5. RFID Security Controls

5.1 Management Controls

Management controls are typically involved in risk assessment, system planning, and system acquisition, as well as security certifications, accreditations, and assessments. The sub-sections below discuss management controls for RFID systems in more detail.

5.1.1 RFID Usage Policy

Control: An RFID usage policy describes the authorized and unauthorized uses of RFID technology in an organization and the personnel roles assigned to particular RFID system tasks. Federal agencies should follow FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, when developing the RFID usage policy.

The usage policy also should be consistent or integrated with the organization’s privacy policy, which addresses topics such as how personal information is stored and shared. The RFID usage policy should also address privacy issues associated with the tag identifier formats and the potential disclosure of information based solely on the tag identifier format selected. Additional information resources are found in the privacy guidelines in Section 6.

Applicability: All organizations that use RFID technologies or are considering using them.

Benefits: The policy establishes the framework for many other security controls. It provides a vehicle for management to communicate its expectations regarding the RFID system and its security. It enables management to take legal or disciplinary action against individuals or entities that do not comply with the policy.

Weaknesses: The existence of a policy does not ensure compliance with the policy. A policy needs to be coupled with the implementation and enforcement of appropriate operational and technical controls to be effective.

5.1.2 IT Security Policies

Control: IT security policies describe the approach to achieve high-level security objectives of the usage policy. The IT security policies related to RFID should cover each RFID subsystem, including network, database and application security in the enterprise and inter-enterprise subsystems; they should not just be limited to security of tags and readers in the RF subsystem.

IT security policies for RFID systems should address:

• Perimeter protection, including port and protocol restrictions for network traffic between the RF and enterprise subsystems and between the enterprise subsystem and a public network or extranet,
• Password management, particularly with respect to the generation, distribution, and storage of tags’ access, lock, and kill passwords,
• Management system security for readers and middleware, including the use and protection of SNMP read and write community strings,[41]
• RFID security training for system administrators and operators, and
• Management of associated cryptographic systems, including certification authorities and key management.

Applicability: All RFID implementations, particularly those with enterprise subsystems or inter-enterprise subsystems.

Benefits: Well-crafted security policies govern the mitigation of business risks associated with the use of RFID technologies. The policies provide requirements and guidelines for the individuals designing, implementing, using, and maintaining RFID systems. For example, IT policies help the personnel designing RFID systems or procuring system components to make appropriate decisions. Similarly, they help system administrators correctly implement and configure software and related network components.

Weaknesses: The existence of a policy does not ensure compliance with the policy. A policy needs to be coupled with the implementation and enforcement of appropriate operational and technical controls to be effective.

5.1.3 Agreements with External Organizations

Control: When data associated with an RFID system needs to be shared across organizational boundaries, formal agreements among the participating organizations can codify the roles and responsibilities, and in some cases the legal liability, of each organization. These formal agreements are usually documented as a Memorandum of Agreement (MOA) or Memorandum of Understanding (MOU). The MOU or MOA specifies the network connections and authentication mechanisms to be used, the data to be shared, and the manner in which data should be protected both in transit and at rest. It may also address controls on vendors, subcontractors, and other third parties to the extent they have access to the system.[42]

If the inter-enterprise application requires tag passwords to be shared across organizations, then the MOU or MOA should specify how these passwords will be generated, stored, and shared. The memorandum may specify IT security controls such as methods of authentication, access control, or encryption that participating organizations shall implement to protect the passwords.

Applicability: Any RFID system involving more than one organization, which is most common in supply chain applications.

[41] SNMP community strings are passwords that provide anyone with an SNMP management client and network access the ability to manage the associated systems. Knowledge of the read community string provides the holder the ability to view the system configuration and track system behavior. Knowledge of the write community string provides the holder the ability to reconfigure system components.

[42] For additional information on agreements with external organizations, see NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems, which can be found at http://csrc.nist.gov/publications/nistpubs/800-47/sp800-47.pdf.

Benefits: Having an MOA or MOU significantly reduces the potential for subsequent misunderstandings and security breaches. They enable signatories to communicate their respective security requirements while also realizing the benefits of the business partnership that led them to collaborate in the development and use of the RFID system.

Weaknesses: Monitoring an external organization’s enforcement of an agreement is difficult without full access to its systems and personnel, which is unlikely. As a result, violations may occur without detection. This risk can be mitigated with independent audits if signatories agree to hire third parties to conduct such audits.

5.1.4 Minimizing Sensitive Data Stored on Tags

Control: Instead of placing sensitive data on tags, the data could be stored in a secure enterprise subsystem and retrieved using the tag’s unique identifier.

Applicability: Applications that use tags with on-board memory and process data that is either considered sensitive or that could be combined with other data to infer sensitive information.

Benefits:

• Adversaries cannot obtain information from the tag through rogue scanning or eavesdropping.
• Data encryption and access control is often more cost-effectively performed in the enterprise subsystem than in the RF subsystem.

Weaknesses:

• Adversaries can often obtain valuable information from the identifier alone. For example, knowledge of the EPC manager ID and object class bits in certain EPC formats may reveal the make and model of a tagged object concealed in a container. An adversary might target containers based on the perceived worth of their contents.
• Placing data in the enterprise subsystem makes the availability of that data contingent on the availability of the network. Retrieving data over a network also introduces a small delay, which could be unacceptable for some applications. Section 3.3.3 discusses why organizations might choose to store data on tags even after taking into consideration the risks of doing so.
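As an added example (not from this publication), the Python below decodes a constructed SGTIN-96 identifier to show the company prefix (EPC manager) and item reference (object class) fields that the identifier alone exposes, and models the control above by keeping the sensitive attributes in an enterprise-side table keyed by the identifier. The field layout follows the EPC Tag Data Standard SGTIN-96 encoding; the tag values and the enterprise database are constructed for illustration.

```python
"""SGTIN-96 identifier decoding plus an enterprise-side lookup modelling the
Section 5.1.4 control.  Added example with constructed sample values."""

# SGTIN-96 partition table: partition -> (company prefix bits, item reference bits).
# Layout: 8-bit header (0x30), 3-bit filter, 3-bit partition, company prefix,
# item reference, 38-bit serial; the two variable fields always total 44 bits.
PARTITIONS = {0: (40, 4), 1: (37, 7), 2: (34, 10), 3: (30, 14),
              4: (27, 17), 5: (24, 20), 6: (20, 24)}
SGTIN96_HEADER = 0x30

def encode_sgtin96(filter_val, partition, company_prefix, item_ref, serial):
    """Pack the fields into a 96-bit integer as a tag would carry them."""
    cp_bits, ir_bits = PARTITIONS[partition]
    value = SGTIN96_HEADER << 88
    value |= (filter_val & 0x7) << 85
    value |= (partition & 0x7) << 82
    value |= (company_prefix & ((1 << cp_bits) - 1)) << (82 - cp_bits)
    value |= (item_ref & ((1 << ir_bits) - 1)) << 38
    value |= serial & ((1 << 38) - 1)
    return value

def decode_sgtin96(value):
    """Return the fields anyone who reads or overhears the tag can recover."""
    if value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 identifier")
    partition = (value >> 82) & 0x7
    cp_bits, ir_bits = PARTITIONS[partition]
    return {
        "filter": (value >> 85) & 0x7,
        "company_prefix": (value >> (82 - cp_bits)) & ((1 << cp_bits) - 1),
        "item_reference": (value >> 38) & ((1 << ir_bits) - 1),
        "serial": value & ((1 << 38) - 1),
    }

# Constructed sample: partition 5 gives a 7-digit company prefix (0614141)
# and a 6-digit item reference; none of these values refer to a real product.
SAMPLE_TAG = encode_sgtin96(3, 5, 614141, 812345, 6789)

# Section 5.1.4 control: the sensitive attributes live only in the enterprise
# subsystem, keyed by identifier, so the tag itself carries none of them.
ENTERPRISE_DB = {SAMPLE_TAG: {"contents": "server RAM, 64 GB", "owner": "IT"}}

def enterprise_lookup(tag_id, authorized):
    """Enterprise subsystem releases tag data only to an authorized caller."""
    if not authorized:
        return None
    return ENTERPRISE_DB.get(tag_id)
```

Even with the control applied, decode_sgtin96 still yields the company prefix and item reference from the identifier alone, which is exactly the residual weakness listed above and why the usage policy should cover identifier format selection.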