ML20050A649

| Person / Time | |
|---|---|
| Issue date: | 10/05/1978 |
| From: | Donoghue D NRC OFFICE OF ADMINISTRATION (ADM) |
| To: | NRC |
| Shared Package: | ML20050A634 |
| References: | FOIA-81-409 NUDOCS 8204010539 |
| Download: | ML20050A649 (2) |
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

October 5, 1978
MEMORANDUM FOR: NRC Directors of Headquarters Offices and Divisions

FROM: Daniel J. Donoghue, Director, Office of Administration

SUBJECT: SECURITY OF AUTOMATIC DATA PROCESSING SYSTEMS
The Office of Management and Budget, Executive Office of the President, issued Circular No. A-71, Transmittal Memorandum No. 1, on July 27, 1978, to the heads of Executive Departments and Establishments, entitled "Security of Federal Automated Information Systems." This directive requires the development and implementation of computer security programs for all personal, proprietary or other sensitive data in automated systems, not subject to national security regulations, which is processed in-house and commercially.
"Sensitive data" is defined in Circular A-71 as follows:

"Sensitive data is data which requires a degree of protection due to the risk and magnitude of loss or harm which could result from inadvertent or deliberate disclosure, alteration, or destruction of the data (e.g., personal data, proprietary data)."
We plan to develop procedures applicable to this data and will circulate them to you for comment or concurrence.
While we recognize the Office of Inspector and Auditor (OIA) requested some of this information by memorandum dated May 11, 1978, entitled "Review of Automatic Data Processing (ADP) Resources and Requirements," we believe it is necessary to supplement that information with some additional information. If you desire, you can refer to information previously furnished OIA provided the information is still current and accurate.
In order that we may develop and implement a computer security program for the NRC systems which process personal, proprietary or other sensitive data, it is requested that you furnish us the following information:
CONTACTS:
C. L. Burch, SEC, 42-74406
J. B. Winningham, ADPS, 49-28304
1. Identify each computer system processing such data and indicate what type of information is processed for your office or division. For example, "The computer system is a Data General Eclipse C-330 which is used by this office to process personal payroll data."

2. Indicate the location of all equipment (input-output and processing) which your office or division uses for processing personal, proprietary or other sensitive data by computer.

3. Summarize, if known, the security measures applicable to the computer system, including its physical, administrative and technical security measures.

4. Provide the name, title and telephone number of the person to be contacted for additional information regarding the computer system(s).
If your office or division does not use a computer system to process personal, proprietary or other sensitive data, a reply to that effect would be appreciated.
We would appreciate a reply to this memorandum by October 20, 1978.
Daniel J. Donoghue, Director
Office of Administration
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555
OFFICE OF THE CHAIRMAN

April 12, 1979

The Honorable Jack Brooks, Chairman
Committee on Government Operations
United States House of Representatives
Washington, D.C. 20515
Dear Mr. Chairman:
In accordance with Section 236 of the Legislative Reorganization Act of 1970, the U.S. Nuclear Regulatory Commission (NRC) is hereby submitting a statement on the Commission actions being taken with regard to the recommendations made by the U.S. General Accounting Office (GAO) in a report entitled, "Automated Systems Security -- Federal Agencies Should Strengthen Safeguards Over Personal and Other Sensitive Data." A discussion of the NRC's Computer Security Program and specific responses to each of the GAO recommendations as they pertain to the NRC are enclosed.
Sincerely,
Joseph M. Hendrie
Chairman

Enclosures:
- 1. The NRC Computer Security Program
- 2. Response to the GAO Recommendations
- 3. NRC Manual Chapter 2101, "NRC Security Program"

cc: The Honorable Frank Horton
IDENTICAL LETTERS SENT TO:

Sen. Abraham Ribicoff, Chairman, Committee on Governmental Affairs
cc: Sen. Charles A. Percy

Sen. Gary Hart, Chairman, Subcommittee on Nuclear Regulation
cc: Sen. Alan Simpson

Rep. Morris K. Udall, Chairman, Subcommittee on Energy and the Environment
cc: Steven D. Symms

Rep. John D. Dingell, Chairman, Subcommittee on Energy and Power
cc: Rep. Clarence J. Brown

Elmer B. Staats, Comptroller General of the U.S.

