
June 2001

ENGINEERING PRINCIPLES FOR INFORMATION TECHNOLOGY SECURITY
By Gary Stoneburner, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology

In June 2001, ITL released NIST Special Publication (SP) 800-27, Engineering Principles for Information Technology Security (EP-ITS), by Gary Stoneburner, Clark Hayden, and Alexis Feringa. This bulletin presents an overview of the document.

Principle n. — A rule or standard, especially of good behavior.
American Heritage Dictionary

Engineering Principles for Information Technology (IT) Security (EP-ITS) provides a list of system-level security principles to be considered in the design, development, and operation of an information system. The EP-ITS principles can be used by:

■ Users when developing and evaluating functional requirements or when operating information systems within their organizations.
■ System Engineers and Architects when designing, implementing, or modifying an information system.
■ IT Specialists during all phases of the system life-cycle.
■ Program Managers and Information System Security Officers (ISSO) to ensure adequate security measures have been considered for all phases of the system life-cycle.

Background

Private businesses and government agencies, both foreign and domestic, are becoming increasingly reliant on information technology to fulfill many basic functions. Businesses are making changes simply to remain competitive in the changing global marketplace. Likewise, government agencies are seeking to provide better service to their citizens.

Seeking to support and guide these automation efforts, several private and public organizations have developed a number of explicit and implicit information system security principles. These security principles, in turn, have the potential to become an extensive canon for users, designers, and engineers to consider in designing information system security programs. EP-ITS seeks to compile and present many of these security principles into one, easy-to-use document for those concerned with information system security. In contrast to other organization-level efforts, the principles presented in EP-ITS are structured around a system-level, engineering approach.

Security Principles

These principles provide a foundation upon which a more consistent and structured approach to the design, development, and implementation of IT security capabilities can be constructed.

While the primary focus is the implementation of technical controls, these principles also highlight the fact that, to be effective, a system security design should also consider non-technical issues, such as policy, operational procedures, and user education.

The principles described here do not apply to all systems at all times. Yet each principle should be carefully considered throughout the life-cycle of every system. Moreover, because of the constantly changing information system security environment, the principles identified are not considered to be an inclusive list. Instead, as technology improves and security techniques are refined, additions, deletions, and refinement of these security principles will be required.

ITL Bulletins are published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST). Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis and are available from ITL Publications, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8901, Gaithersburg, MD 20899-8901, telephone (301) 975-2832. To be placed on a mailing list to receive future bulletins, send your name, organization, and business address to this office. You will be placed on this mailing list only.

Bulletins issued since December 1999

❐ Operating System Security: Adding to the Arsenal of Security Techniques, December 1999
❐ Guideline for Implementing Cryptography in the Federal Government, February 2000
❐ Security Implications of Active Content, March 2000
❐ Mitigating Emerging Hacker Threats, June 2000
❐ Identifying Critical Patches with ICAT, July 2000
❐ Security for Private Branch Exchange Systems, August 2000
❐ XML Technologies, September 2000
❐ An Overview of the Common Criteria Evaluation and Validation Scheme, October 2000
❐ A Statistical Test Suite for Random and Pseudorandom Number Generators For Cryptographic Applications, December 2000
❐ What Is This Thing Called Conformance? January 2001
❐ An Introduction to IPsec (Internet Protocol Security), March 2001
❐ Biometrics – Technologies For Highly Secure Personal Authentication, May 2001
Table 1: EP-ITS Engineering Principles
Principle 1. Establish a sound security policy as the “foundation” for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies.
Principle 4. Reduce risk to an acceptable level.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of
operational effectiveness.
Principle 7. Implement layered security (Ensure no single point of vulnerability.).
Principle 8. Implement tailored system security measures to meet organizational security goals.
Principle 9. Strive for simplicity.
Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response.
Principle 11. Minimize the system elements to be trusted.
Principle 12. Implement security through a combination of measures distributed physically and logically.
Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats.
Principle 14. Limit or contain vulnerabilities.
Principle 15. Formulate security measures to address multiple overlapping information domains.
Principle 16. Isolate public access systems from mission critical resources (e.g., data, processes, etc.).
Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures.
Principle 18. Where possible, base security on open standards for portability and interoperability.
Principle 19. Use common language in developing security requirements.
Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.
Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology
upgrade process.
Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across
domains.
Principle 23. Use unique identities to ensure accountability.
Principle 24. Implement least privilege.
Principle 25. Do not implement unnecessary security mechanisms.
Principle 26. Protect information while being processed, in transit, and in storage.
Principle 27. Strive for operational ease of use.
Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.
Principle 29. Consider custom products to achieve adequate security.
Principle 30. Ensure proper security in the shutdown or disposal of a system.
Principle 31. Protect against all likely classes of “attacks.”
Principle 32. Identify and prevent common errors and vulnerabilities.
Principle 33. Ensure that developers are trained in how to develop secure software.
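As an added illustration, not part of SP 800-27 or of this bulletin, the Python sketch below shows how Principles 20, 22, 23 and 24 from Table 1 combine in a single access-control decision: the caller must already be authenticated and carry a unique identity, permissions are granted per role with everything not granted denied (least privilege), and every decision is written to an audit trail that can be searched for unauthorized use. The roles, permissions, identities and the `authorize` / `denied_attempts` helpers are constructed for the example and are not taken from any NIST document.

```python
"""Added example: deny-by-default authorization with an audit trail.

Illustrates EP-ITS Principles 20 (audit), 22 (authenticate users and
processes), 23 (unique identities) and 24 (least privilege). All names
and data are hypothetical, constructed for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Principle 24: each role holds only the (action, resource) pairs it needs.
# A pair that is not listed is denied; there is no implicit "allow".
ROLE_PERMISSIONS = {
    "clerk":   {("read", "invoices")},
    "auditor": {("read", "invoices"), ("read", "audit-log")},
    "admin":   {("read", "invoices"), ("write", "invoices"),
                ("read", "audit-log")},
}


@dataclass
class Principal:
    user_id: str          # Principle 23: a unique, never-shared identity
    role: str
    authenticated: bool   # Principle 22: outcome of a prior authentication step


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user_id, action, resource, allowed, reason):
        # Principle 20: every decision, allowed or denied, is recorded with
        # who, what, when and why, so investigations can reconstruct events.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "resource": resource,
            "decision": "ALLOW" if allowed else "DENY",
            "reason": reason,
        })


def authorize(principal, action, resource, log):
    """Return True only when an authenticated, uniquely identified principal
    holds an explicit grant for (action, resource). Logs every decision."""
    if not principal.authenticated:
        log.record(principal.user_id, action, resource, False,
                   "not authenticated")
        return False
    allowed = (action, resource) in ROLE_PERMISSIONS.get(principal.role, set())
    reason = "explicit grant" if allowed else "no grant for role (deny by default)"
    log.record(principal.user_id, action, resource, allowed, reason)
    return allowed


def denied_attempts(log):
    """Unauthorized-use detection over the audit log (Principle 20):
    returns (user, action, resource) for every denied decision, in order."""
    return [(e["user"], e["action"], e["resource"])
            for e in log.entries if e["decision"] == "DENY"]


if __name__ == "__main__":
    log = AuditLog()
    alice = Principal("alice", "clerk", authenticated=True)
    print(authorize(alice, "read", "invoices", log))    # True: explicit grant
    print(authorize(alice, "write", "invoices", log))   # False: clerk cannot write
    mallory = Principal("mallory", "admin", authenticated=False)
    print(authorize(mallory, "write", "invoices", log))  # False: never authenticated
    for attempt in denied_attempts(log):
        print("denied:", attempt)
```

The deny-by-default lookup is the whole of the least-privilege decision: adding a capability means adding a grant, and an unknown role or an unauthenticated caller falls through to a refusal that is still logged, which is what makes the audit trail useful for detecting probing rather than only confirming successful access.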
Principle Applicability to System Life-Cycle Phase

The five life-cycle planning phases used are defined in NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems:

■ Initiation Phase
■ Development/Acquisition Phase
■ Implementation Phase
■ Operation/Maintenance Phase
■ Disposal Phase.

In an effort to associate each principle with the relevant life-cycle planning phase(s), Table 2 summarizes the relationship between the 33 principles and the life-cycle phases to which they apply. The table identifies each life-cycle phase, and "check marks" are used to indicate if the principle should be considered or applied during the specified phase. One check "✔" signifies the principle can be used to support the life-cycle phase, and two checks "✔✔" signifies the principle is key to successful completion of the life-cycle phase.

Table 2: Principle versus Life-Cycle Phases

Life-Cycle Applicability
Principle   Initiation   Devel/Acquis   Implement   Oper/Maint   Disposal
1    ✔✔ ✔ ✔ ✔ ✔
2    ✔✔ ✔✔ ✔✔ ✔✔ ✔
3    ✔✔ ✔✔ ✔ ✔
4    ✔✔ ✔✔ ✔✔ ✔✔ ✔✔
5    ✔✔ ✔✔ ✔✔ ✔✔ ✔
6    ✔✔ ✔✔ ✔✔
7    ✔ ✔✔ ✔ ✔✔ ✔
8    ✔ ✔✔ ✔ ✔✔ ✔
9    ✔ ✔✔ ✔ ✔✔
10   ✔ ✔✔ ✔✔
11   ✔ ✔✔ ✔ ✔✔
12   ✔✔ ✔ ✔ ✔
13   ✔ ✔✔ ✔ ✔✔ ✔
14   ✔✔ ✔ ✔
15   ✔ ✔✔ ✔ ✔
16   ✔ ✔✔ ✔ ✔
17   ✔✔ ✔ ✔✔
18   ✔ ✔✔ ✔
19   ✔✔ ✔✔ ✔✔
20   ✔ ✔✔ ✔✔ ✔
21   ✔✔ ✔ ✔✔
22   ✔ ✔ ✔ ✔✔
23   ✔ ✔ ✔ ✔✔
24   ✔ ✔ ✔ ✔✔
25   ✔ ✔✔ ✔✔ ✔ ✔
26   ✔ ✔✔ ✔ ✔✔ ✔
27   ✔ ✔✔ ✔ ✔✔
28   ✔ ✔ ✔ ✔✔
29   ✔ ✔✔ ✔ ✔
30   ✔ ✔ ✔✔
31   ✔ ✔✔ ✔✔ ✔ ✔
32   ✔✔ ✔✔
33   ✔✔ ✔✔ ✔

(Rows with fewer than five marks have one or more blank cells; the column positions of those blanks are not preserved in this text rendering of the table.)

Who we are

The Information Technology Laboratory (ITL) is a major research component of the National Institute of Standards and Technology (NIST) of the Technology Administration, U.S. Department of Commerce. We develop tests and measurement methods, reference data, proof-of-concept implementations, and technical analyses that help to advance the development and use of new information technology. We seek to overcome barriers to the efficient use of information technology, and to make systems more interoperable, easily usable, scalable, and secure than they are today. Our web site is http://www.itl.nist.gov/.
Summary

Now, more than ever, IT security is a critical element throughout the system life-cycle. Security must be incorporated and addressed from the initial planning and design phases to disposal of the system. Without proper attention to security, an organization's information technology can become a source of significant mission risks. With careful planning from the earliest stages, however, security becomes an enabler, supporting and helping to achieve the organization's mission.

As security awareness becomes a way of life within an organization, people at all levels, and roles in the system life-cycle, should have access to easily understood guidance. From users to system administrators and program managers, everyone should have a basic understanding of the security principles governing the system they are using, maintaining, or designing and developing.

EP-ITS provides a starting point. The principles it contains are derived from a number of national and international documents, as well as from the experience of the scientists at NIST. It is hoped that these principles will contribute to improved IT security in any organization.

The complete NIST SP 800-27 document is available at http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf.

ITL Bulletins Via E-Mail

We now offer the option of delivering your ITL Bulletins in ASCII format directly to your e-mail address. To subscribe to this service, send an e-mail message from your business e-mail account to listproc@nist.gov with the message subscribe itl-bulletin, and your name, e.g., John Doe. For instructions on using listproc, send a message to listproc@nist.gov with the message HELP. To have the bulletin sent to an e-mail address other than the From address, contact the ITL editor at 301-975-2832 or elizabeth.lennon@nist.gov.

Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

