Fred Cohen & Associates

10.12 Software Security

Copyright(c), 1995 - Management Analytics - All Rights Reserved

Prior to placing a sensitive application into operation, DOC operating units will verify that the required user functions are being performed completely and correctly, and that the specified administrative, technical and physical safeguards are operationally adequate and fully satisfy the applicable federal policies, regulations and standards relating to the protection of the information.

Application Software

An application which processes sensitive data, or requires protection because of the risk and magnitude of loss or harm that could result from improper operation, manipulation or disclosure must be provided protection appropriate to its sensitivity. The following will be considered as the minimum controls to be applied to sensitive applications, with additional controls or safeguards to be imposed if appropriate:

1. Security requirements will be defined, and security specifications approved by the user prior to acquiring or starting development of applications, or prior to making a substantial change in existing applications;
2. Design reviews will be conducted at periodic intervals during the developmental process to assure that the proposed design will satisfy the functional and security requirements specified by the user;
3. New or substantially modified sensitive applications shall be thoroughly tested prior to implementation to verify that the user functions and the required administrative, technical and physical safeguards are present and are operationally adequate. This is normally accomplished as part of the certification process described in Section 10.3 of this document and Section 3 of the "DOC IT Security Manual";
4. Live sensitive data or files will not be used to test applications software until software integrity has been reasonably assured by testing with non-sensitive data or files;
5. Sensitive application software will not be placed in a production status until the system tests have been successfully completed and the application has been properly certified and accredited. Accreditation requirements are described in Section 10.4 of this document and Section 4 of the "DOC IT Security Manual";
6. Current copies of critical application software, documentation, data bases and other resources required for its operation, will be maintained at a secure off- site location to be readily available for use following an emergency;
7. Sensitive applications will be re-tested and recertified every three years or following major changes; and
8. Sensitive software documentation should be provided the same degree of protection as that provided for the software.

Operating System Software

The operating system software employed to process data by multiple users, including local area networks, should control user access to resources and capabilities which are required and have been authorized. It should also have the capability to identify, journal, report and assign accountability for the functions performed or attempted by a user, and to deny user access to capabilities or resources which have not been authorized. Since the operating system has the capability to perform certain functions which are forbidden to users, it should allow the user to have access to the authorized resources only, and nothing more. As a minimum, the operating system:

1. Should control all transfers between memory and on-line storage devices, between a central computer and remote devices and between on-line storage devices;
2. Should control all operations associated with allocating IT system resources (e.g. memory, peripheral devices, etc.), memory protection, system interrupts and changes between the privileged and non-privileged states;
3. Should control programs or utilities which may be used to maintain and/or modify the operating system, access control systems, sensitive databases and other software modules which could effect or compromise the integrity of the general purpose software or sensitive applications;
4. Should prevent a user program from executing privileged instructions;
5. Should isolate the programs and data areas of one user from those of other users and the operating system software;
6. Should assure error detection, when accessing memory, memory bounds, parity, and hardware register checking;

7. Should cause the following screen warning message to be displayed before the log on message, if the system is capable of being accessed by communication connection:

     **WARNING**WARNING**WARNING**WARNING**WARNING**
     YOU HAVE ACCESSED A UNITED STATES GOVERNMENT COMPUTER. 
     USE OF THIS COMPUTER WITHOUT AUTHORIZATION OR FOR
     PURPOSES FOR WHICH AUTHORIZATION HAS NOT BEEN EXTENDED
     IS A VIOLATION OF FEDERAL LAW AND CAN BE PUNISHED WITH
     FINES OR IMPRISONMENT (PUBLIC LAW 99-474).  REPORT
     SUSPECTED VIOLATIONS TO THE SYSTEM SECURITY OFFICER.
     **WARNING**WARNING**WARNING**WARNING**WARNING**

If equipment or software, capable of monitoring keystrokes, is used on the system for any reason, the warning screen must be modified to read as follows:

