10.12 Software Security

10.12 Software Security

Copyright(c), 1995 - Management Analytics - All Rights Reserved

Prior to placing a sensitive application into operation, DOC operating units will verify that the required user functions are being performed completely and correctly, and that the specified administrative, technical and physical safeguards are operationally adequate and fully satisfy the applicable federal policies, regulations and standards relating to the protection of the information.

Application Software

An application which processes sensitive data, or requires protection because of the risk and magnitude of loss or harm that could result from improper operation, manipulation or disclosure must be provided protection appropriate to its sensitivity. The following will be considered as the minimum controls to be applied to sensitive applications, with additional controls or safeguards to be imposed if appropriate:

Operating System Software

The operating system software employed to process data by multiple users, including local area networks, should control user access to resources and capabilities which are required and have been authorized. It should also have the capability to identify, journal, report and assign accountability for the functions performed or attempted by a user, and to deny user access to capabilities or resources which have not been authorized. Since the operating system has the capability to perform certain functions which are forbidden to users, it should allow the user to have access to the authorized resources only, and nothing more. As a minimum, the operating system:

Other General Purpose Software

Other general purpose or utility software may be executed by both users and the operating system. Many of these perform routine, but important functions for the users. Others have the capability to by-pass controls, access databases without approval, duplicate files, change or reveal passwords and similar actions which, if used improperly, can compromise the protection of system resources. These latter programs and utilities should be safeguarded by:

10.12.1 Copyrighted Software

Title 17, United States Code, Section 106 gives copyright owners exclusive rights to reproduce and distribute their material, and Section 504 states that copyright infringers can be held liable for damages to the copyright owner. Title 18, United States Code provides felony penalties for software copyright infringement.

It is the responsibility of each DOC employee and supervisor to protect the government's interests as they perform their duties. This includes responsibility for assuring that commercial software, acquired by the government, is used only in accordance with licensing agreements. Likewise, it is also their responsibility to assure that any proprietary software is properly licensed before being installed on DOC equipment. This policy does not apply to software developed by or for a federal agency and no restrictions apply to its use or distribution within the federal government.

Supervisors will ensure that the following requirements are made known to all employees and will be held accountable for conducting periodic audits to ensure that these policies are being followed:

All organizations must acquire special purpose software to inventory and document all software on all PCs belonging to the organization. This special purpose software may be a commercial product or the organization may acquire free software produced by the Software Publishers Association for this purpose from their operating unit ITSO.

Individual employees should be discouraged from installing their personally owned software on government equipment. If it is in the best interest of the DOC organization to allow personally owned software, authorization must be granted in writing by the immediate supervisor, showing the justification. Prior to authorization, the employee must provide the software license and give assurance that copyright infringement will not occur from installation on government equipment. Employees not following these procedures shall be held personally liable for any violations of the copyright laws and subject to the penalties contained in Title 17 and Title 18 of the United States Code.