1. Security requirements may be divided into three general areas: security policy, accountability, and assurance. Each area represents what may be done, through specific security features, to control information access so that only authorized individuals or processes may read, write, create, or delete the information.
  2. The satisfaction of security requirements may be accomplished with hardware, software, firmware, procedures or any combinations of these elements. The extent to which the requirements are satisfied is related to the sensitivity of the system and is defined through a cost/benefit analysis that will relate the marginal cost of the measure to the previously defined level of sensitivity.
  3. Security Policy:
    1. Security policy must be explicit and well defined. This is a statement of intent regarding access and distribution of information. This policy may be positively or negatively formulated: “all appropriate individuals will have easy access to the information they require,” or “no unauthorized individual may have access...” The policies must be explicit enough so that specific interpretations can be made and must also be distributed to the appropriate individuals.
    2. A security policy should reflect any laws, regulations, or basic company policy. Particular attention must be paid to the privacy of individual personal information. Failure to create a valid and complete security policy could put any organization at great risk.
    3. The policy should state whether discretionary or mandatory control is to be employed and the extent to which formal verification is to take place. Most importantly, the policy must clearly delineate the responsibilities of all those involved. All factors should be related to the level of sensitivity.
    4. A list of subjects covered in the policy area includes:
      1. Responsibility/Authority
      2. Access Control
      3. Discretionary/Mandatory Control
      4. Marking/Labeling
      5. Control of Media
      6. Import & Export of Data
      7. Security Levels
      8. Treatment of System Outputs
  4. Accountability
    1. The system must assure individual accountability both for access to data and use of system capability. There must also be a way to audit transactions. This involves three basic elements: individual identification, authentication, and audit.
    2. Individual Identification refers to the ability to uniquely recognize anyone accessing the system. This can be determined at any level a policy requires. Many access control systems group individual users so that the same privileges (i.e., access to specific data or functions) are granted to several individuals. These privileges may also be related to location, time of day, or other criteria that in turn relate to the level of security required. For example, in a hospital information system, doctors may be able to access data about a patient from any location while nurses may only be able to access data about medication for specific patients from specific stations. The level of individual access authority control should relate directly to sensitivity levels previously defined.
    3. Authentication refers to techniques available to assure that individuals identified are who they represent themselves to be. The most common form of authentication is the use of passwords, but there are other techniques. Authentication techniques fall into three categories: what someone knows (passwords, encryption keys); what someone possesses (smart cards, electronic keys); or some personal characteristic (biometrics -- fingerprints, hand geometry, retina patterns). Ranked by reliability and ease of use, what someone knows is easy and inexpensive to implement. What someone possesses is also easy to use but more expensive and more reliable because of the greater difficulty to compromise. Human error, however, is more highly probable when relying on what someone knows and what someone possesses. Both passwords and encryption methods require keys, and the management of passwords and keys determines the reliability and security of a system.
    4. Audit capability refers to the capability of authorized personnel to track actions taken by individuals; the system must provide this capability. The granularity of these tracking mechanisms relates to sensitivity. The higher the level of sensitivity, the more detail should be available in the auditing system. The authorized user should be able to easily manipulate the system so that data can be selected as needed.
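The identification, access control and audit elements above, as an added example that is not part of the original document: a constructed policy for the hospital example (group privileges restricted by patient, station and time of day), an access decision that records every granted or denied request, and an audit query over those records. All names, groups, stations and patient identifiers are assumptions for illustration.

```python
from datetime import time

# Constructed, illustrative policy for the hospital example: privileges are granted
# to groups, and a grant may be restricted by patient, station and time of day.
POLICY = {
    "doctor": [{"resource": "patient_record", "actions": {"read", "write"}}],
    "nurse": [{"resource": "medication", "actions": {"read"},
               "patients": {"P-1001", "P-1002"},
               "stations": {"ward-3-station"},
               "hours": (time(7, 0), time(19, 0))}],
}
USERS = {"dr_ahmed": "doctor", "nurse_lee": "nurse"}  # unique identity -> group
AUDIT_LOG = []  # every decision, granted or denied, is recorded here

def clock(hhmm):
    """Parse 'HH:MM' into a datetime.time for time-of-day checks."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return time(hour, minute)

def _grant_matches(grant, resource, action, patient, station, now):
    """Return a denial reason, or None when the grant covers this request."""
    if grant["resource"] != resource or action not in grant["actions"]:
        return "no matching grant"
    if "patients" in grant and patient not in grant["patients"]:
        return "patient not covered"
    if "stations" in grant and station not in grant["stations"]:
        return "station not permitted"
    if "hours" in grant and not grant["hours"][0] <= now <= grant["hours"][1]:
        return "outside permitted hours"
    return None

def decide(user, resource, action, patient, station, now):
    """Access decision for an identified individual; always appends an audit record."""
    group = USERS.get(user)
    reason = "unknown user"
    if group is not None:
        reason = "no matching grant"
        for grant in POLICY.get(group, []):
            reason = _grant_matches(grant, resource, action, patient, station, now)
            if reason is None:
                reason = "granted"
                break
    AUDIT_LOG.append({"user": user, "group": group, "resource": resource,
                      "action": action, "patient": patient, "station": station,
                      "time": now.strftime("%H:%M"), "reason": reason})
    return reason == "granted"

def audit_entries(user, denied_only=False):
    """Audit query: which actions did this individual take or attempt?"""
    return [e for e in AUDIT_LOG
            if e["user"] == user and (not denied_only or e["reason"] != "granted")]
```

Because a denied request is logged with its reason, the audit trail shows attempted misuse as well as granted access, which is what the accountability requirement calls for.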
  5. Assurance:
    1. Assurance refers to the guarantee of correct policy interpretation, the integrity of the system, and the effective operation of the system. The degree to which the subjects listed below are addressed pertains to the security level of the system. The elements contained in the assurance category are:
      1. Architecture: Specify the security relevant aspects and clearly identify how they are treated.
      2. Integrity: Both system and data integrity should be addressed. The analysis should include what checks are made, the frequency, and the impact of failure.
      3. Testing: No system can be considered secure if adequate testing has not been done. The test should be well planned and structured and evaluation should be directed toward making improvements.
      4. Specification/Verification: To establish the security of a system, it is necessary to know what the system should be doing and to determine how well it accomplishes its functions. It is impossible to define security requirements if the function of the system is not known.
      5. Facility Management: This addresses physical access control and operational actions, such as policy change, program implementation procedures and other actions that relate to the manner in which the system is implemented and operated.
      6. Configuration Control: This refers to having certain knowledge of the contents of hardware and software at any given moment.
      7. Disaster Recovery or Contingency Planning: This element of system security has two distinct parts -- what must be done during normal operation and what must be done in the event of emergency. Effective backup data creation and storage are as important as the identification of a backup concept and storage facility. The intention of this discussion is not to address disaster recovery fully, but to ensure that it is considered.
      8. Compliance: The identification and treatment of violations to established policy is important. Both the mechanism to identify violations and the response to violations must exist and be enforced. Objective review must be made to ensure that security procedures are being complied with.