Minnesota State Archives

Handbook for Trustworthy Information Systems: Section 9

Criteria Group 2: System administrators should establish, document, and implement security measures.

QUESTIONS TO ASK:

  • Who can invoke change mechanisms for object, process, and user security levels?
  • Who (creator, current owner, system administrator, etc.) can grant access permissions to a record after the record is created?
  • Is there a help desk or group that offers advice and can respond to security incidents in a timely manner?
  • Is system performance monitoring used to analyze system performance logs in real time to look for availability problems, including active attacks, and system and network slowdowns and crashes?
  • Is there a list of all internal and external user groups and the types of data created and/or accessed?
  • Have all positions been reviewed with respect to appropriate security levels?
  • What are the procedures for the destruction of controlled-access hardcopies?
  • How is information purged from the system?
  • How is reuse of hardware, software, and storage media prevented?

2A. User Identification / Authorization

1. User identification and access procedures should be established and documented. Users should be authenticated prior to being granted access.

Glossary, authenticated:
1. "A process used to verify the integrity of transmitted data, especially a message." (a)
2. "The process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual." (b)
3. "The process of confirming an asserted identity with a specified, or understood, level of confidence. The mechanism can be based on something the user knows, such as a password, something the user possesses, such as a "smart card," something intrinsic to the person, such as a fingerprint, or a combination of two or more of these." (h)

Did you know?

"Agencies shall limit access to computerized information resources and computer systems to authorized users." (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.

"Agencies shall identify and control each point of access to computerized information or computer systems by an appropriate security method." (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.

"Agencies shall establish and use appropriate authentication methods to ensure each user is identified prior to granting access to computerized information resources." (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.

2. Each user should be assigned a unique identifier and password. Identifiers and passwords should not be used more than once within a system. Use of access scripts with embedded passwords should be limited and controlled.

Glossary, password: "A character string used to authenticate an identity. Knowledge of the password and its associated user ID is considered proof of authorization to use the capabilities associated with that user ID." (a)

Did you know?

"Authorized users of computerized information resources shall not disclose their means of authentication." (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.

Consider This:

Upon successful log-in, users should be notified of the date and time of the last successful log-in, the location of the last log-in, and each unsuccessful log-in attempt on their user identifier since the last successful entry.

Glossary, log-in: To enter information before gaining access to a computer system. At a minimum, log-in typically requires a username and password.

Where identification codes in human-readable form are considered too great a security liability, other forms should be employed, such as encoded security cards or biometric-based devices.

Glossary, biometric: An authentication technique relying on measurable physical characteristics of the user that can be automatically checked. An example is a fingerprint scanner. (b)

3. Password rules should include standard practices such as minimum password length, expiration dates, and a limited number of log-on attempts. System administrators should determine what level and frequency of log-on errors constitutes a misuse problem and, in turn, triggers notification of security personnel.
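The following Go program is an added illustration, not part of the handbook, of how a system could apply item 3 together with the log-in notice from the "Consider This" note above: it enforces a minimum password length and an expiration age, derives from a user identifier's attempt history what the user should be told at the next successful log-in, and reports when the run of failures since the last success reaches the threshold an administrator chose for notifying security personnel. The type and function names, the policy values and the attempt history are all constructed assumptions.

```go
package main

import (
	"fmt"
	"time"
	"unicode/utf8"
)

type Attempt struct {
	When     time.Time
	Location string // terminal, dial-in line or address the system recorded
	Success  bool
}

// Policy holds the standard practices item 3 lists; the values used are assumptions.
type Policy struct {
	MinPasswordLen int
	MaxPasswordAge time.Duration
	MaxFailures    int // failures since the last success that trigger notification
}

// LastLogin returns the last successful attempt in history (oldest first) and every
// failure after it, for the next log-in notice; ok is false if there was never a success.
func LastLogin(history []Attempt) (last Attempt, failedSince []Attempt, ok bool) {
	for _, a := range history {
		if a.Success {
			last, failedSince, ok = a, nil, true // a success resets the failure run
		} else {
			failedSince = append(failedSince, a)
		}
	}
	return last, failedSince, ok
}

// ShouldNotifySecurity is true once the failure run reaches the administrator's threshold.
func ShouldNotifySecurity(p Policy, history []Attempt) bool {
	_, failed, _ := LastLogin(history)
	return len(failed) >= p.MaxFailures
}

// CheckPassword enforces minimum length (in characters, not bytes) and expiration.
func CheckPassword(p Policy, pw string, setAt, now time.Time) error {
	if utf8.RuneCountInString(pw) < p.MinPasswordLen {
		return fmt.Errorf("password shorter than %d characters", p.MinPasswordLen)
	}
	if expires := setAt.Add(p.MaxPasswordAge); now.After(expires) {
		return fmt.Errorf("password expired on %s", expires.Format("2006-01-02"))
	}
	return nil
}
```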

4. Users should be restricted to only the level of access necessary to perform their job duties.

5. Permission to alter disposition/retention codes, and/or to create, modify, and delete records should be granted only to authorized users with proper clearance. Modification of record identifiers is not allowed.

6. Access to private keys for digital signatures should be limited to authorized individuals.

Glossary, private key:
1. "The private key is the part of the key pair that is used by the person to sign an electronic document. It must be kept secure as it is the identity of the person in the electronic environment." (c)
2. "One of the two keys used in an asymmetric encryption system. For secure communication, the private key should be known only to its creator." (a)

Glossary, digital signature:
1. "An authentication mechanism that enables the creator of a message to attach a code that acts as a signature. The signature guarantees the source and integrity of the message." (a)
2. "In Minnesota, a digital signature is defined to be an asymmetric cryptosystem. . . . A digital signature is a reliable electronic method of signing electronic documents that provides the recipient with a way to verify the sender, determine that the content of the document has not been altered since it was signed, and prevent the sender from repudiating the fact that he or she signed and sent the electronic document. A digital signature is made up of a key pair consisting of a private key and a public key. . . . A signature looks like a random series of numbers and alphabetical characters. Each signature is unique because it uses the content of the electronic document to create the character string." (c)

Did you know?

"Each agency that chooses to use digital signature technology must establish a digital signature implementation and use policy." (Minnesota Department of Administration, Office of Technology, Minnesota State Agency Digital Signature Implementation and Use Standard. IRM Standard 18, Version 1. 19 November 1999.) Refer to Bibliography.

"An individual must protect and not disclose or make available his or her digital signature private key or password to other persons, including fellow state employees, managers, and supervisors." (Minnesota Department of Administration, Office of Technology, Minnesota State Agency Digital Signature Implementation and Use Standard. IRM Standard 18, Version 1. 19 November 1999.) Refer to Bibliography.

"When conducting State business, an employee must only use a digital signature key pair and certificate purchased with state funds. Employees must not use a State digital signature key pair for personal business." (Minnesota Department of Administration, Office of Technology, Minnesota State Agency Digital Signature Implementation and Use Standard. IRM Standard 18, Version 1. 19 November 1999.) Refer to Bibliography.

"The agency must revoke the ex officio digital signature key pair whenever there is a change in the person occupying the office." (Minnesota Department of Administration, Office of Technology, Minnesota State Agency Digital Signature Implementation and Use Standard. IRM Standard 18, Version 1. 19 November 1999.) Refer to Bibliography.

7. Lists of all current and past authorized users along with their privileges and responsibilities should be maintained. The current list should be reviewed on a regular schedule to ensure the timely removal of authorizations for former employees, and the adjustment of clearances for workers with new job duties.

8. Personnel duties and access restrictions should be arranged such that no individual with an interest in record content will be responsible for administering system security, quality controls, audits, or integrity-testing functions. No individual should have the ability to single-handedly compromise the system's security and operations.

2B. Internal System Security

1. Access to system documentation should be controlled and monitored.

2. Access to output and storage devices should be controlled and monitored.

Glossary, storage device: A device capable of storing data, such as disk drives and tape drives. (b)

3. Controls should be in place to ensure proper security levels of data when archiving, purging, or moving from system to system. Controls should be in place for the transportation or mailing of media or printed output.

Glossary, archiving: "The process of creating a backup copy of computer files, especially for long-term storage." (i)

4. Procedures should be implemented to ensure the complete sanitization and secure disposal of hardware, software, and storage media when outdated or supplanted by newer versions, units, etc. Documentation should include date, equipment identifiers, methods, and personnel names.

5. Mechanisms that detect security failures and intrusions should monitor the system continuously. Failsafes and processes that limit the impact of a failure of the primary security measures should be in place at all times.

6. Security procedures and rules should be reviewed on a routine basis to maintain currency.

7. Measures should be in place to guard the system's physical security. Items to consider include:

a. access to rooms with terminals, servers, wiring, backup media

b. data interception

c. mobile/portable units such as laptops

d. structural integrity of building

e. fire safety

f. supporting services such as electricity, heat, air conditioning, water, sewage, etc.

8. Security administration personnel should undergo training to ensure full understanding of the security system's operation.

2C. External System Security

1. In cases of remote access to the system, especially through public telephone lines, additional security measures should be employed. Possible actions include input device checks, caller identification checks (phone caller identification), call backs, and security cards.

Glossary, input device: Any apparatus, such as a keyboard, that allows data to be fed or entered into a computer. (b)

2. For records originating outside the system, the system should be capable of verifying their origin and integrity. At a minimum, the system should:

a. verify the identity of the sender or source

b. verify the integrity of, or detect errors in, the transmission or informational content of the record

c. detect changes in the record since the time of its creation or the application of a digital signature

d. detect any viruses or worms present

Glossary, virus: "Code embedded within a program that causes a copy of itself to be inserted in one or more other programs. In addition to propagation, the virus usually performs some unwanted function." (a)

Glossary, worm: "Program that can replicate itself and send copies from computer to computer across network connections. Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function." (a)

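As an added example that is not part of the handbook, the Go program below shows checks (a) through (c) of item 2 applied to a record arriving from outside the system: the asserted sender is looked up in a registry of authorized senders' public keys, and the sender's digital signature is verified over the content exactly as received, so a sender that is not known, a signature made with some other private key, or any change to the content since signing is rejected. Ed25519 is used as the asymmetric signature scheme; the record envelope, the registry, the sender name "agency-a" and the record contents are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedRecord is a constructed envelope for a record from outside the system.
type SignedRecord struct {
	Sender    string
	Content   []byte
	Signature []byte
}

// Registry maps authorized external senders to their public keys (in-memory here;
// a real system would populate it from issued certificates).
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownSender = errors.New("sender not in registry: identity cannot be verified")
	ErrAltered       = errors.New("signature does not verify: record altered or not signed by sender")
)

// Sign is done by the originating system; the private key stays with the sender.
func Sign(sender string, priv ed25519.PrivateKey, content []byte) SignedRecord {
	return SignedRecord{Sender: sender, Content: content, Signature: ed25519.Sign(priv, content)}
}

// Verify applies checks (a) to (c) on receipt: the sender must be a known source and
// the signature must validate over the content as received, so any change is detected.
func (r Registry) Verify(rec SignedRecord) error {
	pub, ok := r[rec.Sender]
	if !ok {
		return ErrUnknownSender
	}
	if !ed25519.Verify(pub, rec.Content, rec.Signature) {
		return ErrAltered
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sender "agency-a"
	reg := Registry{"agency-a": pub}
	rec := Sign("agency-a", priv, []byte("record 0001: fee paid"))
	fmt.Println("as received:", reg.Verify(rec))
	rec.Content = []byte("record 0001: fee waived") // altered in transit
	fmt.Println("after alteration:", reg.Verify(rec))
}
```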

Did you know?

"Organizations conducting business over the Internet need robust security controls to ensure data integrity, data confidentiality, and system availability. Data integrity controls help protect the accuracy and completeness of data, both in storage and while in transit. Confidentiality controls help ensure that sensitive data, such as credit card numbers, cannot be seen by unauthorized individuals. Finally, system availability controls help minimize the amount of time when citizens cannot use the system to conduct business." (Office of the Legislative Auditor, Financial-Related Audit: Department of Public Safety, Web-Based Motor Vehicle Registration Renewal System as of April 2001. August 2001, Report No. 01-43.) http://www.auditor.leg.state.mn.us/

"It is a sad reality that unscrupulous individuals discover new security exploits daily and use that knowledge to penetrate organizations with many layers of preventative defenses. This inherent security administration problem is why every organization must vigilantly monitor its systems for signs of attack. Since time is of the essence when under attack, every organization must also have decisive incident response procedures. Those that do not may fail to discover that they are completely unsecured until extensive damage has been done." (Office of the Legislative Auditor, Financial-Related Audit: Department of Public Safety, Web-Based Motor Vehicle Registration Renewal System as of April 2001. August 2001, Report No. 01-43.) http://www.auditor.leg.state.mn.us/

"Agencies shall take appropriate preventative actions to protect their computer information from corruption by viruses." (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.

"Agencies shall monitor and evaluate, on an ongoing basis, the effectiveness of security tools and virus protection being used within their agency. Security tools and virus protection systems which are not found to be effective shall be updated in a timely manner." (Minnesota Department of Administration, Office of Technology, Computerized Information Resources Security Standards for State Agencies. IRM Standard 16, Version 1. June 1998.) Refer to Bibliography.


TIS Handbook last updated July 2002, Version 4.