7.5 CRITERIA CONTROL OBJECTIVE FOR ASSURANCE
Copyright(c) Management Analytics, 1995 - All Rights Reserved
The control objective for assurance is: "Systems that are used to
process or handle classified or other sensitive information must be
designed to guarantee correct and accurate interpretation of the
security policy and must not distort the intent of that policy.
Assurance must be provided that correct implementation and operation of
the policy exists throughout the system's life-cycle."
A basis for this objective can be found in the following sections of
DoD Directive 5200.28:
- DoD Directive 5200.28 (IV.B.1) stipulates: "Generally, security of
an ADP system is most effective and economical if the system is designed
originally to provide it. Each Department of Defense Component
undertaking design of an ADP system which is expected to process, store,
use, or produce classified material shall: From the beginning of the
design process, consider the security policies, concepts, and measures
prescribed in this Directive." [Denning75]
- DoD Directive 5200.28 (IV.C.5.a) states: "Provision may be made to
permit adjustment of ADP system area controls to the level of protection
required for the classification category and type(s) of material
actually being handled by the system, provided change procedures are
developed and implemented which will prevent both the unauthorized
access to classified material handled by the system and the unauthorized
manipulation of the system and its components. Particular attention
shall be given to the continuous protection of automated system security
measures, techniques and procedures when the personnel security
clearance level of users having access to the system changes." [Denning75]
- DoD Directive 5200.28 (VI.A.2) states: "Environmental Control. The
ADP System shall be externally protected to minimize the likelihood of
unauthorized access to system entry points, access to classified
information in the system, or damage to the system." [Denning75]
DoD Manual 5200.28-M (Section I 1-102b) states:
"Component's Designated Approving Authorities, or their designees
for this purpose . . . will assure:
. . . . . . . . . . . . . . . . .
- (5) Supervision, monitoring, and testing, as appropriate, of
changes in an approved ADP System which could affect the
security features of the system, so that a secure system is
maintained.
. . . . . . . . . . . . . . . . .
- (7) Proper disposition and correction of security
deficiencies in all approved ADP Systems, and the effective
use and disposition of system housekeeping or audit records,
records of security violations or security-related system
malfunctions, and records of tests of the security features
of an ADP System.
- (8) Conduct of competent system ST&E, timely review of
system ST&E reports, and correction of deficiencies needed
to support conditional or final approval or disapproval of
an ADP System for the processing of classified information.
- (9) Establishment, where appropriate, of a central ST&E
coordination point for the maintenance of records of
selected techniques, procedures, standards, and tests used
in the testing and evaluation of security features of ADP
Systems which may be suitable for validation and use by
other Department of Defense Components." [DoD-5000.29]
DoD Manual 5220.22-M (Section XIII 103a) requires: "the initial
approval, in writing, of the cognizant security office prior to
processing any classified information in an ADP system. This section
requires reapproval by the cognizant security office for major system
modifications made subsequent to initial approval. Reapprovals will be
required because of (i) major changes in personnel access requirements,
(ii) relocation or structural modification of the central computer
facility, (iii) additions, deletions or changes to main frame, storage
or input/output devices, (iv) system software changes impacting security
protection features, (v) any change in clearance, declassification,
audit trail or hardware/software maintenance procedures, and (vi) other
system changes as determined by the cognizant security office." [DoD-5200.28]
A major component of assurance, life-cycle assurance, as described
in DoD Directive 7920.1, is concerned with testing ADP systems both in
the development phase and during operation (17). DoD Directive
5215.1 (Section F.2.C.(2)) requires "evaluations of selected industry
and government-developed trusted computer systems against these
criteria." [DoD-5200.1-R]