FIPS PUB 73 : 0

Withdrawn

A withdrawn standard is one that has been removed from sale and whose unique number can no longer be used. A standard can be withdrawn and not replaced, or it can be withdrawn and replaced by a standard with a different number.

GUIDELINE FOR SECURITY OF COMPUTER APPLICATIONS

Available format(s)

PDF

Withdrawn date

08-02-2005

1. INTRODUCTION
2. SECURITY OBJECTIVES AND VULNERABILITIES
   2.1 Integrity, Confidentiality and Availability
   2.2 Accidental and Deliberate Events
   2.3 Examples of Sensitive Applications
       2.3.1 Applications Providing General Processing Support
       2.3.2 Funds Disbursement, Accounting, Asset Management Systems
       2.3.3 General-Purpose Information Systems
       2.3.4 Automated Decisionmaking Systems
       2.3.5 Real-Time Control Systems
       2.3.6 System Affecting National Security or Well-Being
   2.4 Vulnerabilities
3 BASIC CONTROLS
  3.1 Data Validation
      3.1.1 Consistency and Reasonableness Checks
      3.1.2 Validation During Data Entry
      3.1.3 Validation During Processing
      3.1.4 Data Elements Dictionary/Directory
      3.1.5 Management Considerations
  3.2 User Identity Verification
      3.2.1 Requirements for Identity Verification
      3.2.2 Basic Techniques
      3.2.3 Management Considerations
  3.3 Authorization
      3.3.1 Authorization Schemes
      3.3.2 Delegation of Authority
      3.3.3 Protecting the Authorization Data
      3.3.4 Authorization Schemes for Confidential Data
      3.3.5 Management Considerations
  3.4 Journalling
      3.4.1 Contents of the Journal
      3.4.2 The Journal as Legal Evidence
      3.4.3 Management Considerations
  3.5 Variance Detection
      3.5.1 Management Inspection of Event Journals
      3.5.2 External Variance Detection Methods
      3.5.3 Response to Variances
      3.5.4 Dynamic Monitoring
      3.5.5 Management Considerations
  3.6 Encryption
      3.6.1 Encrypting Computer Communications
      3.6.2 Encrypting Off-Line Storage
      3.6.3 Encrypting On-Line Files
      3.6.4 Management Considerations
4 SELECTION OF CONTROLS THROUGHOUT THE SYSTEM LIFE CYCLE
  4.1 The Application System Life Cycle
  4.2 Improving Security for Existing Applications
  4.3 Auditor Involvement in the System Life Cycle
5 PLANNING FOR SECURITY DURING THE INITIATION PHASE
  5.1 Security Feasibility
      5.1.1 Source Data Accuracy
      5.1.2 User Identity Verification
      5.1.3 Restricted Interfaces
      5.1.4 Separation of Duties
      5.1.5 Facility Security
  5.2 Initial Assessment of Risks
      5.2.1 Impact of Major Failures
      5.2.2 Frequency of Major Failures
6 BUILDING IN SECURITY DURING THE DEVELOPMENT PHASE
  6.1 Definitions of Security Requirements
      6.1.1 Applications System Interfaces
      6.1.2 Responsibilities Associated with Each Interface
      6.1.3 Separation of Duties
      6.1.4 Sensitive Objects and Operations
      6.1.5 Error Tolerance
      6.1.6 Availability Requirements
      6.1.7 Requirements for Basic Controls
      6.1.8 Management Considerations
  6.2 Designing for Security
      6.2.1 Unnecessary Programming
      6.2.2 Restricted User Interfaces
      6.2.3 Human Engineering
      6.2.4 Shared Computer Facilities
      6.2.5 Isolation of Critical Code
      6.2.6 Backup and Recovery
      6.2.7 Use of Available Controls
      6.2.8 Design Review
  6.3 Programming Practices for Security
      6.3.1 Peer Review
      6.3.2 Program Library
      6.3.3 Documentation of Security-Related Code
      6.3.4 Programmer Association with Operational System
      6.3.5 Redundant Computation
      6.3.6 Program Development Tools
  6.4 Test and Evaluation of Security Software
      6.4.1 Test Plan
      6.4.2 Static Evaluation
      6.4.3 Dynamic Testing
7 PRESERVING SECURITY DURING OPERATIONS
  7.1 Control of Data
      7.1.1 Input Verification
      7.1.2 Data Storage Management
      7.1.3 Output Dissemination Control
  7.2 Employment Practices
      7.2.1 Hiring Procedures
      7.2.2 Assignment Procedures
      7.2.3 Termination Procedures
  7.3 Security Training
      7.3.1 Task Training
      7.3.2 Security Awareness Training
  7.4 Response to Security Variances
  7.5 Software Modification and Hardware Maintenance
      7.5.1 Modification of Software
      7.5.2 Maintenance of Hardware
  7.6 Contingency Planning
      7.6.1 Identification of Critical Functions
      7.6.2 Alternate Site Operations
      7.6.3 Manual Replacement of Limited Processing
      7.6.4 Backup of Data
      7.6.5 Recovery of Data
      7.6.6 Restoration of the Facility
REFERENCES AND ADDITIONAL READINGS

Describes methods and techniques that can reduce the hazards associated with computer applications.

Committee: AREA IPSC
Development Note: NOTICE OF WITHDRAWAL. (01/2008)
Document Type: Standard
Pages: 60
Publisher Name: US Military Specs/Standards/Handbooks
Status: Withdrawn

BS IEC 62055-41:2014 Electricity metering. Payment systems Standard transfer specification (STS). Application layer protocol for one-way token carrier systems
13/30284056 DC : 0 BS EN 62055-41 - ELECTRICITY METERING - PAYMENT SYSTEMS - PART 41: STANDARD TRANSFER SPECIFICATION (STS) - APPLICATION LAYER PROTOCOL FOR ONE-WAY TOKEN CARRIER SYSTEMS
IEC 62055-41:2014 RLV Electricity metering – Payment systems – Part 41: Standard transfer specification (STS) – Application layer protocol for one-way token carrier systems
IEC 62055-41:2018 RLV Electricity metering - Payment systems - Part 41: Standard transfer specification (STS) - Application layer protocol for one-way token carrier systems
IEC 62055-41 REDLINE : 3ED 2018 ELECTRICITY METERING - PAYMENT SYSTEMS - PART 41: STANDARD TRANSFER SPECIFICATION (STS) - APPLICATION LAYER PROTOCOL FOR ONE-WAY TOKEN CARRIER SYSTEMS
