INSTITUTE FOR COMPUTER SCIENCES AND TECHNOLOGY NATIONAL BUREAU OF STANDARDS GAITHERSBURG, MARYLAND 20899 The Institute for Computer Sciences and Technology is a center of technical expertise in information technology. While ICST focuses primarily on helping the Federal government make effective use of computers and information technology, ICST products, services, and technical support are used by the private sector and all levels of government as well. ICST's major activities are: o determining requirements for and participating in the development of national and international voluntary industry standards for computer products and services; o developing testing methodologies to support the development and implementation of standards; o developing guidelines, technology forecasts, and other products to aid in the effective management and application of computers. o disseminating and exchanging information with Federal, State and local governments, industry, professional, and research organizations on computer use and standards needs; o providing technical support for the development of government policies in information technology; o providing direct technical assistance to Federal agencies on a cost reimbursable basis; o carrying out applied research and development, often in cooperation with other government agencies and with industry. COMPUTER SECURITY ACTIVITIES Computer security is a critical component of the overall management of computers. Losses of confidentiality, integrity, and availability of computer data and processing resources can result from both accidental and intentional events. Working with users and industry to determine their requirements for computer security guidance and standards, ICST identifies and develops cost-effective methods to protect computers and data against all types of losses. These methods include both automated techniques that are integrated into computers and terminals as well as sound management practices. ICST products include guidance, standards, technical reports, conferences, teleconferences, workshops, advice, and technical support activities. HOW TO ORDER PUBLICATIONS These publications are available through the Government Printing Office (GPO) and the National Technical Information Service (NTIS). The source and price for each publication are indicated. Orders for publications should include title of publication, NBS publication number (Spec. Pub. 000, Tech. Note 000, etc.) and NTIS or GPO number. Your may order at the price listed; however, prices are subject to change without notice. Submit payment in the form of postal money order, express money order or check made out to the Superintendent of Documents for GPO-stocked documents or to the National Technical Information Service for NTIS- stocked documents. Mailing addresses are: Superintendent of Documents U.S. Government Printing Office Washington, DC 20402 National Technical Information SErvice 5285 Port Royal Road Springfield, VA 22161 Telephone numbers for information are: GPO Order Desk (202) 783-3238 NTIS Orders (703) 487-4780 NTIS Information (703) 487-4600 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATIONS (FIPS) Federal Information Processing Standards Publications (FIPS PUBS) are developed by the Institute for Computer Sciences and Technology (ICST) and issued under the provisions of the Federal Property and Administrative Services Act of 1949, as amended; Public Law 89-306 (79 Stat. 1127); Executive Order 11717 (38 FR 12315); and Part 6 of Title 15 of the Code of Federal Regulations (CFR). FIPS PUBS are sold by the National Technical Information Service (NTIS), U.S. Department of Commerce. A list of current FIPS covering all ICST program areas is available from: Standards Processing Coordinator (ADP) Institute for Computer Sciences and Technology Technology Building, B-64 National Bureau of Standards Gaithersburg, MD 20899 Phone: (30l) 975-2817 FIPS PUB 31 GUIDELINES FOR ADP PHYSICAL SECURITY AND RISK MANAGEMENT June 1974 Provides guidance to Federal organizations in developing physical security and risk management programs for their ADP facilities. Covers security analysis, natural disasters, failure of supporting utilities, system reliability, procedural measures and controls, protection of off-site facilities, contingency plans security awareness, and security audit. Can be used as a checklist for planning and evaluating security of computer systems. FIPS PUB 39 GLOSSARY FOR COMPUTER SYSTEMS SECURITY February 1974 A reference document containing approximately 170 terms and definitions pertaining to privacy and computer security. FIPS PUB 41 COMPUTER SECURITY GUIDELINES FOR IMPLEMENTING THE PRIVACY ACT OF 1974 May 1975 Provides guidance in the selection of technical and related procedural methods