International review of criminal policy - Nos. 43 and 44/Security measures

C. Security measures

198. EDP security is considered to consist of seven essential components: administrative and organizational security; personnel security; physical security; communication-electronic security; hardware and software security; operations security; and contingency planning.

1. Administrative and organizational security

199. Administrative security involves the development of an overall security policy and the establishment of procedures for its implementation. While specific security administrative practices will vary considerably depending on the size and nature of the work performed by an organization, minimum requirements include the following:

1. The development of procedures to ensure that risks are identified;
2. The definition of individual security duties and the appropriate assignment of responsibilities;
3. The designation of restricted areas;
4. The establishment of authorization procedures;
5. The identification of external and contractual dependencies;
6. The preparation of contingency plans.

200. Second only to the necessity for the established policy and procedures for EDP security is the requirement for an effective organization to administer it. It is essential that senior management be aware of EDP security requirements and of the fact that a close working relationship must be cultivated between automated system management and the group responsible for overall security.

2. Personnel security

201. Personnel security includes specifying security requirements in job descriptions and ensuring that incumbents meet these requirements and are provided with adequate security motivation and training. It involves supervising access to and control over system resources through appropriate personnel identification and authorization measures. It further requires attention to hiring and employment termination procedures. External service or support personnel such as maintenance and cleaning staff or contract programmers who have unsupervised access to restricted areas should be subject to the same personnel security measures as regular employees.

3. Physical security

202. All EDP facilities should be provided with physical protection in order to ensure security commensurate with the sensitivity of the data being processed and the service being provided. The following factors should be borne in mind when physical security measures are chosen:

1. Site planning (e.g. location and layout, building construction, heating, lighting, fencing and shielding);
2. Control of access to restricted areas (e.g. perimeter security, visitor control, key and badge control, guard staffs and intrusion alarms)
3. Protection against physical damage (e.g. fire, flooding, explosion, wind, earthquake and physical attack);
4. Protection against power and environmental failures (e.g. air-conditioning, water-cooling, power-monitoring, un-interruptable power-sources and dust control);
5. Protection of EDP media and supplies (e.g. waste disposal, storage containers, transportation, postal procedures and packaging).

The close relationship between the physical, environmental and hardware aspects of EDP security makes coordination between computer system and traditional security staff essential, particularly during the planning and design stages of new systems and facilities.

4. Communications-electronic security

203. Telecommunication are almost invariably a fundamental component of automated systems, and their use has the effect of extending the geography of the security concern and of complicating service availability. As the communication facets multiply, so do the possibilities of crossed communication between lines, misrouting of information and the wire-tapping of, and monitoring of electromagnetic radiation from hardware. Some possible countermeasures for communications and electronic threats include electronic screening, filtering encryption and specially designed terminals. However, the inherent complexity of communications systems requires that each case be approached individually. As dependence on communications become greater, so too does the probability that the ability to provide the automated service could be lost because of a failure in the communication system.

5. Hardware and software security

204. Hardware security relates to those protective features implemented through the architectural characteristics of the data-processing equipment, as well as the support and control procedures necessary to maintain the operational integrity of those features.

205. Computer systems security features, whether implemented in hardware, software or micro-programmed firmware, can be addressed in five categories:

1. Identification mechanisms to identify authorized users;
2. Isolation features that ensure that users of the system are restricted from accessing devices, software and data to which they are not entitled;
3. Access control features that provide for selected sharing of system resources by removing or negating isolation measures for authorized cases;
4. Surveillance and detection measures, which assist in the detection of security violations, usually implemented by software;
5. Response techniques to counter the harm of security violations, such as redundant components and circuits, and error correction logic.

6. Operations security

206. Operations security relates to the policy and produces that are necessary to ensure that the required operational capability is always available and that security exposures within the environment are acceptable. Once an environment has been selected that presents minimal inherent weaknesses, the vulnerabilities within the environment should be reduced as much as is practicable. The most important step in this process is to ensure that responsibilities are clearly assigned. The concept of separation of duties and the concept of least privilege are helpful in this regard. In shared systems, the separation of duties concept means that no single individual can subvert controls on the system and the least privilege concept ensures that no one is granted a capability for which there is no well-substantiated operational necessity.

207. The considerations involved in establishing and maintaining an adequate security program are, briefly, as follows:

1. Identification of the EDP assets (data, software, hardware, media, services and supplies) requiring protection;
2. Establishment of the value of each of the assets;
3. Identification of the threat associated with each of the assets;
4. Identification of the vulnerability of the EDP system to these threats;
5. Assessment of the risk exposure associated with each asset (probability of frequency of occurrence multiplied by impact of occurrence);
6. Selection and implementation of security measures;
7. Audit and refinement of the EDP security program on a continuing basis.

208. It is generally recognized that absolute security is an unrealistic goal. An adversary with sufficient motivation, resources and ingenuity can compromise the most sophisticated security safeguards. An optimum security policy is one in which the cost of implementing protective mechanisms has been balanced against the reduction in risk achieved. Although security measures can be costly, experience has shown that adequate security is inexpensive compared to the potential consequence of failure to provide appropriate protection.

7. Contingency planning

209. Every EDP system has been developed to perform some type of service or to fulfill a role. The plans for achieving the goals associated with that role are, in most instances, based on normal operating conditions. However no amount of precautionary work can preclude the occurrence of situations that produce unexpected disruptions in routing operations. Contingency planning is therefore a basic requirement in the EDP security program, regardless of the sensitivity of the information processed or the size of the installation providing the service.