The Need to Establish an Information Security Foundation
Pages 179-205



From page 179...
... These actions form the basis for the mission of the ISF: · Defining requirements and evaluation criteria for users of commercial systems, including private sector users and government processors of sensitive but unclassified information. A major part of this effort is the development and promulgation of the Generally Accepted
From page 180...
... However, current efforts fall short of what is needed to accomplish the tasks at hand, and the dominant missions of existing agencies and organizations limit the scope of their involvement in addressing the issues of computer security and trustworthiness. In particular, relevant government agencies are poorly suited to represent the needs of nongovernmental system users (although they may take some input from major system users and generate publications of interest to users)
From page 181...
... · It should have a strong user presence, through membership and participation in its governance. · It must have defined relationships to existing governmental organizations, particularly NIST and NSA, but also other organizations relevant to its missions, such as the Defense Advanced Research Projects Agency (DARPA)
From page 182...
... By the same token, the FASB is independent of both the American Institute of CPAs and the Securities and Exchange Commission, even though its "clout" comes from the fact that both institutions accept FASB pronouncements as the prime authority for purposes of preparing financial statements in accordance with generally accepted accounting principles.... The FASB is the latest in a line of accounting standard-setting bodies that go back to the stock market crash of 1929 and the consequent Securities Acts of 1933 and 1934.
From page 183...
... As a result, the NCSC's influence on commercial and civilian government use of computers has been greatly reduced. Starting in 1985, internal reorganizations within the NSA have merged the separate and distinct charter of the NCSC with NSA's traditional communications security role.
From page 184...
... , it has so far not undertaken either to specify evaluation criteria for the civil government or to evaluate commercial products against any criteria, or to offer guidelines for system-level evaluation.2 Such guidelines would have to describe how to judge the effectiveness of security safeguards against an anticipated threat. Finally, its relations with NSA, on which it relies for technical assistance and with which it has an agreement not to compete with the Orange Book process, have not given NIST the scope to act with substantial independence.
From page 185...
... in the private sector are security specialists or practitioners and their relatively new professional societies (discussed in Chapter Appendix 7.2). Security practitioners are the principal force promoting computer and system security within organizations, but they operate under a variety of constraints.
From page 186...
... The realities of the government environment suggest that accelerating the development and deployment of computer and communications security requires a greater role for the commercial sector.3 A NEW NOT-FOR-PROFIT ORGANIZATION Given the limitations of private and public organizations, the committee concludes that the proposed Information Security Foundation will be most likely to succeed as a private not-for-profit organization.
From page 187...
... The appeal to users is that ISF would provide, through the GSSP and related evaluation processes, a mechanism for making vendors more responsive to users' needs for systems that are more trustworthy and a forum designed to identify and alleviate user problems. Vendors would get a more responsive evaluation mechanism and broader guidance for developing trusted systems than they have had in the NCSC.
From page 188...
... The committee believes that GSSP is a vital foundation for increasing customer awareness and vendor accountability, and by extension for building an effective evaluation program. A critical pacing factor would be vendor demand for evaluations.
From page 189...
... For example, the first increment of funds could derive from basic subscription fees paid by all members. This funding would be used to establish the base of research and criteria development needed for the foundation to function efficiently.
From page 190...
... Vendor funding would permit the organization to respond quickly with appropriate levels of qualified individuals and would provide a critical incentive to complete the evaluation process expeditiously yet thoroughly by working with vendors throughout the entire development process. The evaluations could be completed and available as the products enter the marketplace (instead of years later)
From page 191...
... For these reasons and because this alternative echoes the weaknesses of the NIST alternative, the second alternative described is unlikely to succeed. However, if industry were to resist a nongovernmental entity, then a single federal computer security evaluation organization would offer improvements over what is currently available, and it could fulfill the additional missions (development of GSSP or broader educational efforts)
From page 192...
... government has actively supported and directed the advance of computer security since the dawn of computer development; its involvement with communications security dates back to the Revolutionary War. The government's long history of involvement in computer and communications security illustrates how public institutions can nurture new technology and stimulate associated markets; it also shows where work remains to be done.
From page 193...
... The overall policy responsibility for communications security matters was originally assigned to the U.S. Communications Security (COMSEC)
From page 194...
... , which created the National Communications Security Committee, split the responsibility for communications security, giving NSA authority over the protection of classified and national security-related information and the National Telecommunications and Information Administration, a part of the Department of Commerce not related to the National Bureau of Standards (NBS), responsibility for protecting unclassified and non-national security information.
From page 195...
... In late 1985 a reorganization at NSA created the Deputy Directorate for Information Security, merging the COMSEC and Computer Security functions and encompassing the NCSC. Since it was becoming clear that the technologies needed to develop communications security systems and computer security systems were becoming inextricably linked, this merger was viewed by many as a positive force.
From page 196...
... , under the new National Security Council Policy Coordinating Committee for National Security Telecommunications and Information Systems. The National Institute of Standards and Technology The other government agency with a longstanding interest in enhancing computer and communications security is the National Institute of Standards and Technology (NIST; formerly the National Bureau of Standards (NBS)
From page 197...
... in certain areas. The MOU calls for NIST to draw on NSA's expertise and products "to the greatest extent possible" in developing telecommunications security standards for protecting sensitive but unclassified computer data, and to draw on NSA's guidelines for
From page 198...
... In particular, it has sponsored none of the fundamental operating system research needed to develop or evaluate trusted computer systems, although NBS monitored the research and development activities of the 1970s and held an invitational Rancho Santa Fe Access Control workshop in 1972. NIST continues to participate in the DOD Computer Security Initiative through joint sponsorship of the "NBS" (now National)
From page 199...
... and the Office of Management and Budget (OMB; which influences government procurement and has a general interest in the efficient use of information and systems), set the operating climate for computer and communications security
From page 200...
... Because of these commonalities, many of NIST's activities, while nominally aimed at meeting civilian government needs, are relevant to industry. A third group of government entities involved with computer and communications security are the investigating and prosecuting agencies, including the Federal Bureau of Investigation (responsible for major federal law enforcement and also for counterintelligence)
From page 201...
... APPENDIX 7.2 SECURITY PRACTITIONERS Many organizations rely on a security specialist or practitioner for guidance on computer and communications security problems and practices.
From page 202...
... These are the individuals responsible for selecting, recommending, and implementing security technology and procedures. Several professional societies provide guidelines, continuing education, and other tools and techniques to computer and communications security practitioners.
From page 203...
... · Telecommunications security: protection of information in transit via telecommunications media and control of the use of telecommunications resources. · Organization architecture: structure for organization of employees to achieve information security goals.
From page 204...
... Because this profession is new, still evolving, and diverse in composition, it is not clear that it can have the impact on security that, say, certified public accountants have on accounting. That assumption is based in part on the absence to date of generally accepted computer and communications security principles and mature standards of practice in this arena, as well as the absence of the kind of legal accountability that other professions have achieved.
From page 205...
... 7. The MOU states that NIST will "recognize the NSA-certified rating of evaluated trusted systems under the Trusted Computer Security Evaluation Criteria Program without requiring additional evaluation," and it also makes many references to coordination with NSA to avoid duplication of effort or conflict with existing technical standards aimed at protecting classified information.

