Page 90 - DCAP516_COMPUTER_SECURITY
1. Mandatory Security Policy: Enforces access control rules based directly on an individual’s
clearance, the individual’s authorization for the information, and the confidentiality level of
the information being sought. Other, indirect factors are physical and environmental. The
policy must also accurately reflect the laws, general policies and other relevant guidance from
which its rules are derived.
2. Marking: Systems designed to enforce a mandatory security policy must store and preserve
the integrity of access control labels and retain the labels if the object is exported.
3. Discretionary Security Policy: Enforces a consistent set of rules for controlling and limiting
access based on identified individuals who have been determined to have a need-to-know
for the information.
Accountability
Individual accountability must be enforced regardless of the policy in force. A secure means
must exist to ensure that an authorized and competent agent can access the accountability
information and evaluate it within a reasonable amount of time and without undue difficulty.
There are three requirements under the accountability objective:
1. Identification: The process used to recognize an individual user.
2. Authentication: The verification of a user’s claimed identity, which establishes the basis
for that user’s authorization to specific categories of information.
3. Auditing: Audit information must be selectively kept and protected so that actions affecting
security can be traced to the authenticated individual.
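The mandatory policy, marking, discretionary policy and the three accountability requirements above can be seen working together in a small reference monitor. The following Python is an added example written for this page, not code from the DCAP516 text or from any evaluated system; the level ordering, the NUCLEAR category, the users, their credentials and the plan.txt object are constructed assumptions:

```python
"""Toy reference monitor for the TCSEC policy and accountability requirements.
Added example for this page, not code from the DCAP516 text or any evaluated
system; levels, users, categories, credentials and the object are constructed."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Hierarchical confidentiality levels, lowest to highest (assumed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Access control label: a level plus a set of non-hierarchical categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # Mandatory rule: a subject may read an object only if its clearance level
        # is at least the object's level AND it holds every category the object is
        # marked with (no "read up").
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class LabeledObject:
    name: str
    label: Label        # the marking the system must store and preserve
    acl: frozenset      # discretionary need-to-know list of user ids
    content: bytes


@dataclass
class Subject:
    user_id: str        # identification
    clearance: Label
    authenticated: bool = False


class ReferenceMonitor:
    def __init__(self, credentials):
        self.credentials = credentials   # user_id -> secret (constructed store)
        self.audit_log = []              # every security-relevant decision

    def _audit(self, subject, obj_name, action, decision, reason):
        # Each record names the identified individual, so the action can be
        # traced back to them when the log is reviewed.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(), "user": subject.user_id,
            "authenticated": subject.authenticated, "object": obj_name,
            "action": action, "decision": decision, "reason": reason})

    def authenticate(self, subject, secret):
        expected = self.credentials.get(subject.user_id, "")
        # Constant-time compare; the empty-string guard rejects unknown users.
        subject.authenticated = expected != "" and hmac.compare_digest(expected, secret)
        self._audit(subject, "-", "login",
                    "ALLOW" if subject.authenticated else "DENY", "authentication")
        return subject.authenticated

    def read(self, subject, obj):
        """Return the object's content if every check passes, otherwise None."""
        if not subject.authenticated:
            reason = "subject not authenticated"
        elif not subject.clearance.dominates(obj.label):
            reason = "mandatory policy: clearance does not dominate object label"
        elif subject.user_id not in obj.acl:
            reason = "discretionary policy: no need-to-know"
        else:
            self._audit(subject, obj.name, "read", "ALLOW", "all checks passed")
            return obj.content
        self._audit(subject, obj.name, "read", "DENY", reason)
        return None

    def export(self, subject, obj):
        """Marking requirement: an exported object carries its label with it."""
        content = self.read(subject, obj)
        if content is None:
            return None
        return {"label": {"level": obj.label.level,
                          "categories": sorted(obj.label.categories)},
                "content": content}


def demo():
    """Constructed scenario: three users and one SECRET / NUCLEAR document."""
    rm = ReferenceMonitor({"alice": "a-secret", "bob": "b-secret", "carol": "c-secret"})
    plan = LabeledObject("plan.txt", Label("SECRET", frozenset({"NUCLEAR"})),
                         frozenset({"alice", "bob"}), b"reactor schedule")
    alice = Subject("alice", Label("SECRET", frozenset({"NUCLEAR"})))
    bob = Subject("bob", Label("TOP SECRET"))              # higher level, lacks category
    carol = Subject("carol", Label("TOP SECRET", frozenset({"NUCLEAR"})))  # not on ACL
    results = {"alice_unauth": rm.read(alice, plan)}       # denied: not authenticated
    for s, pw in ((alice, "a-secret"), (bob, "b-secret"), (carol, "c-secret")):
        rm.authenticate(s, pw)
    results["alice"] = rm.read(alice, plan)                # allowed
    results["bob"] = rm.read(bob, plan)                    # denied by mandatory policy
    results["carol"] = rm.read(carol, plan)                # denied by discretionary policy
    results["export"] = rm.export(alice, plan)             # label travels with content
    return results, rm.audit_log
```

Two points the scenario makes that the prose only states: bob is denied even though he is on the ACL and holds a higher level, because the mandatory check (level and categories) is evaluated first and an owner’s discretionary grant cannot override it; and carol, who dominates the label, is still denied for lack of need-to-know. Every decision, including the failed read before login, lands in the audit log under the identified user, and the exported object carries its label with it rather than the bare content.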
Assurance
The computer system must contain hardware/software mechanisms that can be independently
evaluated to provide sufficient assurance that the system enforces the above requirements. By
extension, assurance must include a guarantee that the trusted portion of the system works only
as intended. To accomplish these objectives, two types of assurance mechanism are needed, each
with its own elements, together with a requirement that those mechanisms remain protected:
1. Operational Assurance: System Architecture, System Integrity, Covert Channel Analysis,
Trusted Facility Management and Trusted Recovery.
2. Life-cycle Assurance: Security Testing, Design Specification and Verification, Configuration
Management and Trusted System Distribution.
3. Continuous Protection Assurance: The trusted mechanisms that enforce these basic
requirements must be continuously protected against tampering and/or unauthorized
changes.
Documentation
Within each evaluation class there is an additional set of documentation that addresses the
development, deployment and management of the system rather than its capabilities. This
documentation includes the Security Features User’s Guide, the Trusted Facility Manual, Test
Documentation and Design Documentation.
84 LOVELY PROFESSIONAL UNIVERSITY