
Certification and Accreditation CS-7493-01 Unit 2:ITSEC System Classes LTC Tim O’Hara Ms Jocelyne Farah Mr Clinton Campbell

Page 1: Certification and Accreditation CS-7493-01 Unit 2:ITSEC System Classes LTC Tim O’Hara Ms Jocelyne Farah Mr Clinton Campbell

Certification and Accreditation
CS-7493-01
Unit 2: ITSEC System Classes
LTC Tim O’Hara
Ms Jocelyne Farah
Mr Clinton Campbell

Page 2: Unit Goals

Introduction
Goal: Determining System Class
ITSEC Classification Criteria
System Security Requirements

References: DITSCAP Enclosure 7 – ITSEC System Class Description

Page 3: What is a “system”?

Information System (a.k.a. Automated Information System, Information Technology System)
– “Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.”

Page 4: Ultimate Goal

Fact: IT systems perform valuable functions and processes in the government and in the private sector.
Goal: Missions must be completed and harm should be prevented.
IT systems should be afforded an appropriate level of Confidentiality, Integrity, Availability and Accountability.

Page 5: Definition

An ITSEC system class is a profile of system characteristics, derived by considering how those same characteristics, applied to the system's operation and data, affect community mission outcome.

Page 6: Why System Classes?

Independent assessment is slow.
Established and tested security requirements exist
– Requirements = F(Mission, Environment, Architecture)
– Degree of compliance = F(value)
Benefit: Reuse
– Issues
– Risks
– Requirements
– Solutions
– Implementations
– Analyses
Essentially, system classes provide an economical solution.

Page 7: Benefits

Reuse past experience
Compare and contrast systems within a class or related tasks
Bound the security problem to satisfy individual class conditions
Consider a system's security posture independently and in relation to other systems

Page 8: Limitations

Certification is faster, but not shorter
System engineering tradeoff decisions are still necessary
– Implementation of physical controls
– Technical countermeasures

Page 9: ITSEC Class Characteristics

Characteristic          | Operation | Data | Infrastructure | System | Alternatives
------------------------|-----------|------|----------------|--------|-------------
Interfacing Mode        |           |      |                |        |
Processing Mode         |           |      |                |        |
Attribution Mode        |           |      |                |        |
Mission-Reliance Factor |           |      |                |        |
Accessibility Factor    |           |      |                |        |
Accuracy Factor         |           |      |                |        |
Information Categories  |           |      |                |        |

(The Operation, Data, Infrastructure and System columns are filled in per system; the Alternatives column is filled in on Page 19.)

Page 10: Assigning Classes

Assignments are based on similar risk
– With respect to impact on other systems
Discriminating characteristics with respect to data and operations
Don’t ignore the infrastructure to which the system is connected

Page 11: Interfacing Mode

Goal: Containment of risk among connected systems
– The risk an operation, data, or system poses to other connected operations, data, or systems

Alternatives
Benign – No physical or logical relationships (closed community)
Passive – Limited to indirect interaction
– Possibly physical relationships
– Logical relationships tightly controlled
Active – Direct interaction
– Physical and logical relationships

Page 12: Processing Mode

Goal: Distinguish the way processing, transmission, storage, or data is handled
– Reflects use of the system by one or more different sets of users or processes
Alternatives
– Dedicated level, compartmented level, system high level, and multi-level

Page 13: Processing Mode Alternatives

Dedicated Level – Single information category
– All users/processes have a valid clearance for all data, and the same need-to-know
– Access controls are equal for all users and processes

Compartmented Level – Different information categories, with single-level access by individual users or processes at any given time
– All users/processes have a valid clearance for the most restricted data, and need-to-know for particular data
– Access controls are different for each user and process

System High Level – Actually multiple information categories, but treated as a single category
– All users/processes have a valid clearance for all data, but not the same need-to-know
– Access controls are equal for all users and processes

Multi-Level – Different information categories, with simultaneous access by individual users/processes
– All users/processes may not have the same clearance or need-to-know
– Access controls are different for each user and process
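The four definitions above can be turned into a decision rule. What follows is an added example, not code from the slide deck or from DITSCAP: it takes a set of users (clearance level plus need-to-know compartments) and the information categories a system will hold, and returns the mode whose conditions that population satisfies. The clearance ordering, the dominance rule used for "valid clearance", the `enforce_need_to_know` switch (whether access controls differ per user, as the compartmented definition requires, or are equal for everyone, as in system high) and the sample users and data are all this example's own assumptions.

```python
"""Decide which DITSCAP processing mode a user population and its data call
for, using the clearance and need-to-know conditions the slide gives for
each mode.

Added example, not part of the original slide deck.  The clearance
ordering, the rule that a "valid clearance" means the user's level
dominates the data's level, and the sample users and data at the bottom are
constructed assumptions.
"""
from dataclasses import dataclass

# Assumed clearance/classification levels, lowest to highest (illustrative).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


@dataclass(frozen=True)
class Data:
    """One information category: a level plus its need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    need_to_know: frozenset = frozenset()   # compartments the user is read into


def cleared_for(user: User, item: Data) -> bool:
    """Valid clearance: the user's level dominates the data's level."""
    return LEVELS.index(user.clearance) >= LEVELS.index(item.level)


def has_need_to_know(user: User, item: Data) -> bool:
    return item.compartments <= user.need_to_know


def processing_mode(users, data, enforce_need_to_know=True) -> str:
    """Return the slide's mode whose conditions this population meets.

    enforce_need_to_know says whether access controls will differ per
    user/process (compartmented) or be equal for everyone with need-to-know
    handled procedurally (system high).  The slide leaves that design choice
    to the system engineer, so it is an input here.
    """
    all_cleared = all(cleared_for(u, d) for u in users for d in data)
    all_ntk = all(has_need_to_know(u, d) for u in users for d in data)
    single_category = len({(d.level, d.compartments) for d in data}) == 1

    if not all_cleared:
        # Some user lacks clearance for some data: only multi-level mode can
        # hold that user and that data on the same system.
        return "multi-level"
    if single_category and all_ntk:
        # One category, everyone cleared, everyone with the same need-to-know.
        return "dedicated"
    if all_ntk or not enforce_need_to_know:
        # Multiple categories treated as one; equal access controls for all.
        return "system high"
    # Multiple categories, everyone cleared for the most restricted data, and
    # per-user access controls enforce need-to-know for particular data.
    return "compartmented"


# Constructed sample population (not from the slides).
ALICE = User("alice", "TOP SECRET", frozenset({"ALPHA", "BRAVO"}))
BOB = User("bob", "TOP SECRET", frozenset({"ALPHA"}))
CAROL = User("carol", "SECRET", frozenset({"ALPHA"}))

ALPHA_DATA = Data("SECRET", frozenset({"ALPHA"}))
BRAVO_DATA = Data("TOP SECRET", frozenset({"BRAVO"}))


def demo() -> dict:
    """Modes for a few constructed populations, keyed by scenario."""
    return {
        "one category, same need-to-know":
            processing_mode([ALICE, BOB], [ALPHA_DATA]),
        "two categories, enforced need-to-know":
            processing_mode([ALICE, BOB], [ALPHA_DATA, BRAVO_DATA]),
        "two categories, equal access controls":
            processing_mode([ALICE, BOB], [ALPHA_DATA, BRAVO_DATA],
                            enforce_need_to_know=False),
        "under-cleared user present":
            processing_mode([ALICE, CAROL], [ALPHA_DATA, BRAVO_DATA]),
    }


if __name__ == "__main__":
    for scenario, mode in demo().items():
        print(f"{scenario}: {mode}")
```

The check worth noticing is the first one: a single user whose clearance does not dominate every category forces multi-level mode regardless of how need-to-know is handled, which is why the clearance test runs before the need-to-know tests.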

Page 14: Attribution Mode

Goal: The degree or complexity of accountability required to establish authenticity and non-repudiation

Components
– processing (p)
– transmission (t)
– storage (s)
– data (d)

Alternatives
None – no p, t, s, or d can be attributed to users or processes
Rudimentary – only the most basic p, t, s, and d can be attributed
Selected – some p, t, s, and d can be attributed
Comprehensive – all (or most) p, t, s, and d can be attributed

Page 15: Mission-Reliance Factor

Goal: The degree to which mission success relies on the operation, data, infrastructure, or system
– Independent of the criticality of the mission

Alternatives
– None
– Cursory
– Partial
– Total

Page 16: Accessibility Factor

Goal: The degree to which the operation, data, infrastructure, or system needs to be available
– From a security perspective, not performance

Alternatives
– Reasonable
– Soon
– ASAP
– Immediate

Page 17: Accuracy Factor

Goal: The degree to which integrity of the operation, data, infrastructure, or system is needed
– From a security perspective

Alternatives
– Not-applicable – Integrity of data is irrelevant to operations
– Approximate – Degree of integrity must be approximate to avoid operational impact
– Exact – Degree of integrity must be exact or extremely high to avoid operational impact

Page 18: Information Categories

Goal: Categorize information based on common management principles and security requirements promulgated by security policy

Alternatives
Unclassified
Sensitive
– Privacy Act
– Financially Sensitive
– Proprietary Information
– Administrative/Other
Collateral Classified
Compartmented and/or Special Access Classified

Page 19: Remember the Initial Table?

Characteristic          | Operation | Data | Infrastructure | System | Alternatives
------------------------|-----------|------|----------------|--------|-------------
Interfacing Mode        |           |      |                |        | Benign, Passive, or Active
Processing Mode         |           |      |                |        | Dedicated Level, Compartmented Level, System High, or Multi-level
Attribution Mode        |           |      |                |        | None, Rudimentary, Selected, or Comprehensive
Mission-Reliance Factor |           |      |                |        | None, Cursory, Partial, or Total
Accessibility Factor    |           |      |                |        | Reasonable, Soon, ASAP, or Immediate
Accuracy Factor         |           |      |                |        | Not-applicable, Approximate, or Exact
Information Categories  |           |      |                |        | Unclassified, Sensitive (Privacy Act, Financially Sensitive, Administrative, Proprietary, or Other), Collateral Classified, or Compartmented/Special Access Classified

Page 20: Successful Implementation: Secure Systems

Define security requirements early
Consider all ITSEC disciplines
Remember that system-specific requirements can be inherited from mission and function
– Some systems need a higher level of assurance of implementation
But how will security requirement sets be developed?

Page 21: Initial Step

Analyze existing systems to determine classes
– Accredited systems become “models”
– Applicable ITSEC requirements, high-level architectures and approved solutions are stored in a common repository

The requirements definition process collects ITSEC requirements into a common database
– Requirements are reviewed to remove conflicts and duplications
– The result is a clean and complete set of requirements
– Requirements are allocated to each security class
– Results are stored in a database

Page 22: Recurring Steps

Construct a description of each system
Define the boundaries of the system relative to the systems it may interact with

Example Description
– Mission of the system
– Functions this system will perform
– Interfaces with other systems
– Interactions across system interfaces
– Expected users of this system
– Information categories to be processed
– Time frame for developing and implementing the system
– Components of the system that will be automated versus manual
– Budget limitations that may affect the system
– Other system constraints or assumptions that will impact the system

If the systems aren’t understood well enough to create these descriptions, the DITSCAP is NOT ready to begin!

Page 23: Determination of System Class

Select the applicable entries for the first three columns (operation, data, and infrastructure)
Resolve these entries to determine the most applicable value for the fourth column (system)
– The system should adequately support the needs as defined for operation, data, and infrastructure
Result: a system with minimum security requirements specified in the context of operation, data, and infrastructure

Don’t forget to update the common database if necessary!
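The two steps above (fill in the Operation, Data and Infrastructure columns, then resolve them into the System column) can be carried out mechanically once each characteristic's alternatives are ordered. The following is an added example, not code from the slide deck or from DITSCAP. The alternatives per characteristic are the ones the deck lists; two things are this example's own assumptions: that each list is ordered from least to most demanding, and that the System entry is the most demanding of the three columns, which is one reading of "the system should adequately support the needs as defined for operation, data, and infrastructure". The sample entries are constructed.

```python
"""Resolve the System column of the ITSEC class table from the Operation,
Data and Infrastructure columns, and turn the result into a class profile
that can be compared across systems.

Added example, not part of the original slide deck.  The ordering of each
alternative list (least demanding first) and the "most demanding of the
three columns wins" rule are assumptions; the sample entries are constructed.
"""

# Characteristic -> alternatives, least demanding first (assumed ordering).
ALTERNATIVES = {
    "Interfacing Mode": ("Benign", "Passive", "Active"),
    "Processing Mode": ("Dedicated Level", "Compartmented Level",
                        "System High", "Multi-level"),
    "Attribution Mode": ("None", "Rudimentary", "Selected", "Comprehensive"),
    "Mission-Reliance Factor": ("None", "Cursory", "Partial", "Total"),
    "Accessibility Factor": ("Reasonable", "Soon", "ASAP", "Immediate"),
    "Accuracy Factor": ("Not-applicable", "Approximate", "Exact"),
    "Information Categories": ("Unclassified", "Sensitive", "Collateral Classified",
                               "Compartmented/Special Access Classified"),
}

# The deck's sub-types of Sensitive all sit at the Sensitive rank.
SENSITIVE_SUBTYPES = frozenset({"Privacy Act", "Financially Sensitive",
                                "Administrative", "Proprietary", "Other"})

COLUMNS = ("Operation", "Data", "Infrastructure")


def rank(characteristic: str, value: str) -> int:
    """Position of `value` in its characteristic's ordered alternatives."""
    if characteristic == "Information Categories" and value in SENSITIVE_SUBTYPES:
        value = "Sensitive"
    choices = ALTERNATIVES[characteristic]
    if value not in choices:
        raise ValueError(f"{value!r} is not an alternative for {characteristic}")
    return choices.index(value)


def resolve_system_column(entries: dict) -> dict:
    """entries: {characteristic: {"Operation": v, "Data": v, "Infrastructure": v}}.

    Returns {characteristic: system value}.  Every characteristic needs all
    three columns filled in first, which is the slide's first step; a missing
    cell is an error rather than a silent default.
    """
    system = {}
    for characteristic, choices in ALTERNATIVES.items():
        row = entries.get(characteristic, {})
        missing = [c for c in COLUMNS if c not in row]
        if missing:
            raise KeyError(f"{characteristic}: no entry for {missing}")
        highest = max(rank(characteristic, row[c]) for c in COLUMNS)
        system[characteristic] = choices[highest]
    return system


def class_profile(system: dict) -> tuple:
    """Hashable profile of System values in table order.  Systems with equal
    profiles fall in the same ITSEC class and can reuse each other's
    requirements, solutions and analyses."""
    return tuple(system[c] for c in ALTERNATIVES)


# Constructed sample: a small mission application (not from the slides).
SAMPLE_ENTRIES = {
    "Interfacing Mode": {"Operation": "Passive", "Data": "Benign",
                         "Infrastructure": "Active"},
    "Processing Mode": {"Operation": "Dedicated Level", "Data": "System High",
                        "Infrastructure": "Dedicated Level"},
    "Attribution Mode": {"Operation": "Selected", "Data": "Comprehensive",
                         "Infrastructure": "Rudimentary"},
    "Mission-Reliance Factor": {"Operation": "Total", "Data": "Partial",
                                "Infrastructure": "Partial"},
    "Accessibility Factor": {"Operation": "ASAP", "Data": "Soon",
                             "Infrastructure": "Immediate"},
    "Accuracy Factor": {"Operation": "Exact", "Data": "Exact",
                        "Infrastructure": "Approximate"},
    "Information Categories": {"Operation": "Privacy Act",
                               "Data": "Collateral Classified",
                               "Infrastructure": "Unclassified"},
}


if __name__ == "__main__":
    resolved = resolve_system_column(SAMPLE_ENTRIES)
    for characteristic, value in resolved.items():
        print(f"{characteristic}: {value}")
    print("profile:", class_profile(resolved))
```

Treating the profile as a dictionary key is what makes the common database workable: a new system whose resolved profile matches an accredited "model" system inherits that class's requirement set instead of being assessed from scratch.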

Page 24: Questions

03/14/2001