
9.0  SECURITY


9.1  What is Information Security


9.1.1  The Environment
Organizations today, connected to extensive networks and global communications, are realizing that achieving enterprise-wide information security is a complex but necessary task. Users have become critically dependent on information, and on the systems and networks used to provide access to this information. As this dependency grows, the need for increased connectivity and inter-connectivity amongst the many diverse government and private sector systems becomes ever more important. Furthermore, the incredible sophistication and speed of evolution of the emerging information technologies being offered by industry create an insatiable desire by users to employ these emerging technologies. At the same time, user organizations are concerned about protecting classified and sensitive information, about ensuring the integrity and authenticity of the information, and about controlling access to the information and to the systems and networks that process and transport this information. They are also concerned about detecting and reacting to malicious acts that could result in a temporary or sustained loss of service. As time goes on, criminals, hackers, competitors, and other threats will gain access to more sophisticated capabilities to break into, exploit, or disrupt information infrastructures. Information systems security and assurance, then, cannot be viewed as a point in time. It is in fact achieved through a process of awareness, readiness, and vigilance.


9.1.2  Types of Security
Within this environment, security consists of two broad areas: those security measures defined within the requirements of a particular contract and defined by the acquiring organization and its sponsoring governmental entity, and those actions taken by organizations to achieve routine information assurance.


9.1.2.1  Regulatory Requirements
Security requirements that are typically called out in contracting actions are well defined within existing and emerging policies, regulations, and requirements. These are cited by the sponsoring governmental entity. Emerging regulations can often be found posted to a particular sponsoring agency's Web site or on the Web site for that governmental body responsible for security of the affected area.


9.1.2.2  Information Assurance
Information Assurance for enterprise-wide information systems is a vital requirement of every commercial CIO and senior government IT professional for day-to-day operation. Information Assurance enables connectivity in a safe manner, which makes companies and agencies more productive in this information age and meets the need for secure interoperability with our Allied and Coalition partners. This section concentrates on Information Assurance activities applicable to all organizations.


9.2  What Needs to be Considered?
To help focus the analysis of security solutions, users' needs have been consolidated into four major requirement categories. This allows related requirements to be discussed together and it helps to ensure that common solutions are considered for similar problems.


9.2.1  System Security Methodology
A Framework should be developed that presents a systematic set of inter-related processes for addressing a user's security needs. Consideration of mission needs, relevant policies and regulations, and a projection of threats to the systems and information all contribute to an organizational security policy. The Framework then recognizes that an effective security solution to satisfy this security policy is most often realized through a balance of technical and non-technical countermeasures. The Framework also recognizes that practical solutions usually will not completely satisfy the security policy, so a risk management methodology should be applied in making decisions about the fielding and operation of available solution alternatives. A structure for risk assessment should be developed, supporting the risk management methodology. This then forms the basis for the certification and accreditation process (recognized as a risk management decision). The need to extend this risk management methodology beyond deployment should also be addressed, to ensure that the final system continues to offer the intended security features and protections.


9.2.2  Technical Security Countermeasures
A Framework should be developed that considers concepts and technologies that form the foundation for technical countermeasures available to develop an effective network security solution. The specific areas to be considered include the following:


9.2.2.1  Fundamental Security Services
Fundamental Security Services are those services that are implemented to provide the protection necessary to secure information and system resources. These services include access control, confidentiality, integrity, availability, authentication, and non-repudiation. These are realized by the application of security technologies within various system components.


9.2.2.2  Security Technologies
Security Technologies introduces technical countermeasures. Typical technical security countermeasures include intrusion detection/prevention, virus scanners, data link and network layer encryptors, security protocols, and tokens. These technologies provide the underpinnings for the framework recommendation guidance.


9.2.2.3  Robustness Strategy
Robustness Strategy provides a philosophy and initial guidance for selecting the strength of security mechanisms and the security assurance provisions that may be needed for a particular value of information and potential threat level. Robustness of a security solution needs to be in direct proportion to the value of, and the threats to, what is being protected. A strategy is described for measuring and assessing the need for various levels of robustness for technical (and selected non-technical) security countermeasures.


9.2.2.4  Interoperability Framework
Interoperability Framework strongly advocates the use of compatible and interoperable security solutions. This is needed to ensure that, as security solutions are added to the community's Information Technology environment, the existing interoperability lines are not broken. The best path for achieving this is to recommend solutions based on industry standards or "de facto" standards. The Framework recognizes that emerging information and security technologies are often fielded prior to the adoption of interoperability standards. The user's desire to use these emerging technologies sometimes requires acceptance of vendor-unique or proprietary solutions. In these cases, the Framework advocates a migration path towards standards-based solutions as they become available.


9.2.2.5  Security Management Infrastructure Considerations
Security Management Infrastructure Considerations address the need for SMI capabilities to accompany the use of technical security countermeasures, placing demands on network users and administrators. It is important that consideration be given to the needs and demands placed on network users and operators by an SMI within the context of any potential network security solution.


9.2.3  Security Solutions Framework


9.2.3.1  Requirement Category Guidance
Requirement Category Guidance addresses each of the requirement categories, one by one. For each category, the Framework defines user requirements, both current and those anticipated based on emerging technology trends. It considers applicable potential threats and identifies potential countermeasures articulated as security requirements for that category. Currently available security technologies for addressing each requirement are described and compared. Where appropriate, preferred solutions are identified and characterized in terms of features and assurances.


9.2.3.2  Security Management Infrastructure Considerations
Security Management Infrastructure Considerations emphasize the importance of the Security Management Infrastructure, and provide a description of the major SMI services, followed by an in-depth characterization of processes, requirements, potential attacks, and countermeasures that are available for each SMI service. The SMI discussion concludes with recommendations for the features needed to achieve three assurance levels.


9.2.3.3  Aggregated Solution
An Aggregated Solution recognizes that the needs of most users are reflected not by any one of the four requirement categories, but by some combination of them. The Framework recognizes that a means is needed to develop a solution for logical aggregations of the recommendations for the individual categories.


9.2.4  Technology Characterization
The recommendations for the best technologies to address each requirement category and case are summarized in the framework. This identifies the type of features and assurance levels that are recommended overall for a particular technology area. If existing technology needed to mitigate the threat at a sufficient level is not available, the need is considered a gap in technology for this customer requirement category. These gaps are identified in the appropriate technology assessment within the relevant Framework guidance sections.

 