for protecting personal data in automated information systems. Discusses categories of risks and the related safeguards for physical security, information management practices, and system controls to improve system security.FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATIONS (cont.) FIPS PUB 46 DATA ENCRYPTION STANDARD January 1977 Specifies an algorithm to be implemented in electronic hardware devices and used for the cryptographic protection of sensitive, but unclassified, computer data. The algorithm uniquely defines the mathematical steps required to transform computer data into a cryptographic cipher and the steps required to transform the cipher back to its original form. FIPS PUB 48 GUIDELINES ON EVALUATION OF TECHNIQUES FOR AUTOMATED PERSONAL IDENTIFICATION April 1977 Discusses the performance of personal identification devices, how to evaluate them and considerations for their use within the context of computer system security. FIPS PUB 65 GUIDELINE FOR AUTOMATIC DATA PROCESSING RISK ANALYSIS August 1979 Presents a technique for conducting a risk analysis of an ADP facility and related assets. Provides guidance on collecting, quantifying, and analyzing data related to the frequency of caused by adverse events. This guideline describes the characteristics and attributes of a computer system that must be known for a risk analysis and gives an example of the risk analysis process. FIPS PUB 73 GUIDELINES FOR SECURITY OF COMPUTER APPLICATIONS June 1980 Describes the different security objectives for a computer application, explains the control measures that can be used, and identifies the decisions that should be made at each stage in the life cycle of a sensitive computer application. For use in planning, developing and operating computer systems which require protection. Fundamental security controls such a data validation, user identity verification, authorization, journalling, variance detection, and encryption are discussed. FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATIONS (cont.) FIPS PUB 74 GUIDELINES FOR IMPLEMENTING AND USING THE NBS DATA ENCRYPTION STANDARD April 1981 Provides guidance for the use of cryptographic techniques when such techniques are required to protect sensitive or valuable computer data. For use in conjunction with FIPS PUB 46 and FIPS PUB 81. FIPS PUB 81 DES MODES OF OPERATION December 1980 Defines four modes of operation for the Data Encryption Standard which may be used in a wide variety of applications. The modes specify how data will be encrypted (cryptographically occurrence and the damage protected) and decrypted (returned to original form). The modes included in this standard are the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode. FIPS PUB 83 GUIDELINE ON USER AUTHENTICATION TECHNIQUES FOR COMPUTER NETWORK ACCESS CONTROL September 1980 Provides guidance in the selection and implementation of techniques for authenticating the users of remote terminals in order to safeguard against unauthorized access to computers and computer networks. Describes use of passwords, identification tokens, verification by means of personal attributes, identification of remote devices, role of encryption in network access control, and computerized authorization techniques. FIPS PUB 87 GUIDELINES FOR ADP CONTINGENCY PLANNING March 1981 Describes what should be considered when developing a contingency plan for an ADP facility. Provides a suggested structure and format which may be used as a starting point from which to design a plan to fit each specific operation. FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATIONS (cont.) FIPS PUB 88 GUIDELINE ON INTEGRITY ASSURANCE AND CONTROL IN DATABASE APPLICATIONS August 1981 Provides explicit advice on achieving database integrity and security control. Identifies integrity and security problems and discusses procedures and methods which have proven effective in addressing these problems. Provides an explicit, step-by-step procedure for examining and verifying the accuracy and completeness of a database. FIPS PUB 94 GUIDELINE ON ELECTRICAL POWER FOR ADP INSTALLATIONS September 1982 Provides information on factors in the electrical environment that affect the operation of ADP systems. Describes the fundamentals of power, grounding, life-safety, static electricity, and lightning protection requirements, and provides a checklist for evaluating ADP sites. FIPS PUB 102 GUIDELINE FOR COMPUTER SECURITY CERTIFICATION AND ACCREDITATION September 1983 Describes how to establish and how to carry out a certification and accreditation program for computer security. Certification consists of a technical evaluation of a sensitive system to see how well it meets its security requirements. Accreditation is the official management