GUIDE TO COMPUTER PROTECTION AT BNL

Table of Contents

Chapter 1: What You Should Know About The BNL Computer Protection Program
  Purpose of the BNL Computer Protection Program
  Scope of the Guide
  Laboratory's Computer Security Policy
  Computer Protection Responsibilities
    Department Heads
    Application Owners
    Computer Security Representatives
    Facility/Network Managers
    Computer Protection Program Manager
  Computer Protection Responsibilities of Every BNL User
    Backing up Your Data
    Sensitivity of Your Application or Facility
    Physical Protection for Your Computer and Data
    Reporting Computer Security Incidents
    Software Copyright Laws
    Protection Against Virus Infection
    CIAC Bulletins
    Computer Security Awareness
    Protection of Computer Accounts and Passwords
    Protection of Personal Identification Numbers (PIN)
    Using Audit Trails
    Auditing for Misuse and Abuse
    Unclassified Controlled Nuclear Information
Chapter 2: Specific Guidelines and Requirements
  Platforms and Operating Systems
    UNIX Computer Systems
    MPE (HP) Computer Systems
    VMS Computer Systems
  Local Area Networks
  Data Communications
  Personal Computers
Chapter 3: Computer Security Plans
  What Requires a Plan?
    Sensitive Computer Applications
    Computer Facilities
  The Computer Security Plan
Appendix A  Unclassified Computer Security Incidents Reporting
Appendix B  Definitions
Appendix C  Statement of Threat
Appendix D  Procedure for Certification of Sensitive and Mission Essential Computer Facilities
Appendix E  Guidelines for Auditing PCs, Workstations and Networks
Appendix F  Sample Training Record Form
Appendix G  Computer Security Review Form
Appendix H  Computer Security Representatives

*** Foreword ***

The GUIDE TO COMPUTER PROTECTION AT BNL defines the Unclassified Computer Protection Program in effect at BNL. The guide has three main functions:

1. To provide BNL computer users with the requirements they need to follow in order to protect their computers, applications, and information in accordance with DOE requirements.
2. To document the responsibilities of management, computer security personnel, and computer users.
3. To provide "how to" information for the various requirements of the program.

This guide replaces the following BNL publications:

1. COMPUTER SECURITY GUIDELINES, published April 1984, and
2. The first section of the COMPUTER SECURITY IMPLEMENTATION PLAN, published June 1989.

The DOE Risk Assessment Guide is still valid.

This guide was prepared by Peter Pohlig, Computer Protection Program Manager (CPPM), with assistance from the BNL Computer Security Advisory Group and the Departmental computer security representatives.

Chapter 1
What You Should Know About the BNL Computer Protection Program

This guide does not cover classified computing. If you are planning to do any computing using classified data or applications, you are required to contact the BNL Computer Security Site Manager (CSSM) at extension 7955 at least 4 weeks in advance of the time you need to begin computing. If you are not certain whether the work you are doing should be classified, contact the BNL Classification Officer at extension 7759.

This guide describes various computer security requirements and guidelines. Requirements must be followed; guidelines, while optional, are encouraged.

*** Purpose of the BNL Computer Protection Program ***

The main goal of the BNL Computer Protection Program is to ensure against the loss or misuse of BNL unclassified computers, applications, and data. The Computer Protection Program's mission is to provide guidance to all users in effectively protecting their own work and that of their colleagues from damage or destruction due to human error, computer malfunction, virus infection, or deliberate mischief or destruction. The program also acts to fulfill the requirements of DOE Orders and Congressional Acts for the protection of government information.
The program seeks to develop and maintain systems and procedures that protect the integrity of BNL data and hardware and that also ensure a smooth continuity of operations.

*** Scope of This Guide ***

This guide is a reference for all users of BNL computers. It contains the complete description of the various elements of the BNL Computer Protection Program for non-sensitive, sensitive, and mission essential computers and applications. All computer users, even those who only use personal computers, have certain responsibilities under the program corresponding to the type of computing done and the computers used.

Use this guide to make sure you are following the Computer Protection Program requirements for backing up your information, reporting computer security incidents, choosing proper computing account passwords and protecting them, protecting your computers and computing accounts from damage due to virus or similar infection, using computing networks in a responsible manner, and assuring that your computing accounts are used only for approved work.

*** Laboratory's Computer Security Policy ***

DOE unclassified computer systems shall be protected from theft, fraud, waste, and abuse. Sensitive unclassified automated information shall be protected from unauthorized access, alteration, disclosure, destruction, or improper use as a result of improper actions or adverse events. Unclassified computer systems and applications which support DOE mission essential functions shall be protected from unnecessary processing delays. Required security measures will be used, alone or in combination with one another, to protect unclassified computer systems and sensitive unclassified automated information.

*** Computer Protection Responsibilities ***

All users of BNL computers, whether BNL employees, guests, collaborators, or students, are responsible for adhering to the requirements described in this guide.
Supervisors are responsible for ensuring that their personnel are familiar with the requirements in this guide.

------------ Department/Division Heads ------------------

Ensure that the organization complies with the Laboratory's computer protection program.

REQUIREMENTS:
1. Appoint in writing an organizational Computer Security Representative(s) knowledgeable in the computer activities and computer equipment of the organization.
2. Ensure that their organization is in compliance with the Laboratory's STANDARD PRACTICE INSTRUCTIONS Manual, Section 5-10.
3. Approve all computer security plans for their department or division by signing page 6 of the DOE Risk Assessment Guide.

---------------- Application Owners ------------------------

Responsible for the security of a particular application or a portion of a particular application.

REQUIREMENTS:
1. Review the application to determine if it is sensitive or mission essential.
2. If the application has been identified as sensitive or mission essential, ensure that:
   a. It has been registered with the Computer Protection Program Manager (CPPM), Building 50.
   b. An approved computer security plan has been written.
   c. Contingency plans have been developed and tested to assure continuation of processing in the event of disaster.
3. Before acquiring or starting to formally develop sensitive or mission essential software, the application owner(s) shall send the functional security requirements and specifications to the CPPM for review. This action is a part of the certification process.
4. The Computer Protection Program Manager (CPPM) shall be advised in writing of all:
   a. Computer security audits, and provided information copies of audit results.
   b. Modifications that change an application's security status.

------------ Computer Security Representatives (CSRs) -----------

The CSR is an organization's contact point for computer security.

REQUIREMENTS:
1. Assist application owners and facility managers in the identification of security needs and the development of cost-effective safeguards.
2. Understand the computer functions and needs of the organization.
3. Distribute in a timely manner all Computer Incident Advisory Capability (CIAC) bulletins distributed by the CPPM.
4. Keep written procedures for the distribution of CIAC bulletins.
5. To counter fraud, waste, and abuse, CSRs shall conduct an annual audit of a minimum of 5% of all PCs and workstations in their organization. See Appendix E.
6. Ensure that the organization is in compliance with the Laboratory's STANDARD PRACTICE INSTRUCTIONS Manual, Section 5-10.
7. Provide computer security training. Each CSR may define the level of training for their area. A minimum training program would need to include the distribution of this guide or the Computer Security Pocket Guide, and all appropriate computer security material (provided by the CPPM), to all computer users. The CSRs shall document all training and retain the records in their files for 24 months. Appendix F contains a sample form that CSRs may use for recording training. Distributed information, such as CIAC Bulletins, need not be entered for each individual; however, a record of who received the information and the date distributed needs to be kept. The CPPM may require CSRs to provide special training and would supply all training material for such cases.

------------------- Facility/Network Managers --------------------

Responsible for the application processing hardware and for the security of the application or any part of it while it is under their control.

REQUIREMENTS:
1. Review the facility or network to determine if it is mission essential or if any of the applications depending on the facility or network are sensitive or mission essential.
2. If the facility or network has been identified as mission essential, or if applications depending on the facility or network are sensitive or mission essential, or if the replacement value of the hardware and software is greater than $100,000, then the facility/network manager shall ensure that:
   a. The facility or network is registered with the Computer Protection Program Manager (CPPM).
   b. An approved computer security plan has been written.
   c. Contingency plans have been developed and tested to assure continuation of processing in the event of disaster.
3. Notify the CPPM in writing of major changes to the facility or network.

---------- Computer Protection Program Manager (CPPM) ----------

Responsible for the unclassified computer security program.

REQUIREMENTS:
1. Develop and administer the site computer protection program.
2. Provide computer security awareness information to Laboratory computer users (usually through the CSRs).
3. Distribute in a timely manner all CIAC bulletins to the CSRs.
4. Maintain an inventory of sensitive and mission essential computer applications and facilities.
5. Ensure that annual audits are conducted on a minimum of 5% of all Laboratory PCs and workstations.
6. Assist Laboratory personnel with computer security issues.
7. Ensure that the organization is in compliance with the Laboratory's STANDARD PRACTICE INSTRUCTIONS Manual, Section 5-10.

*** Computer Protection Responsibilities of Every BNL User ***

The following are comprehensive descriptions of everyday computer protection responsibilities.

---------- Back up your Data -----------

As a computer user, you are responsible for assuring your information is backed up. Having a backup on your personal computer hard disk, on a diskette, on a tape, or on a large computer assures that if your primary data are inadvertently damaged or destroyed, all is not lost; you may recover your data by calling upon your backup. Note that a copy kept on the same hard disk as the original protects only against accidental deletion or corruption, not against disk failure or theft of the machine.
The probability of losing your data and the possible consequences of that loss must be the decisive factor in how often you create backups. The more valuable your data are and the harder they are to recreate, the more effort and cost you should put into your backup procedures. If the backup contains sensitive data, the backup media needs to be protected to the same degree as the original.

REQUIREMENTS:
1. Application owners shall be responsible for backups. Owners shall either back up themselves or make arrangements with the facility or network manager to back up for them.
2. Facility managers are not responsible for backing up data for application owners unless the mission of the facility includes backing up for users. Facility managers are responsible for backing up system information (operating system and system files). Facilities that do not back up user data will inform their users in writing, or via a permanent login message, that the responsibility for backup is with system users and not the facility.
3. Local Area Network (LAN) managers shall be responsible for backups unless the mission of the LAN excludes backups. Network managers are responsible for backing up system information (operating system and system files). Networks that do not back up user data will inform their users in writing, or via a permanent login message, that the responsibility for backup is with network users and not with the network manager.
4. PC users will back up their data. The schedule for backup depends on the frequency with which data is added or modified, the value of the data, the time it takes to recreate the data, or as dictated by the application owner.
5. Backups of mission essential and sensitive data shall be kept apart from the computer area. The location of the backups depends on the outcome of the risk analysis. Backups of data critical to the mission need to be kept further away from the computer area to ensure their availability after a disaster.
6. Sensitive backups shall be protected from disclosure.

--- Determine The Sensitivity of your Application or Facility ----

An act of Congress, an order of the Department of Energy, and the BNL Computer Protection Program all require every computer user at BNL to determine the sensitivity of the individual computer applications or computer facilities they are responsible for. Users of sensitive or mission essential information are responsible for protecting it from fraud, waste, or abuse.

There are three levels of sensitivity: non-sensitive, sensitive, and mission essential. The definitions in Appendix B give full descriptions of these levels. Sensitive and mission essential applications or computer systems require a Computer Security Plan.

REQUIREMENTS:
1. All computer applications must have an owner. If an application's function spreads across departmental or divisional boundaries, such as the IPAP system that runs at the Management Information Systems (MIS) Division, each department or division needs to have an owner for their portion of the application.
2. The owner is responsible for determining the sensitivity of the application and for providing security measures.
3. Multi-user computer systems must have a facility manager.
4. Local Area Networks must have a network manager.
5. The facility manager is responsible for determining the sensitivity of the facility and for the security of the hardware and information residing on their systems. Facility managers are not responsible for the data while under an application program's control. Data accuracy and accessibility controlled by the application program are the application owner's responsibility.
6. When purchasing a computer, the COMPUTER SECURITY REVIEW form needs to be completed and either included with the documentation sent to the Computing and Communications Division (CCD) for installation by CCD, or turned in when picking up a computer from stock.
The form is used to indicate whether the computer will process information that is sensitive (which includes mission essential) or not sensitive. See Appendix G for a copy of the form. Note that SENSITIVE on the form does not refer to "Sensitive Item"; all BNL computers are sensitive items.

--- Provide Physical Protection for Your Computer and Data ---

Personal computers and other computer equipment are a popular target for theft. Sensitive information can be a target for the inquisitive or unscrupulous.

REQUIREMENTS:
1. Lock your office when you are away.
2. Computer systems that contain sensitive information on the hard disk and are in open areas require a locking device or some other means of protecting the data from theft, disclosure, or tampering.
3. Computer facilities that contain mission essential systems or computers that process sensitive information shall have locked doors, limited access, and a sign-in sheet for visitors.
4. Do not leave computers or terminals unattended when processing sensitive information.
5. Place the monitor so that unauthorized viewing of sensitive information cannot occur.
6. BNL computer equipment used off site in travel status must be protected from unauthorized use and theft. Computers must not be left unsecured and unattended.

GUIDELINES:
1. If you have an office that cannot be locked, such as an open office, install a locking device on the computer so casual theft will be discouraged.
2. Avoid eating or drinking around your computer.
3. Do not attempt to install hardware or software if you are not trained to do so.

----- Report Computer Security Incidents --------

BNL has created incident reporting procedures for computer security incidents, such as the misuse of computing resources, password disclosure, deliberate attempts to access sensitive information, theft of computing equipment, and deliberate destruction of computer data.
The BNL incident reporting procedures describe three levels of security incidents: minor, important, and significant. All need to be reported to some level of BNL management. Appendix A defines these levels of incidents and the reporting procedure.

REQUIREMENTS:
1. Report all important and significant computer security incidents to your supervisor, the manager of the computer involved, your departmental Computer Security Representative (CSR), and the Laboratory's Computer Protection Program Manager (CPPM).
2. Report minor incidents to your CSR.

------ Obey Software Copyright Laws ---------

Software is intellectual property and as such can be protected by U.S. copyright laws. Most vendors of shrink-wrapped software have chosen to apply copyright protection to their products. Some authors instead distribute their software as shareware, which can be freely used and copied either without charge or by sending a small fee to the author; shareware normally remains copyrighted and its license terms still apply, unlike software an author has placed in the public domain. Obtain software this way with great caution. While much legitimate, useful software can be obtained in this manner, it is also a path for the distribution of malicious software such as computer viruses.

REQUIREMENTS:
1. If you are a purchaser of copyrighted software, you are responsible for obeying the copyright laws.
2. For copyrighted software on a server, network managers should allow access to only as many users as the software license stipulates.
3. Your department or division needs to have on hand the documentation to prove that any software you are using has been properly licensed for your use. Acceptable documentation includes:
   a. An original program disc for each copy in use.
   b. The original program documentation for each copy in use.
   c. A purchase order for the software, or a license agreement.
4. All requirements for the legal use of a shareware product (as normally described in the software's message displays) must be adhered to, for instance fees that are to be paid if the software is used permanently.
5. Any department or division that provides others with software for Laboratory use shall also provide the proof that the software is legal.

----------- Protection Against Virus Infection -----------

Computer viruses and their relatives are commonplace, especially on personal computers and workstations whose operating systems are unprotected from alteration or destruction by users. You must take precautions to minimize your exposure to this risk. If you manage your personal computer, it is your responsibility to keep it virus free, protecting not only your data but also that which may come into contact with your system, either through exchange of diskettes or through computer networks. Unless you are a knowledgeable user experienced in writing and maintaining personal computer or workstation software, you should use only software obtained from reliable sources. One of the best precautions you can take against virus damage is to back up your data regularly. If you manage a server on a network, it is vital that you take precautions to prevent viral infection.

REQUIREMENTS:
1. PCs that run DOS shall install and use the latest version of DATA PHYSICIAN PLUS, available from your CSR.
2. Floppies (of both known and unknown origin) must be tested for viruses with DATA PHYSICIAN PLUS prior to use.
3. Never use pirated software.
4. Divisions or departments that supply IBM/IBM clone PCs to other divisions or departments shall install DATA PHYSICIAN PLUS before distribution.

GUIDELINES:
1. Do not use your diskettes in other computers with hard disks unless you are certain the manager of that computer is careful about protecting against viruses.
2. Use the write-protect tab on your diskettes whenever you do not need write access.
3. Users of Macintosh PCs should consider installing virus prevention software; an example is SAM INTERCEPT by Symantec.

---------- CIAC Bulletins -------------

The Computer Incident Advisory Capability (CIAC) distributes to all DOE sites information on known and possible vulnerabilities in various operating systems.

REQUIREMENTS:
1. The CSRs are responsible for distributing the CIAC Bulletins within their area of responsibility and for creating a written procedure for the distribution process.
2. Network managers, system managers, and computer owners are responsible for taking the steps described in the CIAC Bulletins to counter the vulnerability.

------------- Computer Security Awareness ------------

Each computer user at BNL shall become aware of computer security issues. Information is supplied to computer users through this guide, through material supplied to the departmental CSRs, through articles in the LINK.bnl, and through articles published in newspapers and trade journals.

REQUIREMENTS:
1. All new employees, guests, visitors, and collaborators who will have contact with a BNL computer shall review this guide and receive a copy of the COMPUTER SECURITY POCKET GUIDE.
2. The CPPM shall supply the departmental CSRs with CIAC bulletins and other information related to computer security.

-------- Protection of Computer Accounts and Passwords -------

If you have an account (login ID for HP computers) on a multi-user computer, you are responsible for ensuring that your account is used responsibly and only for BNL-approved work. If you allow others to know (or easily guess) your password, you are in effect giving up control of how your account or ID is used. Each computer user who has been given a computer password or assigned a Personal Identification Number (PIN) is responsible for protecting them from disclosure.

REQUIREMENTS:
1. All accounts or IDs shall be protected by a password or PIN.
2. Choose your password carefully; do not let others know it, do not write it down and keep it where others may discover it, and do not place it in pre-loaded function keys.
3. Passwords need to be 6 characters in length at a minimum and contain a combination of letters, numbers, and special characters (where possible). Do not use words found in a dictionary or phrases that can be associated with you.
4. Passwords shall be changed, at a minimum, once a year.
5. Password disclosure will be considered an "important" security incident reportable to the CPPM.
6. If you no longer need your account or ID, or will not be using your account or ID for six months or more, contact the computer's system manager so that the account or ID may be removed or inactivated.
7. New computers shall have default passwords and security features changed to reflect BNL and DOE security requirements.
8. Computer systems that can produce a login message shall display one that states unauthorized use is prohibited. Do not include in the login message words or phrases that convey "welcome".
9. System managers will remove or inactivate accounts with passwords that do not meet the described policy.
10. System managers will remove or inactivate accounts that have not been used in more than 6 months.

GUIDELINES:
1. If feasible, install software to prevent computer users from walking away and leaving an active session logged on and unattended.

----- Protection of Personal Identification Numbers (PIN) -----

Users of sensitive MIS computer applications are assigned PIN numbers. PIN numbers not only provide access to the various applications but also determine what functions the individual user has within the application.

REQUIREMENTS:
1. A PIN number needs to be treated the same as a password; namely, do not let others know it, do not write it down and keep it where others may discover it, and do not place it in pre-loaded function keys. If your PIN number has been compromised, contact your CSR and then MIS so that it can be disabled.
2. PIN number disclosure will be considered an "important" security incident reportable to the CPPM.

------- Using Audit Trails ------------

If you manage a multi-user computer system you are responsible for auditing (if possible) the system for improper passwords and unused accounts or IDs.

REQUIREMENTS:
1. Information from audits shall be kept a minimum of 6 months.

GUIDELINES:
1. You should also consider auditing certain events such as login failures, use of special authority, or attempts (successful or unsuccessful) at obtaining sensitive or restricted information.

-------- Auditing for Misuse and Abuse ---------

One of the requirements of DOE Order 1360.2B is that BNL must audit computer files for evidence of misuse and abuse.

REQUIREMENTS:
1. Departmental CSRs are responsible for auditing personal computers and workstations. The audits are required annually (results must be reported to the CPPM by 12/31) and need to include a minimum of 5% of all PCs and workstations.
2. Large multi-user computers, where the system managers do not (or cannot) control the files placed on the system, shall be audited. The audits are required annually (results must be reported to the CPPM by 12/31) and need to contain a random selection of either 2 percent of all files or 100 files, whichever is smaller. Appendix E describes how to perform the audits.

----- Unclassified Controlled Nuclear Information ------

The existence of Unclassified Controlled Nuclear Information (UCNI) shall be reported to the CSR and CPPM.

Chapter 2
Specific Guidelines and Requirements

The following are guidelines and requirements for various platforms and operating systems. The system manager(s) are responsible for executing the security requirements established by this guide, DOE and BNL requirements, and specific requirements issued by the facility manager or application owner(s).
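The account and password requirements in Chapter 1 (six-character minimum with a mix of character classes, no dictionary words or terms associated with the user, a password change at least yearly, and removal of accounts unused for six months or more) and the system manager's audit-trail responsibility can be turned into a routine check that a system manager runs on audit day. What follows is an added example prepared for this edition of the guide; it is not part of the original BNL guide and not a BNL tool. The word list, account names, dates and the reading of "six months" as 183 days are constructed assumptions for illustration.

```python
"""Account and password policy checks (added example, not from the BNL guide).

Two kinds of check are shown: a password screen applied when a user picks a
new password, and a system-manager audit over last-login and password-change
records that flags accounts the policy says should be removed or inactivated.
All records below are constructed sample data, not real BNL accounts.
"""
from datetime import date, timedelta

MIN_PASSWORD_LENGTH = 6                  # "6 characters in length at a minimum"
MAX_PASSWORD_AGE = timedelta(days=365)   # "changed, at a minimum, once a year"
INACTIVITY_LIMIT = timedelta(days=183)   # "six months or more" (assumed as 183 days)

# Constructed stand-in for a dictionary word list. A real check would load the
# system dictionary (or the word list a password cracker such as SPI uses).
DICTIONARY = {"password", "secret", "welcome", "summer", "brookhaven"}


def password_violations(password, username, personal_terms=()):
    """Return the policy rules a proposed password breaks; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    # "letters, numbers, and special characters (where possible)": here read as
    # requiring at least two of the three character classes.
    classes = sum([
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 2:
        problems.append("needs a mix of letters, numbers and special characters")
    lowered = password.lower()
    if lowered in DICTIONARY:
        problems.append("is a dictionary word")
    # "phrases that can be associated with you": the login name plus any terms
    # the site chooses to supply (initials, phone extension, project name, ...).
    for term in (username,) + tuple(personal_terms):
        if term and term.lower() in lowered:
            problems.append("contains a term associated with the user: %s" % term)
    return problems


def stale_accounts(last_login, today):
    """Accounts unused for six months or more (None = never logged in), sorted by name."""
    return sorted(user for user, last in last_login.items()
                  if last is None or today - last >= INACTIVITY_LIMIT)


def expired_passwords(password_changed, today):
    """Accounts whose password is older than the one-year maximum, sorted by name."""
    return sorted(user for user, changed in password_changed.items()
                  if today - changed > MAX_PASSWORD_AGE)


# Constructed sample records, as a system manager might extract them from the
# login accounting and password files on audit day.
TODAY = date(1991, 6, 30)
LAST_LOGIN = {"jdoe": date(1991, 6, 28), "guest7": date(1990, 11, 2), "oldproj": None}
PASSWORD_CHANGED = {"jdoe": date(1991, 1, 15), "guest7": date(1990, 3, 1),
                    "oldproj": date(1989, 7, 4)}


def audit_report(last_login, password_changed, today):
    """Combine both audits into a dict of account -> list of findings."""
    findings = {}
    for user in stale_accounts(last_login, today):
        findings.setdefault(user, []).append("unused for six months or more")
    for user in expired_passwords(password_changed, today):
        findings.setdefault(user, []).append("password older than one year")
    return findings


if __name__ == "__main__":
    for candidate in ("summer", "jdoe1990!", "Xk7$pq2"):
        print(candidate, "->", password_violations(candidate, "jdoe") or "acceptable")
    for user, notes in sorted(audit_report(LAST_LOGIN, PASSWORD_CHANGED, TODAY).items()):
        print(user, ":", "; ".join(notes))
```

The password screen is meant to run at the moment a password is chosen, since the system manager never sees cleartext passwords afterwards; poor passwords already in place are found with a cracker such as SPI, as Chapter 2 requires. The audit functions keep the retention rule in mind: their output is the audit information that must itself be kept for at least six months.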
*** Platforms and Operating Systems ***

---------- UNIX Computer Systems ----------

There are different variations of UNIX; therefore the requirements and guidelines presented may not be possible for all versions.

REQUIREMENTS:
1. Restrict super user (su) access by name and, if possible, by location.
2. Run the SPI program (available free from Lawrence Livermore National Laboratory) a minimum of once a quarter to check for poor passwords.

GUIDELINES:
1. Control membership of the "wheel" group (on BSD-derived systems, the group whose members may su to root).
2. Prohibit direct root logins. Users must then log in under their own account and su to root, so an intruder needs two passwords, the user's and root's, to gain root access.
3. Require the root password for single-user boots.
4. Audit command usage ("process accounting").
5. Make the current directory (.) the last entry in the search path, or leave it out altogether; this limits the effect of trojan horse programs planted in writable directories.
6. Control trusted hosts (/etc/hosts.equiv). Remove the entries, or the file, if not needed.
7. If users need to walk away from their workstation while a process is running, they should use the lock screen feature.

------------ MPE (HP) Computer Systems ---------------------

REQUIREMENTS:
1. Assure that account, group, and user security are provided as needed.
2. All "production" IMAGE databases shall be protected by a password.
3. All applications that are either sensitive or mission essential shall be protected by assigning PIN numbers to users. The minimum protection is account access.

GUIDELINES:
1. The remaining features of the MIS security software (PACS), such as capabilities and database opens, should be used if the computer language used to create an application is capable of calling the various security modules.
2. HP systems that process sensitive information should consider using a third-party security software package to enhance security. An example is SECURITY/3000 by VESoft.
3. If possible, require two passwords for logon IDs that grant System Manager (SM) or Privileged Mode (PM) capability.
4. Change the default logon error messages to avoid assisting unauthorized users.

---------------- VMS Computer Systems ----------------------

REQUIREMENTS:
1. Use double passwords for privileged accounts.
2. All system managers will use DOE's VMS SYSTEM SECURITY GUIDELINE to review their systems and employ the guidelines where applicable. (Available from your CSR or the BNL CPPM.)

GUIDELINES:
1. Guest accounts should be captive (menu driven) to limit access.
2. Do not allow wildcard proxy assignments.

---------- Local Area Networks ------------------

Network managers are responsible for the security of the LAN.

REQUIREMENTS:
1. Network users will be assigned passwords.
2. Network managers will ensure that directory and file trustee assignments, and security equivalences, are correct.
3. Use the EXPIRATION DATE feature for temporary user accounts.

GUIDELINES:
1. To assist in determining the identification and origin of all Ethernet packets, all current Ethernet addresses should be recorded by the Laboratory's network support organization.
2. Place virus checking software on network file servers.

------------- Data Communications ------------------

Personal computers or workstations that contain modems that allow incoming calls need to be protected from unauthorized access. This is especially true for PCs and workstations that are connected to LANs or mainframes, since a compromised modem then becomes a path into those systems. The owner of the PC or workstation is responsible for assuring that the computer or workstation is secure.

REQUIREMENTS:
1. Computer systems that process sensitive or mission essential information and are attached to a modem(s) shall use a call-back feature, disable the modem(s) when not in use, or provide a separate password for the modem(s) or port(s).

GUIDELINES:
1. Computer systems that process sensitive or mission essential information and are attached to a network may want to consider installing a firewall to protect the information.
2. All computer systems that are attached to modems should consider using a call-back system or providing passwords on the modem(s) or port(s).

------------ Personal Computers --------------------------

Personal computers, printers, scanners, and other associated hardware need to be protected from theft and abuse. The degree of protection depends on the value of the hardware and software, and the sensitivity of the data.

Chapter 3
Computer Security Plans

*** What Requires A Plan? ***

-------------- Sensitive Computer Applications ---------------

The process of computer protection should be thought of as risk management. Risk assessment is only the first step in this process. The second step is to weigh the probability and costs associated with accepting the risks against the cost (including effort and inconvenience) of reducing the risks. This is the responsibility of the application owner and computer facility manager while they are preparing their computer security plans. Management is responsible for approving action or accepting the risks presented in the plans.

REQUIREMENTS:
All computer applications that are sensitive or mission essential shall have an approved computer security plan.

--------------- Computer Facilities -------------------

Computer facilities that contain more than $100,000.00 in total computer and communications equipment are considered sensitive.

REQUIREMENTS:
1. All computer facilities that are sensitive or mission essential shall have an approved computer security plan.
2. Computer facilities that contain mission essential systems or computers that process sensitive information shall:
   a. Have locked doors and limited access.
   b. Provide a sign-in sheet for visitors.
   c. Have access control security measures in effect to allow computer facility personnel to screen, by both sight and voice, any individual who requests facility access.
   Computer facilities that are not mission essential and do not process sensitive information still need to provide security measures to protect their computer assets.

3. Facility doors shall be locked during off hours.

*** The Computer Security Plan ***

The computer security plan consists of three parts. The first is a description of the application or facility. The second part is the forms from the DOE RISK ASSESSMENT GUIDELINES (available from your CSR). The third part is the contingency plan.

DESCRIPTION: Does not need to be more than a page in length. Include a basic description, sensitivity level (sensitive and/or mission essential), and security precautions in place.

DOE RISK ASSESSMENT GUIDELINES FORMS: PCs, workstations, and networks need to complete forms 1, 2, 3, and 6. All others need to complete all forms. The forms shall be signed by the application owner or facility manager, and the department manager or division head. Care should be taken to include all known risks to the assets involved. Refer to Appendix C, the BNL STATEMENT OF THREAT for UNCLASSIFIED COMPUTERS, for more threat information.

CONTINGENCY PLAN: Contingency plans for applications and/or computer systems supporting mission essential functions shall provide for minimizing interruption and reasonable continuity of services should adverse events occur that prevent normal operations. The contingency plan consists of the following items:

1. A determination of when the application or facility must be back in operation to avoid adverse impact on the mission of the user(s) or owner(s). This can be stated in hours, days, weeks, etc.

2. The contingency procedures, which are the actual steps required to provide contingency service to the user(s) or owner(s) of the application or facility. The contingency procedures could range from doing nothing until a replacement is available to providing a "hot" site for the computer facility. The degree of contingency depends on how essential the computer is to the mission in question and the risk that management is willing to take. Examples of contingency procedures include:
   a. A manual system (and associated documentation) that describes the necessary steps to complete the mission. This shall include all forms and formal procedures.
   b. Moving to another computer site, which could range from moving down the hall to moving to a "hot site" in another state.
   c. Buying a new computer and waiting until it is delivered and installed.

   If the computer is a "one-of-a-kind" and can not be replaced in a reasonable amount of time, if ever, then security procedures need to be enhanced to protect the system, which, in turn, protects the mission.

   If the contingency procedure (step 2) includes the use of an alternate computer site, a formal written agreement shall be established to insure:
   a. Sufficient processing capacity and time will be available.
   b. Confidentiality of sensitive Laboratory information.

3. A test plan shall be developed and executed to test the procedures outlined above. The test can be as simple as loading your software on another PC or as complex as moving a team to a hot site. The written plan shall cover all steps necessary to establish the functions required by the mission. Mission essential applications require performing the test plan a minimum of once a year.

4. The procedure on how backup media is made available. Include the location where the backup is stored.

5. Names of key individuals and emergency notification procedures.

6. A list of the hardware, software, and communications required to perform the contingency plan. Include the following:
   a. Type of peripheral required to restore data.
   b. Approximate amount of disk space required.
   c. Number and type of printers required.
   d. Number of ports required.
   e. Any other computer system or network required by the application.
   f. All communications requirements.
   g. Operating system and associated patches or modifications.
   h. All necessary computer supplies (blank checks, forms, tapes, and cables).

When the Security Plan is reviewed and approved, the unclassified computer application or facility is CERTIFIED as meeting the requirements of documented and approved security specifications and related applicable Federal and departmental policies, regulations and standards. The results of the system test shall demonstrate that application, computer system and installation protective measures are adequate and function properly.

A Security Plan shall be prepared before construction or operational use of a new application or computer installation, whenever there is a significant change to an existing computer installation or application, or every three years even if no significant changes have occurred.

Appendix A
UNCLASSIFIED COMPUTER SECURITY INCIDENTS REPORTING

There are three types of computer security incidents: minor, important and significant. Important and significant computer security incidents shall be reported immediately to the organization's computer security representative, the computer facility manager, and your supervisor. The representative shall then notify departmental or divisional management and the CPPM and take whatever steps are required to secure the data and equipment. Minor incidents must be reported to the organization's computer security representative, who shall record the incident in their files.

Examples of a minor incident are:

1. A virus that does not destroy data or takes less than an hour to remove.
2. Non-authorized games and personal data on a computer system.

Examples of an important incident are:

1. A virus that destroys data and/or takes more than an hour to remove.
2. Repeated attempted logons (unsuccessful) to a computer or network.
3. Password and/or PIN number disclosure.
4. Theft of computer equipment or software.
5. Misuse of computers or software for profit.
Examples of significant incidents are:

1. Complete unauthorized penetration of a computer system.
2. Penetration of an ADP system that exposes a security vulnerability in hardware or software that may be used at other sites within DOE.
3. Physical loss sufficient to cause mission or programmatic impact.
4. Known loss or compromise of sensitive information.
5. Use of an ADP system in support of a criminal activity.
6. Any incident that may result in loss, harm, or embarrassment to BNL and/or the DOE, or result in the occurrence of similar incidents at other DOE sites.

Reporting Significant and Important Incidents:

The Computer Security Representative, with assistance from the individual reporting the incident and the facility manager, shall:

1. Obtain as many of the facts relating to the incident as possible.

2. Contact the Safeguards and Security Division to report the security incident. Contacts are:

   8:30 to 17:00, Mon ----> Fri:   (1) Peter Pohlig       7955
                                   (2) Richard Giesler    7799
                                   (3) Russel Reaver      7759

   17:00 to 8:30, Mon ----> Fri:   (1) Peter Pohlig       929-3847
                                   (2) Richard Giesler    345-5090, or
                                   (3) Police Desk        282-2238

   Weekends and Holidays:          Alfred Berretta        475-2159

3. Important and significant incidents must be reported to the DOE by the CPPM within 12 hours; therefore, all reporting shall be done within 10 hours.

4. If the incident spans more than one department, then the computer security representatives of the departments in question shall be contacted as well.

Then, as soon as possible, but within 24 hours, provide a narrative describing the incident to the CPPM. The narrative shall include the following:

1. The date and time of the incident.
2. The department(s)/division(s) involved.
3. The computer equipment involved:
   a. CPU make and model.
   b. The operating system.
   c. The location of the computer.
   d. Any networks that are attached to the computer.
4. The nature of the incident.
5. The type of application involved, if any. Examples are the following:
   a. Sensitive.
   b. Mission essential.
   c. Nonsensitive scientific.
   d. Nonsensitive administrative.
6. How the incident was discovered and by whom.
7. The identification of the perpetrator.
8. The effects of the incident.
9. Short-term corrective action(s) taken.
10. Long-term corrective action(s) planned.
11. The name and phone numbers of the computer security representative, computer system manager, and involved personnel.

Reporting a Minor Incident:

Minor incidents are reported to your computer security representative, and shall contain:

a. The date and time of the incident.
b. The computer equipment involved.
c. A description of the incident.
d. How the incident was discovered and by whom.
e. The corrective action(s) taken.

Appendix B
DEFINITIONS

APPLICATION OWNER - The person(s) with primary line responsibility for the development, maintenance, and operation of a computer application. For a scientific/technical program this person is the Principal Investigator.

APPLICATION USER - Other than the application owner, someone who interacts with the processing of the application or uses the results of the application process.

CERTIFICATION - A reasonable assurance and written acknowledgment made by a CPPM that a proposed unclassified computer application processing sensitive information meets all applicable federal and departmental policies, regulations and procedures, and that results of a system test demonstrate installed security safeguards are adequate and functioning properly.

COMPUTER APPLICATION - The data, programs, and other information associated with an identifiable recurring computer-based task. For a scientific/technical program an application could be that set of tasks defined in a Field Task Proposal/Agreement (FTP/A) for DOE supported research or in a proposal or Interagency Agreement for "Work for Others".

COMPUTER FACILITY - The physical space which contains one or more computer systems.
Computer installations may range from locations for large centralized computer centers to locations for individual stand-alone microcomputers.

COMPUTER SECURITY INCIDENT - The occurrence of an event which has or could adversely affect normal computer operations, such as an unauthorized access, interruption to computer service or safeguarding controls, or discovery of a vulnerability.

CONTINGENCY PLANS - Documents developed in conjunction with computer application owners and maintained at the primary and backup computer installation. These plans describe procedures and identify personnel necessary to respond to abnormal situations, and ensure that computer application owners can continue to process mission essential applications in the event that computer support is interrupted.

DISASTER RECOVERY PLANS - Documents containing procedures for emergency response, extended backup operation and post disaster recovery should a computer installation experience a partial or total loss of computer resources and physical facilities. The objective of these plans, in conjunction with contingency plans, is to provide reasonable assurance that a computer installation can recover from such incidents, continue to process mission essential applications in a degraded mode, and return to a normal mode of operation within a reasonable amount of time.

FACILITY MANAGER - The person with primary line responsibility for the hardware on which a computer application is processed.

MISSION ESSENTIAL UNCLASSIFIED INFORMATION - Plain text or machine encoded unclassified data that, as determined by competent authority, has high importance related to accomplishing a DOE mission and requires a degree of protection because unnecessary delays in processing could adversely affect the ability of an owner organization, site or department to accomplish such missions. Computer-based information that is essential in the successful completion of a particular mission or is used in systems that provide environmental, safety, or alarm services is considered mission essential.

MISSION ESSENTIAL APPLICATION/FACILITY/NETWORK - A computer application, computer facility, or network that, as determined by competent authority, has high importance related to accomplishing a DOE mission and requires a degree of protection because unnecessary delays in processing could adversely affect the ability of an owner organization, site or department to accomplish such missions or cost the organization, site or department financial loss. Computer applications, facilities, and/or networks that:

1. Process mission essential information/applications, or
2. Are essential for the successful completion of a particular mission, or
3. Control systems that provide environmental, safety, or alarm services,

are considered mission essential and shall have a computer security plan, as outlined in Chapter 3, approved by the Laboratory CPPM.

NONSENSITIVE APPLICATION - An application that does not process sensitive or mission essential information.

PROTECTIVE MEASURES - Physical, administrative, personnel and technical security measures which, when applied separately or in combination, are designed to reduce the probability of harm, loss or damage to, or compromise of, an unclassified computer system or sensitive and/or mission essential information.

RECERTIFICATION - An ongoing reassurance that a previously certified unclassified computer application processing sensitive information has been periodically reviewed, that compliance with established protection policies and procedures remains in effect, and that security risks remain at an acceptable level.

SENSITIVE UNCLASSIFIED INFORMATION - Plain text or machine-encoded data that, as determined by competent authority (e.g. application owners), has relative sensitivity and requires mandatory protection because of statutory or regulatory restrictions (e.g., Unclassified Controlled Nuclear Information, Official Use Only Information, Privacy Act Information) or requires a degree of discretionary protection because inadvertent or deliberate misuse, alteration, disclosure, or destruction could adversely affect national or other DOE interests. Examples of sensitive data are the following:

1. Personnel data (salary information, for example).
2. Medical information.
3. Information that, if compromised, would cause legal actions, embarrassment, media attention, and loss or harm to the Laboratory or DOE.

THREAT, RISK and VULNERABILITY ASSESSMENT - A management tool which provides a systematic approach for determining the relative value and sensitivity of computer installation assets, assessing vulnerabilities, assessing loss expectancy or perceived risk exposure levels, assessing existing protection features and additional protection alternatives or acceptance of risk, and documenting management decisions. Decisions for implementing additional protection features are normally based on the existence of a reasonable ratio between the cost/benefit of the safeguard and the sensitivity/value of the assets to be protected. Risk assessments may vary from an informal review of a small scale microcomputer installation to a more formal and fully documented analysis of a large scale computer installation.

Appendix C
STATEMENT OF THREAT AGAINST UNCLASSIFIED COMPUTING RESOURCES and INFORMATION

The following represents some of the categories of threat to unclassified computing resources and unclassified information used by the Laboratory and describes some parameters peculiar to each threat.

HUMAN THREATS - The threats generated by human activities can be divided into two general categories. The first category is the result of benign actions. The second is the result of intent to inflict damage.
Unintentional actions

1. Erasing critical files. Example: A user not quite familiar with what they are doing erasing a file by mistake.

2. Persons having unauthorized access to sensitive data. Examples:
   a. Sensitive reports left out for others to see or discarded into the trash instead of being properly destroyed.
   b. Leaving a computer that is processing sensitive information unattended.
   c. Disclosing a password or PIN number that allows access to sensitive information.

3. Improperly modifying or installing software or hardware. Examples:
   a. Installing new or modified software without testing or with improper testing.
   b. Installing software without reading the instructions.
   c. Installing hardware without knowledge of what one is doing or without reading the instructions.
   d. Servicing computer equipment without proper training.

4. Installing software from unknown sources. Examples:
   a. Copying down software from a bulletin board or installing software from an unknown source.
   b. Disregarding copyright laws.

5. Incorrectly operating a computer system.

6. Observing passwords or PIN numbers of others or having others observe your password or PIN number. Examples:
   a. Posting passwords and/or PIN numbers on or near terminals or PCs so others can read them.
   b. Installing passwords or PIN numbers in a terminal's or PC's (running emulation software) function keys to save key strokes.

7. Erroneously deleting or modifying critical data by persons not familiar with what they are attempting to do, or by means other than established procedures for deleting and/or modifying data. Example: Using a data base utility program to modify data instead of using the established production software, which contains the required audit trails and input editing.

Intentional Actions

1. Erasing critical files.

2. Reading or stealing printed sensitive reports.

3. Copying sensitive data. Examples:
   a. Copying sensitive data into a PC, where it can not be so easily controlled, and using the data for one's own use.
   b. Making a copy of sensitive data and giving it or selling it to outside interests.

4. Installing unauthorized and/or destructive software or hardware. Examples:
   a. Making an illegal copy of copyrighted software.
   b. Installing software with a known bug or virus/worm.

5. Observing passwords of others.

The human threat can come from different types of people.

1. Insider - The threats posed by the insider range from the totally innocent to the intentionally malicious. Insiders can include:
   a. A disgruntled employee
   b. A financially distressed employee
   c. A mentally disturbed employee
   d. An employee addicted to alcohol or drugs
   e. An employee with personal problems
   f. An untrained employee
   g. A careless employee.

2. Outsider - Outsider threats come from various sources:
   a. Foreign government representatives
   b. Zealots
   c. Hackers
   d. Unsupervised visitors.

ENVIRONMENTAL THREATS

It is necessary when addressing environmental threats to examine the resources, equipment, and personnel required to restore the facility. This must include not only the major items like computer hardware and air conditioning, but also small items, such as pre-printed forms, paper, and required media.

Acts of Nature

The Long Island area could be affected by:

1. Hurricanes - Could destroy buildings containing computer facilities.
2. Flood - Flood damage could result from heavy rains or snow on a weak roof, or from a broken water pipe on a floor above the computer facility.
3. Fire - Fire, heat, smoke, and material used to extinguish a fire could cause serious damage.
4. Lightning - Can cause havoc with electrical power and communications.

Acts of Man

Examples of this threat could consist of:

1. LILCO - Power brownouts or disruption.
2. Sabotage.
3. Mischief.
4. Accidents - The equipment used to support a computer facility is as important as the facility itself and needs to be protected from accident.

Any one of the above threats could cause the loss of power, communications, water, steam, and air conditioning.

Appendix D
PROCEDURE FOR CERTIFICATION OF SENSITIVE APPLICATIONS and MISSION ESSENTIAL COMPUTER FACILITIES

New Hardware and/or Software:

Acquisition or implementation plans shall be required when purchasing new computing equipment. All acquisitions, other than add-ons to existing equipment, require a COMPUTER SECURITY REVIEW form, SSD-21 (see Appendix G). The individual requestor is responsible for complying with this requirement. For items acquired via an ILR, the completed form may be attached to the ILR; for those needing an Acquisition Plan, it may be attached to the latter. The office of ADPE Acquisition will forward all forms with acquisitions marked as sensitive to the Computer Protection Program Manager. The form must be submitted to Supply and Material directly when picking up hardware from the warehouse.

Existing Hardware and/or Software:

Existing applications or facilities that change from non-sensitive and/or non-mission essential to either sensitive or mission essential shall inform the CPPM in writing of the change of status before the change.

Computer Security Plan:

No application or facility may process sensitive or mission essential information without an approved Computer Security Plan. See Chapter 3 for information on preparing a computer security plan. The application or facility may start processing sensitive or mission essential information once the Computer Security Plan has been approved. The CPPM will notify owners or managers of the approval status. The Computer Security Plan shall be updated every three years and resubmitted. Major changes in the status of an application or a facility require an updated plan.
Appendix E
GUIDELINES FOR AUDITING PCs, WORKSTATIONS, and NETWORKS

The audit may be conducted by the department's CSR, a member of the department, or a BNL employee. The auditor(s) must have knowledge and experience with the computer and operating system being audited. The audit shall be unannounced and include, at a minimum, a random selection of 5% of all PCs and workstations in the Department/Division. For each computer selected:

1. List the root directory on the non-removable disk(s).

2. Select at random one or two sub-directories and list the files within them. Question users on any file that looks questionable to you. Do not worry about hidden files or cover-ups being done by the computer's user. Each user is responsible for adhering to BNL and DOE requirements and will be responsible for future findings if the auditor was deceived.

3. Look for evidence of fraud, waste, or abuse (see examples below). 10% of the files on each computer, up to a maximum of 20 files (per computer), shall be randomly selected and have their contents reviewed. This applies only to data files. Use whatever word processor, database, or spreadsheet program is necessary. You need not read the entire document; a quick scan will reveal if a file is legitimate or not. If questioned, remind users that the computer and all its information are US Government property, and that the review is required by DOE Orders. In those rare circumstances where proprietary data prevents review by the auditor, request that the user's supervisor verify file legitimacy. Record the number of files reviewed, including any reviewed by a supervisor, and any non-legitimate files found.

4. Document the results and forward them to the CPPM. At a minimum, include the following:
   a. The number of files examined. Describe cases where files were reviewed by a supervisor.
   b. Findings, both outstanding and ones fixed on the spot.
   c. The number of copies of illegal software.
   d. The time frame for correcting the outstanding findings.
   e. Do not include names. Do not forward listings of directories. Keep that information in your files.
   f. The auditor(s) and the CSR must sign the document and state that the audit information is accurate to the best of their knowledge.

GUIDELINES FOR AUDITING MULTI-USER COMPUTERS

Since large multi-user systems can contain many accounts with thousands of files, a detailed audit by the system manager is not normally possible. BNL and DOE conduct audits by teams of auditors that can do more detailed reviews. The system manager needs to perform, at random, a small sample audit that contains either 2 percent of all system data files or 100 files, whichever is smaller. The audit will consist of:

1. Obtaining a listing of the system's data files and selecting, at random, either 2 percent of the files or 100 files.

2. Looking for evidence of fraud, waste, or abuse (see examples below) by examining the contents of the files. In those rare circumstances where proprietary data prevents review by the auditor, request that the owner of the data verify file legitimacy.

3. Obtaining a list of the system's account names and reviewing it for questionable names or unauthorized accounts.

EXAMPLES OF FRAUD, WASTE, AND ABUSE:

Programs or files not applicable to the business normally conducted in the division, for example:

1. Files related to non-BNL, consulting or outside business interests. Finding such files is considered a significant computer security incident and must be reported to divisional management and the Computer Protection Program Manager (CPPM).

2. Obvious game programs (as opposed to packaged games included in software like WINDOWS, which need not be removed).

3. Personal files such as letters, resumes, and softball team data. Personal files must be removed from the hard disk(s).

4. Illegal software. The user must be able to demonstrate that the software is legal.

5. Unused files. Files that are not needed should be removed from the system.

Homework, B.E.R.A. related information, and other non-mission related information are allowed only if computer owners have written permission from their supervisors. Include all approved non-mission related information found in your report.

Appendix H
Computer Security Representatives as of January, 1994

Name                 Dept/Div or Area              Building  Phone
CAROL ARCHER         BUDGET OFFICE                 460       5819
LOUISE HANSON        APPLIED SCIENCE               480       7709
WILLIAM BOT@INGER    PHOTOGRAPHY & GRAPHIC ARTS    197B      2955
BILL FRITZ           RHIC (1005)                   1005      3278
JIM KOS              ENVIRONMENTAL RESTORATION     051M      3232
NANCY FALLON         S&EP                          129       4530
ELOISE GMUR          PUBLIC AFFAIRS                184B      4495
JOHN GOULD           AGS                           510A      3951
DONNA GRABOWSKI      INSTRUMENTATION               535B      2720
VICTOR GUTIERREZ     QUALITY ASSURANCE             902B      2395
ARTHUR FORMAN        CHEMISTRY                     555A      4378
KATHY HAUSER         NUCLEAR ENERGY                197       2223
FRED HOHMANN         FISCAL                        134A      3259
SUE PERINO           PLANT ENGINEERING             134C      2477
ROBERT KASZUBA       SUPPLY & MATERIAL             211       7785
STU KERN             RHIC (902B)                   902B      4711
DAVE KIRBY           PHYSICS (ADMINISTRATIVE)      510A      5460
HERBERT LANGENBACH   LIGHT SOURCE                  725B      5330
LES LAWRENCE         CCD                           515       4107
DONNA LE DOUX        AUI                           134A      5174
KIMBERLY BOOMER      MEDICAL & OCC. MED. CLINIC    490       3180
PETER MAIER          PERSONNEL                     185       3048
GEORGE MALCOLM       MIS                           459       7654
KEN MOHRING          STAFF SERVICES                179B      2715
DAWN MOSOFF          SCIENCE EDUCATION CNTR.       490       4503
VALE P. MYLES        TECHNOLOGY TRANSFER           902C      33@2
TOM NEPSEE           PHYSICS (SCIENTIFIC)          510C      3996
FRANK OHLHORST       DOE                           464       7082
RONALD ONDROVIC      CONTRACTS & PROCUREMENT       355       4553
PETER POHLIG         SAFEGUARDS & SECURITY         SO        7955
DAVID RORER          REACTOR                       120       4056
BETSY SCHWARTZ       TECH. INFORMATION             477A      2758
ROSEMARY TAYLOR      CENTRAL SHOPS                 462U      5036
KEITH THOMPSON       BIOLOGY                       463       3385
LARRY TURF           DIRECTOR'S OFFICE             460       4295

This list is subject to change. If you are not sure of your CSR, contact the BNL CPPM at 7955.
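The sampling rules of the Appendix E audit guidelines above (5% of a department's PCs and workstations, 10% of the data files on each up to 20 per computer, 2% or 100 files on a multi-user system, and a report to the CPPM that carries counts and findings but no names or directory listings), as an added worked example in Python; it is not part of the original guide. The inventory format, the quick_scan heuristic and the fixed audit seed are constructed for illustration, and rounding each sample size up so that a non-empty population always yields at least one item is an assumption the guide does not state.

```python
import random
from dataclasses import dataclass, field

# Sampling rules as Appendix E states them.
PC_MACHINE_PERCENT = 5    # the unannounced audit covers 5% of the department's PCs and workstations
PC_FILE_PERCENT = 10      # 10% of the data files on each selected computer ...
PC_FILE_CAP = 20          # ... up to a maximum of 20 files per computer
MULTI_USER_PERCENT = 2    # multi-user systems: 2% of all system data files ...
MULTI_USER_CAP = 100      # ... or 100 files, whichever is smaller


def sample_count(population: int, percent: int, cap: int) -> int:
    """Number of items to review. Integer arithmetic keeps the percentage exact;
    rounding up (an assumption, the guide gives only the percentage) means any
    non-empty population yields at least one item."""
    if population <= 0:
        return 0
    return min(-(-population * percent // 100), cap)


def machine_sample_count(n_machines: int) -> int:
    return sample_count(n_machines, PC_MACHINE_PERCENT, n_machines)


def pc_file_sample_count(n_files: int) -> int:
    return sample_count(n_files, PC_FILE_PERCENT, PC_FILE_CAP)


def multi_user_file_sample_count(n_files: int) -> int:
    return sample_count(n_files, MULTI_USER_PERCENT, MULTI_USER_CAP)


@dataclass
class AuditRecord:
    """What step 4 forwards to the CPPM: counts and finding descriptions only.
    Names and directory listings stay in the auditor's own files."""
    machines_audited: int = 0
    files_examined: int = 0
    files_reviewed_by_supervisor: int = 0
    findings: list = field(default_factory=list)


def quick_scan(filename: str) -> str:
    """Constructed stand-in for the auditor's quick scan of a data file.
    Returns 'legitimate', 'proprietary' (the user's supervisor must verify it),
    or a short description of the finding, following the fraud/waste/abuse examples."""
    name = filename.lower()
    if "proprietary" in name:
        return "proprietary"
    if "consulting" in name:
        return "non-BNL business file (significant incident)"
    if any(word in name for word in ("resume", "letter", "softball")):
        return "personal file"
    if "game" in name:
        return "game program"
    return "legitimate"


def audit_department(inventory: dict, seed: int = 0) -> AuditRecord:
    """inventory maps each PC/workstation id to its list of data files
    (constructed input; in practice the listing is taken from the machine itself)."""
    rng = random.Random(seed)           # fixed seed so the selection can be reproduced later
    record = AuditRecord()
    machines = sorted(inventory)
    for machine in rng.sample(machines, machine_sample_count(len(machines))):
        files = sorted(inventory[machine])
        record.machines_audited += 1
        for path in rng.sample(files, pc_file_sample_count(len(files))):
            verdict = quick_scan(path)
            record.files_examined += 1
            if verdict == "proprietary":
                record.files_reviewed_by_supervisor += 1
            elif verdict != "legitimate":
                record.findings.append(verdict)   # description only, never the user's name
    return record


if __name__ == "__main__":
    # Constructed department: 40 workstations, so 5% means two machines are visited.
    inventory = {f"ws{i:02d}": [f"run{j}.dat" for j in range(30)] for i in range(40)}
    inventory["ws07"] += ["resume.doc", "softball_roster.xls"]
    print(audit_department(inventory, seed=1994))
```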