
Advanced System Security Measures

These Advanced System Security Measures define the security measures that must be applied to High Criticality systems. The requirements are:

I. Audit and Accountability

(a) Enable process auditing or accounting: Turn on process auditing or accounting so that the system generates log information about the creation of new processes and their system activity.

(b) Audit privilege escalation or change in privilege: Generate a log message whenever a user changes their level of privilege.

(c) Audit firewall denial: Generate a log message when the host-based firewall denies a network connection.

(d) Audit all significant application events: Ensure that each application on the system logs all of its significant events.

(e) Write audit events to a separate system: System logs must be written to a remote system in such a way that they cannot be altered by any user on the system being logged.
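
Requirements (b) and (c) only have value if someone reads the resulting log lines. The following added example (Python standard library; not part of the policy text) runs the detection logic over a handful of constructed syslog lines written in the formats that sudo, su and the Linux netfilter LOG target emit, picking out privilege changes and host-firewall denials. The host name, users, addresses and the "FW-DROP:" log prefix are assumed; the remote forwarding called for in (e) is a syslog transport setting and is not shown here.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from any real system), written in the
# formats that sudo, su and the Linux netfilter LOG target actually emit.
# "FW-DROP:" is an assumed --log-prefix on the host firewall's final DROP rule.
SAMPLE_LOG = """\
Mar  3 10:15:02 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.9 port 50122 ssh2
Mar  3 10:15:07 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:15:10 web01 kernel: [12345.678901] FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:11 web01 su: (to root) bob on pts/1
Mar  3 10:15:12 web01 kernel: [12346.001122] FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=54321 PROTO=TCP SPT=4444 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:20 web01 cron[3010]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
"""

# Generic syslog envelope: "timestamp host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sudo message: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# su message: "(to <target>) <user> on <tty>"
SU_RE = re.compile(r"^\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")
# netfilter LOG line with the assumed prefix
FW_RE = re.compile(
    r"FW-DROP: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def classify(line):
    """Return an event dict for a privilege change or firewall denial, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m["prog"], m["msg"]
    base = {"ts": m["ts"], "host": m["host"]}
    if prog == "sudo" and (s := SUDO_RE.match(msg)):
        return {**base, "kind": "priv_change", "user": s["user"],
                "target": s["target"], "detail": s["cmd"]}
    if prog == "su" and (s := SU_RE.match(msg)):
        return {**base, "kind": "priv_change", "user": s["user"],
                "target": s["target"], "detail": "su on " + s["tty"]}
    if prog == "kernel" and (f := FW_RE.search(msg)):
        return {**base, "kind": "fw_deny", "src": f["src"], "dst": f["dst"],
                "proto": f["proto"], "dport": f["dpt"]}
    return None


def audit_events(log_text):
    """All privilege-change and firewall-denial events in a block of syslog text."""
    return [e for e in map(classify, log_text.splitlines()) if e]


def summarize(events):
    """Counts per event kind, e.g. {'priv_change': 2, 'fw_deny': 2}."""
    return dict(Counter(e["kind"] for e in events))


def root_escalations(events):
    """Users who obtained root: the cases requirement (b) wants a human to review."""
    return [e["user"] for e in events
            if e["kind"] == "priv_change" and e["target"] == "root"]


def denied_ports(events):
    """Destination ports the host firewall refused, in log order."""
    return [e["dport"] for e in events if e["kind"] == "fw_deny"]


if __name__ == "__main__":
    evs = audit_events(SAMPLE_LOG)
    for e in evs:
        print(e)
    print(summarize(evs), root_escalations(evs), denied_ports(evs))
```

Lines that match neither pattern (the sshd login and the cron job above) are deliberately ignored; in a real deployment these parsers would run on the remote log host required by (e), so that a user who gains root on web01 cannot edit the evidence of having done so.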

II. Configuration and Maintenance

(a) Follow advanced vendor security recommendations: This document cannot be comprehensive for all systems and applications available. Conform to best practices and recommendations outlined in vendor security whitepapers and documentation.

(b) Host-based and network-based firewalls: Systems must be protected by both a host-based and a network-based firewall that allows only those incoming connections necessary to fulfill the business need of that system.

(c) Configuration management process: Configuration changes must be regulated by a documented configuration and change management process.

(d) Partitioning: Systems may share hardware and resources only with other systems that have similar security requirements, regardless of their Criticality classification. Systems which share similar security requirements have user communities of similar size and character, similar firewall profiles, and similar technical requirements. For example:

(i) Multiple systems of the same Criticality may be aggregated together to share hardware and resources provided they have similar security requirements.

(ii) High Criticality systems may share hardware and resources with Medium and Low Criticality systems provided that all systems meet these Advanced System Security Measures, and share similar security requirements.

III. Additional Requirements

Physical access: The system must reside in a secured, managed data center.

DATA HANDLING SECURITY MEASURES

1. Requirements for Handling Confidential Data

(a) Access control: Access to confidential data must be provided on a least-privilege basis. No person or system should be given access to the data unless required by business process. In such cases where access is required, permission to use the data must be granted by the Data Steward (see “Definitions,” below).

(b) Sharing: Confidential data may be shared among the NYU community. It may be released publicly only according to well-defined business processes, and with the permission of the Data Steward.

(c) Retention: Confidential data should only be stored for as long as is necessary to accomplish the documented business process.

2. Requirements for Handling Protected Data

(a) Access control: Access to protected data must be provided on a least-privilege basis. No person or system should be given access to the data unless required by business process. In such cases where access is required, permission to use the data must be granted by the Data Steward.

(b) Sharing: Protected data may be shared among University employees according to a well-defined business process approved by the Data Steward. It may be released publicly only according to well-defined business processes, and with the permission of the Data Steward.

(c) Retention: Protected data should only be stored for as long as is necessary to accomplish the documented business process.

(d) Incident Notification: If there is a potential security incident that may place protected data at risk of unauthorized access, ITS Technology Security Services must be notified:

3. Requirements for Handling Restricted Data

(a) Collection: Restricted data should only be collected when all of the following conditions are met:

(i) The data is not available from another authoritative source;

(ii) The data is required by business process; and

(iii) You have permission to collect the data from the appropriate Data Steward.

(b) Access control: Individuals must be granted access to restricted data on a least-privilege basis. No person or system may access the data unless required by a documented business process. In such cases where access is required, permission to use the data must be granted by the Data Steward.

(c) Access auditing: Enable file access auditing to log access to files containing restricted data.

(d) Labeling: Portable media containing restricted data should be clearly marked.

(e) Sharing: Access to restricted data can be granted only by a Data Steward. No individual may share restricted data with another individual who has not been granted access by a Data Steward.

(f) Idle access: Devices which can be used to access restricted data must automatically lock after some period of inactivity, through the use of screensaver passwords, automatic logout, or similar controls.

(g) Transit encryption: Restricted data must be encrypted during transmission with a method that meets the following requirements:

(i) Cryptographic algorithm(s) are listed in FIPS 140-2 Annex A, the list of approved security functions.

(ii) Cryptographic key lengths meet best practices for length, given current computer processing capabilities.

(iii) Both the source and destination of the transmission must be verified.
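
Requirements (i) to (iii) map directly onto how a TLS client is configured. The following added example (Python standard-library ssl module; not part of the policy text) builds a context that meets them, places a commonly seen weak context beside it, and runs a small policy checker over both. The cipher string, the 128-bit strength floor and the certificate file paths are assumptions; with no paths given, the system trust store is used and no client certificate is presented.

```python
import ssl

MIN_STRENGTH_BITS = 128  # assumed organisational floor for symmetric key strength


def build_client_context(ca_file=None, client_cert=None, client_key=None):
    """Client-side TLS context that meets requirements (i)-(iii).

    ca_file, client_cert and client_key are assumed paths; with None the
    system trust store is used and no client certificate is presented.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # (i)  approved algorithms: ECDHE key exchange with AES-GCM for TLS 1.2
    #      (TLS 1.3 suites are fixed by the protocol and are all AEAD)
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5")
    # (ii) no legacy protocol versions, which also removes their weak suites
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # (iii) destination verified: chain to a trusted CA and match the hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # (iii) source verified: present our own certificate so the server can
    #       authenticate us (mutual TLS)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def weak_client_context():
    """The context many quick scripts end up with: verification off, any suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL")
    return ctx


def check_policy(ctx):
    """Return the ways ctx fails (i)-(iii); an empty list means compliant."""
    violations = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        violations.append("peer certificate not required: destination is unverified")
    if not ctx.check_hostname:
        violations.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        violations.append("protocol floor below TLS 1.2")
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # fixed AEAD suites, not selectable through set_ciphers()
        name = c["name"]
        if not name.startswith("ECDHE") or "GCM" not in name:
            violations.append("non-approved or non-AEAD suite enabled: " + name)
        elif c["strength_bits"] < MIN_STRENGTH_BITS:
            violations.append("key too short: " + name)
    return violations


if __name__ == "__main__":
    print("strong:", check_policy(build_client_context()))
    print("weak:", check_policy(weak_client_context()))
```

The checker inspects only what the context will negotiate; whether the peer's certificate actually chains to the intended CA is decided at handshake time, which is why CERT_REQUIRED and check_hostname are the settings a reviewer should look for first.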

(h) Storage encryption: Restricted data must be encrypted using strong, public cryptographic algorithms and reasonable key lengths given current computer processing capabilities. Keys must be stored securely, and access to them provided on a least-privilege basis (see ISO 11568 for recommendations on securing keys). If one-way hashing is used in lieu of reversible encryption, salted hashes must be used. Possible encryption scenarios are:

(i) Encrypt files containing restricted data using different keys or passwords than those used for system login.

(ii) Encrypt data stored in databases at the column-level.

(iii) In addition to file and/or database encryption, implement full-disk encryption on portable devices containing restricted data.
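
The sentence above requiring salted hashes is easy to state and easy to get wrong. The following added example (Python standard library; not part of the policy text) hashes a restricted identifier with a per-record random salt using scrypt, verifies it in constant time, and shows the failure mode an unsalted hash has: identical records become linkable and one precomputed table recovers all of them, whereas with salts the attacker pays one KDF call per record per guess. The sample identifier, the candidate list and the scrypt parameters are constructed assumptions. Column-level database encryption and the separation of file keys from login passwords are not shown.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16
# scrypt work factors: assumed baseline, raise N as hardware allows
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def kdf(value, salt):
    """Memory-hard salted hash of a restricted value (scrypt from the stdlib)."""
    return hashlib.scrypt(value.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=DKLEN)


def hash_restricted(value, salt=None):
    """Store (salt, digest) per record, with a fresh random salt for every record."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    return salt, kdf(value, salt)


def verify_restricted(value, salt, digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(kdf(value, salt), digest)


def unsalted_hash(value):
    """What NOT to do: a bare SHA-256 of the value, identical for every record."""
    return hashlib.sha256(value.encode()).digest()


def attack_unsalted(digests, candidates):
    """One precomputed table cracks every record at once (rainbow-table style)."""
    table = {unsalted_hash(c): c for c in candidates}
    return [table.get(d) for d in digests]


def attack_salted(records, candidates):
    """With per-record salts the attacker pays one KDF call per record per guess."""
    recovered, kdf_calls = [], 0
    for salt, digest in records:
        hit = None
        for guess in candidates:
            kdf_calls += 1
            if verify_restricted(guess, salt, digest):
                hit = guess
                break
        recovered.append(hit)
    return recovered, kdf_calls


# Constructed sample data: three records holding the same (fake) identifier.
SAMPLE_VALUE = "123-45-6789"
CANDIDATES = ["111-11-1111", "222-22-2222", SAMPLE_VALUE, "999-99-9999"]


def demo():
    salted = [hash_restricted(SAMPLE_VALUE) for _ in range(3)]
    unsalted = [unsalted_hash(SAMPLE_VALUE) for _ in range(3)]
    # Unsalted: the three digests are identical, so the records are linkable
    # and a single table lookup recovers all of them.
    linkable = len(set(unsalted)) == 1
    # Salted: three different digests, each costing the attacker separate work.
    unlinkable = len({d for _, d in salted}) == 3
    recovered, calls = attack_salted(salted, CANDIDATES)
    return {
        "unsalted_linkable": linkable,
        "salted_unlinkable": unlinkable,
        "table_hits": attack_unsalted(unsalted, CANDIDATES),
        "salted_hits": recovered,
        "salted_kdf_calls": calls,
    }


if __name__ == "__main__":
    print(demo())
```

Note that a salt does not make a low-entropy value (a nine-digit identifier has fewer than a billion possibilities) unguessable; it removes precomputation and linkability, and the memory-hard KDF makes each guess expensive. Where the value must be looked up again, keyed hashing or reversible encryption under a properly stored key is the appropriate tool.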

(i) Retention: Restricted data should only be stored for as long as is necessary to accomplish the documented business process.

(j) Destruction: When restricted data is no longer needed it should be destroyed using methods that are resistant to data recovery attempts, such as cryptographic data destruction utilities, on-site physical device destruction, or a NAID-certified data destruction service.

(k) Incident notification: If there is a potential security incident which may place restricted data at risk of unauthorized access, ITS Technology Security Services must be notified.

LESSON ROUND-UP

– Software refers to a set of programs that makes the hardware perform a particular set of tasks in a particular order. The process of writing (or coding) programs is called programming, and individuals who perform this task are called programmers.

– Software can be classified mainly into the following categories: 1. System Software; 2. Application Software.

– An operating system is a collection of integrated computer programs that provide recurring services to other programs or to the user of a computer. These services include disk and file management, memory management, and device management. In other words, it manages CPU operations, input/output activities, storage resources and diverse support services, and controls the various devices attached to the computer.

– Android is a Linux-based operating system designed primarily for touchscreen mobile devices such as smartphones and tablet computers.

– Utility software is system software designed to help analyze, configure, optimize or maintain a computer. It usually focuses on how the computer infrastructure (including the computer hardware, operating system, application software and data storage) operates.

– Application software consists of programs that direct computers to perform specific information processing activities for end users. These programs are called application packages because they direct the processing required for a particular use, or application, that users want to accomplish.

– Firmware is software that is recorded permanently on a hardware component, so it combines aspects of both software and hardware. Computer chips that have data or programs recorded on them hold firmware.

– Multiprogramming is a form of concurrent processing in which several programs are kept in memory and run on a uniprocessor. Since there is only one processor, there can be no true simultaneous execution of different programs. Instead, the operating system executes part of one program, then part of another, and so on. To the user it appears that all programs are executing at the same time.

– Multiprocessing is the coordinated processing of programs by more than one computer processor. It is a general term that can mean the dynamic assignment of a program to one of two or more processors working in tandem, or can involve multiple processors working on the same program at the same time (in parallel).

– Time sharing is a method of operation in which multiple users with different programs interact nearly simultaneously with the central processing unit of a large-scale computer, each receiving a small slice of processor time in turn.

– Batch processing is the execution of a series of programs (“jobs”) on a computer without manual intervention. Jobs are set up so that they can run to completion unattended, so all input data are preselected through scripts, command-line parameters, or job control language.

– Online processing means that users enter information directly online (here “online” means connected to a central processor rather than its modern connotation of the Internet, though it can mean both). The input is validated and applied directly to the master file; no new file is created. Input, processing and output therefore happen almost immediately, as in a cash dispenser transaction or booking a holiday at a travel agent or over the Internet.

– Real-time processing is usually found in systems that use computer control. It is used when it is essential that an input request is dealt with quickly enough to control an output properly.

– System security refers to the techniques for ensuring that data stored in a computer cannot be read or compromised by any individual without authorization; in other words, it is the mechanism through which an organisation's data and information are secured from unauthorized access.

SELF-TEST QUESTIONS

(These are meant for re-capitulation only. Answers to these questions are not to be submitted for evaluation)

1. What do you mean by the term Software? Differentiate between the hardware and software of a system.

2. What are the different characteristics of software? Explain in detail.

3. What are the different types of Computer software? Explain each one in detail.

4. What do you mean by operating system? Explain about different types of operating system.

5. What are the different Functions of operating systems?

6. What do you mean by utility software? Explain about 5 popular utility software in detail.

7. What do you mean by Application software? Explain about different Application software.

8. What is the difference between Application Software and system software? Explain.

9. What do you mean by multiprogramming and multiprocessing? State the difference between multiprogramming and multiprocessing.

10. What do you mean by batch processing, online processing and real-time processing? Explain the difference between online processing and real-time processing.

11. What do you mean by system security? Explain basic system securities measures.

12. Write short notes on:

(a) Time sharing

(b) Android operating system

(c) Linux

(d) Characteristics of a strong password

(e) Firewall

(f) Social Computing

(g) Agile software development technology

(h) Firmware

LESSON OUTLINE

– Data Base Concepts

– Data Structure