authorization for the operation of the system and is based on the certification process. FIPS PUB 112 STANDARD ON PASSWORD USAGE May 1985 This standard defines ten factors to be considered in the design, implementation and use of access control systems that are based on passwords. It specifies minimum security criteria for such systems and provides guidance for selecting additional security criteria for password systems which must meet higher security requirements. FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATIONS (cont.) FIPS PUB 113 STANDARD ON COMPUTER DATA AUTHENTICATION May 1985 This standard specifies a Data Authentication Algorithm (DAA) which, when applied to computer data, automatically and accurately detects unauthorized modifications, both intentional and accidental. Based on the Data Encryption Standard (DES), this standard is compatible with requirements adopted by the Department of Treasury and the banking community to protect electronic fund transfer transactions. SPECIAL PUBLICATIONS AND OTHER REPORTS These publications present the results of ICST studies, investigations, and research on computer security and risk management issues. Publications are sold by either the Government Printing Office or the National Technical Information Service as noted for each entry. SPECIAL PUBLICATIONS NBS SPEC PUB 500-137 SECURITY FOR DIAL-UP LINES By Eugene F. Troy May 1986 Ways to protect computers from intruders via dial- up telephone lines are discussed in this guide. Highlighted are hardware devices which can be fitted to computers or used with their dial-up terminals to provide communications protection for non-classified computer systems. Six different types of hardware devices and the ways that they can be used to protect dial-up computer communications are described. Also discussed are techniques that can be added to computer operating systems or incorporated into system management or administrative procedures. SPECIAL PUBLICATIONS (Cont.) NBS SPEC PUB 500-134 GUIDE ON SELECTING ADP BACKUP PROCESS ALTERNATIVES By Irene Isaac November 1985 Discusses the selection of ADP backup processing support in advance of events that cause the loss of data processing capability. Emphasis is placed on management support at all levels of the organization for planning, funding, and testing of an alternate processing strategy. The alternative processing methods and criteria for selecting the most suitable method are presented, and a checklist for evaluating the suitability of alternatives is provided. NBS SPEC PUB 500-133 TECHNOLOGY ASSESSMENT; METHODS FOR MEASURING THE LEVEL OF COMPUTER SECURITY By William Neugent, John Gilligan, Lance Hoffman, and Zella G. Ruthberg October 1985 The document covers methods for measuring the level of computer security, i.e. technical tools or processes which can be used to help establish positive indications of security adequacy in computer applications, systems, and installations. The report addresses individual techniques and approaches, as well as broader methodologies which permit the formulation of a composite measure of security that uses the results of these individual techniques and approaches. NBS SPEC PUB 500-121 GUIDANCE ON PLANNING AND IMPLEMENTING COMPUTER SYSTEMS RELIABILITY By Lynne S. Rosenthal January 1985 This report presents guidance to managers and planners on the basic concepts of computer system reliability and on the implementation of a management program to improve system reliability. Topics covered include techniques for quantifying and evaluating data to measure system reliability, designing systems for reliability, and recovery of a computer system after it has failed or produced erroneous output. An appendix contains references and a list of selected readings. SPECIAL PUBLICATIONS (Cont.) NBS SPEC PUB 500-120 SECURITY OF PERSONAL COMPUTER SYSTEMS - A MANAGEMENT GUIDE By Dennis D. Steinauer This publication provides practical advice on the following issues: physical and environmental protection system and data access control; integrity of software and data; backup and contingency planning; auditability; communications protection. References to additional information, a self-audit checklist, and a guide to security products for personal computers are included in the appendices. NBS SPEC PUB 500-109 OVERVIEW OF COMPUTER SECURITY CERTIFICATION AND ACCREDITATION By Zella G. Ruthberg and William Neugent April 1984 This publication is a summary of and a guide to FIPS PUB 102, Guideline to Computer Security Certification and Accreditation. It is oriented toward the needs of ADP policy managers, information resource managers, ADP technical managers, and ADP staff in understanding the certification and accreditation process. NBS SPEC PUB 500-85 EXECUTIVE GUIDE TO ADP