FIPS PUB 191
Appendix B - Personal Computer Considerations
Personal computers typically do not provide technical controls for user authentication, access
control, or memory protection that differentiates between system memory and memory used for
user applications. Because of the lack of controls and the resultant freedom with which users can
share and modify software, personal computers are more prone to attack by viruses, unauthorized
users and related threats.
Virus prevention in the PC environment must rely on continual user awareness to adequately
detect potential threats and then to contain and recover from the damage. Personal computer
users are in essence personal computer managers, and must practice their management as a part
of their general computing. Personal computers generally do not contain auditing features, thus
a user needs to be aware at all times of the computer's performance, i.e., what is normal or
abnormal activity. Ultimately, personal computer users need to understand some of the technical
aspects of their computers in order to detect security problems, and to recover from those
problems. Not all personal computer users are technically oriented, thus this poses some
problems and places even more emphasis on user education and involvement in virus prevention.
Because of the dependence on user involvement, policies for LAN environments (and thus PC
usage) are more difficult to implement than in a multi-user computer environment. However,
emphasizing these policies as part of a user education program will help to ingrain them in users'
behavior. Users should be shown via illustrated example what can happen if they do not follow
the policies. An example where users share infected software and then spread the software
throughout an organization would serve to effectively illustrate the point, thus making the purpose
of the policy more clear and more likely to be followed. (It is not suggested that an organization
actually enact this example, merely illustrate it.) Another effective method for increasing user
cooperation is to create a list of effective personal computer management practices specific to
each personal computing environment. Creating such a list would save users the problem of
determining how best to enact the policies, and would serve as a convenient checklist that users
could reference as necessary.
For guidance on general protection of PCs see [STIE85]. For guidance on protecting against
malicious software see [WACK89].