RFC 1244 Site Security Handbook July 1991
[NCSC2]
NCSC, "A Guide to Understanding DISCRETIONARY ACCESS CONTROL
in Trusted Systems", NCSC-TG-003, Version-1, 30 September
1987, 29 pages.
Discretionary control is the most common type of access
control mechanism implemented in computer systems today.
The basis of this kind of security is that an individual
user, or program operating on the user's behalf, is
allowed to specify explicitly the types of access other
users (or programs executing on their behalf) may have to
information under the user's control. [...] Discretionary
controls are not a replacement for mandatory controls. In
any environment in which information is protected,
discretionary security provides for a finer granularity of
control within the overall constraints of the mandatory
policy.

[NCSC3]
NCSC, "A Guide to Understanding CONFIGURATION MANAGEMENT
in Trusted Systems", NCSC-TG-006, Version-1, 28 March 1988,
31 pages.
Configuration management consists of four separate tasks:
identification, control, status accounting, and auditing.
For every change that is made to an automated data
processing (ADP) system, the design and requirements of the
changed version of the system should be identified. The
control task of configuration management is performed
by subjecting every change to documentation, hardware, and
software/firmware to review and approval by an authorized
authority. Configuration status accounting is responsible
for recording and reporting on the configuration of the
product throughout the change. Finally, through the process
of a configuration audit, the completed change can be
verified to be functionally correct, and for trusted
systems, consistent with the security policy of the system.

[NTISS]
NTISS, "Advisory Memorandum on Office Automation Security
Guideline", NTISSAM COMPUSEC/1-87, 16 January 1987,
58 pages.
This document provides guidance to users, managers, security
officers, and procurement officers of Office Automation
Systems. Areas addressed include: physical security,
personnel security, procedural security, hardware/software
security, emanations security (TEMPEST), and communications
Site Security Policy Handbook Working Group [Page 97]