CONTINGENCY PLANNING By James K. Shaw and Stuart W. Katzke July 1981 This document provides, in the form of questions and answers, the background, and basic essential information required to understand the developmental process for automatic data processing (ADP) contingency plans. The primary intended audience consists of executives and managers who depend on ADP resources and services, yet may not be directly responsible for the daily management or supervision of data processing activities or facilities. SPECIAL PUBLICATIONS (Cont.) NBS SPEC PUB 500-67 THE SRI HIERARCHICAL DEVELOPMENT METHODOLOGY (HDM) AND ITS APPLICATION TO THE DEVELOPMENT OF SECURE SOFTWARE By Karl N. Levitt, Peter Neumann, and Lawrence Robinson October 1980 Describes the SRI Hierarchical Development Methodology for designing large software systems such as operating systems and data management systems that must meet stringent security requirements. NBS SPEC PUB 500-61 MAINTENANCE TESTING FOR THE DATA ENCRYPTION STANDARD By Jason Gait August 1980 Describes four tests that can be used by manufacturers and users to check the operation of data encryption devices. These tests are simple, efficient, and independent of the implementation of the Data Encryption Standard (FIPS 46). NBS SPEC PUB 500-57 AUDIT AND EVALUATION OF COMPUTER SECURITY II: SYSTEM VULNERABILITIES AND CONTROLS Edited by Zella G. Ruthberg April 1980 Proceedings of the second NBS/GAO workshop to develop improved computer security audit procedures. Covers eight sessions: three sessions on managerial and organizational vulnerabilities and controls and five technical sessions on terminals and remote peripherals, communication components, operating systems, applications and non-integrated data files, and data base management systems. NBS SPEC PUB 500-54 A KEY NOTARIZATION SYSTEM FOR COMPUTER NETWORKS By Miles E. Smid October 1979 Describes a system for key notarization, which can be used with an encryption device, to improve data security in computer networks. The key notarization system can be used to communicate securely between two users, communicate via encrypted mail, protect personal files, and provide a digital signature capability. SPECIAL PUBLICATIONS (Cont.) NBS SPEC PUB 500-50 COMPUTERS, PERSONNEL ADMINISTRATION, AND CITIZEN RIGHTS By Alan F. Westin July 1979 Reports on the impact of computers on citizen rights in the field of personnel record keeping. This study traces the changing patterns of employment and personnel administration and examines the trends in computer use in personnel administration. It recommends policy actions to guide the management of personnel systems that respect citizen rights. NBS SPEC PUB 500-33 CONSIDERATIONS IN THE SELECTION OF SECURITY MEASURES OF AUTOMATIC DATA PROCESSING SYSTEMS By Michel J. Orceyre and Robert H. Cortney, Jr. Edited by Gloria R. Bolotsky Details methods and techniques for protecting data processed by computer and transmitted via telecommunications lines. This report identifies the controls that can be instituted to protect ADP systems when risks and potential losses have been identified. NBS SPEC PUB 500-27 COMPUTER SECURITY AND THE DATA ENCRYPTION STANDARD Edited by Dennis Branstad February 1978 Includes papers and summaries of presentations made at a l978 conference on computer security. Subject areas are physical security, risk assessment, software security, computer network security, applications and implementation of the Data Encryption Standard. NBS SPEC PUB 500-25 AN ANALYSIS OF COMPUTER SECURITY SAFEGUARDS FOR DETECTING AND PREVENTING INTENTIONAL COMPUTER MISUSE By Brian Ruder and J. D. Madden January 1978 Analyzes 88 computer safeguard techniques that could be applied to recorded actual computer misuse cases. Presents a model for use in classifying and evaluating safeguards as mechanisms for detecting and preventing misuse. SPECIAL PUBLICATIONS (Cont.) NBS SPEC PUB 500-24 PERFORMANCE ASSURANCE AND DATA INTEGRITY PRACTICES By Robert L. Patrick January 1978 Details practices and methods that have been successful in preventing or reducing computer system failures caused by programming and data errors. The methods described cover large data processing applications, scientific computing applications, programming techniques and systems design. NBS SPEC PUB 500-21 DESIGN ALTERNATIVES FOR COMPUTER NETWORK SECURITY (VOL. 1) THE NETWORK SECURITY CENTER: A SYSTEM LEVEL APPROACH TO COMPUTER NETWORK SECURITY (VOL. 2) By Gerald D. Cole and Frank Heinrich January 1978 This two-volume study covers network security requirements and design and implementation requirements of a special computer dedicated to network security. The approach utilizes a dedicated minicomputer to check authentication of network users, and, to some extent, to