance with all applicable Federal laws, regulations, and
                  executive orders.

            (2)   Ensuring that all Agency organizational units are in compliance
                  with the information security program.

            (3)   Establishing training criteria and coordinating the development
                  of an information security training and awareness program.

            (4)   Providing guidance on selecting and implementing safeguards.

            (5)   Participating as it deems  appropriate,  in  management and
                  internal  control reviews  conducted  by the  Office  of the
                  Comptroller to ensure compliance with the information security
                  program.

      b.    Each "Primary Organization Head" (defined by EPA Order 1000.24 as
            the  Deputy  Administrator,  Assistant   Administrators,  Regional
            Administrators, the Inspector General and the General Counsel)  is
            responsible for:

             (1)    Ensuring that sensitive information and applications within the
                   organization are adequately protected.

             (2)    Establishing  an  organization-wide  program  for  information
                   security  consistent with  organizational  mission and Agency
                   policy, including assigning responsibility for the security of each
                   installation  to  a  management  official(s)  knowledgeable  in
                   information technology and security.

              (3)    Assuring annually the Assistant Administrator for Administration
                    and Resources Management that organizational information
                    resources are adequately protected.  This will be done as part of
                    the internal control review process required under OMB Circular
                    No. A-123 (revised) and implemented under EPA Order
                    1000.24.

             (4)    Making  sure that  all  automated installations  within  the
                   organization undergo a periodic "risk analysis" to ensure that
                   appropriate, cost-effective safeguards are in place.

             (5)    Ensuring the continuity of operations of automated information
                   systems and facilities that support critical functions.

             (6)    Making sure that appropriate safeguards are incorporated into
                   all  new  organizational  application  systems  and   major
                   modifications to existing  systems, that all  new organizational
                   applications undergo an information security review leading to
                   formal certification and that  existing sensitive applications are
                   recertified every three years.

              (7)    Making sure that Federal employees and contractor personnel
                    understand their security responsibilities and that organizational
                    security regulations are properly distributed.

             (8)    Making sure that  all organizational procurements  of ADP
                   equipment, software and services incorporate adequate security
                   provisions.

       c.     The Director, Facilities Management and Services Division, is
              responsible for:

             (1)    Establishing and implementing  physical  security standards,
                   guidelines and procedures in accordance with EPA information
                   security policy.

              (2)    Establishing and implementing standards and procedures for
                    National Security Information in accordance with EPA
                    information security policy and all applicable Federal laws,
                    regulations and executive orders.

       d.     The Procurement and Contracts Management Division and the Grants
             Administration Division are responsible for:

             (1)    Ensuring that Agency grant and contract policies, solicitations
                   and  award documents  contain provisions concerning  the
                   information security responsibilities of contractors and grantees
                   that have been promulgated by OIRM.

             (2)    Establishing  procedures  to ensure  that  contractors  and
                   grantees  are  in  compliance with  their information  security
                   responsibilities.  Project Officers are responsible  for ensuring
                   contractor compliance with security requirements  on individual
                   contracts. Violations shall be reported to the contracting officer,
                   Inspector  General and appropriate OIRM  official.   Specific
                   violations  involving National Security  Information  shall  be
                   reported to the Director, FMSD and the Contracting Officer.

       e.     The Office of the Inspector General is responsible for:

              (1)    Establishing and implementing personnel security standards,
                    guidelines and procedures in accordance with EPA information
                    security policy and all applicable Federal laws and regulations.

              (2)    Conducting or arranging investigations of known or suspected
                    personnel security violations as it deems appropriate.

       f.      The Office of the Comptroller is responsible for:

             (1)    Allowing OIRM to review written internal control reports so that
                   OIRM is aware of the status of information security weaknesses.

       g.     Each EPA Manager and Supervisor is responsible for:

              (1)    Making sure their employees are knowledgeable of their
                    information security responsibilities.

             (2)    Ensuring that  their  employees adhere  to  the  organizational
                   information security program  established  by the applicable
                   Primary Organization Head.

       h.     Each EPA Employee, Contractor and Grantee is responsible for:

             (1)    Complying fully with his/her information security responsibilities.

             (2)    Limiting his/her access only to information and systems he/she
                   is authorized to see and use.

             (3)    Adhering to all Agency and organizational information security
                   policies, standards and procedures.

             (4)    Reporting information security violations to appropriate officials.
                   Violations involving National Security  Information shall also be
                   reported to the Director, FMSD.

7.     DEFINITIONS.

       a.     "Applications  Security"  means the set of controls that makes an
             information system perform in an accurate and reliable manner, only
             those functions it was designed  to  perform.   The set of controls
             includes the following: programming, access, source document, input
             data, processing storage, output and audit trail.

       b.     "Confidential Business Information" includes trade secrets, proprietary,
             commercial/financial information, and other information that is afforded
             protection from disclosure under certain circumstances as described in
             statutes administered by the Agency. Business information is entitled
              to confidential treatment if:  (1) business asserts a confidentiality claim,
             (2) business  shows it has taken its own measures  to  protect the
             information,  (3)  the  information is not  publicly available  or (4)
             disclosure is not required by statute and the disclosure would either
             cause  competitive harm or impair the Agency's ability to obtain
             necessary information in the future.

      c.     "Information" means any communication or reception of knowledge
             such as facts,  data or opinions,  including numerical, graphic,  or
             narrative forms, whether oral or maintained in any medium,  including
             computerized data bases (e.g., floppy  disk and  hard disk), papers,
             microform (microfiche or microfilm), or magnetic tape.

      d.     "Information Security" encompasses three different "types" of security:
             applications security, installation security and personnel security.  In
             total, information security involves the precautions taken to protect the
             confidentiality, integrity and availability of information.

      e.     "Information System"  means the organized collection, processing,
             transmission and  dissemination  of  information in accordance with
             defined procedures, whether automated or manual.

      f.      "Installation" means the physical location of one or more  information
             systems, whether automated or  manual.  An automated installation
             consists of one  or more  computer or office automation  systems
             including related peripheral and storage units, central processing units,
             telecommunications  and operating  and support system software.
             Automated installations  may range in size  from large  centralized
             computer centers to stand-alone personal computers.

      g.     "Installation Security" includes the use of locks,  badges  and similar
             measures  to  control access to  the installation  and  the measures
             required for the protection of the structure housing the installation from
            accident, fire and environmental  hazards.  In addition to the above
            physical security measures, installation security also involves ensuring
            continuity of operations through disaster planning.

       h.     "National Security Information" means information that is classified as
             Top  Secret, Secret, or Confidential under Executive Order 12356 or
             predecessor orders.

       i.     "Personnel Security" involves making a determination of an applicant's
             or employee's loyalty and trustworthiness by ensuring that personnel
             investigations are completed commensurate with position sensitivity
             definitions  according to the degree  and level of access to  sensitive
             information.

       j.     "Privacy" is the right of an individual to control the collection, storage
             and  dissemination of information about himself/herself to avoid the
             potential for substantial  harm, embarrassment, inconvenience or
             unfairness.

       k.     "Risk Analysis"  is a means of measuring and assessing the relative
             vulnerabilities and threats to a  collection of sensitive data and the
             people, systems and  installations involved in storing and  processing
             that data.  Its purpose is to determine how security measures can be
             effectively applied to minimize potential loss.  Risk analyses may vary
             from an informal, quantitative  review of a microcomputer installation to
             a formal, fully quantified review of a major computer center.

       l.     "Sensitive Information" means information that requires protection due
             to the  risk and magnitude of  loss  or  harm that could result  from
             inadvertent or deliberate disclosure, alteration  or destruction of the
             information.   For  the  purposes  of this  program, information  is
             categorized as  being either sensitive  or not  sensitive.   Because
             sensitivity is a matter of degree, certain sensitive information is further
             defined as being "highly" sensitive.

             Highly Sensitive:      This is information whose loss would seriously
                                  affect the Agency's ability to function, threaten
                                  the national  security  or jeopardize human life
                                  and welfare.   Specifically,  information of this
                                  type includes National  Security Information,
                                  information  critical to the performance  of  a
                                   primary Agency mission, information that is life
                                   critical and financial information related to
                                  check issuance, funds  transfer and  similar
                                  asset accounting/control functions.

             Other Sensitive:       This is information whose loss would acutely
                                  embarrass the Agency, subject the Agency to
                                  litigation or impair the long-run ability of the
                                  Agency to fulfill its mission.  Information of this
                                  type   includes   Privacy  Act   information,
                                  Confidential      Business       Information,
                                  enforcement     confidential     information,
                                  information  that the Freedom  of Information
                                  Act exempts from disclosure, budgetary data
                                  prior to release by OMB and  information of
                                  high value  to  the  Agency  or a  particular
                                  organization (see below).

              The sensitivity, if any, of all other information shall be determined by the
              organizational owner of the information.  While a precise set of criteria
              for determining the sensitivity of this other information cannot be
              provided, the cost of replacing the information and the problems that
              would result from doing without the information are primary factors to
              consider in determining sensitivity.

      m.    "Sensitive Applications (or Systems)" are applications which process
             highly sensitive or sensitive information or are applications that require
             protection because of the loss or harm which  could result from the
             improper operation or deliberate manipulation of the application itself.
             Automated  decision-making  applications are highly sensitive  if  the
             wrong automated decision could cause serious loss.

8.    PROCEDURES AND GUIDELINES.  Standards, procedures and guidelines for
the Agency information security program will be identified and issued under separate
cover in the "Information Security Manual."  This manual will identify and reference,
as appropriate, existing procedures in the information security area, such as the
"Privacy Act Manual," the "National Security Information Security Handbook," and
Confidential Business Information manuals like the "TSCA Security Manual."


9.     PENALTIES FOR UNAUTHORIZED DISCLOSURE OF INFORMATION.

       a.     EPA employees are subject to appropriate penalties if they knowingly,
             willfully or negligently disclose sensitive  information to  unauthorized
             persons.   Penalties may include, but are not limited to, a letter of
             warning, a letter of reprimand, suspension without pay, dismissal, loss
             or denial of access to sensitive information (including National Security
             Information), or other penalties in accordance with applicable law and
             Agency rules  and regulations, which can include criminal  or civil
             penalties.  Each case will be handled on  an individual basis with a full
             review of all the pertinent facts. The severity of the security violation or
             the pattern of violation will determine the action taken.

       b.     Non-EPA personnel who knowingly, willfully or negligently disclose
             sensitive  information to  unauthorized persons  will  be  subject  to
             appropriate laws and sanctions.

                               APPENDIX B
                  APPLICATION RISK ANALYSIS AND
                    APPLICATION CERTIFICATION

A.     THE CERTIFICATION PROCESS

Owners  should review Section 2.4, which  contains  information  on combining
applications for certification  purposes,  before  proceeding with this Appendix.
Owners should also note that in working through this Appendix a qualitative risk
analysis is performed, that is, relative vulnerabilities and threats are assessed and
safeguards are specified.

1.    New Applications

Each new sensitive application must undergo initial certification, and then
recertification every three years.  This certification must take place prior to the
application being put into use or production.  For sensitive PC applications, the
certification or recertification will begin with the application owner's completion of the
Certification Worksheet, Exhibit B-1.  The form and specific instructions for
completing it are described below.  The Certifying Official, PC Site Coordinator, and
PC custodian will be available to answer owner questions on an as-needed basis.

After completing the worksheet, the owner  will forward it to his/her immediate
supervisor for review.  The supervisor will review the worksheet for completeness
and then forward it to the designated Certifying Official.

The Certifying Official will either certify that the application is adequately safeguarded
or deny certification by marking the appropriate box on the worksheet and returning
it to the supervisor.  A Certifying Official may conclude that safeguards are adequate
if the application is protected in accordance with the procedures  set forth in Sections
6-8 of this manual.  When certifying the application,  the Certifying Official must mark
the appropriate box on the worksheet and sign the  one-page certification statement
shown as Exhibit B-2. These documents must be retained on file for inspection by
OIRM, auditors, or the Office of the Inspector General.

Recertification  of the operational application should be based on reviews or audits
that test and evaluate the adequacy of implemented  safeguards and that identify any
                           EXHIBIT B-1
             CERTIFICATION WORKSHEET AND EXAMPLE
SENSITIVE APPLICATION CERTIFICATION WORKSHEET

1. APPLICATION TITLE
   RCRA Settlement Offers

2. OWNER
   Ima Safe
   OSWER, OSW

3. TYPE(S) OF INFORMATION
   Enforcement confidential; high value

4. SENSITIVITY LEVEL & OBJECTIVE
   Confidential:  Medium Level
   Availability:  Medium Level

5. PROCESSING ENVIRONMENT
   Standalone; non-removable and removable media; shared user;
   Room 1123, West Tower, Washington, D.C.

6. DESCRIPTION
   Database application that tracks settlement offers by case.  All users
   of PC may see confidential data.

7. SECURITY SPECIFICATIONS/REQUIREMENTS
   a. Controls to Maintain Availability
      - Back-up database to diskettes in accordance with the procedures manual.
      - Identify backup computing facility.
   b. Controls to Maintain Integrity
      (Minimal controls only)
   c. Controls to Maintain Confidentiality
      - Keep PC and removable media in a locked room.
      - Establish a formal list of authorized users.

8. EVIDENCE OF ADEQUACY/DESIGN REVIEW
   - Check to make sure door lock installed.
   - Check to see that formal list of authorized users created.
   - Are backups created by user?
   - Memorandum outlining agreement for backup facility.

9. TEST SCENARIO AND RESULTS
   - Lock installed on 6-15-89.
   - List developed on 6-5-89.
   - Local backups kept in adjacent office; archival backup stored in Crystal City.
   - Memorandum with PC custodian in same branch executed 6-15-89.

10. [X] CERTIFIED      [ ] NOT CERTIFIED


                               EXHIBIT B-2

                       CERTIFICATION STATEMENT
 I have carefully examined the information presented on the Certification Worksheet
 for ______(application name)______, dated __________.  Based on my authority and
 judgement, and weighing any remaining risks against operational requirements, I
 authorize continued operation of ______(application name)______ under the
 restrictions/conditions listed below.

             (List any Restrictions and Special Conditions or enter "None")

                                          ____________________________
                                          (Signature and Date)

new  vulnerabilities.   These reviews  or  audits  should be  considered  part  of
vulnerability assessments and internal control reviews conducted in accordance with
OMB Circular No. A-123.

2.    Existing Applications

Each existing  sensitive  application  must  also  undergo initial  certification (and
recertification every three years) in accordance with all of the instructions above.
However, to avoid overwhelming organizations, initial certification may take place on
a phased basis over the next two years. All initial certifications of existing systems
should be complete by the end of FY 1991.  More sensitive applications (as  defined
in Section 4) need to be certified first and as expeditiously as possible (by the end of
1990). Because of their overall organizational knowledge, SIRMOs may be able to
quickly prioritize applications for certification.

B.    THE CERTIFICATION WORKSHEET

The certification worksheet should be completed by the application owner as follows.
The numbers below  correspond  to the numbered blocks on the worksheet.  The
worksheet has been filled in to provide an example of what is expected.

    1. Application Title:  Provide the name of the information system or application.

    2. Owner:  List the application owner and organization.

    3. Type of Information:  Indicate the type of sensitive information (for example,
       CBI or high value) in terms of Section 4 of this manual.

    4. Sensitivity Level and Objective:  Provide  the relevant security objective (for
       example, availability) and the associated sensitivity level (for example, high
       level).

    5. Processing Environment:  Describe the processing environment in terms of
       shared  versus single user  PC,  removable versus non-removable storage
       media,  and  standalone  processing  versus  communicating  with  other
       equipment.   Also  indicate the  physical  and  geographic location  of the
       system.

    6.  Description: Provide a brief functional description of the application.


    7(a)-(c).      Security Specifications/Requirements:   Express  the needed
        availability,  integrity, and/or confidentiality security controls  in  terms of
        Sections 6-8 of this manual.

    8.  Evidence of Adequacy/Design Review: Indicate how the owner will ensure
        that the security specifications are being implemented.

    9.  Test Scenario  and  Results:    Describe how  the  owner  will satisfy
        himself/herself that the safeguards work  or that the procedures are being
        followed.

    10.  Certification:  Blocks to be checked by the Certifying Official as appropriate.

The application owner should note that the worksheet could also be used as a set of
security procedures for the application's users. In other words, the worksheet can
be used  to communicate  the sensitivity of the application  and  the  security
procedures to the user.

                              APPENDIX C
                    INSTALLATION RISK ANALYSIS

A.    BACKGROUND

A risk analysis is a means of measuring and assessing the relative vulnerabilities and
threats to an installation.  Its purpose is to determine how security safeguards can be
effectively applied to minimize potential loss.  In everyday terms, risk analysis is
simply a procedure for identifying what could go wrong, how likely it is that things
could go wrong, and what can be done to prevent them from going wrong.

Risk analyses may vary from an informal, qualitative review of a microcomputer or
minicomputer installation, to a formal, fully quantified review of a major computer
center.  For all Agency installations, including PCs, a qualitative approach may  be
used.

B.    APPLICABILITY AND REQUIRED SCHEDULE

All Agency PCs are required to undergo a risk analysis.  A risk analysis shall be
performed:
    •  At the time the equipment is installed.
    •  Whenever a significant change occurs to the installation.  Significant
       changes include:
          -  Physically moving the equipment to another location
          -  Going from a single user to multiple users, or vice versa
          -  Altering the communication configuration, for example, adding a dial-
             up capability or becoming part of a LAN.
    •  At least every five years, if no significant change to the installation
       necessitating an earlier analysis has occurred.  Existing PCs that have not
       undergone a risk analysis during the last five years must undergo one by the
       end of 1990.
                            EXHIBIT C-1

              RISK ANALYSIS WORKSHEET AND EXAMPLE
1. PC LOCATION
   Room 1123, West Tower
   Washington, DC
   OSW

2. CUSTODIAN & EQUIPMENT TYPE
   R.U. Secure
   IBM PC/AT

3. TYPE(S) OF INFORMATION
   Enforcement confidential; high value

4. NUMBER OF SENSITIVE APPLICATIONS
   1

5. PROCESSING ENVIRONMENT
   Standalone; non-removable and removable media; shared user

6. SENSITIVITY LEVEL & OBJECTIVE
   Confidential:  Medium Level
   Availability:  Medium Level

7. CONTROLS TO MAINTAIN AVAILABILITY
   • Remind users to backup data in accordance with the procedures manual.
   • Execute a memorandum with another PC custodian outlining agreement
     for backup computing.

8. CONTROLS TO PRESERVE INTEGRITY
   (Minimal controls only.)

9. CONTROLS TO PRESERVE CONFIDENTIALITY
   • Install a door lock.
   • Make sure application owner has established a list of authorized users.

10. COMMENTS
   The procedures for all environments described in Section 8.3.1 have been
   implemented, except those related to passwords.

11. MINIMAL CONTROLS IN PLACE?
   [x] YES      [ ] NO

C.    RISK ANALYSIS WORKSHEET

To perform the qualitative risk analysis  required by this manual, the PC custodian
should complete the worksheet shown as Exhibit C-1 as follows.  The numbers
below correspond to the numbered blocks on the worksheet.  The worksheet has
been filled in for a hypothetical PC to provide an example of what is expected. Note
that the example involves the same application as that presented in Appendix B in
order to  highlight the differences  in  security  perspective between owner  and
custodian.

     1.  PC Location:  Provide the physical and geographic location and the
         organization for the PC.

     2.  Custodian and  Equipment Type:  List the person to whom the PC is
         assigned and the type of equipment.

     3.  Type of Information: Indicate the type of sensitive information (for example,
         CBI or high value) in terms of Section 4 of this manual. If the installation
         does not process any sensitive information, the risk analysis is at an end
         and  only the  minimal controls  set forth  in  Section  3  need  to be
         implemented.

     4.  Number  of Sensitive Applications:   Indicate the number of  sensitive
         applications processed on the PC.

     5.  Processing Environment: Describe the processing environment in terms of
         shared versus single user PC, removable  versus non-removable storage
         media, and  stand-alone  processing  versus  communicating  with other
         equipment.

     6.  Sensitivity Level and Objective:  Provide the relevant security objective (for
         example, availability) and the associated sensitivity level (for example,  high
         level).

     7.   Controls to Maintain Availability: Express the needed availability controls in
         terms of Section 6 of this manual.

     8.   Controls to Preserve Integrity:  Express the needed integrity controls in
         terms of Section 7 of this manual.

     9.   Controls to Preserve Confidentiality:  Express the needed confidentiality
          controls in terms of Section 8 of this manual.

     10.  Comments:  Self-explanatory.

     11.  Minimal Controls in Place:  Indicate whether or not the minimal physical
          and environmental controls described in Section 3 are in place.

D.    QUANTITATIVE RISK ANALYSIS

Detailed instructions for performing a quantitative risk analysis are contained in the
Agency's "Information Security Manual."

In essence, a quantitative risk analysis is an exercise in cost/benefit analysis.
Specifically, it involves the following steps:
     •  Identify the asset to be protected (equipment, application, data, etc.).
     •  Determine the threats to the asset:
          -  Natural, such as flood or earthquake
          -  Man-made, such as fraud or accidental error
     •  Determine the probability the threat will be realized and the dollar loss
        (replacement cost, damages, etc.) if the threat is realized.  Multiply the
        two numbers to obtain the annual loss expectancy (ALE).
     •  Calculate the cost of security safeguards.
     •  Compare the cost of safeguards with the ALE, and implement those controls
        that are cost-effective.

A simple example involving protecting a database from fire follows:
     •  Asset is a database with a replacement cost of $20,000.
     •  Threat is fire.
     •  Rate of occurrence of fire is once every 50 years.
     •  Annual probability of fire is 2%.
     •  Annual Loss Expectancy is $400 (.02 x $20,000).
     •  Cost of safeguard (fire extinguisher) is $100 with a life of 5 years, or
        $20/year.
     •  Obtain the fire extinguisher because it is cost-effective ($20 versus $400).
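The ALE comparison above, carried through in code as an added example that is not part of the manual: it reproduces the fire/extinguisher figures and generalizes the manual's implicit assumption that a safeguard eliminates the loss entirely by adding a `residual_loss_fraction` (an assumption of this example, not of the manual); the second "door lock" case is constructed and hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    """One threat to one asset, as in Appendix C.D: rate of occurrence and loss per event."""
    name: str
    years_between_events: float  # e.g. 50.0 for "once every 50 years"
    loss_per_event: float        # replacement cost, damages, etc., in dollars

    def annual_probability(self) -> float:
        return 1.0 / self.years_between_events

    def annual_loss_expectancy(self) -> float:
        # ALE = annual probability x dollar loss per event
        return self.annual_probability() * self.loss_per_event

@dataclass(frozen=True)
class Safeguard:
    """A control whose purchase cost is spread evenly over its useful life."""
    name: str
    purchase_cost: float
    life_years: float
    # Assumption not in the manual: the fraction of the loss that still occurs with the
    # safeguard in place (0.0 matches the manual's example, where the control is fully effective).
    residual_loss_fraction: float = 0.0

    def annual_cost(self) -> float:
        return self.purchase_cost / self.life_years

def evaluate(threat: Threat, safeguard: Safeguard) -> dict:
    """Compare the annualised safeguard cost with the ALE reduction it buys."""
    ale_before = threat.annual_loss_expectancy()
    ale_after = ale_before * safeguard.residual_loss_fraction
    reduction = ale_before - ale_after
    cost = safeguard.annual_cost()
    return {
        "threat": threat.name,
        "safeguard": safeguard.name,
        "ale_before": round(ale_before, 2),
        "ale_after": round(ale_after, 2),
        "annual_cost": round(cost, 2),
        "net_benefit": round(reduction - cost, 2),
        "cost_effective": reduction > cost,
    }

def recommend(candidates: list[tuple[Threat, Safeguard]]) -> list[str]:
    """Names of the safeguards worth implementing: ALE reduction exceeds annual cost."""
    return [r["safeguard"] for r in (evaluate(t, s) for t, s in candidates) if r["cost_effective"]]

# Figures from the manual's worked example: $20,000 database, fire once every 50 years,
# $100 extinguisher with a 5-year life.
FIRE = Threat("fire", years_between_events=50.0, loss_per_event=20_000.0)
EXTINGUISHER = Safeguard("fire extinguisher", purchase_cost=100.0, life_years=5.0)

# Constructed, hypothetical second case: a lock that halves theft losses but costs $300/year,
# more than the $200/year of ALE it removes, so it is rejected.
THEFT = Threat("theft", years_between_events=10.0, loss_per_event=4_000.0)
DOOR_LOCK = Safeguard("door lock", purchase_cost=3_000.0, life_years=10.0, residual_loss_fraction=0.5)
```

Running `recommend([(FIRE, EXTINGUISHER), (THEFT, DOOR_LOCK)])` returns only the extinguisher, matching the manual's $20-versus-$400 conclusion.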