10.12 Software Security
Copyright(c), 1995 - Management Analytics - All Rights Reserved
Prior to placing a sensitive application into operation, DOC
operating units will verify that the required user functions are being
performed completely and correctly, and that the specified
administrative, technical and physical safeguards are operationally
adequate and fully satisfy the applicable federal policies, regulations
and standards relating to the protection of the information.
Application Software
An application which processes sensitive data, or requires
protection because of the risk and magnitude of loss or harm that could
result from improper operation, manipulation or disclosure must be
provided protection appropriate to its sensitivity. The following will
be considered as the minimum controls to be applied to sensitive
applications, with additional controls or safeguards to be imposed if
appropriate:
- 1. Security requirements will be defined, and security
specifications approved by the user prior to acquiring
or starting development of applications, or prior to
making a substantial change in existing applications;
- 2. Design reviews will be conducted at periodic intervals
during the developmental process to assure that the
proposed design will satisfy the functional and
security requirements specified by the user;
- 3. New or substantially modified sensitive applications
shall be thoroughly tested prior to implementation to
verify that the user functions and the required
administrative, technical and physical safeguards are
present and are operationally adequate. This is
normally accomplished as part of the certification
process described in Section 10.3 of this document and
Section 3 of the "DOC IT Security Manual";
- 4. Live sensitive data or files will not be used to test
applications software until software integrity has been
reasonably assured by testing with non-sensitive data
or files;
- 5. Sensitive application software will not be placed in a
production status until the system tests have been
successfully completed and the application has been
properly certified and accredited. Accreditation
requirements are described in Section 10.4 of this
document and Section 4 of the "DOC IT Security Manual";
- 6. Current copies of critical application software,
documentation, databases and other resources required
for its operation, will be maintained at a secure off-
site location to be readily available for use following
an emergency;
- 7. Sensitive applications will be re-tested and
recertified every three years or following major
changes; and
- 8. Sensitive software documentation should be provided the
same degree of protection as that provided for the
software.
Operating System Software
The operating system software employed to process data by multiple
users, including local area networks, should control user access to
resources and capabilities which are required and have been authorized.
It should also have the capability to identify, journal, report and
assign accountability for the functions performed or attempted by a
user, and to deny user access to capabilities or resources which have
not been authorized. Since the operating system has the capability to
perform certain functions which are forbidden to users, it should allow
the user to have access to the authorized resources only, and nothing
more. As a minimum, the operating system:
- 1. Should control all transfers between memory and on-line
storage devices, between a central computer and remote
devices and between on-line storage devices;
- 2. Should control all operations associated with
allocating IT system resources (e.g. memory, peripheral
devices, etc.), memory protection, system interrupts
and changes between the privileged and non-privileged
states;
- 3. Should control programs or utilities which may be used
to maintain and/or modify the operating system, access
control systems, sensitive databases and other software
modules which could affect or compromise the integrity
of the general purpose software or sensitive
applications;
- 4. Should prevent a user program from executing privileged
instructions;
- 5. Should isolate the programs and data areas of one user
from those of other users and the operating system
software;
- 6. Should provide error detection for memory access,
including memory bounds, parity and hardware register checking;
- 7. Should cause the following screen warning message to be
displayed before the log on message, if the system is
capable of being accessed by communication connection:
**WARNING**WARNING**WARNING**WARNING**WARNING**
YOU HAVE ACCESSED A UNITED STATES GOVERNMENT COMPUTER.
USE OF THIS COMPUTER WITHOUT AUTHORIZATION OR FOR
PURPOSES FOR WHICH AUTHORIZATION HAS NOT BEEN EXTENDED
IS A VIOLATION OF FEDERAL LAW AND CAN BE PUNISHED WITH
FINES OR IMPRISONMENT (PUBLIC LAW 99-474). REPORT
SUSPECTED VIOLATIONS TO THE SYSTEM SECURITY OFFICER.
**WARNING**WARNING**WARNING**WARNING**WARNING**
If equipment or software capable of monitoring
keystrokes is used on the system for any reason, the
warning screen must be modified to read as follows:
**WARNING**WARNING**WARNING**WARNING**WARNING**
THIS SYSTEM IS FOR THE USE OF AUTHORIZED USERS ONLY.
INDIVIDUALS USING THIS COMPUTER SYSTEM WITHOUT
AUTHORITY, OR IN EXCESS OF THEIR AUTHORITY, ARE SUBJECT
TO HAVING ALL OF THEIR ACTIVITIES ON THIS SYSTEM
MONITORED AND RECORDED BY SYSTEM PERSONNEL. IN THE
COURSE OF MONITORING INDIVIDUALS IMPROPERLY USING THIS
SYSTEM, OR IN THE COURSE OF SYSTEM MAINTENANCE, THE
ACTIVITIES OF AUTHORIZED USERS MAY ALSO BE MONITORED.
ANYONE USING THIS SYSTEM EXPRESSLY CONSENTS TO SUCH
MONITORING AND IS ADVISED THAT IF SUCH MONITORING
REVEALS POSSIBLE EVIDENCE OF CRIMINAL ACTIVITY, SYSTEM
PERSONNEL MAY PROVIDE THE EVIDENCE OF SUCH MONITORING
TO LAW ENFORCEMENT OFFICIALS. REPORT SUSPECTED
VIOLATIONS TO THE SYSTEM SECURITY OFFICER.
**WARNING**WARNING**WARNING**WARNING**WARNING**
The user should then be prompted for a specific
response to continue or exit the system;
- 8. Should be maintained by the minimum number of
authorized persons; and
- 9. Should be copied after each modification with the copy
to be immediately stored at a secure off-site location
for emergency use.
Other General Purpose Software
Other general purpose or utility software may be executed by both
users and the operating system. Many of these perform routine, but
important functions for the users. Others have the capability to
by-pass controls, access databases without approval, duplicate files,
change or reveal passwords and similar actions which, if used
improperly, can compromise the protection of system resources. These
latter programs and utilities should be safeguarded by:
- 1. Password protecting those which are only required by,
or should be reserved for, the exclusive use of system
programmers;
- 2. Password protecting and restricting access to utilities
required to maintain security files;
- 3. Withholding utility instructions (documentation) from
operators and others having no need for these capabilities;
- 4. Limiting user privileges for utility and general
purpose programs to "execute only" (except for systems
programmers who need additional privileges);
- 5. Maintaining a current copy of utilities, general
purpose programs and documentation at a properly
secured off-site location for emergency use; and
- 6. Protecting proprietary software in accordance with the
terms and conditions of the contract or license.
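The first four of these controls reduce to file-permission checks on a Unix-style system and can be verified mechanically. The following is an added example, not part of the original DOC manual, that audits a constructed inventory of program files against them: world-writable programs, unexpected set-id bits, restricted utilities reachable beyond the system-programmer group, and general utilities exposing more than execute permission. The group name "sysprog", the two allowlists and every path are assumptions made for the illustration.

```python
"""Added example: audit utility and general-purpose program permissions
against the controls above.  Paths, the 'sysprog' group name and the two
allowlists are assumptions for this illustration; INVENTORY is a
constructed sample rather than the contents of a real host."""
import stat
from dataclasses import dataclass

SYSPROG_GROUP = "sysprog"                      # assumed system-programmer group
# Items 1 and 2: utilities reserved for system programmers or needed to
# maintain security files (assumed paths).
RESTRICTED = {"/usr/sbin/dbpatch", "/usr/sbin/secfile"}
# Programs that legitimately carry set-id bits (assumed allowlist).
SETID_ALLOWLIST = {"/usr/bin/passwd", "/usr/bin/su"}


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int      # st_mode exactly as os.stat() reports it
    owner: str
    group: str


def from_path(path):
    """Build an Entry from a live file (POSIX only; not used by the sample)."""
    import grp, os, pwd
    st = os.stat(path)
    return Entry(path, st.st_mode, pwd.getpwuid(st.st_uid).pw_name,
                 grp.getgrgid(st.st_gid).gr_name)


def audit(entries):
    """Return (path, code) findings; an empty list means every entry complies."""
    findings = []
    for e in entries:
        perm = stat.S_IMODE(e.mode)
        other_bits = perm & 0o007
        group_bits = (perm & 0o070) >> 3

        # A world-writable program can be replaced by any user with a trojan.
        if perm & stat.S_IWOTH:
            findings.append((e.path, "WORLD_WRITABLE"))

        # Set-id bits outside the allowlist let ordinary users run code under
        # another identity, which is the control bypass item 1 warns about.
        if perm & (stat.S_ISUID | stat.S_ISGID) and e.path not in SETID_ALLOWLIST:
            findings.append((e.path, "UNEXPECTED_SETID"))

        if e.path in RESTRICTED:
            # Items 1-2: nothing for 'other', group access only via sysprog.
            if other_bits or (group_bits and e.group != SYSPROG_GROUP):
                findings.append((e.path, "RESTRICTED_TOO_OPEN"))
        else:
            # Item 4: everyone but system programmers gets execute only
            # (mode 0711 passes; 0755 does not, because 'other' can read).
            too_open = other_bits & ~0o1
            if e.group != SYSPROG_GROUP:
                too_open |= group_bits & ~0o1
            if too_open:
                findings.append((e.path, "NOT_EXECUTE_ONLY"))
    return findings


INVENTORY = [  # constructed sample: mode is S_IFREG plus permission bits
    Entry("/usr/bin/report",         0o100711, "root", "bin"),
    Entry("/usr/bin/passwd",         0o104711, "root", "root"),
    Entry("/usr/bin/ls2",            0o100777, "root", "root"),
    Entry("/usr/sbin/dbpatch",       0o100750, "root", "sysprog"),
    Entry("/usr/sbin/secfile",       0o100751, "root", "ops"),
    Entry("/usr/local/bin/fastcopy", 0o104755, "root", "root"),
]

if __name__ == "__main__":
    for path, code in audit(INVENTORY):
        print(f"{code:20} {path}")
```

On the sample, ls2 is flagged twice (world-writable and not execute-only), secfile is flagged because a non-sysprog group and "other" can reach a restricted utility, and fastcopy is flagged for an unlisted setuid bit and for being world-readable. The execute-only rule is applied literally as the manual states it; a site that accepts world-readable binaries would drop the read bit from the test and keep only the write check.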
10.12.1 Copyrighted Software
Title 17, United States Code, Section 106 gives copyright owners
exclusive rights to reproduce and distribute their material, and Section
504 states that copyright infringers can be held liable for damages to
the copyright owner. Title 18, United States Code provides felony
penalties for software copyright infringement.
It is the responsibility of each DOC employee and supervisor to
protect the government's interests as they perform their duties. This
includes responsibility for assuring that commercial software, acquired
by the government, is used only in accordance with licensing agreements.
Likewise, it is also their responsibility to assure that any proprietary
software is properly licensed before being installed on DOC equipment.
This policy does not apply to software developed by or for a federal
agency and no restrictions apply to its use or distribution within the
federal government.
Supervisors will ensure that the following requirements are made
known to all employees and will be held accountable for conducting
periodic audits to ensure that these policies are being followed:
- 1. Install only commercial software, including shareware,
that has been purchased through the government
procurement process on DOC systems;
- 2. Follow all provisions of the license agreements issued
with the software and register organizational
ownership;
- 3. Do not make any illegal copies of copyrighted software.
Normally the license will allow a single copy to be
made for archival purposes. If the license is for
multiple users, do not exceed the authorized number of
copies;
- 4. At least annually, an inventory of all software on each
individual PC will be audited against the
organization's license agreement records to ensure that
no illegal copies of commercial software are installed
on any equipment;
- 5. Maintain written records of software installed on each
machine and ensure that a license or other proof of
ownership is on file for each piece of software;
- 6. Store licenses, software manuals and procurement
documentation in a secure location (e.g., a locked file
cabinet);
- 7. When upgrades to software are purchased, the old
version should be disposed of in accordance with the
licensing agreement to avoid a potential violation.
Upgraded software is considered a continuation of the
original license, not an additional license;
- 8. Some government owned software licenses do allow
employees to take copies home for use on their
personally owned computers under specific circumstances
(e.g., for government work but not personal business).
Unless the license specifically states that employees
may take copies of software home for installation on
home computers, doing so is a violation of the
copyright law and the individual will be liable; and
- 9. All illegal copies of software will be deleted
immediately.
All organizations must acquire special purpose software to inventory
and document all software on all PCs belonging to the organization.
This special purpose software may be a commercial product or the
organization may acquire free software produced by the Software
Publishers Association for this purpose from their operating unit ITSO.
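The audit that items 4, 5 and 7 above call for is a reconciliation of what is installed on each machine against the license records on file. The following is an added example, not code from the DOC manual or from any inventory product, showing that reconciliation on constructed data: it reports products with no license on file, products installed on more machines than the agreement allows, and machines that still carry the superseded version after an upgrade (which, per item 7, continues the original license rather than consuming a second seat). Product names, seat counts, proof references and machine names are invented for the illustration.

```python
"""Added example: reconcile a per-machine software inventory against license
records, the check items 4, 5 and 7 above call for.  Product names, seat
counts, proof references and machine names are constructed for this
illustration, not taken from any real inventory."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    machine: str
    product: str
    version: str


@dataclass(frozen=True)
class License:
    product: str
    seats: int     # copies the agreement allows
    proof: str     # procurement record or other proof of ownership on file


def reconcile(installs, licenses):
    """Return (product, code, detail) findings; an empty list means compliant.

    A machine running two versions of one product counts as a single seat,
    because an upgrade continues the original license (item 7), but the
    retained old version is reported so it can be disposed of.
    """
    on_file = {lic.product: lic for lic in licenses}
    machines = defaultdict(set)                 # product -> machines using it
    versions = defaultdict(set)                 # (machine, product) -> versions
    for i in installs:
        machines[i.product].add(i.machine)
        versions[(i.machine, i.product)].add(i.version)

    findings = []
    for product in sorted(machines):
        in_use = len(machines[product])
        lic = on_file.get(product)
        if lic is None:
            findings.append((product, "NO_LICENSE_ON_FILE", in_use))
        elif in_use > lic.seats:
            findings.append((product, "SEATS_EXCEEDED", in_use - lic.seats))
        for machine in sorted(machines[product]):
            if len(versions[(machine, product)]) > 1:
                findings.append((product, "OLD_VERSION_RETAINED", machine))
    return findings


def machine_records(installs, licenses):
    """Item 5: per-machine record of what is installed and the proof on file
    for it (None where no license record exists)."""
    proof = {lic.product: lic.proof for lic in licenses}
    records = defaultdict(list)
    for i in sorted(installs, key=lambda x: (x.machine, x.product, x.version)):
        records[i.machine].append((i.product, i.version, proof.get(i.product)))
    return dict(records)


INSTALLS = [  # constructed sample
    Install("pc-01", "WordPro", "1.0"),
    Install("pc-01", "WordPro", "2.0"),
    Install("pc-02", "WordPro", "2.0"),
    Install("pc-03", "WordPro", "2.0"),
    Install("pc-02", "SheetCalc", "3.1"),
    Install("pc-03", "SheetCalc", "3.1"),
    Install("pc-03", "ZipIt", "9"),
]
LICENSES = [  # constructed sample
    License("WordPro", seats=2, proof="PO-1001"),
    License("SheetCalc", seats=5, proof="PO-1002"),
]

if __name__ == "__main__":
    for product, code, detail in reconcile(INSTALLS, LICENSES):
        print(f"{product:10} {code:22} {detail}")
    for machine, rows in machine_records(INSTALLS, LICENSES).items():
        print(machine, rows)
```

On the sample, WordPro is on three machines against two licensed seats, pc-01 still has WordPro 1.0 beside 2.0, and ZipIt has no license record at all; SheetCalc is within its seat count and produces nothing. Feeding the function from a real collector (the inventory tool the paragraph describes, or a package-manager listing) only changes how the Install list is built.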
Individual employees should be discouraged from installing their
personally owned software on government equipment. If it is in the best
interest of the DOC organization to allow personally owned software,
authorization must be granted in writing by the immediate supervisor,
showing the justification. Prior to authorization, the employee must
provide the software license and give assurance that copyright
infringement will not occur from installation on government equipment.
Employees not following these procedures shall be held personally liable
for any violations of the copyright laws and subject to the penalties
contained in Title 17 and Title 18 of the United States Code.