System Certification and Accreditation

System certification is a formal methodology for comprehensive testing and documentation of information system security safeguards, both technical and nontechnical, in a given environment by using established evaluation criteria (the TCSEC).

Accreditation is an official, written approval for the operation of a specific system in a specific environment, as documented in the certification report. Accreditation is normally granted by a senior executive or Designated Approving Authority (DAA). The term DAA is used in the U.S. military and government. A DAA is normally a senior official, such as a commanding officer.

System certification and accreditation must be updated when any changes are made to the system or environment, and they must also be periodically re-validated, which typically happens every three years.

The certification and accreditation process has been formally implemented in U.S. military and government organizations as the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) and National Information Assurance Certification and Accreditation Process (NIACAP), respectively. These important processes are used to make sure that a new (or changed) system has the proper design and operational characteristics, and that it’s suitable for a specific task.

DITSCAP

The Defense Information Technology Security Certification and Accreditation Process (DITSCAP) formalizes the certification and accreditation process for U.S. DoD information systems through four distinct phases:

Definition: Security requirements are determined by defining the organization and system’s mission, environment, and architecture.

Verification: Ensures that a system undergoing development or modification remains compliant with the System Security Authorization Agreement (SSAA), which is a baseline security-configuration document.

Validation: Confirms compliance with the SSAA.

Post-Accreditation: Represents ongoing activities required to maintain compliance, and address new and evolving threats, throughout a system’s life cycle.

NIACAP

The National Information Assurance Certification and Accreditation Process (NIACAP) formalizes the certification and accreditation process for U.S. government national security information systems. NIACAP consists of four phases (Definition, Verification, Validation, and Post-Accreditation) that generally correspond to the DITSCAP phases. Additionally, NIACAP defines three types of accreditation:

Site accreditation: All applications and systems at a specific location are evaluated.

Type accreditation: A specific application or system for multiple locations is evaluated.

System accreditation: A specific application or system at a specific location is evaluated.

DCID 6/3

The Director of Central Intelligence Directive 6/3 is the process used to protect sensitive information that’s stored on computers used by the U.S. Central Intelligence Agency (CIA).

Prep Test

1 The four CPU operating states include all the following except

A. Operating

B. Problem

C. Wait

D. Virtual

2 A computer system that alternates execution of multiple subprograms on a single processor describes what type of system?

A. Multiprogramming

B. Multitasking

C. Multiuser

D. Multiprocessing

3 An address used as the origin for calculating other addresses describes

A. Base addressing

B. Indexed addressing

C. Indirect addressing

D. Direct addressing

4 The four main functions of the operating system include all the following except

A. Process management

B. BIOS management

C. I/O device management

D. File management

5 The total combination of protection mechanisms within a computer system, including hardware, firmware, and software, which is responsible for enforcing a security policy defines

A. Reference monitor

B. Security kernel

C. Trusted Computing Base

D. Protection domain

6 A system that continues to operate following failure of a network component describes which type of system?

A. Fault-tolerant

B. Fail-safe

C. Fail-soft

D. Failover

7 Which of the following access control models addresses availability issues?

A. Bell-LaPadula

B. Biba

C. Clark-Wilson

D. None of the above

8 The four basic control requirements identified in the Orange Book include all the following except

A. Role-based access control

B. Discretionary access control

C. Mandatory access control

D. Object reuse

9 The purpose of session management in a web application is

A. To prevent Denial of Service attacks

B. To collect session-based security metrics

C. To control the number of concurrent sessions

D. To protect sessions from unauthorized access

10 Which of the following ITSEC classification levels is equivalent to TCSEC level B3?

A. E3

B. E4

C. E5

D. E6

Answers

1 D. Virtual. The four CPU operating states are operating (or run), problem (or application), supervisory, and wait. Review “CPU.”

2 B. Multitasking. A multiprogramming computer alternates execution of multiple programs on a single processor. A multiuser computer supports several users. A multiprocessing computer executes multiple programs on multiple processors. Review “CPU.”

3 A. Base addressing. Indexed addressing specifies an address relative to an index register. Indirect addressing specifies the address of the desired location. Direct addressing specifies the desired location. Review “Memory.”

4 B. BIOS management. The four main functions of an OS are process management, I/O device management, memory management, and file management. The system BIOS operates independently of the OS. Review “Software.”

5 C. Trusted Computing Base. A reference monitor enforces access controls on an object. A security kernel implements the reference monitor concept. A protection ring is a security concept that implements the principle of least privilege. Review “Trusted Computing Base (TCB).”

6 A. Fault-tolerant. A fail-safe system terminates program execution. A fail-soft system continues functioning in a degraded mode. A failover system automatically switches to a hot backup. Review “Recovery procedures.”

7 D. None of the above. Bell-LaPadula addresses confidentiality issues. Biba and Clark-Wilson address integrity issues. Review “Access Control Models.”

8 A. Role-based access control. The four basic control requirements identified in the Orange Book are discretionary access control, mandatory access control, object reuse, and labels. Review “Trusted Computer System Evaluation Criteria (TCSEC).”

9 D. To protect sessions from unauthorized access. Session management, usually implemented through cookies, hidden variables, or URL variables, is used to track individual application user sessions. Review “Vulnerabilities in security architectures.”

10 C. E5. E3 is equivalent to TCSEC level B1, E4 to B2, and E6 to A1. Review “European Information Technology Security Evaluation Criteria (ITSEC).”
