Handbook of Information Security Management:Computer Architecture and System Security



Integrity Issues and Associated Policy Concerns

1.  Duties and responsibilities must be defined so that security controls are established to ensure separation of logical and physical environments (i.e., maintenance, test, production, quality assurance, and configuration management) for each distributed system node and the interaction between nodes. Policies must also address the various resources, skills, and information requirements that exist for consistent deployment of controls supporting the management and maintenance of the distributed systems facilities. Additional policies may need to be developed based on the characteristics of a specific distributed system node after the software and hardware for that node have been selected for implementation.
2.  Organizational functions and individual duties must be separated. Separating functions and duties along organizational lines makes it harder for any single party to circumvent security controls in the acquisition, implementation, and operation of the software at each distributed node, or in defining the permissibility of actions between nodes.
3.  Configuration Management (CM) plans will need to be developed at the system level, or at a minimum redesigned to include the following:
  Distributed system CM plans must document system-level and site-level policies, standards, procedures, responsibilities, and requirements for the overall system control of the exchange of data.
  Distributed system CM plans must identify each individual site’s configuration.
  Distributed system CM plans must include documentation for common data, hardware, and software.
  Maintenance of each component’s configuration must be identified in the CM plan.

A system-level CM plan is needed that describes distribution controls and audit checks to ensure that common data and application versions are the same across the distributed system; site-level CM plans are subordinate to the distributed-level CM plan. For distributed-level changes, if the components are not documented in a single CM plan, a change control authority will need to be established as the point of control. Where nodes are geographically separated, or where the components are not documented in a single CM plan, site-level changes must be reviewed by the site’s change control authority for potential impacts at the distributed level. Additionally, the change control authorities will need to establish agreements on policies, standards, procedures, roles, responsibilities, and requirements with all distributed systems that are not managed by a single organizational department, agency, or entity.
4.  If digital signatures are used for configuration management of critical software components, then the signature mechanism must be used to validate the configuration of each node during system validation tests. The signature construct (what is signed, by whom, and how it is verified) must be defined during node certification, so that the validation test checks the node against a baseline that was approved when the node was certified.
5.  Security control requirements and responsibilities will need to be identified that establish procedures for the owners, users, and custodians of distributed systems hardware and software, as well as procedures for the overall system and for each node, to ensure consistent implementation of security controls for handling data between components of distributed systems.
6.  Organizational and functional access controls must be implemented for each node, identifying and establishing the relationship between node software and hardware resources. That relationship must be reassessed periodically to ensure that access remains limited to the minimum required (least privilege).
7.  Security controls need to be assessed, by node, at each phase review of the system development life cycle, so that requirements and vulnerabilities are addressed in the design and implementation as they are discovered rather than patched afterward. Additionally, independent testing and verification responsibilities should be assigned, by node, for maintenance and production processes, so that safeguards and protection mechanisms are not weakened to suit the interests of any single party.
8.  Since distributed systems require network connections for communication with other nodes, network security controls must be considered which address:
  User authentication
  Data flow disguise (confidentiality of data in transit, including concealment of traffic patterns where required)
  Traffic authentication (origin and integrity of each message)
  System attack detection
  Repudiation protection (non-repudiation of messages sent and received)
9.  The level of physical access control depends on the functional criticality or sensitivity level of the information being processed, proprietary process(es) invoked, and/or software/hardware employed. Distributed system components that normally need to be guarded include:
  Terminals
  Equipment
  Nodes
  Communication lines
  Connections
10.  Intrusion detection processes and mechanisms will need to be deployed to detect, monitor, and control both internal and external intrusion and/or infiltration attempts. Additionally, corresponding controls will need to be established to address all security incidents. A security incident is considered to be an event that is judged unusual enough to warrant investigation to determine whether a threat has manifested or a vulnerability has been exploited. For distributed systems, incident detection at one node must also report the event to, and warn, the other nodes of the system that such an event has occurred within its control domain.
11.  A capability will need to be provided to evaluate the effectiveness of security controls. In order to evaluate the effectiveness, security controls must be modular and measurable.
12.  Software with privileged instruction sets that can override security controls within the system must be identified, certified, and controlled.
13.  Designers will need to reconcile the differences in security software installed or available on each platform.
14.  Designers must be able to ensure a consistent implementation of security controls.
15.  Communications subsystem packages for each node must be capable of logging the status of information transfer attempts. Additionally, security management personnel must periodically review these data for evidence of attempts to gain unauthorized access or corrupt data integrity during the transfer process.
16.  Distributed system managers will need to maintain connectivity capabilities by allowing only authorized, authenticated users to log on, responding to access violation alarms, and auditing access logs for attempts at unauthorized access.
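The system-level audit check of item 3 (common data and application versions the same across all nodes) and the signature validation of item 4, as an added example that is not part of the handbook: a change control authority signs a manifest of approved component hashes, each node's deployed components are checked against that baseline, and drift is reported per site. So that it runs with the Python standard library alone, the block uses an HMAC-SHA256 tag as a stand-in for the digital signature; that is an assumption of this example, and a real deployment would use an asymmetric signature (for instance Ed25519) whose private key never leaves the change control authority. The key, manifest, component contents and site names are all constructed.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the change control authority's signing key.
# ASSUMPTION of this example: a keyed MAC is used so the block runs with the
# standard library; a real CM plan would specify an asymmetric signature so
# that nodes can verify without holding the signing secret.
CM_AUTHORITY_KEY = b"constructed-cm-authority-key"


def canonical(manifest: dict) -> bytes:
    """Serialise the manifest deterministically so the tag covers one fixed byte string."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Produce the tag the change control authority attaches to an approved manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, key: bytes) -> bool:
    """Constant-time check that the manifest is the one the authority approved."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_node(manifest: dict, node_files: dict) -> list:
    """Compare one node's deployed components with the approved baseline.

    Reports components that are missing, that differ from the approved version,
    and that are present on the node but not approved at all.
    """
    findings = []
    approved = manifest["components"]
    for name, digest in approved.items():
        if name not in node_files:
            findings.append(f"missing component: {name}")
        elif sha256(node_files[name]) != digest:
            findings.append(f"version drift: {name}")
    for name in node_files:
        if name not in approved:
            findings.append(f"unapproved component: {name}")
    return findings


def validate_system(manifest: dict, tag: str, key: bytes, nodes: dict) -> dict:
    """System-level audit check: refuse to audit against a baseline whose
    signature does not verify, then report drift for every node."""
    if not verify_manifest(manifest, tag, key):
        raise ValueError("manifest signature invalid: baseline not trusted")
    return {node: audit_node(manifest, files) for node, files in nodes.items()}


# Constructed component contents (stand-ins for real binaries).
APP_V2 = b"order-service build 2.0\n"
APP_V1 = b"order-service build 1.0\n"
LIB_V1 = b"crypto-lib 1.0\n"

# The approved baseline, signed once by the change control authority.
APPROVED_MANIFEST = {
    "system": "order-processing",
    "components": {"order-service": sha256(APP_V2), "crypto-lib": sha256(LIB_V1)},
}
APPROVED_TAG = sign_manifest(APPROVED_MANIFEST, CM_AUTHORITY_KEY)

# Constructed snapshot of what each site actually has deployed.
NODES = {
    "site-A": {"order-service": APP_V2, "crypto-lib": LIB_V1},
    "site-B": {"order-service": APP_V1, "crypto-lib": LIB_V1},  # stale application version
    "site-C": {"order-service": APP_V2, "crypto-lib": LIB_V1,
               "debug-hook": b"debug hook\n"},  # component never approved
}

if __name__ == "__main__":
    for node, findings in validate_system(APPROVED_MANIFEST, APPROVED_TAG,
                                          CM_AUTHORITY_KEY, NODES).items():
        print(node, findings or "OK")
```

The check verifies the signature before it trusts a single hash in the manifest, so an attacker who can alter the distributed baseline but not sign it cannot make a tampered node look compliant; that is the property item 4 is asking the validation test to provide.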
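For items 10, 15 and 16, the periodic review of transfer-attempt logs that security management must perform, as an added example that is not part of the handbook. The log line format, the site names, addresses and user names are constructed assumptions; the rule set (repeated authentication failures from one source within a short window, an integrity failure on a transfer, and a successful transfer by a user outside the authorized list) is one reasonable reading of what item 15 asks the reviewer to look for, and the advisories the function returns are the warning to other nodes that item 10 calls for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an ASSUMPTION of this example; real communications
# subsystems differ):
#   <ISO timestamp> node=<id> src=<ip> user=<name> op=<verb> obj=<name> status=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) node=(?P<node>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"op=(?P<op>\S+) obj=(?P<obj>\S+) status=(?P<status>\S+)$"
)

AUTH_FAIL_THRESHOLD = 3          # failures from one source before it is reported
WINDOW = timedelta(minutes=5)    # only failures this close together count


def parse_line(line: str):
    """Return the log record as a dict, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_transfer_log(lines, authorized_users):
    """Review transfer-attempt records for evidence of unauthorized access or
    integrity corruption. Returns (findings, advisories): findings are for the
    local reviewer, advisories are what this node should report to other nodes."""
    findings, advisories = [], []
    fails = defaultdict(list)    # (node, src) -> timestamps of recent AUTH_FAIL
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # An unparseable line is itself worth a look: log tampering or a
            # subsystem that stopped recording transfer status properly.
            findings.append(f"unparseable log line: {line.strip()}")
            continue
        key = (rec["node"], rec["src"])
        if rec["status"] == "AUTH_FAIL":
            fails[key].append(rec["ts"])
            fails[key] = [t for t in fails[key] if rec["ts"] - t <= WINDOW]
            if len(fails[key]) == AUTH_FAIL_THRESHOLD:
                findings.append(f"{rec['node']}: {AUTH_FAIL_THRESHOLD} auth failures "
                                f"from {rec['src']} within {WINDOW}")
                advisories.append(f"block-or-watch src={rec['src']}")
        elif rec["status"] == "INTEGRITY_FAIL":
            findings.append(f"{rec['node']}: integrity check failed on {rec['obj']} "
                            f"from {rec['src']}")
            advisories.append(f"quarantine obj={rec['obj']} from src={rec['src']}")
        elif rec["status"] == "OK" and rec["user"] not in authorized_users:
            findings.append(f"{rec['node']}: transfer by unauthorized user {rec['user']} "
                            f"succeeded ({rec['op']} {rec['obj']})")
    return findings, advisories


# Constructed sample log: one legitimate transfer, a credential-guessing burst,
# a corrupted transfer, a transfer by an account not on the authorized list,
# and one line the parser cannot read.
SAMPLE_LOG = """
2024-03-01T10:00:01Z node=site-B src=10.0.2.7 user=alice op=PUT obj=ledger.dat status=OK
2024-03-01T10:00:05Z node=site-B src=198.51.100.9 user=root op=GET obj=ledger.dat status=AUTH_FAIL
2024-03-01T10:00:09Z node=site-B src=198.51.100.9 user=admin op=GET obj=ledger.dat status=AUTH_FAIL
2024-03-01T10:00:14Z node=site-B src=198.51.100.9 user=oracle op=GET obj=ledger.dat status=AUTH_FAIL
2024-03-01T10:02:30Z node=site-C src=10.0.3.4 user=bob op=PUT obj=rates.tbl status=INTEGRITY_FAIL
2024-03-01T10:03:00Z node=site-C src=10.0.3.4 user=mallory op=PUT obj=rates.tbl status=OK
this line is garbage
""".strip().splitlines()

AUTHORIZED_USERS = {"alice", "bob"}   # constructed list of accounts allowed to transfer

if __name__ == "__main__":
    found, advise = review_transfer_log(SAMPLE_LOG, AUTHORIZED_USERS)
    for f in found:
        print("FINDING:", f)
    for a in advise:
        print("ADVISE OTHER NODES:", a)
```

The successful transfer by an unlisted user is the case item 16 is about: the log shows a logon that should never have been permitted, and review of the access log is what catches it after the fact.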

