OSE Inspection of Computer Security: Review

Year
1987
Author(s)
Edwin M. Jaehne - Jaehne Associates, Ltd.
Abstract
The inspection process within the Department of Energy (DOE) serves the function of analyzing and reporting on the performance of security measures and controls in specific areas at sites throughout DOE. Three aspects of this process are discussed based on experience in computer security: o Policy basis of performance inspections; o Role and form of standards and criteria in inspections; and o Conducting an inspection using the standards and criteria. Inspections are based on DOE and other applicable policy in each area. These policy statements have a compliance orientation in which the paper trail is often more clearly discernable than the security intention. The relationship of policy to performance inspections is discussed. To facilitate bridging the gap between the paper trail and the security intention defined by policy, standards and criteria were developed in each area. The consensus process and structure of the resulting product for computer security are discussed. Standards and criteria are inspection tools that support the site in preparing for an inspection and the inspector in conducting one. They form a systematic approach that facilitates consistency in the analysis and reporting of inspection results. Experience using the computer security standards and criteria is discussed.