A GUIDELINE ON OFFICE AUTOMATION SECURITY
5 DECEMBER 1986
Office Automation Systems (OA systems) are small, microprocessor-based Automated Information Systems that are used for such functions as typing, filing, calculating, sending and receiving electronic mail, and other data processing tasks. They are becoming commonly used by managers, technical employees, and clerical employees to increase efficiency and productivity. Examples of OA systems include personal computers, word processors, and file servers.
This guideline provides security guidance to users of OA systems, to the ADP System Security Officers responsible for their operational security, and to others who are responsible for the security of an OA system or its magnetic storage media at some point during its life-cycle.
This guideline explains how OA system security issues differ from those associated with mainframe computers. It discusses some of the threats and vulnerabilities of OA systems, and some of the security controls that can be used. It also discusses some of the environmental considerations necessary for the safe, secure operation of an OA system.
This guideline suggests some security responsibilities of OA system users, and of ADP System Security Officers. Also described are some of the security responsibilities of the organization that owns or leases the OA system.
In addition, guidance is given to the procurement officer who must purchase OA systems or components, and guidance is also provided to the officer who is responsible for securely disposing of OA systems, components, or the associated magnetic media.
This document is issued as a National Telecommunications and Information Systems Security Advisory Memorandum, and is therefore intended as guidance only. Nothing in this guideline should be construed as encouraging or permitting the circumvention of existing Federal Government or organizational policies.
In recent years, there has been a tremendous increase in the number of Federal Government personnel using Automated Information Systems (AIS) to help with their jobs. In a large number of cases, the AIS involved are small, microprocessor-based systems referred to as "Office Automation Systems," or "OA Systems," for short. These OA Systems can increase the efficiency and productivity of those whose jobs include such functions as typing, filing, calculating, and sending and receiving electronic mail. In addition, these systems can be used by technical and other personnel to perform functions such as computing and data processing.
When used wisely, OA Systems can be a boon to the office worker and the engineer alike, helping to get more work done in less time. Not using them in a secure manner, however, can result in the compromise, improper modification, or destruction of classified or sensitive, but unclassified, information (as defined in NTISSP No. 2). It is therefore necessary that OA System users be made aware of: (1) procedures and practices which will aid in the secure usage of these systems, and (2) the consequences of not employing security measures. The objective of this guideline is to address these two issues in the context of protecting classified or sensitive, but unclassified, information.
1.1 Purpose and Scope
This document provides guidance to users, managers, security officers, and procurement officers of Office Automation Systems. Areas addressed include: physical security, personnel security, procedural security, hardware/software security, emanations security (TEMPEST), and communications security for stand-alone OA Systems, OA Systems used as terminals connected to mainframe computer systems, and OA Systems used as hosts in a Local Area Network (LAN). Differentiation is made between those Office Automation Systems equipped with removable storage media only (e.g., floppy disks, cassette tapes, removable hard disks) and those Office Automation Systems equipped with fixed media (e.g., Winchester disks).
This guideline is divided into four parts, which are further subdivided into a total of ten chapters. Part I is the introductory part of this guideline. Chapter 1 gives an introduction, while Chapter 2 discusses the Office Automation security problem and why it is different from security problems involving larger Automated Information Systems.
Part II provides guidance to the users of OA Systems. Chapter 3 details some security responsibilities of all OA System users. Chapter 4 provides guidance to users of stand-alone OA Systems, while Chapter 5 provides guidance to users of connected OA Systems.
Part III provides guidance to those ADP System Security Officers (ADPSSO) who are responsible for the security of OA systems. (Note: throughout this document, the term "security officer" will be used to mean ADPSSO.) Chapter 6 describes some of the responsibilities of security officers. Chapter 7 details some of the threats, vulnerabilities and security controls associated with Office Automation Systems.
Part IV provides guidance to others associated with OA Systems. Chapter 8 is a discussion of some of the security responsibilities incumbent upon the organization that owns an OA System. Chapter 9 provides guidance to procurement officers about addressing security during the procurement phase of the OA System life-cycle. Chapter 10 provides guidance concerning the disposal of Office Automation Systems and/or their components.
There is an Appendix that discusses security markings for the OA System and media used in it, a List of Acronyms that gives expansions for acronyms used in this guideline, and a Glossary that defines terms used in this document.
2.0 THE OFFICE AUTOMATION SECURITY PROBLEM
There are three major points to remember about Office Automation Systems when considering the security of these systems throughout their life-cycle. These three points are discussed in turn in the sections that follow.
2.1 Protecting Information From Unauthorized Personnel
United States Government policy requires that classified information not be given to an individual unless he or she has the required clearance and needs the information for the performance of the job [6,20]. For sensitive, but unclassified, information, no clearance is required; therefore, all access is based solely on need-to-know. These policies must be enforced for information contained within OA Systems as well as for all other information. Therefore, information contained in OA Systems must be protected from compromise, unauthorized modification, and destruction.
Most current Office Automation Systems processing classified or sensitive, but unclassified, information do not provide sufficient hardware/software security controls to prevent a user from accessing information stored anywhere in the system. Simply put, most current OA Systems are based on microprocessors that do not support multiple hardware states. In almost all cases, multiple hardware states are necessary to identify users, limit their actions, or keep them from accessing information for which they are not authorized. (See Section 7.5 of this document for a detailed discussion of this problem.)
In fact, at the time of this writing, no Office Automation Systems have been certified as meeting even the class C1 requirements listed in the Department of Defense Trusted Computer System Evaluation Criteria (hereafter known as the TCSEC).
Because of the lack of adequate hardware/software security, proper physical, procedural, and personnel access controls must be used to prevent personnel from accessing the system while it contains any information (either in memory or on resident media) for which they are not authorized.
2.2 Sensitivity Levels of Magnetic Media
All information contained on a volume of magnetic storage media should be considered to have the same sensitivity level. This sensitivity level should be at least as restrictive as the highest sensitivity level of any information contained on the media.
The reason for this requirement is simple: under ordinary circumstances, a user of an OA System has no way of knowing exactly what is written where on a volume of media. Files are not necessarily written in one contiguous area of the disk; the more a disk is used, the more fragmented the files become, and the greater the probability of a cross-link, an error in writing to the disk that results in parts of different files being combined without the user's knowledge. In order to guard against compromise of information due to a cross-link, all information on the disk is considered to have the same sensitivity.
It is also likely that classified or sensitive, but unclassified, information that has been "deleted" from the system is still resident on the media, unless it has been completely written over in an approved manner. (See Reference 4 for guidance on overwriting media.) Therefore, the media and all information on the media should be regarded as having a single sensitivity level.
It is certainly permissible to have some information on a volume of magnetic media that is actually less sensitive than the sensitivity level of the volume; however, due to the fact that it is impossible for the average user of an OA System to tell exactly what is written where, security dictates that this information be treated as having the higher sensitivity level.
If a file that is believed to be nonsensitive is stored on a sensitive disk, it is permissible to have a copy of that file printed, manually reviewed, and determined to be nonsensitive. This paper copy can then be treated as nonsensitive; however, the disk itself should still be considered to be sensitive. This applies to classified information as much as it does to sensitive, but unclassified, information.
2.3 OA Systems With Fixed Media vs. OA Systems With Removable Media
"Removable media" are any magnetic storage media that are meant to be frequently and easily removed from the OA System by a user. Examples of removable media include floppy disks, cassette tapes, and removable hard disks.
"Fixed media" are any magnetic storage media that are not meant to be removed from the system by a user. Examples of fixed media include fixed disks and nonvolatile memory expansion boards.
An OA System with removable-media-only is one which meets both of the following criteria: (1) the system does not currently use fixed media (e.g., Winchester disks) to store or process information; and (2) other than removable media such as floppy disks or cassette tapes, the OA System must have only volatile memory. (In determining whether or not the OA System contains fixed media, any read-only memory (ROM) the system contains can be ignored.) If either condition is not met, the system should be regarded as containing fixed media.
The sensitivity level of an OA System with removable-media-only can be easily changed, because all classified and sensitive, but unclassified, information can be removed from the system after each use. This is not true of an OA System with fixed media: the sensitivity level of the system cannot be lowered without a great deal of effort, because it is virtually impossible to remove all classified and sensitive, but unclassified, information from the system. Therefore, if it is desired that the OA System be used to process information of several different sensitivity levels, or that it be used by personnel with different levels of clearances, an OA System with removable-media-only should be used. (See Sections 4.1.2.2 and 4.2.2.2 of this guideline for guidance on changing the sensitivity levels of OA Systems.)
GUIDANCE FOR THE OFFICE AUTOMATION SYSTEM USER
3.0 RESPONSIBILITIES OF OA SYSTEM USERS
One of the most common problems in Information Security is determining exactly who is responsible for what. This is a particularly important issue when Office Automation Systems are involved, since there is much less opportunity for oversight of "average users" by "professional security people." Therefore, it is incumbent upon each person to do his or her part to prevent the compromise of information.
The "average user" of an Office Automation System is the most important person in maintaining OA System security. If security is to be maintained, the user must develop a "security mindset". In view of this, the following general responsibilities of all OA System users are described. It should be remembered that responsibilities discussed in this section apply equally to each user of an OA System, regardless of whether or not that person has been formally designated as the security officer for that OA System.
can be compromised or damaged.
4.0 OPERATIONAL SECURITY FOR STAND-ALONE OFFICE AUTOMATION SYSTEMS
4.1 OA Systems With Removable-Media-Only
4.1.1 Physical Access to Systems and Media
Physical access to the OA System at any given time should be limited to those with clearance and need-to-know for all information then contained in the system. It may be necessary to keep the OA System in a separate room or part of a room to keep unauthorized personnel from being able to read information displayed on the screen or on a printer. If the OA System is not in a protected area, special care should be taken to ensure that unauthorized personnel cannot gain access to sensitive, but unclassified, or classified information.
Example: Kelly, who is in charge of office personnel affairs, must process the quarterly promotion list, which contains personnel information that must be protected under the Privacy Act of 1974. The OA System on which he must work, however, is located in the middle of the office, where several people who are not authorized to see the information can see what he is doing. Kelly should therefore take care to ensure that none of his co-workers can see the information he is processing. One way he might do this is to use partitions to surround the OA System and block the view of other employees. A second way is to position the CRT screen and printer in such a way that no one else in the office can see them, and then to ensure that no one is watching what he is doing. A third way is to make sure that the room is empty before doing his work.
It is important to emphasize that these rules also apply for personnel performing maintenance on the OA System. Maintenance, regardless of whether preventive or corrective, should only be done by authorized persons. Maintenance personnel should not be allowed physical access to the OA System until all classified and sensitive, but unclassified, information for which they do not have a clearance and need-to-know has been removed.
4.1.2 Using the Stand-Alone OA System With Removable Media
4.1.2.1 Normal Operation
The following procedures should be followed at all times during normal operation of the OA System:
(3) Electronic labels attached by the OA System to information on magnetic storage media should not be trusted to be accurate unless the OA System has been evaluated by the National Computer Security Center and has been found to be a B1 or higher trusted system. While it is a good practice to indicate the apparent sensitivity of information by an electronic label of some sort (e.g., by a character string in the file name or directory name, or by the value of the first byte in the file), these labels should not be trusted to be accurate. Therefore, all data on the media should be treated as being at a single sensitivity level: that which is indicated by the physical label attached to the media.
Example: Suppose that Terry has a file that she believes to contain only Unclassified information, but that is stored on a TOP SECRET floppy disk. Terry therefore copies the file to an Unclassified disk. The previously Unclassified disk should then become TOP SECRET. The reason for this is that there is no way for a user to determine exactly what has been written onto the disk; there is a chance that an error caused TOP SECRET information to be written onto the disk.
Furthermore, software should not be used unless it has been thoroughly tested by someone trustworthy (such as the organizational software distribution office, or the ADPSSO) for errors and malicious logic before it is exposed to operational information. (This is especially true for software obtained from the public domain.)
4.1.2.2 Changing the Sensitivity Level of Information the OA System is Processing
OA Systems using removable-media-only contain no fixed media, and therefore can be used to process information of different sensitivity levels. In some instances it may be more cost effective to simply process all information as being at the system high level, and then manually review all output for the proper sensitivity. However, if this is impractical, then the sensitivity level of the OA System may be changed. When a change in the sensitivity level is desired, the following steps should be taken:
4.1.2.3 Preparing Downgraded Extracts
In some instances, it may be necessary to copy some information from a volume of media at one sensitivity level to another volume that is at a lower sensitivity level (e.g., copy a file from a SECRET disk to an Unclassified disk). This is an extremely dangerous practice, and should only be done following the procedures that have been set by the security officer. Users should contact their system's security officer for specific guidance on preparing downgraded extracts of classified or sensitive, but unclassified, information.
4.1.2.4 When a User is Finished Using the OA System
When a user is through using the OA System, remove all removable media from the system and store it in a manner commensurate with information of that sensitivity. Record any audit trail information that may be required. If the system is used by more than one person at different times, it is advisable to power the system off at the conclusion of each person's use.
4.1.2.5 At the End of the Shift
At the end of the shift or workday, the following steps should be taken before leaving.
The OA System should remain powered off during non-duty hours.
A checklist should be maintained that is signed or initialed at the end of each day to verify that the OA System has been properly shut down and removable media have been removed. This will assist in determining accountability for a discovered security problem.
4.2 OA Systems With Fixed Media
4.2.1 Physical Access to Systems and Media
Physical access to the system should be restricted to those who are authorized access for all data currently being stored on the system. In addition, these users should be authorized access for all data that has been stored on the system since the system was last declassified. (See Reference 4 for declassification procedures.)
4.2.2 Using the Stand-Alone OA System with Fixed Media
4.2.2.1 Normal Operation
During normal operation of a stand-alone OA System with fixed media, all recommendations given in Section 4.1.2.1 which apply to the operation of an OA System with removable media are still applicable. However, additional vulnerabilities exist with OA Systems containing fixed media and therefore additional precautions must be taken.
Even though only one user can directly access the system at a time, it is likely that information originated by more than one user will be stored on the fixed media. Access to any classified information by a user not possessing a clearance or need-to-know for it is a violation of Executive Order 12356. Access to certain other types of sensitive, but unclassified, information is contrary to the provisions of Section 3 of the Privacy Act of 1974. Systems which do not meet the requirements of at least class C2 cannot provide assurance of protection of information from anyone who gains physical access to the system. Therefore, if the OA System has been evaluated and found to be a class C2 or higher system, then the guidelines detailed in Reference 3 apply. Otherwise, all users should have proper clearance and need-to-know for all data that is stored or processed on the system.
Any removable media which is placed in the OA System automatically acquires the same sensitivity level as the system. However, if the original sensitivity level of the removable media is more restrictive than that of the OA System, the OA System and its fixed media acquire the more restrictive sensitivity level, and should be marked as such.
Example: Suppose that there is an OA System with one fixed disk and one floppy disk drive. The system and its fixed disk are classified SECRET. A previously Unclassified floppy disk placed in the system's floppy disk drive becomes classified SECRET. If a TOP SECRET floppy disk is placed in the floppy disk drive, however, the entire OA System and its fixed disk become classified TOP SECRET.
It should not normally be permissible to copy a file from a classified or sensitive, but unclassified, volume of removable storage media to a volume of fixed media with a lower sensitivity level, unless the sensitivity level of the fixed media, and of the entire OA System, is immediately raised to the level of the removable media. (The exception to this is discussed in Section 4.2.2.3, Preparing Downgraded Extracts.)
Example: Suppose that there is a file that is apparently Unclassified, yet it currently resides on a TOP SECRET diskette. If this file is copied to an Unclassified fixed disk, the sensitivity level of the previously Unclassified disk should now be TOP SECRET. The reason for this requirement is that we have no way of being sure exactly what is being copied; therefore, we must assume the worst case: that some TOP SECRET information may be inadvertently copied onto the Winchester disk. Therefore, the sensitivity level of this previously Unclassified disk should be raised.
Furthermore, it should not be permissible to copy a file from a classified or sensitive, but unclassified, volume of fixed media to a volume of removable media with a lower sensitivity. If this does occur, the sensitivity of the removable media should be immediately raised.
Information that individual users wish to protect from other users of the OA System should be stored on removable media. This removable media can then be appropriately protected when it is not in use. This recommendation stems from the fact that OA Systems that do not meet the TCSEC requirements for at least class C1 cannot prevent any system user from gaining access to any location in the system's memory, to include the locations where the hardware/software controls themselves are stored. If the information is removed from the system along with the media it resides on, however, it cannot be accessed by others. (However, users should be very careful, as quite often information is left on the fixed media in the form of scratch files or backup files.) Users should make sure that media they remove from the OA System are properly secured. For example, if a floppy disk is removed, it should be locked away, not left lying on top of a desk or put in an unlocked container. One of the conditions for security is that adequate physical protection must be provided; if it is not, then all information is vulnerable.
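The propagation rules stated in Chapter 2 and in the Normal Operation subsection just above (media inserted into a system take the system's level, more restrictive media raise the system and its fixed media, an ordinary copy raises the destination volume, and a fixed-media system cannot be lowered without declassification) can be written down as a small high-water-mark model. This is an added illustration, not part of the guideline; the level names, their ordering, and the class and method names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# The level names and their ordering are an assumption made for this example;
# "SBU" stands in for sensitive, but unclassified, information.
LEVELS = ["UNCLASSIFIED", "SBU", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """True when level a is at least as restrictive as level b."""
    return RANK[a] >= RANK[b]


def join(a: str, b: str) -> str:
    """The more restrictive of two levels (the least upper bound)."""
    return a if dominates(a, b) else b


@dataclass
class Volume:
    """One volume of magnetic media, carrying a single physical label."""
    name: str
    level: str
    removable: bool


@dataclass
class OASystem:
    """An OA System; fixed=None models a removable-media-only system."""
    name: str
    fixed: Optional[Volume] = None
    level: str = "UNCLASSIFIED"
    inserted: List[Volume] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.fixed is not None:
            self.level = join(self.level, self.fixed.level)

    def _raise_to(self, new: str) -> None:
        """Raise the system, its fixed media and every inserted volume."""
        self.level = join(self.level, new)
        if self.fixed is not None:
            self.fixed.level = self.level
        for vol in self.inserted:
            vol.level = self.level

    def _check_present(self, vol: Volume) -> None:
        if vol is not self.fixed and vol not in self.inserted:
            raise ValueError(f"{vol.name} is not in {self.name}")

    def insert(self, vol: Volume) -> None:
        """Inserted media take the system's level; more restrictive media
        drag the system (and its fixed media) up to theirs."""
        if not vol.removable:
            raise ValueError(f"{vol.name} is not removable media")
        self.inserted.append(vol)
        self._raise_to(vol.level)

    def copy(self, src: Volume, dst: Volume) -> None:
        """An ordinary file copy: the user cannot know exactly which bytes
        land on dst, so dst (and the system) rise to src's level."""
        self._check_present(src)
        self._check_present(dst)
        dst.level = join(dst.level, src.level)
        self._raise_to(dst.level)

    def remove_all(self) -> List[Volume]:
        """Pull every removable volume when the user is finished."""
        out, self.inserted = self.inserted, []
        return out

    def set_level(self, new: str) -> None:
        """Raising is always allowed. Lowering is only possible on a
        removable-media-only system with no media inserted; a system with
        fixed media must go through declassification (Reference 4)."""
        if dominates(new, self.level):
            self._raise_to(new)
        elif self.fixed is not None:
            raise PermissionError(f"{self.name} has fixed media; declassify it first")
        elif self.inserted:
            raise PermissionError("remove all media before lowering the system level")
        else:
            self.level = new


def fixed_media_example() -> dict:
    """The SECRET system with one fixed disk and one floppy drive, as in
    the example above; returns the levels observed after each insertion."""
    winchester = Volume("winchester", "SECRET", removable=False)
    pc = OASystem("pc-1", fixed=winchester)
    floppy_u = Volume("floppy-U", "UNCLASSIFIED", removable=True)
    floppy_ts = Volume("floppy-TS", "TOP SECRET", removable=True)
    pc.insert(floppy_u)
    after_u = (pc.level, floppy_u.level)
    pc.remove_all()
    pc.insert(floppy_ts)
    after_ts = (pc.level, winchester.level)
    return {"after_unclassified": after_u, "after_top_secret": after_ts}
```

Note that the model never lowers a label on its own: the only way down is `set_level` on an emptied removable-media-only system, which mirrors the guideline's insistence that fixed media be declassified rather than relabelled.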
4.2.2.2 Changing the Sensitivity Level of Information the OA System Is Processing
It is not permissible to lower the sensitivity level of the OA System unless it has been declassified using the procedures described in Reference 4.
Unless the OA System meets the requirements of at least class B1 when evaluated against the TCSEC, it should not be used to process multiple sensitivity levels of information simultaneously. In this case, it is not permissible to change the sensitivity level of the information the OA System is processing. Any information which is being processed by the OA System must be regarded as having the same sensitivity level as the system itself, regardless of its apparent sensitivity.
4.2.2.3 Preparing Downgraded Extracts
In some instances, it may be necessary to copy some information from a volume of media at one sensitivity level to another volume that is at a lower sensitivity level (e.g., copy a file from a SECRET disk to an Unclassified disk). This should only be done following the procedures that have been set by the security officer. Users should contact their ADPSSO for specific guidance on preparing downgraded extracts of classified or sensitive, but unclassified, information.
4.2.2.4 When a User is Finished Using the OA System
If there are any classified or sensitive, but unclassified, files stored on the fixed media that other users of the system should not be able to access, they should be removed from the system [8,9]. First, copy the files to a volume of removable media. Then, remove the information contained in these files from the fixed media by overwriting each location that contained these files with some pattern (e.g., all zeros, then all ones, then a random pattern) [8,9]. The software that is used to do the overwrite should be trusted to a level commensurate with the sensitivity level of the OA System.
4.2.2.5 At the End of the Shift
See Section 4.1.2.5. All safeguards described there are equally applicable to OA Systems with fixed media.
In addition, the OA system itself should be physically secured in some way. If the room containing the OA system is approved for open storage of classified information at the highest level of information contained on the OA System, it may be sufficient to secure the room in the appropriate manner. If the room is not approved for open storage of classified information, then the OA System itself should be secured by locking it in an approved cabinet.
5.0 OPERATIONAL SECURITY FOR CONNECTED OFFICE AUTOMATION SYSTEMS
(Note: In addition to the guidance given in this section, all guidance given in Chapter 4 of this guideline is also applicable, and should be followed whenever the OA System is used.)
5.1 Using an OA System as a Terminal Connected to Another Automated Information System
When an OA System is used as a terminal, all of the normal rules for connecting terminals to an AIS should apply. For example, these rules should include never leaving the OA System unattended while it is connected to another AIS, unless a software locking mechanism is used which prevents anyone who does not pass an authentication check from interacting with the remote AIS.
5.1.1 Office Automation Systems Versus "Dumb Terminals"
Office Automation Systems used as terminals can cause security problems that do not occur when "dumb terminals" (i.e., those that are not programmable) are used. Among these are the possibility of malicious communications software in the OA System, and the ability of the OA System to store such things as passwords.
Users of OA Systems should be wary of untested communications software. The organization owning the OA System should take any steps practicable to ensure that communications software used with their systems does exactly what its documentation claims, and nothing else. In general, at least one copy of the software should be tested, either by someone within the organization or by someone outside of the organization who can adequately test software.
If communications software is used that contains malicious code, the communications software can cause information (including the user's password) to be compromised, can corrupt information flowing between the OA System and other AIS, or can cause service to be denied completely. Worse still, it can do much of this without the knowledge of the person using the software. Therefore, it is very important not to use communications software packages that have not been approved for use by a responsible security officer.
Under no circumstances should a user's password for any remote AIS ever be stored in an OA System. While it may seem convenient to program the OA System to execute the login routine on a mainframe computer system for you, it is important to remember that the OA System can also execute the same routine for someone else. This can result in another user of the OA System being logged into a remote AIS as you!
Example: Suppose that Janet programs her personal computer so that when she is communicating with the AIS called MAINFRAME and presses the CONTROL and BREAK keys at the same time, her PC sends out her user-identifier and password to MAINFRAME. In other words, the PC executes Janet's login routine on MAINFRAME for her. She thus saves the keystrokes involved in typing the information each time she logs in, and doesn't even have to remember her password!
The problem occurs when Pat sees what Janet does, and decides to take advantage of this "user-friendliness." When Janet is not around, Pat simply connects Janet's PC to MAINFRAME, presses the CONTROL and BREAK keys simultaneously, and is now logged onto MAINFRAME as Janet. Once this happens, there is no way to prevent the compromise of information, since MAINFRAME has no way of knowing that it is not really Janet at the other end of the terminal!
In summary, storing a password in an OA System is the same as writing it down on a piece of paper: if anyone ever finds it, the security that was to be provided by that password has been defeated.
5.1.2 Consequences of Removable Media vs. Fixed Media
Because the sensitivity level of an OA System with fixed media cannot be easily changed, it is difficult to use one of these systems as a terminal to a wide variety of other AIS, particularly if each of these remote AIS is processing information of different sensitivity levels. Therefore, once an OA System with fixed media is connected to an AIS processing classified information, that OA System should be considered to be classified. It should NOT be connected at a later time as a terminal to an AIS that is not approved to process information classified at the same or a higher level.
An OA System with removable-media-only, however, can more easily be used as a terminal to, for example, a SECRET host at 2:00 pm and an Unclassified host at 4:30 pm, because its sensitivity level can be changed. If you are using an OA System with removable-media-only, and it is necessary to connect to an AIS that is processing a different sensitivity level of information than the last AIS that the OA System was connected to, the sensitivity level of your OA System should be changed in accordance with Section 4.1.2.2 of this guideline.
5.2 OA Systems Used as Hosts on Local Area Networks
Suppose that there is an OA System attached to a Local Area Network (LAN). It is important for both the user and the security officer to understand that, as a general rule, any person who can access any other component of that LAN can access any information contained in that OA System. This includes any information that is stored on both fixed and removable media that are currently contained in the system, and applies regardless of whether the person is accessing the OA System from its keyboard or over a network. Therefore, the problem of compromise of information to an unauthorized individual is greatly increased any time an OA System is connected to a network. For this reason, the user should NEVER leave the OA System while it is logged in to the LAN.
5.2.1 Consequences of Removable Media vs. Fixed Media
If some information in the OA System is stored on removable media, those media can be removed from the system so that the information cannot be accessed by a remote user. If the information is stored on fixed media, it cannot be easily removed from the system, and the owner of the information should be aware of its vulnerability to compromise.
Suppose that there is an OA System that does not meet the class B1 requirements and that is used as a LAN host. Any information that should not be shared with every user of the LAN should be stored on removable media, and these media kept out of the OA System when this information is not needed.
If the OA System meets the requirements of class B1 or higher, then these media may be left in the system.
5.2.2 Controlling Access to System Resources
In order to prevent the compromise of information, access to the resources of the LAN and of each OA System connected to it should be controlled. These controls may include physical, procedural, and hardware/software features, or some combination thereof.
One way to ensure that information is not compromised is to provide such hardware/software features as access control, identification and authentication, and audit. If these features are provided, and the network as a whole can be trusted to prevent users from gaining access to information for which they are not authorized, then the other controls needed for security (e.g., procedural controls, physical access controls) are similar to those required for stand-alone OA Systems.
However, since the hardware/software controls necessary to provide security in a LAN are often unavailable, procedural controls should be implemented. These include:
Instead of keeping unauthorized personnel away from a single OA System, it is now necessary to keep them away from all OA Systems that are connected to the LAN. Some of these OA Systems, or their peripheral devices (e.g., shared laser printers), may be located in public areas. Therefore, each user must help to ensure that no one is using any part of the LAN without authorization. Further, each user should pick up any human-readable output from any shared device as soon as possible. For example, printouts should not be left in the printer room for six or eight hours if the room is not sufficiently protected to keep unauthorized personnel from gaining access to classified or sensitive, but unclassified, information. A good rule of thumb is: if you don't want others to read a sensitive file, do not leave it where it can be seen.
GUIDANCE FOR ADP SYSTEM SECURITY OFFICERS
RESPONSIBILITIES OF THE ADPSSO
There should be one individual who is responsible for the security of each Office Automation System[5,11]. This individual may be one of the users of the system itself, or he/she may be a person who has responsibility for the security of all OA Systems within the organization. (It should not be the OA System manager, due to the potential lack of accountability.) Regardless of who the individual is, the ADPSSO has certain responsibilities which must be carried out in order to ensure that the OA security policy is enforced. These include:
7.1 Threats, Vulnerabilities, and Controls: an Overview
The security officer of any OA System should have a familiarity with some of the security issues involved with that system. This chapter will give the security officer that familiarity.
In computer security terminology, a threat is a person, thing, or event that can exploit a vulnerability of the system. Examples of threats include a maintenance man who wants information to sell, a wiretapper, or a business competitor.
A vulnerability is an area in which an attack, if made, is likely to be successful. Examples of vulnerabilities include lack of identification and authentication schemes, lack of physical access controls, and lack of communications security controls.
If a threat and a vulnerability coincide, then a penetrator can cause a violation of the system's security policy. For example, suppose that there is a maintenance person (the threat) who is secretly working for an unscrupulous contractor. In addition, there is a vulnerability in that lack of physical access controls allows maintenance personnel to work on the OA System without supervision. In this case, information may be corrupted, causing a disruption in the normal work routine.
A security control is a step that is taken in an attempt to reduce the probability of exploitation of a vulnerability. This control may take one of many forms: an operational procedure, a hardware/software security feature, the use of encryption, or several others.
There are many possible threats to the information being stored by an Office Automation System, as well as to the system itself. The system may be stolen or destroyed. Information stored on the system may be compromised; that is, it may be exposed to a user or process that does not have proper authorization to see it. Information may also be corrupted or destroyed altogether by a malicious user. Another threat might be the interference with the system's ability to process information correctly. It is the purpose of this document to educate the security officer and the user as to the proper defenses against each of these threats. The following is a breakdown of some of the security issues involved in combating each of several types of threats.
7.2 Physical and Personnel Security
7.2.1 Physical and Personnel Security Threats and Vulnerabilities
In many instances, there is a danger that classified or other sensitive, but unclassified, data being processed in an OA System will be exposed to someone without a proper clearance or authorization for it. This is particularly true if the OA System is not physically located in an appropriate area, or if an OA System is directly accessible to external users by a communications line.
(An "appropriate area" is one that is approved for the highest level of information that has ever been processed or stored on the OA System.)
For the purposes of determining the level of security needed for an OA System, the following rule should be used: Any information that can be accessed using the communications capability of an OA System should be regarded as being processed by that OA System. This may mean that a more stringently controlled area is needed for a particular OA System, or that certain communications should not be allowed.
Regardless of the physical area in which the OA System is located, it is possible that all or part of the machine can be stolen or modified. Theft of a hardware component can harm the owning organization, since it is often possible to recover residual information directly from the hardware.
7.2.2 Physical Access Controls
The OA System should be located in an area that is approved for data as sensitive as the highest level of information it has stored or processed since all of its fixed media and semiconductor media were last declassified. Further, any other AIS or AIS component that can access the OA System should also be located in an area that is approved for this highest sensitivity of information.
Example: Suppose that an OA System is used to process TOP SECRET data. This system should be kept in an area that is approved to store at least TOP SECRET material. (This requirement holds even if some or most of the information processed on the system is classified at a lower level than TOP SECRET.) Any other AIS or AIS component that is logically connected to this OA System must also be kept in an area that is approved for TOP SECRET data.
Regardless of the physical area in which it is located, the OA System should be marked with the most restrictive sensitivity of information that may be processed on it. (See the Appendix of this Guideline for detailed guidance on the marking of OA Systems.)
The OA System itself should be protected in such a way that sufficient protection is provided against theft or destruction of the system or its components. Possible precautions that can be taken include locking the OA System and its peripheral devices to a table, locking it in a cabinet, or keeping it in a locked room or vault. Any apparent theft or destruction of the OA System or any of its components (to include software) should be reported immediately to the security officer.
7.2.3 Personnel Security Controls
Executive Order 12356 states that "A person is eligible for access to classified information provided that a determination of trustworthiness has been made by agency heads or designated officials and provided that such access is essential to the accomplishment of lawful and authorized Government purposes". The Privacy Act of 1974 states that no agency may disclose privacy information to any person without the prior written consent of the person to whom the information pertains, except for a limited set of purposes. In order to meet these and other policy-based requirements, only personnel who possess the proper clearances, formal access approvals, and need-to-know for all information then contained in the OA system should be allowed physical access to the system. Under ideal circumstances, maintenance or configuration changes that must be done by vendor or support personnel should only be done by personnel who are cleared for and have a need-to-know for all information then contained in the system. If this is not possible, then vendor or support personnel should be escorted by someone who is cleared and has a need-to-know for all information on the system. If the OA system or parts of it must be sent to another location for repair, care should be taken to ensure that no one without the proper clearances and need-to-know for information previously contained (or possibly contained) in the system at any given time has access to the OA System at that time.
7.3 Communications Security
7.3.1 Communications Security Threats and Vulnerabilities
Communications Security vulnerabilities are those that can be exploited whenever an Office Automation system has the capability to electronically send information to or receive information from another AIS. These vulnerabilities exist primarily in two areas: (a) interception of information during transmission, and (b) non-detection of improper messages and message headers received by the OA System. Whenever an OA System is used to electronically send information to or receive information from another computer system, there is a chance that the information will be compromised by being intercepted while en route. Therefore, steps should be taken to ensure that no information is compromised during transmittal.
In addition to the problem of compromise, an OA System receiving information from another system should have some amount of assurance that the message and its header are authentic; that is, the receiving OA System is not being tricked into believing a false header. The integrity of messages and control information is crucial to the secure operation of a network. If a message were to be received with a phony header that was not detected, it could cause the system or a human using that system to take some action that would violate the security policy. Therefore, any forged messages or message playback should be detected by the OA System or by the network it is connected to.
For additional information, please contact your organization's Computer Security Office. Additional information is available from NSA, 9800 Savage Road, Ft. George G. Meade, MD 20755-6000, Attention:
7.3.2 Communications Security Controls
Regardless of whether the system is being used as a terminal attached to a mainframe or as a host attached to a local area network, either encryption or physically protected communications media should be used whenever the OA System is used for the communication of classified information. This protection must be sufficient for the highest classification of data that will be transmitted over the communications media.
Encryption should be used to protect information from being compromised any time it is not possible to physically protect the communications media. In addition, cryptographic techniques may be considered even when communications media can be physically protected to the desired level. This is because the use of encryption will not only help prevent compromise of information by interception, it will also help prevent spoofing. Cryptographic checksums can be used to verify the integrity of the message and its sender.
The term "physically protected communications media" means that the media (e.g., the communications lines) cannot be accessed by a system penetrator (that is, they are immune to a hostile wiretap, either active or passive), and that TEMPEST considerations do not raise a significant problem in the specific environment. An example of physically protected communications lines is communication cables that are physically located within a secure area and are used to connect OA Systems in a LAN.
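The two checks called for in 7.3.1 and 7.3.2, detecting a forged header or body and detecting playback of an old message, can be shown with a cryptographic checksum over the header and body together with a per-sender sequence number. The following Python is an added example, not code from this guideline or from any approved COMSEC product: the shared key, the header fields (from, to, seq, label) and the two-party exchange are constructed for illustration, and HMAC-SHA256 stands in for whatever NSA-approved mechanism an actual system would use.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed example key. In a real deployment the key would be provisioned
# by the organization's approved COMSEC key-management process.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"


def canonical_bytes(header: Dict, body: bytes) -> bytes:
    """Bind header and body into one byte string for the checksum.

    The header is serialised with sorted keys and no whitespace so that
    sender and receiver compute the tag over identical bytes; the newline
    keeps header bytes and body bytes from being shifted into each other.
    """
    return json.dumps(header, sort_keys=True, separators=(",", ":")).encode() + b"\n" + body


def seal(key: bytes, header: Dict, body: bytes) -> Dict:
    """Sender side: attach an HMAC-SHA256 tag covering both header and body."""
    tag = hmac.new(key, canonical_bytes(header, body), hashlib.sha256).hexdigest()
    return {"header": header, "body": body, "tag": tag}


class Receiver:
    """Receiver side: rejects forged headers or bodies and replayed messages."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq: Dict[str, int] = {}  # highest sequence number accepted, per sender

    def accept(self, msg: Dict) -> Tuple[bool, str]:
        header, body, tag = msg["header"], msg["body"], msg["tag"]
        expected = hmac.new(self.key, canonical_bytes(header, body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(expected, tag):
            return False, "rejected: tag mismatch (header or body forged)"
        sender, seq = header["from"], header["seq"]
        # A valid tag only proves the message was once sent by a key holder;
        # the strictly increasing counter is what catches a recorded copy.
        if seq <= self.last_seq.get(sender, 0):
            return False, "rejected: replayed or out-of-order sequence number"
        self.last_seq[sender] = seq
        return True, "accepted"


if __name__ == "__main__":
    rx = Receiver(SHARED_KEY)
    hdr = {"from": "host-a", "to": "oa-1", "seq": 1, "label": "UNCLASSIFIED"}
    genuine = seal(SHARED_KEY, hdr, b"meeting moved to 1500")
    print(rx.accept(genuine))   # genuine message, first time seen
    print(rx.accept(genuine))   # same message played back
    forged = dict(genuine, header=dict(hdr, label="SECRET"))
    print(rx.accept(forged))    # header altered after sealing
```

seal() is the sending side and Receiver.accept() the receiving side. Note that the tag by itself does not defeat playback: a recorded genuine message still carries a valid tag, and only the sequence counter rejects it. For that reason the receiver's last_seq state must be kept across sessions rather than reset at each connection, or an attacker can replay a whole recorded session from its beginning.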
7.4 Emanations Security
Under certain circumstances, it is possible to detect what information is being processed by a computer system by analyzing the electromagnetic emanations coming from the system. This could result in the compromise of classified or sensitive, but unclassified, information. To prevent this, OA Systems that process classified information must be protected in accordance with the National Policy on the Control of Compromising Emanations. For specific applications see NACSI 5004, "TEMPEST Countermeasures for Facilities Within the United States (U)", and NACSI 5005, "TEMPEST Countermeasures for Facilities Outside the United States (U)". (Note: The entire OA System must be protected. Connecting a TEMPEST approved CPU, monitor, printer, and keyboard together with an unapproved cable or without due regard for proper RED/BLACK separation and installation criteria can result in the failure of the entire system to meet the TEMPEST requirements.)
7.5 Hardware/Software Security
7.5.1 Hardware/Software Threats and Vulnerabilities
Hardware/Software vulnerabilities are those that can be exploited because of the inability of the OA System's hardware, software, and firmware to prevent users from accessing data in or controlled by the system. The threats that exploit these vulnerabilities generally fall into three categories: compromise of classified or sensitive, but unclassified, data; unauthorized modification or destruction of data; and denial of services to authorized users. More specifically, an unauthorized user can access data, can modify data, or can deny use of the data or even the OA System itself to authorized users.
If an OA System is networked, the vulnerability of data is greatly increased. First, a user of one OA System may be able to access another AIS, and data that was previously inaccessible is vulnerable to attack. Second, an unauthorized user may be able to access the OA System from a remote location, and thus evade the physical and procedural controls that have been set up to protect the OA System locally.
7.5.2 Hardware/Software Controls
Most current OA System architectures do not provide the hardware features which are needed to implement separate address spaces (or "domains") for the operating system and applications programs. They also do not provide the privileged instructions that are necessary to prevent applications programs from directly performing security-relevant operations, nor do they provide memory protection features to prevent unauthorized access to sensitive parts of the system[16,21,23].
The limitations of these single-state OA Systems prevent them from providing effective hardware/software security features. For example, a knowledgeable user can access any memory location directly by using assembly language-type commands. (The memory locations which he/she can access in this manner include not only the system's own semiconductor memory, but also everything currently accessible to any part of the system, such as floppy disks, fixed disks, and cassette tapes.) In this manner, a user can read, modify, and/or destroy any information contained in the OA System, including security critical entities such as password files and encryption information. The system cannot protect itself from an unauthorized user.
There are currently a number of hardware and software packages available on the market that claim to provide security for data resident on the system. On all current OA Systems that support only a single processor state, it is easy to circumvent these packages. For example, a user may be able to bypass a security package by booting the system with a different copy of the operating system, one that does not have the security features on it[16,21]. A user may additionally be able to use one of the commercially-available utilities packages to bypass security controls[16,21].
Despite their weaknesses, some current hardware/software packages do have uses. Packages which provide such mechanisms as user identification and authentication, discretionary access controls, and audit trails can provide a degree of protection that is certainly better than that provided by an OA System without them. In addition, hardware/software controls can help to prevent accidents. If these controls are used, it is much less likely that a non-malicious user of the OA System will accidentally gain access to, modify, or delete information belonging to other users. A user will have to make a determined effort to gain access to information belonging to other users.
There are currently some microprocessors available that provide the hardware features necessary to support hardware/software security controls (e.g., multiple processor states). OA Systems that are based on these microprocessors and that have the necessary security mechanisms can be evaluated against the TCSEC. With the proper hardware/software security features added on, it is possible for the OA System to reach the class B1 level, when evaluated against the TCSEC. In addition, if OA Systems are designed with hardware/software security as an initial consideration, they would be able to achieve any trust level defined by the TCSEC.
In summary, hardware/software controls should not be relied upon by themselves to provide separation of users from information in most current OA Systems. However, as long as these controls do not lull the user into a false sense of security, they will not harm and may assist in raising the overall level of Office Automation security.
7.6 Magnetic Media
7.6.1 Magnetic Remanence: Threats, Vulnerabilities, and Controls
Magnetic remanence is the residue remaining on magnetic storage media after a file has been overwritten or the media have been degaussed. Many times, after a file has been overwritten or media have been degaussed, it is still possible for someone with physical possession of the media to recover the information that was formerly present. This magnetic remanence, therefore, is a major vulnerability of any OA System employing magnetic storage media. The threat corresponding to this vulnerability is that persons may come into possession of magnetic media which contain classified or sensitive, but unclassified, information for which they are not authorized. The general control to combat this is for all magnetic media to be properly cleared or declassified before being released for reuse. The following sections give general guidance in the areas of clearing and declassifying magnetic storage media. For more detailed guidance, please see the Department of Defense Magnetic Remanence Security Guideline.
7.6.2 Clearing and Declassification of Magnetic Media
Clearing of magnetic media refers to a procedure by which the classified information recorded on the media is removed, but not to the degree of completeness required for declassification. Clearing is appropriate when the magnetic media will remain within the physical protection of the facility in which they were previously used. Declassification refers to a procedure by which all classified information recorded on magnetic media is totally removed. Declassification is required when magnetic media that have ever contained classified data are to be released outside of a controlled environment.
7.6.2.1 Clearing of Magnetic Media
Certain types of removable media (e.g., magnetic tapes, floppy disks, cassettes, and magnetic cards) may be cleared by overwriting the entire media one time with any one character. Floppy disks may be cleared by applying a vendor's formatting program that overwrites each location with a given character.
Fixed media (e.g., Winchester disks) should be cleared by overwriting at least one time with any one character. One way to do this is by applying a vendor-supplied formatting program that overwrites each location on the disk with a given character, if it can be shown that this program actually works as advertised. The user should beware: some programs that purport to overwrite all locations do not actually do this.
Cleared media may be reused within the controlled facility or released for destruction; however, they should be marked and controlled at the level of the most restrictive sensitivity of information ever recorded.
7.6.2.2 Declassification of Magnetic Media
Certain types of removable media can be declassified using a degaussing device that has been approved for declassifying media of that type. (A list of approved devices is maintained by NSA.)
If a fixed medium (for example, a hard, or Winchester, disk) is operative, an approved method of declassifying the disk pack is to employ an overwrite procedure which must overwrite all addressable locations at least three times by writing any character, then its complement (e.g., binary ones and binary zeros) alternately.
When fixed media become inoperative, it is impossible to declassify the media by the overwrite method. In this case, there are two alternate procedures that may be used: (1) disassemble the disk pack, and degauss each platter with the appropriate approved degaussing equipment; and (2) courier the inoperative media to the vendor's facility, have the magnetic media (e.g., disk platters) removed in sight of the courier and returned to the courier for destruction at the secure site. The vendor can then install new platters and repair any other problems with the disk unit. See Reference 4 for a detailed discussion of each of these alternatives.
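Both the clearing procedure (one overwrite with a single character) and the declassification procedure for operative fixed media (at least three passes, a character and its complement written alternately) reduce to overwriting every addressable location and then, as the clearing section above warns, confirming that the overwrite really reached every location. The following Python is an added example, not a program from this guideline or from any vendor: it treats an ordinary file as a stand-in for the medium, writes the required passes, and reads each pass back to verify it. The sample contents are constructed. Two caveats a practitioner would want: on a real system the overwrite would be applied to the raw device rather than to a file, and on modern media (flash with wear levelling, drives that remap bad sectors, copy-on-write or journaling filesystems) writing through a file does not reach every physical location, so the read-back proves only what the operating system lets you see.

```python
import os
import tempfile

CHUNK = 1 << 16  # write and read back in 64 KiB pieces so large media fit in memory


def verify_fill(path: str, byte: int) -> bool:
    """Read the whole file back and confirm every byte equals `byte`."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(byte) != len(chunk):
                return False


def overwrite_passes(path: str, pattern: int = 0x00, passes: int = 3) -> list:
    """Overwrite every addressable byte of `path` `passes` times, alternating
    `pattern` and its bitwise complement, verifying each pass by read-back.
    Returns the byte values written, in pass order."""
    if not 0 <= pattern <= 0xFF:
        raise ValueError("pattern must be a single byte value")
    size = os.path.getsize(path)
    written = []
    for i in range(passes):
        byte = pattern if i % 2 == 0 else (~pattern) & 0xFF
        block = bytes([byte]) * CHUNK
        with open(path, "r+b") as f:       # r+b: overwrite in place, never truncate
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())           # force the writes out of the OS cache
        # The guideline warns that some overwrite programs do not touch every
        # location; reading the pass back is the check that this one did.
        if not verify_fill(path, byte):
            raise RuntimeError(f"pass {i + 1}: read-back does not match 0x{byte:02X}")
        written.append(byte)
    return written


def clear_media(path: str, byte: int = 0x00) -> list:
    """Clearing: one overwrite with a single character."""
    return overwrite_passes(path, pattern=byte, passes=1)


def declassify_media(path: str, byte: int = 0x00) -> list:
    """Declassification of operative fixed media: at least three passes,
    a character and its complement written alternately."""
    return overwrite_passes(path, pattern=byte, passes=3)


def make_sample(contents: bytes) -> str:
    """Constructed stand-in for a medium: a temporary file holding `contents`."""
    fd, path = tempfile.mkstemp(prefix="oa-media-")
    with os.fdopen(fd, "wb") as f:
        f.write(contents)
    return path


def discard(path: str) -> None:
    """Remove the stand-in file once the demonstration is finished."""
    os.remove(path)


if __name__ == "__main__":
    medium = make_sample(b"SECRET: draft budget figures\n" * 4000)
    print("declassify passes:", [hex(b) for b in declassify_media(medium, 0x55)])
    print("all 0x55 after final pass:", verify_fill(medium, 0x55))
    discard(medium)
```

The pass count and the complement rule follow the declassification text above; the read-back after every pass is the part most vendor formatters omit, and it is what turns "I ran an overwrite" into "every location I can address now holds the pattern".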
7.6.3 Destruction of Magnetic Media
Magnetic media that have contained classified or sensitive, but unclassified, information and are no longer useful should be destroyed. Prior to destruction, all labels or other markings that are indicative of classified or other sensitive, but unclassified, use should be removed.
Detailed methods for destruction of different types of magnetic media are given in Reference 4.
7.6.4 Media Encryption
Cryptography has important applications in an Office Automation environment, since in many cases it is impossible to physically protect magnetic media from all individuals who lack either the clearance or need-to-know for all information contained on the media. (For example, if an OA System with fixed media is shared by two or more users, there quite often is information for which one user does not have a need-to-know that needs to be stored in the system.) In these cases, the use of cryptography to help prevent compromise of classified or sensitive, but unclassified, information should be considered.
In many cases, information security can be enhanced if the information is stored on the media in encrypted form. There are two strategies which can be used: bulk file encryption and integral file encryption. Each of these strategies has its advantages and disadvantages; see Reference 23 for a description of each.
7.7 Environmental Considerations
Office Automation Systems are generally designed to be used in the "typical" office environment. Therefore, they seldom require special environmental controls such as air conditioning or air contamination controls. However, an OA System and its media can be seriously damaged or even destroyed by such things as electrical surges, fire, water, crumbs of food, termites, chemicals, or dust. Since destruction of the system and/or information represents a serious loss to the organization, it is imperative that steps be taken to help prevent unnecessary damage to the OA System. The following discussion is adapted from NBS Special Publication 500-120, Reference 23.
7.7.1 Electrical Power Quality
Surges in electrical power can cause a great deal of damage to an OA System, and can cause information stored within to be permanently inaccessible. Furthermore, frequent power outages cause the loss of use of the system and its resources. Therefore, if the local power supply quality is unusually poor (e.g., large fluctuations in voltage or frequency, voltage spikes, or frequent outages), then such devices as surge protectors, battery backup, or uninterruptible power supply systems should be considered. In addition, disconnecting the system should be considered during intense electrical storms.
7.7.2 Air Contaminants
The general cleanliness of the area in which OA Systems are operated has an effect on reliability, both of the equipment and of the magnetic storage media. Although it is generally not necessary to install special-purpose air purifiers for the OA System, cutting down or eliminating such contaminants as smoke and dust can only help the OA System and its media. The best guidance that can be given in this area is to keep smoke, dust, cigar and cigarette ashes, and similar airborne contaminants as far away from the OA System as possible.
7.7.3 Fire Damage
Fire and excess heat can cause the destruction of an OA System in a very short time. Therefore, any Office Automation equipment in the office should be kept as far away from any open flames or other heat sources as possible. In addition to this, all users of the system should be familiar with procedures to be followed in case a fire should break out. Fire protection equipment (e.g., extinguishers) should be present and conveniently located so that the damage caused by a fire is limited as much as possible.
7.7.4 Static Electricity
Another way in which Office Automation equipment can be damaged is by static electricity. If the climate in a particular area results in the presence of large amounts of static electricity, the use of anti-static sprays, carpets or pads should be considered. In addition, since static electricity can quite often build up in personnel, particularly when carpeting is used, personnel can be instructed to discharge any built-up static charge by simply touching a grounded object, such as a metal desk or doorknob.
7.7.5 Other Environmental Considerations
There are other ways in which Office Automation equipment can be damaged by environmental hazards. One of these is by the spillage of food or liquid onto the equipment or media. Spilling a soft drink on a keyboard, for example, can cause damage that requires extensive repair or replacement of the keyboard. Spilling water or crumbs of food onto a floppy disk can cause it to be unusable, possibly resulting in the loss of information stored on it. Therefore, keep all food and drinks away from Office Automation equipment and media.
7.8 Preparing Downgraded Extracts
In some instances, it is operationally necessary to copy information from a volume of media at one sensitivity level to another volume that is at a lower sensitivity level. If the OA System does not meet the requirements of at least Class B1, this is always dangerous, as classified or sensitive, but unclassified, information could be compromised without the user's knowledge. Therefore, any decision to permit the electronic downgrading of information should be made only after the risks of compromise have been carefully considered. The person or organization making the decision should be willing to accept the risk that classified or other sensitive, but unclassified, information will be compromised.
Each ADPSSO is responsible for enforcing the procedures by which downgrading of information can be done. The ADPSSO may also be responsible for developing these procedures; however, they may be dictated by organizational policy. The following method is appropriate in some instances; however, the reader should again be warned that the possibility of information compromise exists when this is done:
Of course, it is still possible that information could have been copied onto the new media without being detected. However, if it is necessary that downgrading be permitted, this is a risk that must be taken.
GUIDANCE FOR OTHERS
8.0 RESPONSIBILITIES OF THE ORGANIZATION OWNING* THE OA SYSTEM
Good Information Security begins at the top levels of an organization. If the organization has a commitment to Information Security, there is a far better chance of a security program succeeding. In order to foster good Office Automation System Security, and in turn good Information Security, the following conditions should exist within the organization (e.g., Department, Agency) that "owns" the OA system.
9.0 REQUIRING SECURITY IN THE PROCUREMENT OF OFFICE AUTOMATION
Security is an important consideration throughout the entire life-cycle of an Office Automation System. If security is not considered during the initial system specifications and Request for Proposal (RFP), it may not be designed into the OA System, and will remain a problem throughout the system life-cycle. Often, when deciding upon what OA System to buy, security is ignored in favor of performance and compatibility with other AIS. Security is not inherently incompatible with these goals, so it should not be sacrificed to them.
OMB Circular A-130 requires that a risk analysis be done by the person or organization responsible for the security of any AIS before procurement of the system is begun. (Risk analyses are also required at other times during the system life-cycle; see Reference 13 for further guidance.) This requirement applies as much to OA Systems as to any other AIS.
This risk analysis, which may be anything from a very informal review to a fully quantified risk analysis, should help identify potential security problems. These problems can then be addressed before and during the procurement of the system.
(Note: At this point, it is helpful to remind procurement officers and security officers that the prospective vendor's security claims should be verified to the greatest extent possible. Many times, mechanisms or features claimed by vendors are either not present, or are so easily subvertible that they are of little use.)
The following guidelines should be considered when writing system specifications and Requests for Proposal.
9.1 Processing Classified Information: Policy Requirements
If the OA System will be processing classified information, it must comply with the appropriate national TEMPEST policy directive[13,14]. The Request for Proposal must state that the system is to meet this policy. Furthermore, if in addition to processing classified information the OA System is to have a communications capability, then appropriate Communications Security (COMSEC) measures, as approved by the National Security Agency, must be taken. The RFP and the system specification should require the capability to adapt to whatever COMSEC measures will be used to protect the system's communications (e.g., compatibility with cryptographic devices).
9.2 Physical Environment of the OA System
An OA System is generally considered to be a high-dollar asset. If the OA System will be kept in an area that does not provide an adequate level of protection against theft, then the purchase of devices that lock the system to a table or in a closet should be considered. Also, the use of OA Systems with the capability for removable-media-only may be considered if there is a high probability of vandalism to the system. If a system with fixed media were to be vandalized, the information stored on the fixed media since the last backup could also be lost, while information contained on removable media can be protected by locking up the media. The probability of vandalism cannot be appreciably lowered by this method, but the damage caused by a vandal can be significantly lessened by protecting the information.
If the OA System will be used to process classified information, and will be kept in an area that is not approved for open storage of information of that sensitivity, an OA System with removable-media-only should be used. This will lessen the chance of compromise of information if an unauthorized user were able to access the system, as classified or sensitive, but unclassified, information could be removed from the system and secured when the system is unattended.
A GSA-approved, tamper-resistant cabinet in which the entire system can be secured should be purchased if the system will be used to process classified information, will contain fixed media, and will be kept in an area that is not approved for open storage of classified information. Given this scenario, this cabinet is the only way in which the security requirements of the system can be satisfied.
9.3 Identification of Non-Volatile Components
All components of the proposed OA System that are non-volatile (i.e., that retain information after power has been removed) should be identified prior to procurement. If the OA System is identified as having only removable media, and there is non-volatile memory that has not been identified as such, then the OA System has been incorrectly identified, since it contains a type of fixed media.
9.4 System Communications Capabilities
If it is known at the time of procurement that the OA System is to be connected with other OA Systems to form a Local Area Network (LAN), then the security requirements of the entire LAN must be considered first. If the procurement is to be of the entire LAN (i.e., of all of its components), then the issues in this chapter must be addressed for the LAN as a whole, as well as for each of its components. Individual nodes of the LAN may have different security requirements than other nodes on the LAN.
If the procurement is to be for an OA System which is to be attached to an existing LAN, then the security requirements and mechanisms of the existing LAN must be examined prior to writing the specifications of the OA System. The new OA System should support all security mechanisms that already exist in the LAN, and should not allow a violation of the LAN's security policy.
(Note: The LAN should enforce a security policy, as any AIS should. This particular security policy should be driven by the owning organization's overall Information Security Policy, and the particular environment in which it operates. See Chapter 8.0 of this guideline for a further discussion of security policies.)
If the OA System must be alternately connected as a terminal to several different AIS that process different sensitivity levels of information, the procurement should specify that only OA Systems using removable-media-only shall be considered. Since the sensitivity level of an OA System with fixed media cannot be easily lowered, switching between AIS with different sensitivity levels of information is impractical, if not impossible, for these systems.
9.5 Shared-Use Systems and Multi-User Systems
A "shared-use system" is an OA System that is used by more than one person, but not by more than one at a time. A "multi-user system" is an OA System that can be used by more than one person at a time. Whenever an OA System is to be shared by more than one person, either serially or simultaneously, there are security concerns which should be addressed that do not occur if the OA System is used exclusively by one person.
9.5.1 Shared-Use Systems Processing One Sensitivity Level of Information
If the system is to be shared by several users, and not all users will have the necessary clearances and need-to-know for all information that will ever be processed or controlled by that OA System, the possibility of acquiring an OA System that uses removable-media-only should be investigated. With this type of system, information can be removed and locked away to prevent its compromise.
If a system with fixed media is procured and used, any information that is stored on fixed media may be accessible to all users of the system. If some users of the OA System do not have a need-to-know for some of the information stored on it, this access is contrary to the provisions of the Privacy Act of 1974 (see Section 3, paragraph (b) of Reference 20). Therefore, if a system that contains fixed media is to be used in this situation, it should meet the requirements of at least class C2 when evaluated against the TCSEC.
9.5.2 Shared-Use Systems Processing Information of Multiple Sensitivity Levels
In many cases, it is desirable to send machine-readable copies of information processed on one OA System to another site for use (e.g., copy a file from one OA System onto a floppy disk, and then use that floppy disk in another OA System). If this is the case, and if the OA System will be used to process several different sensitivity levels of information (e.g., Unclassified through TOP SECRET; personnel, medical, and financial), an OA System that uses removable-media-only should be used. An OA System with fixed media should not be used, since the sensitivity level of the system may not be lowered, and since any removable media which is inserted into an OA System with fixed media must be regarded as having the same sensitivity level as the system itself.
9.5.3 Shared-Use Systems and Multi-User Systems With Fixed Media
If the OA System is to utilize fixed media, and it is desired that users with differing clearances and/or need-to-know be able to access the system, hardware/software security should be specified in the RFP. Specifically, if some users of the OA System do not have a clearance and/or a need-to-know for some of the information to be processed on the system, the RFP should follow the guidance given in References 2 and 3. It is possible that no vendor will be able to respond to the RFP, because there are currently no OA Systems available that meet these requirements. If this occurs, the planned mode of operation of the OA System should be revised to reflect the security capabilities of those systems that are available.
9.5.4 Multi-User Systems Processing Information of Multiple Sensitivity Levels
If it is desired that the OA System be able to simultaneously process and store information of different sensitivity levels, and the system must be trusted to maintain the separation of information by sensitivity level, the specifications should require a system that meets the recommendations given in References 2 and 3. If no vendor is able to respond to the RFP because of lack of hardware/software security controls, the planned mode of operation of the OA System should be revised to reflect the security capabilities of those systems that are available.
10.0 SECURE DISPOSAL OF OFFICE AUTOMATION SYSTEMS
When an Office Automation System has outlived its usefulness and has become obsolete, or when it has become damaged beyond repair, it must be disposed of properly. If the OA System has been used to process or store classified or sensitive, but unclassified, information, certain precautions should be taken before the system can be disposed of through normal channels. These precautions will help to prevent the compromise of any classified or sensitive, but unclassified, information remaining in the system after it is beyond the control of the organization that once used it.
10.1 Removable Media
Any removable media that were used in the OA System should be removed. If these media will be used in another OA System without being cleared, care must be taken to ensure that the new OA System is approved for processing information of the removable media's sensitivity level.
If it is desired that the removable media be reused in the same facility (but after information currently stored on them is erased), they may be cleared by one of the methods detailed in Reference 4.
In all other cases, removable media that once contained classified or sensitive, but unclassified, information should be either declassified or destroyed, as appropriate, using the methods detailed in Reference 4.
10.2 Fixed Media
Fixed media attached to the OA System that contain or formerly contained classified or sensitive, but unclassified, information should be declassified, destroyed, or removed from the system before they leave the controlling organization. Declassification and destruction procedures are described in Reference 4.
10.3 The Remainder of the OA System
Once both fixed and removable media have been removed from the system and handled appropriately, any semiconductor memory that remains in the system should be properly declassified. To declassify semiconductor memory, the following procedures should be followed prior to disconnecting the power supply. A random pattern of bits must be written over each location. No further data is to be inserted for a 24-hour period and the power is to remain on. This same overwrite procedure should be used a second and third time, i.e., inserting a random pattern of bits and leaving the system powered up for 24 hours, for a total of 72 hours, and no interim insertion of bits. Upon completion of the third cycle, the memory will be considered unclassified. As a second option, the security officer may have the semiconductor memory removed from the OA system and destroyed before the system leaves his control.
Users who cannot use either of these options should contact their organization's Computer Security Office. Additional information is also available from NSA, Ft. George G. Meade, MD 20755-6000, ATTN: Division of Computer Security Standards.
A Guideline on Sensitivity Marking of the Office Automation System and Its Storage Media
Throughout this guideline, sensitivity marking of OA Systems processing classified or sensitive, but unclassified, information and of magnetic storage media is discussed. This appendix provides guidance on how to mark the OA System and its media appropriately.
A.1 Sensitivity Marking of OA Systems Having Removable-Media-Only
The OA System and its peripheral devices must be clearly marked with the highest sensitivity of information that it is allowed to process[9,22]. Stickers indicating the highest sensitivity of information that may be processed by that device should be applied directly to the OA System and each peripheral device. Under normal circumstances, this label should not be removed from the system.
An OA System with removable media (and with only volatile semiconductor memory) is considered to have the same sensitivity level as the media which are currently contained in it. Since OA Systems that do not contain fixed media can change sensitivities (see the earlier discussion of removable-media-only systems), it is recommended that there be a clearly-visible sign placed near the system that indicates when the OA System is being used to process a specific type or range of information (e.g., classified, personnel privileged, proprietary). In this manner, others in the office can be forewarned not to allow visitors to wander about in the vicinity of the OA System. (The user should be aware that this sign might also have the effect of "advertising" the fact that classified or sensitive, but unclassified, information is being processed. This could draw unwanted attention from curious people. Again, the user should be very careful that no one is looking at what is being done.)
A.2 Sensitivity Marking of OA Systems Containing Fixed Media
Any OA System on which classified or sensitive, but unclassified, information is stored is considered to be a sensitive OA System. Any sensitive OA System is assumed to have the same sensitivity level as the highest classified or most sensitive information stored on it. This includes systems with fixed media, as well as systems with nonvolatile semiconductor memory. These systems must always be given the same level of protection as any other information of that sensitivity level.
There should be attached to the OA System and each peripheral device, which is not physically collocated with it, a human-readable label (e.g., a sticker) on which is clearly and legibly written the sensitivity of the OA System. Under normal circumstances, this label should never be removed. If the sensitivity level of the system or device changes, a new label indicating the new sensitivity of the system can be placed on top of the old one.
Because of the presence of the fixed media, the sensitivity level of the OA System may never be decreased, unless the system is declassified in accordance with Reference 4.
The label attached to a peripheral device (e.g., a laser printer) that is shared among several OA Systems should indicate the highest (most restrictive) sensitivity of information that may be sent to that device.
A.3 Sensitivity Marking of Removable Storage Media
The sensitivity level of a volume of removable media is the same as the most restrictive sensitivity level of information stored on that volume. All information on a volume of removable media should be regarded as being at the same sensitivity level (e.g., it is not permissible to consider one file on a diskette to be TOP SECRET and another file on the same diskette to be Unclassified).
There should be a human-readable label attached to the container of each volume of removable media (e.g., the outside of a diskette, the outside of a tape reel) that clearly indicates the current sensitivity level of that volume of media[5,11,12,22,23]. Under normal circumstances, this label should not be removed unless the volume of media is declassified using procedures specified in Reference 4. Labels should be color coded in accordance with applicable government and agency or departmental standards.
The volume of media should then be protected to a level that is at least commensurate with this label.
Example: A floppy disk that is marked SECRET should be given the same level of protection as a piece of paper that is marked SECRET (e.g., stored in a GSA-approved safe when not in use).
It is permissible to raise the sensitivity level of a volume of media. When this happens, the label on the media should also be changed. A new label indicating the higher sensitivity level may be placed on top of the old label, or the old label may be removed before the new label is applied.
It should not be permissible to decrease the sensitivity level of a volume of media without first declassifying it using one of the approved methods described in Reference 4.
Any volume of media which is in the OA System at the same time as other media of a more restrictive sensitivity level should automatically acquire that more restrictive sensitivity.
Example: If an Unclassified system disk is placed in drive A of an OA System, with a TOP SECRET disk in drive B, the system disk should be considered to be TOP SECRET and protected as such. The reason for this is that the average user has no way of being absolutely certain what is being written on each disk, and must therefore guard against the OA System writing to the wrong disk by upgrading the sensitivity of the system disk.
Any volume of removable media that is not sealed in its original package and is not labeled should be presumed to be at the same sensitivity level as the OA System in which it is used[5,15]. If this OA System can have a range of sensitivity levels (e.g., is a system with removable-media-only), the volume of media should be considered to have the same sensitivity level as the highest classified or most sensitive information the system can process.
If there is an unsealed, unlabeled volume of media, and it cannot be determined which (if any) OA System it has been used in, the media should be considered to have the same sensitivity level as the highest sensitivity level of any OA System that they could have been used in.
Example: Suppose that there are four OA Systems in the same room. Three are Unclassified systems, while the fourth is TOP SECRET. An unlabeled floppy disk is found lying on top of a desk in this room, and it cannot be determined in which, if any, of these four OA Systems this particular floppy has been used. This floppy disk should therefore be considered to be TOP SECRET.
A.4 Sensitivity Marking of Fixed Storage Media
All fixed media should be regarded as having the same sensitivity level as the OA Systems to which they are attached.
Unless the OA System has been approved to simultaneously process information of a range of sensitivity levels, all information on the fixed media should be regarded as being at the same level: the highest sensitivity level of any information on the media.
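The marking rules of A.3 and A.4 (media acquire the most restrictive sensitivity they are exposed to, an unlabeled volume is presumed to be at the highest level of any system it could have been used in, and a label may be raised but not lowered without declassification) can be expressed as a label lattice. The following is an added worked example, not part of the original guideline; the level ordering and the category names FOUO and PROPIN are taken from the glossary, and all disk and system labels are constructed for illustration.

```python
"""Sensitivity-label lattice for OA media (added example, not from the guideline).

A sensitivity level has a hierarchical component (Unclassified < CONFIDENTIAL
< SECRET < TOP SECRET) and a non-hierarchical component (a set of categories
such as FOUO or PROPIN). One label dominates another when its level is at
least as high and its categories include the other's.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

LEVELS = ("Unclassified", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown hierarchical level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as restrictive as `other`."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the higher level and the union of categories."""
        level = max(self.level, other.level, key=LEVELS.index)
        return Label(level, self.categories | other.categories)


def label_after_exposure(volume: Label, others: Iterable[Label]) -> Label:
    """A.3: a volume in the OA System at the same time as more restrictive
    media (or attached to a more sensitive system) acquires that sensitivity.
    The result never drops below the volume's current label."""
    result = volume
    for lbl in others:
        result = result.join(lbl)
    return result


def label_for_unlabeled_volume(candidate_systems: Iterable[Label]) -> Label:
    """A.3: an unsealed, unlabeled volume whose history is unknown is presumed
    to carry the highest sensitivity of any system it could have been used in."""
    result = Label("Unclassified")
    for lbl in candidate_systems:
        result = result.join(lbl)
    return result


def relabel(volume: Label, new: Label, declassified: bool = False) -> Label:
    """Raising a label is always permitted; lowering it is permitted only after
    the volume has been declassified by an approved method (Reference 4)."""
    if new.dominates(volume) or declassified:
        return new
    raise ValueError("sensitivity of a volume may not be decreased "
                     "without first declassifying it")


if __name__ == "__main__":
    # Constructed scenario from A.3: Unclassified system disk in drive A,
    # TOP SECRET disk in drive B.
    system_disk = label_after_exposure(Label("Unclassified"), [Label("TOP SECRET")])
    print("system disk is now", system_disk.level)  # TOP SECRET
    # Constructed scenario: unlabeled floppy found in a room with three
    # Unclassified systems and one TOP SECRET system.
    room = [Label("Unclassified")] * 3 + [Label("TOP SECRET")]
    print("unlabeled floppy presumed", label_for_unlabeled_volume(room).level)
```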
LIST OF ACRONYMS
ADPSSO ADP System Security Officer
AIS Automated Information System
LAN Local Area Network
NACSI National Communications Security Instruction
NCSC National Computer Security Center
OA System Office Automation System
PC Personal Computer
TCSEC Department of Defense Trusted Computer System Evaluation Criteria
WP Word Processor
ADP System Security Officer (ADPSSO)
The person who is nominally responsible for the secure operation of an OA system.
Automated Information System (AIS)
An assembly of computer hardware, software, and firmware configured in such a way that it can collect, communicate, compute, process, disseminate, and/or control data.
Connected Office Automation System
An OA System that is electrically connected to one or more AIS. The OA System may be used as a host, a file server, a terminal, or any other component of a network.
Local Area Network
An interconnected group of OA Systems or system components that are physically located within a small geographic area, such as a building or campus.
Magnetic Remanence
A measure of the magnetic flux density remaining after removal of an applied magnetic force. Can also mean any data remaining on ADP storage media after removal of the power.
Multi-User Office Automation System
An OA System that can be used by more than one person simultaneously.
Non-removable Magnetic Media
Any magnetic media used for the storage of information that is not designed to be regularly removed from the system. Examples of non-removable media include fixed or "Winchester" disks. (This will also be referred to as "fixed media" for short.)
Non-volatile Memory
Memory contained within an Office Automation System that retains its information after power has been removed.
Office Automation System
Any microprocessor-based AIS or AIS component that is commonly used in an office environment. This includes, but is not limited to, Personal Computers, Word Processors, printers, and file servers. It does not include electric typewriters, photocopiers, and facsimile machines.
Personal Computer (PC)
A microprocessor-based computer which is primarily intended to be used by one person at a time. It is usually characterized by relatively low cost and small physical size (usually small enough to fit on a desk or table).
Physically Protected Communications Media
Any communications media to which physical access is sufficiently controlled that the chance of compromise, improper modification, or destruction of information is assumed to be zero.
Removable Magnetic Media
Any magnetic media used for the storage of information that is designed to be frequently and easily removed from the Office Automation System by a user. Examples of removable magnetic media include floppy disks, removable hard disks (e.g., Bernoulli disks) and magnetic tapes. (This will also be referred to as "removable media" for short.)
Sensitive, but Unclassified Information
Information the disclosure, loss, misuse, alteration, or destruction of which could adversely affect national security or other Federal Government interests. National security interests are those unclassified matters that relate to the national defense or the foreign relations of the U.S. Government. Other government interests are those related, but not limited to the wide range of government or government-derived economic, human, financial, industrial, agricultural, technological, and law enforcement information, as well as the privacy or confidentiality of personal or commercial proprietary information provided to the U.S. Government by its citizens.
Sensitivity Label
The physical representation of the sensitivity level of information.
Sensitivity Level
A designation, associated with information, indicating (1) the amount of harm that can be caused by the exposure of that information to an unauthorized user, (2) any formal access approvals that must be granted prior to the granting of access to that information, and (3) any specific handling restrictions placed on that information.
Sensitivity levels contain both a hierarchical component (e.g., Unclassified, CONFIDENTIAL, SECRET, TOP SECRET) and a non-hierarchical component (e.g., For Official Use Only (FOUO), Proprietary Information Enclosed (PROPIN)).
Shared-Use Office Automation System
An OA System that is used by more than one person, but is used by only one person at a time.
Stand-Alone Office Automation System
An OA System that is electrically and physically isolated from all other AIS.
Volatile Memory
Memory contained within an Office Automation System that loses its information a short time after power has been removed.
Word Processor (WP)
An Office Automation System that is designed to be used primarily in the preparation of documents containing alphanumeric text.
The total collection of Office Automation equipment, physically located in one place, that makes up the resources meant to be used by one person at a time.