Fred Cohen & Associates

7.5 CRITERIA CONTROL OBJECTIVE FOR ASSURANCE

Copyright(c) Management Analytics, 1995 - All Rights Reserved

The control objective for assurance is: "Systems that are used to process or handle classified or other sensitive information must be designed to guarantee correct and accurate interpretation of the security policy and must not distort the intent of that policy. Assurance must be provided that correct implementation and operation of the policy exists throughout the system's life-cycle."

A basis for this objective can be found in the following sections of DoD Directive 5200.28:

DoD Directive 5200.28 (IV.B.1) stipulates: "Generally, security of an ADP system is most effective and economical if the system is designed originally to provide it. Each Department of Defense Component undertaking design of an ADP system which is expected to process, store, use, or produce classified material shall: From the beginning of the design process, consider the security policies, concepts, and measures prescribed in this Directive." [Denning75]
DoD Directive 5200.28 (IV.C.5.a) states: "Provision may be made to permit adjustment of ADP system area controls to the level of protection required for the classification category and type(s) of material actually being handled by the system, provided change procedures are developed and implemented which will prevent both the unauthorized access to classified material handled by the system and the unauthorized manipulation of the system and its components. Particular attention shall be given to the continuous protection of automated system security measures, techniques and procedures when the personnel security clearance level of users having access to the system changes." [Denning75]
DoD Directive 5200.28 (VI.A.2) states: "Environmental Control. The ADP System shall be externally protected to minimize the likelihood of unauthorized access to system entry points, access to classified information in the system, or damage to the system." [Denning75]

DoD Manual 5200.28-M (Section I 1-102b) states: "Component's Designated Approving Authorities, or their designees for this purpose . . . will assure: . . . . . . . . . . . . . . . . .

(5) Supervision, monitoring, and testing, as appropriate, of changes in an approved ADP System which could affect the security features of the system, so that a secure system is maintained. . . . . . . . . . . . . . . . . .
(7) Proper disposition and correction of security deficiencies in all approved ADP Systems, and the effective use and disposition of system housekeeping or audit records, records of security violations or security-related system malfunctions, and records of tests of the security features of an ADP System.
(8) Conduct of competent system ST&E, timely review of system ST&E reports, and correction of deficiencies needed to support conditional or final approval or disapproval of an ADP System for the processing of classified information.
(9) Establishment, where appropriate, of a central ST&E coordination point for the maintenance of records of selected techniques, procedures, standards, and tests used in the testing and evaluation of security features of ADP Systems which may be suitable for validation and use by other Department of Defense Components." [DoD-5000.29]

DoD Manual 5220.22-M (Section XIII 103a) requires: "the initial approval, in writing, of the cognizant security office prior to processing any classified information in an ADP system. This section requires reapproval by the cognizant security office for major system modifications made subsequent to initial approval. Reapprovals will be required because of (i) major changes in personnel access requirements, (ii) relocation or structural modification of the central computer facility, (iii) additions, deletions or changes to main frame, storage or input/output devices, (iv) system software changes impacting security protection features, (v) any change in clearance, declassification, audit trail or hardware/software maintenance procedures, and (vi) other system changes as determined by the cognizant security office." [DoD-5200.28]

A major component of assurance, life-cycle assurance, as described in DoD Directive 7920.l, is concerned with testing ADP systems both in the development phase as well as during operation (17). DoD Directive 5215.1 (Section F.2.C.(2)) requires "evaluations of selected industry and government-developed trusted computer systems against these criteria." [DoD-5200.1-R]