SECURITY FUNCTIONAL REQUIREMENTS
What is security functionality?
There are several ways to classify and characterize countermeasures that can be used to reduce vulnerabilities and counter threats to system resources. It will be useful for presentation in the rest of the book to explore different approaches, which we will do in this section and the next two.
In this section, we consider the countermeasures related to functional requirements and follow the classification defined in FIPS PUB 200 (Minimum Security Requirements for Federal Information and Information Systems). This standard enumerates 17 security-related areas concerned with protecting the confidentiality, integrity and availability of information systems and of the information these systems process, store and transmit.
The requirements listed in FIPS PUB 200 cover a wide range of countermeasures to vulnerabilities and threats. Broadly speaking, these countermeasures fall into two categories: those that require technical computer security measures (discussed in parts one and two of this book), whether hardware, software or both; and those that are fundamentally management problems.
Access Control:
Limit access to the information system to authorized users, to processes acting on behalf of authorized users or devices (including other information systems), and to the types of transactions and functions that authorized users are permitted to perform.
Awareness and Training:
(i) ensure that administrators and users of the organization's information systems are made aware of the security risks associated with their activities and of the applicable laws, regulations and policies related to the security of those systems.
(ii) ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Audit and Accountability:
(i) create, protect and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful, unauthorized or inappropriate information system activity.
(ii) ensure that the actions of individual information system users can be uniquely traced to those users so that they can be held accountable for their actions.
Certification, Accreditation and Security Assessments:
(i) periodically assess the security controls in the organization's information systems to determine whether the controls are effective in their application.
(ii) develop and implement plans of action to correct deficiencies and to reduce or eliminate vulnerabilities in the organization's information systems.
(iii) authorize the operation of the organization's information systems and of any connections to related information systems.
(iv) monitor the information system security controls on an ongoing basis to ensure their continued effectiveness.
Configuration Management:
(i) establish and maintain baseline configurations and inventories of the organization's information systems (including hardware, software, firmware and documentation) throughout the respective system development life cycles.
(ii) establish and enforce security configuration settings for the IT products used in the organization's information systems.
Contingency Planning:
Establish, maintain and implement plans for emergency response, backup operations and post-disaster recovery for the organization's information systems, to ensure the availability of critical information resources and continuity of operations in emergency situations.
Identification and Authentication:
Identify information system users, processes acting on behalf of users, or devices, and authenticate (or verify) the identities of those users, processes or devices as a prerequisite to allowing access to the organization's information systems.
Incident Response:
(i) establish an operational incident handling capability for the organization's information systems that includes adequate preparation, detection, analysis, containment, recovery and user response activities.
(ii) track, document and report incidents to appropriate organizational officials and/or authorities.
Maintenance:
(i) perform periodic and timely maintenance of the organization's information systems.
(ii) provide effective controls on the tools, techniques, mechanisms and personnel used to conduct information system maintenance.
Physical and Environmental Protection:
(i) limit physical access to information systems, equipment and the respective operating environments to authorized individuals.
(ii) protect the physical plant and support infrastructure for information systems.
(iii) provide supporting utilities for information systems.
(iv) protect information systems against environmental hazards.
(v) provide appropriate environmental controls in facilities containing information systems.
Planning:
Develop, document, periodically update and implement security plans for the organization's information systems that describe the security controls in place or planned for those systems and the rules of behaviour for individuals accessing them.
Personnel Security:
(i) ensure that individuals occupying positions of responsibility within the organization (including third-party service providers) are trustworthy and meet the established security criteria for those positions.
(ii) ensure that the organization's information and information systems are protected during and after personnel actions such as terminations and transfers.
(iii) apply formal sanctions to personnel who fail to comply with the organization's security policies and procedures.
Risk Assessment:
Periodically assess the risk to the organization's operations (including mission, functions, image or reputation), the organization's assets and individuals, resulting from the operation of the organization's information systems and the associated processing, storage or transmission of organizational information.
System and Communications Protection:
(i) monitor, control and protect organizational communications (i.e. information transmitted or received by the organization's information systems) at the external boundaries and key internal boundaries of those information systems.
(ii) employ architectural designs, software development techniques and systems engineering principles that promote effective information security within the organization's information systems.
System and Information Integrity:
(i) identify, report and correct information and information system flaws in a timely manner.
(ii) provide protection against malicious code at appropriate locations within the organization's information systems.
(iii) monitor information system security alerts and advisories and take appropriate action in response.
Each of the functional areas can contain both technical IT security measures and management measures.
The functional areas that primarily require technical IT security measures include access control, identification and authentication, system and communications protection, and system and information integrity. Functional areas that primarily involve management controls and procedures include awareness and training; audit and accountability; certification, accreditation and security assessments; contingency planning; maintenance; physical and environmental protection; planning; personnel security; risk assessment; and system and services acquisition.
Functional areas that overlap with technical computer security measures and managerial controls include configuration management, incident response, and media protection.
Note that most of the functional requirement areas in FIPS PUB 200 are primarily management, or at least have a significant management component, as opposed to pure software or hardware solutions. This may be new to some readers and is not found in many books on computer and information security. But as one computer security expert noted, "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology" [SCHN00].
This article reflects the need to combine technical and managerial approaches to achieve effective computer security.
FIPS PUB 200 provides a useful overview of the major problem areas, both technical and administrative, related to computer security. This article attempts to cover all of these areas.