Controls and Protections
To protect hardware, software and media resources from:
- Threats in an operating environment
- Internal or external intruders
- Operators who are inappropriately accessing resources

Categories of Controls:
- Preventative Controls: Are designed to lower the amount and impact of unintentional errors entering the system and to prevent unauthorized intruders from accessing the system internally or externally.
- Detective Controls: Are used to detect an error once it has occurred.
- Corrective Controls / Recovery Controls: Are implemented to mitigate the impact of a loss event through data recovery procedures.
- Deterrent Controls / Directive Controls: Are used to encourage compliance with external controls.
- Application Controls: Are the controls designed into a software application to minimize and detect the software's operational irregularities.
- Transaction Controls: Are used to provide control over the various stages of a transaction. Types of controls are: input, processing, output, change and test controls.

Orange Book Controls:
Operational assurance:
- System architecture
- System integrity
- Covert channel analysis
- Trusted facility management
- Trusted recovery

Life cycle assurance:
- Security testing
- Design specification and testing
- Configuration management
- Trusted distribution

Covert channel analysis:
- B2: The system must protect against covert storage channels. It must perform covert channel analysis for all covert storage channels.
- B3 and A1: The system must protect against both covert storage and covert timing channels. It must perform a covert channel analysis for both types.

Trusted Facility Management:
- B2: Systems must support separate operator and system administrator roles.
- B3 and A1: Systems must clearly identify the functions of the security administrator to perform the security-related functions.