Text

.

v,

• e' I

[o* ** cq o UNIT ED STATES E'%

i NUCLEAR REGULATORY COMMISSION

$,*,hWg /g, j W ASHING TON, D. C,70555

e.,w 4

ghyl7'f

• ee MEMORANDUM FOR:

File 7.20

'THRU:

Calvin L. Burch, Chief

/'

Facilities and Systems g jfp e/f and Security Branch Division of Security FROM:

Chad M. Pfleger Summer Technical Intern o

Facilities and Systems and Security Branch

SUBJECT:

VISITTONATIONALiNSTITUTEOFHEALTH(NIH) COMPUTER CENTER l

On Wednesday, August 8,1979 three members of FSSB (e.g., Messrs. M. Richard Harris, Richard Finger and the writer) met with National Institute of Health (NIH) computer staff personnel.(e.g., Messrs. Jim Oberthqler, Wes Farmer, Bob Mamyck and Ms. Francis Halverson) in Building 12-A. Mr. Oberthaler and -

Ms. Halverson represented software security and Mr. Farmer and Mr. Mamyek represented physical security. The meeting was basically used as a tool to understand security measures taken to protect flRC sensitive data at the NIH computer center.

Although this meeting did not involve an investigation of the NIH computer system, it did help FSSB understand how NIH does process sensitive data.-

Firstly, keywords are used to protect data from unauthorized user access, who must have in addition to the keyword, account numbers and user initials.

This keyword can be changed without notifying the NIH computer center and is known only to the authorized users. NIH personnel further noted that it would be much easier for an unauthorized user to gain access to these key-words at a remote terminal,rather than at the NIH computer center.

If an unauthorized user tried to make an "end run" directly to NIH to gain access they would have to gain access into the system, know the name of the data set used,.know what program language to use and have access to keywords.

Therefore, it would be much easier for someone to find keywords and an account number at a remote terminal that someone had lef t turned on or unsecured.

According to NIH personnel, it is up to the individual user (i.e., NRC) to decide if proper protection is being used on their data at NIH. Further, NRC will have to decide exactly what material in the NIH center is sensitive and protected and what is not sensitive. At present NRC has not evaluated material in the NIH center for this purpose.

Further, protection for one agency's sensitive information is not always the best for many other users who want a fast turn-around time.

A special security package would not be 0204010526 511E04 in cost and provided fast turn-around time.

^

PDR FOIA SHEARER 81-409 PDR

=. -

file 7.20

• Physical security measures at flIH are weak but have been recognized and up-grading measures are being taken. Plans for a magnetic card system which 1

will enable only authorized users access to their own output which will be placed in separately locked boxes. Also a magnetic card system is being

[

considered for the main building doors to control access aftar hours.

l

(

It was suprising to learn that little was known by flIH personnel of OMB Circular A-71.

The flIH personnel, however, were very cooperative. As the

!!RC program for the protection of sensitive information developps and better defined protective measures are required, a more intense study of flIH may reveal the need to remove such sensitive programs for the flIH computer system.

Chad M. Pfleger Summer Technical Intern Facilities and Systems Security Branch

J 1

i j

i 3

9 1

1 9

e

[

g 9J i

9 8

g 6

e 1.

e e

9

,-v

--y

,,.,.m

-,, y

--c1..

--wp-

.w.

w--

,,y,,

-- --- -, -