Handbook of Information Security Management: Communications Security



Level 3 Requirements

The suggested controls required to adequately safeguard a Level 3 system include all of the requirements for Levels 1 and 2, plus the following.

1.  More secure data transfer, possibly including encryption.
2.  Additional audit controls.
3.  Additional fire prevention requirements.
4.  Provision of waterproof covers for computer equipment.
5.  Maintenance of a listing of critical-sensitive clearances.

Determine Detailed Security Procedures

The matrix model and suggested security requirements described above illustrate a very general, simple approach for documenting the security implementation requirements. To proceed with the implementation, specific, detailed security protections must be determined, starting with who gets what access, and when. Management, LAN personnel, and security officials, working with key users, must determine the detailed security protections. Procedures for maintaining these protections must be formalized (e.g., who reviews audit logs; who notifies the LAN administrator of departed personnel) to complete the security implementation requirements phase.

DEVELOP AN INTEGRATED SECURITY APPROACH

The final step is the development of an integrated security approach for a LAN/WAN environment. This approach combines the areas described above into one integrated, comprehensive approach. The areas discussed below that are included within the integrated approach are the use of PC/LAN questionnaires, the role of the Computer System Security Plan, risk assessment, annual review and training, and annual management reporting and budgeting.

Role of the PC/LAN Questionnaire

Security programs require the gathering of a considerable amount of information from managers, technical staff, and users. Interviews are one way, and these are often used with the technical staff. Another way to obtain information is with a PC questionnaire, which is a particularly good method for reaching a reasonable segment of the user community, quickly and efficiently. With minor updating, these surveys can be used periodically to provide a current picture of the security environment.

A PC/LAN questionnaire is suggested for Level 1 reviews and to support Level 2 and 3 risk assessments. In other words, a questionnaire can be the focus of an informal risk assessment and can be a major element in a formal risk assessment. A PC/LAN questionnaire, for example, can collect the information to help identify applications and general purpose systems, identify sensitivity and criticality, and determine specific additional security needs relating to security training, access controls, backup and recovery requirements, input/output controls, and many other aspects of security. This questionnaire can be passed out to a representative sampling of PC users, from novices to experienced users, asking them to take 15 to 20 minutes to fill out the form. The aggregated results of this questionnaire should provide a reasonable number of indicators to assess the general status of PC computing practices within the LAN/WAN environment.

Role of the Computer System Security Plan

A Computer Systems Security Plan (CSSP) is suggested for development of Level 2 and Level 3 LANs and WANs. CSSPs are an effective tool for organizing LAN security. The CSSP format provides simplicity, uniformity, consistency, and scalability. The CSSP is to be used as the risk management plan for controlling all recurring requirements, including risk updates, personnel screening, training, etc.

Risk Assessment

Risk assessment includes the identification of informational and other assets of the system, threats that could affect the confidentiality, integrity, or availability of the system, system vulnerabilities/susceptibility to the threats, potential impacts from threat activity, identification of protection requirements to control the risks, and selection of appropriate security measures. Risk assessments for general purpose systems, including LANs/WANs, are suggested at least every five years, or more often when there are major operational, software, hardware, or configuration changes.

Annual Review and Training Session

An ideal approach would be to conduct a yearly LAN/WAN meeting where LAN/WAN management, security, and end-user personnel can get together and review the security of the system. LAN/WAN meetings are an ideal way to satisfy both the security needs/updates of the system and the training/orientation needs of the individuals who are associated with the system. The process can be as simple as reviewing the CSSP, item by item, for additions, changes, and deletions. General discussion on special security topics such as planned network changes and management concerns can round out the agenda. A summary of the meeting is useful for personnel who were unable to attend, for managers, and for updating the management plan.

An often overlooked fact is that LAN/WAN security is only as good as the security being practiced. Information and system security is dependent on each user. Users need to be sensitized, trained, and monitored to ensure good security practices.

Update Management/Budget Plan

The management/budget plan is the mechanism for getting review and approval of security requirements in terms of specific projects, descriptions, responsibilities, schedule, and costs. This plan should be updated yearly to reflect the annual review findings.