check authorization. The study focuses on use of the Data Encryption Standard to protect network data and recommends procedures for generating, distributing and protecting encryption keys. NBS SPEC PUB 500-20 VALIDATING THE CORRECTNESS OF HARDWARE IMPLEMENTATIONS OF THE NBS DATA ENCRYPTION STANDARD By Jason Gait November 1977 Describes the design and operation of the NBS testbed that is used for the validation of hardware implementations of the Data Encryption Standard (DES). This report provides the full specification of the DES algorithm, a complete listing of the DES test set and a detailed description of the interface to the testbed. SPECIAL PUBLICATIONS (Cont.) NBS SPEC PUB 500-19 AUDIT AND EVALUATION OF COMPUTER SECURITY Edited by Zella Ruthberg and Robert McKenzie October 1977 Reports on the recommendations of audit and computer experts to improve computer security audit procedures. Subjects covered include audit standards, administrative and physical controls, program and data integrity, and audit tools and techniques. NBS SPEC PUB 500-10 A DATA BASE MANAGEMENT APPROACH TO PRIVACY ACT COMPLIANCE By Elizabeth Fong June 1977 Discusses how commercially available data base management systems can be used to implement Privacy Act requirements for the handling of personal data. NBS SPEC PUB 500-9 THE USE OF PASSWORDS FOR CONTROLLED ACCESS TO COMPUTER RESOURCES By Helen Wood May 1977 Describes the need for and uses of passwords. Password schemes are categorized according to selection technique, lifetime, physical characteristics and information content. Password protection and cost considerations are discussed. A glossary and annotated bibliography are included. NBS SPEC PUB 500-2 ACCESSING INDIVIDUAL RECORDS FROM PERSONAL DATA FILES USING NONUNIQUE IDENTIFIERS By Gwendolyn B. Moore, John L. Kuhns, Jeffrey L. Treffzs and Christine A. Montgomery February 1977 Analyzes methodologies for retrieving personal information using nonunique identifiers such as name, address, etc. This study presents statistical data for judging the accuracy and efficiency of various methods. OTHER REPORTS NBSIR 86-3386 WORK PRIORITY SCHEME FOR EDP AUDIT AND COMPUTER SECURITY REVIEW By Zella Ruthberg and Bonnie Fisher August 1986 This publication describes a methodology for prioritizing the work performed EDP auditors and computer security reviewers. Developed at an invitational workshop attended by government and private sector experts, the work plan enables users to evaluate computer systems for both EDP audit and security review functions and to develop a measurement of the risk of the systems. Based on this measure of risk, the auditor can then determine where to spend review time. SUBJECT INDEX Contingency Planning Physical Security FIPS PUB 87 FIPS PUB 31 SPEC PUB 500-85 Power, Grounding, and Life Database Security Safety FIPS PUB 88 FIPS PUB 94 Encryption Privacy FIPS PUB 46 FIPS PUB 41 FIPS PUB 74 SPEC PUB 500-10 FIPS PUB 81 SPEC PUB 500-50 FIPS PUB 113 SPEC PUB 500-20 SPEC PUB 500-27 Risk Management SPEC PUB 500-54 SPEC PUB 500-61 FIPS PUB 31 FIPS PUB 65 Evaluation of Computer Security Software and Operating Systems FIPS PUB 102 SPEC PUB 500-19 SPEC PUB 500- 2 SPEC PUB 500-57 SPEC PUB 500- 24 SPEC PUB 500-109 SPEC PUB 500- 25 SPEC PUB 500-133 SPEC PUB 500- 67 NBSIR 86-3386 SPEC PUB 500- 121 SPEC PUB 500- 134 General Computer Security FIPS PUB 39 User Authenticat- ion FIPS PUB 73 FIPS PUB 112 FIPS PUB 48 SPEC PUB 500-24 FIPS PUB 83 SPEC PUB 500-25 SPEC PUB 500- 9 SPEC PUB 500-33 SPEC PUB 500-120 SPEC PUB 500-137 Network Security SPEC PUB 500-21 SPEC PUB 500-33 SPEC PUB 500-54 PRICE LIST PUBLICATION ORDERING NUMBER PRICE FIPS PUB 31 $11.95 FIPS PUB 39 $ 9.95 FIPS PUB 41 $ 9.95 FIPS PUB 46 $ 9.95 FIPS PUB 48 $ 9.95 FIPS PUB 65 $ 9.95 FIPS PUB 73 $11.95 FIPS PUB 74 $ 9.95 FIPS PUB 81 $ 9.95 FIPS PUB 83 $ 9.95 FIPS PUB 87 $ 9.95 FIPS PUB 88 $11.95 FIPS PUB 94 $16.95 FIPS PUB 102 $11.95 FIPS PUB 112 $11.95 FIPS PUB 113 $ 9.95 SPEC PUB 2 PB 263123 $11.95 SPEC PUB 9 PB 266323 $11.95 SPEC PUB 10 SN 003-003-01787-6 $ 4.50 SPEC PUB 19 PB 272971 $22.95 SPEC PUB 20 PB 113524 $ 9.95 SPEC PUB 21 PB 276772 $11.95 SPEC PUB 24PB 276400 $11.95 SPEC PUB 25PB 275514 $11.95 SPEC PUB 27PB 277695 $16.95 SPEC PUB 33PB 282511 $ 9.95 SPEC PUB 50PB 298299 $34.95 SPEC PUB 54SN 003-003- 02130-0 $ 4.50 SPEC PUB 57SN 003-003- 02178-4 $ 7.00 SPEC PUB 61PB 221211 $ 9.95 SPEC PUB 67SN 003-003- 02258-6 $ 4.25 SPEC PUB 85PB 165226 $ 9.95 SPEC PUB 109 SN 003-003- 02567-4 $ 1.50 SPEC PUB 120 SN 003-003- 02627-1 $ 3.00 SPEC PUB 121 SN 003-003- 02628-0 $ 2.25 SPEC PUB 133 SN 003-003- 02686-7 $ 8.00 SPEC PUB 134 SN 003-003- 02701-4 $ 1.75 SPEC PUB 137 SN 003-003- 02723-5 $ 3.75 NBSIR 86-3386 PB 247897 $11.95 Downloaded From P-80 International Information Systems 304-744-2253