- CSRC Home
- About CSD
- Projects / Research
- news & events
This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.1
The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. General references are provided at the end of this chapter, and references of "how-to" books and articles are provided at the end of each chapter in Parts II, III and IV.
The purpose of this handbook is not to specify requirements but, rather, to discuss the benefits of various computer security controls and situations in which their application may be appropriate. Some requirements for federal systems2 are noted in the text. This document provides advice and guidance; no penalties are stipulated.
The handbook was written primarily for those who have computer security responsibilities and need assistance understanding basic concepts and techniques. Within the federal government,3 this includes those who have computer security responsibilities for sensitive systems.
For the most part, the concepts presented in the handbook are also applicable to the private sector.4 While there are differences between federal and private-sector computing, especially in terms of priorities and legal constraints, the underlying principles of computer security and the available safeguards -- managerial, operational, and technical -- are the same. The handbook is therefore useful to anyone who needs to learn the basics of computer security or wants a broad overview of the subject. However, it is probably too detailed to be employed as a user awareness guide, and is not intended to be used as an audit guide.
Definition of Sensitive Information
Many people think that sensitive information only requires protection from unauthorized disclosure. However, the Computer Security Act provides a much broader definition of the term "sensitive" information.
any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.
The above definition can be contrasted with the long-standing confidentiality-based information classification system for national security information (i.e., CONFIDENTIAL, SECRET, and TOP SECRET). This system is based only upon the need to protect classified information from unauthorized disclosure; the U.S. Government does not have a similar system for unclassified information. No governmentwide schemes (for either classified or unclassified information) exist which are based on the need to protect the integrity or availability of information.
The first section of the handbook contains background and overview material, briefly discusses of threats, and explains the roles and responsibilities of individuals and organizations involved in computer security. It explains the executive principles of computer security that are used throughout the handbook. For example, one important principle that is repeatedly stressed is that only security measures that are cost-effective should be implemented. A familiarity with the principles is fundamental to understanding the handbook's philosophical approach to the issue of security.
The next three major sections deal with security controls: Management Controls5(II), Operational Controls (III), and Technical Controls (IV). Most controls cross the boundaries between management, operational, and technical. Each chapter in the three sections provides a basic explanation of the control; approaches to implementing the control, some cost considerations in selecting, implementing, and using the control; and selected interdependencies that may exist with other controls. Each chapter in this portion of the handbook also provides references that may be useful in actual implementation.
Finally, an example is presented to aid the reader in correlating some of the major topics discussed in the handbook. It describes a hypothetical system and discusses some of the controls that have been implemented to protect it. This section helps the reader better understand the decisions that must be made in securing a system, and illustrates the interrelationships among controls.
To understand the rest of the handbook, the reader must be familiar with the following key terms and definitions as used in this handbook. In the handbook, the terms computers and computer systems are used to refer to the entire spectrum of information technology, including application and support systems. Other key terms include:
Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Integrity: In lay usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two facets: data integrity and system integrity. "Data integrity is a requirement that information and programs are changed only in a specified and authorized manner."6 System integrity is a requirement that a system "performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system."7 The definition of integrity has been, and continues to be, the subject of much debate among computer security experts.
Availability: A "requirement intended to assure that systems work promptly and service is not denied to authorized users."8
Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.
Location of Selected Security Topics
Because this handbook is structured to focus on computer security controls, there may be several security topics that the reader may have trouble locating. For example, no separate section is devoted to mainframe or personal computer security, since the controls discussed in the handbook can be applied (albeit in different ways) to various processing platforms and systems. The following may help the reader locate areas of interest not readily found in the table of contents:
The executive principles discussed in the next chapter explain the need for computer security. In addition, within the federal government, a number of laws and regulations mandate that agencies protect their computers, the information they process, and related technology resources (e.g., telecommunications).9The most important are listed below.
Note that many more specific requirements, many of which are agency specific, also exist.
Federal managers are responsible for familiarity and compliance with applicable legal requirements. However, laws and regulations do not normally provide detailed instructions for protecting computer-related assets. Instead, they specify requirements -- such as restricting the availability of personal data to authorized users. This handbook aids the reader in developing an effective, overall security approach and in selecting cost-effective controls to meet such requirements.
Auerbach Publishers (a division of Warren Gorham & Lamont). Data Security Management. Boston, MA. 1995.
British Standards Institute. A Code of Practice for Information Security Management, 1993.
Caelli, William, Dennis Longley, and Michael Shain. Information Security Handbook. New York, NY: Stockton Press, 1991.
Fites, P., and M. Kratz. Information Systems Security: A Practitioner's Reference. New York, NY: Van Nostrand Reinhold, 1993.
Garfinkel, S., and G. Spafford. Practical UNIX Security. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.
Institute of Internal Auditors Research Foundation. System Auditability and Control Report. Altamonte Springs, FL: The Institute of Internal Auditors, 1991.
National Research Council. Computers at Risk: Safe Computing in the Information Age. Washington, DC: National Academy Press, 1991.
Pfleeger, Charles P. Security in Computing. Englewood Cliffs, NJ: Prentice Hall, 1989.
Russell, Deborah, and G.T. Gangemi, Sr. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.
Ruthberg, Z., and Tipton, H., eds. Handbook of Information Security Management. Boston, MA: Auerbach Press, 1993.
1. It is recognized that the computer security field continues to evolve. To address changes and new issues, NIST's Computer Security Laboratory publishes the ITL Bulletin series. Those bulletins which deal with security issues can be thought of as supplements to this publication.
3. In the Computer Security Act of 1987, Congress assigned responsibility to NIST for the preparation of standards and guidelines for the security of sensitive federal systems, excluding classified and "Warner Amendment" systems (unclassified intelligence-related), as specified in 10 USC 2315 and 44 USC 3502(2).