     **WARNING**WARNING**WARNING**WARNING**WARNING**
     THIS SYSTEM IS FOR THE USE OF AUTHORIZED USERS ONLY.
     INDIVIDUALS USING THIS COMPUTER SYSTEM WITHOUT
     AUTHORITY, OR IN EXCESS OF THEIR AUTHORITY, ARE SUBJECT
     TO HAVING ALL OF THEIR ACTIVITIES ON THIS SYSTEM
     MONITORED AND RECORDED BY SYSTEM PERSONNEL. IN THE
     COURSE OF MONITORING INDIVIDUALS IMPROPERLY USING THIS
     SYSTEM, OR IN THE COURSE OF SYSTEM MAINTENANCE, THE
     ACTIVITIES OF AUTHORIZED USERS MAY ALSO BE MONITORED.
     ANYONE USING THIS SYSTEM EXPRESSLY CONSENTS TO SUCH
     MONITORING AND IS ADVISED THAT IF SUCH MONITORING
     REVEALS POSSIBLE EVIDENCE OF CRIMINAL ACTIVITY, SYSTEM
     PERSONNEL MAY PROVIDE THE EVIDENCE OF SUCH MONITORING
     TO LAW ENFORCEMENT OFFICIALS.  REPORT SUSPECTED
     VIOLATIONS TO THE SYSTEM SECURITY OFFICER.
     **WARNING**WARNING**WARNING**WARNING**WARNING**

The user should then be prompted for a specific response to continue or exit the system;

8. Should be maintained by the minimum number of authorized persons; and
9. Should be copied after each modification with the copy to be immediately stored at a secure off-site location for emergency use.

Other General Purpose Software

Other general purpose or utility software may be executed by both users and the operating system. Many of these perform routine, but important functions for the users. Others have the capability to by-pass controls, access databases without approval, duplicate files, change or reveal passwords and similar actions which, if used improperly, can compromise the protection of system resources. These latter programs and utilities should be safeguarded by:

1. Password protecting those which are only required by, or should be reserved for, the exclusive use of system programmers;
2. Password protecting and restricting access to utilities required to maintain security files;
3. Limiting the utility instructions to operators and others not having need for these capabilities;
4. Limiting user privileges for utility and general purpose programs to "execute only" (except for systems programmers who need additional privileges);
5. Maintaining a current copy of utilities, general purpose programs and documentation at a properly secured off-site location for emergency use; and
6. Protecting proprietary software in accordance with the terms and conditions of the contract or license.

10.12.1 Copyrighted Software

Title 17, United States Code, Section 106 gives copyright owners exclusive rights to reproduce and distribute their material, and Section 504 states that copyright infringers can be held liable for damages to the copyright owner. Title 18, United States Code provides felony penalties for software copyright infringement.

It is the responsibility of each DOC employee and supervisor to protect the government's interests as they perform their duties. This includes responsibility for assuring that commercial software, acquired by the government, is used only in accordance with licensing agreements. Likewise, it is also their responsibility to assure that any proprietary software is properly licensed before being installed on DOC equipment. This policy does not apply to software developed by or for a federal agency and no restrictions apply to its use or distribution within the federal government.

Supervisors will ensure that the following requirements are made known to all employees and will be held accountable for conducting periodic audits to ensure that these policies are being followed:

1. Install only commercial software, including shareware, that has been purchased through the government procurement process on DOC systems;
2. Follow all provisions of the license agreements issued with the software and register organizational ownership;
3. Do not make any illegal copies of copyrighted software. Normally the license will allow a single copy to be made for archival purposes. If the license is for multiple users, do not exceed the authorized number of copies;
4. At least annually, an inventory of all software on each individual PC will be audited against the organization's license agreement records to ensure that no illegal copies of commercial software are installed on any equipment.
5. Maintain written records of software installed on each machine and ensure that a license or other proof of ownership is on file for each piece of software;
6. Store licenses, software manuals and procurement documentation in a secure location (i.e., closed file cabinet, etc.);
7. When upgrades to software are purchased, the old version should be disposed of in accordance with the licensing agreement to avoid a potential violation. Upgraded software is considered a continuation of the original license, not an additional license;
8. Some government owned software licenses do allow employees to take copies home for use on their personally owned computers under specific circumstances (e.g., for government work but not personal business). Unless the license specifically states that employees may take copies of software home for installation on home computers, doing so is a violation of the copyright law and the individual will be liable.
9. All illegal copies of software will be deleted immediately.

All organizations must acquire special purpose software to inventory and document all software on all PCs belonging to the organization. This special purpose software may be a commercial product or the organization may acquire free software produced by the Software Publishers Association for this purpose from their operating unit ITSO.

Individual employees should be discouraged from installing their personally owned software on government equipment. If it is in the best interest of the DOC organization to allow personally owned software, authorization must be granted in writing by the immediate supervisor, showing the justification. Prior to authorization, the employee must provide the software license and give assurance that copyright infringement will not occur from installation on government equipment. Employees not following these procedures shall be held personally liable for any violations of the copyright laws and subject to the penalties contained in Title 17 and Title 18 of the United States Code.