James T. McIntyre, Jr., Director, OMB
THE NRC COMPUTER SECURITY PROGRAM
The Office of Administration of the Nuclear Regulatory Commission (NRC) was assigned, in November 1976, the responsibility for agency-wide planning, coordination, control and support services for automatic data processing (ADP) in order to strengthen the NRC organization for compliance with OMB Circular A-71.
Until recently, the NRC, as a relatively new agency, had no in-house computer capability and relied almost exclusively on the use of computers, via remote terminals, at other government agencies to perform its ADP operations in accordance with procedures established by those agencies.
In addition, some policies and procedures for the storage and handling of source documents and data were developed for the protection of personal, proprietary and other sensitive data. For example, NRC Manual Chapter 0204, "Privacy Act," was issued to implement the provisions of the Privacy Act of 1974 (5 U.S.C. 552a) to control the dissemination of personal information about individuals.
At the same time, a secure ADP system using remote job entry techniques was developed and installed at one of the NRC Headquarters facilities to permit the transmission and receipt by cryptographic means of National Security Information (NSI) to and from a secure ADP facility at the Department of Energy, Oak Ridge, Tennessee.
The secure facility has been used both for the protection of NSI as well as other sensitive data. Policies and procedures related to the protection of NSI in an ADP system have been issued and are contained in NRC Manual Chapter 2101, "NRC Security Program," primarily Part XII, "Security of Automatic Data Processing Systems."
A copy of this NRC Manual Chapter is enclosed.
A variety of factors led to the initiation in January 1979 of an Information Technology Management Plan Task Force. The factors prompting the initiation of the Task Force include: the receipt of OMB Circular A-71, Transmittal Memorandum No. 1, and the proposed revision to Circular A-71; the recent acquisition of four Data General C-330 minicomputers; the intention that the acquired minicomputers will process personal, proprietary or other sensitive data; and the desire of NRC management to assure that a comprehensive approach is taken within NRC on all aspects of information technology management including resources and applications.
Although the NRC has a computer security program for classified information, we recognize the need for a more comprehensive computer security program for personal, proprietary and other sensitive data and have taken actions to develop and implement such a program.

A response to each of the GAO recommendations follows.
NRC RESPONSE TO THE GAO RECOMMENDATIONS

GAO Recommendation Number 1

Establish an automated systems security administration organization with independence from computer operations. This organization should report directly to or through a principal official who reports directly to the agency head, and it should have authority to discharge the enumerated responsibilities of agency heads as outlined in OMB Circular A-71, TM-1.
NRC Response

The Director of the Division of Security, who is independent from computer operations, is responsible for the overall NRC security program, including that relating to automated systems. The Director of Security reports to the Director of Administration who, in turn, reports directly to the Executive Director for Operations.
GAO Recommendation Number 2

Develop comprehensive computer data security programs in compliance with OMB Circular A-71 from the total systems perspective -- ensure that they provide for security of data in all media and in all stages of the data life-cycle -- and consider the need for controls from the perspective of all possible security threats at all locations involved with the agency's data.
NRC Response

The Division of Security, in coordination with affected NRC Offices and Divisions, will develop comprehensive computer data security programs and will consider the need for controls from the perspective of all possible security threats at all locations involved with the agency's data. For example, NRC Manual Chapter 0204, entitled "Privacy Act," already contains provisions under Part V.B, "Computer Security Safeguards," for the establishment of ADP safeguards sufficient to prevent careless, accidental or unintentional disclosure, modification or destruction of identifiable personal data.
GAO Recommendation Number 3

Assign to a specific group in the agency the task of ensuring that comprehensive computer data security plans and programs as developed will be documented, written, and disseminated to all activities and locations involved with the subject data, and that responsibilities for all provisions be clearly delineated. This definition of responsibility should encompass provision for implementing plans and programs further required of subordinate activities.
NRC Response

The Director, Division of Security, has been assigned the task of ensuring that comprehensive computer data security plans and programs, as developed, will be documented, written and disseminated to all activities and locations involved with subject data. This will be accomplished, in part, by the issuance of an Appendix to NRC Manual Chapter 2101, "NRC Security Program," entitled "Automated Systems Security of Personal, Proprietary and Other Sensitive Data."
GAO Recommendation Number 4

Require that security programs include a provision for monitoring and reporting to top management on the status and adequacy of the program, and evaluate its implementation and the effectiveness of safeguards, procedures, and other instruments of the program.
NRC Response

With respect to NRC classified information security programs, provisions already exist to monitor and report to top management on the status and adequacy of these programs. A new Manual Appendix, "Automated Systems Security of Personal, Proprietary and Other Sensitive Data," which was referenced earlier, will contain adequate provisions for monitoring and reporting to top management and for evaluating the safeguards, procedures and other instruments of the program. This task may precede or be an outgrowth of the Information Technology Management Plan previously mentioned.
GAO Recommendation Number 5

Anticipate training and indoctrination needs for raising expertise to the level required to implement requirements of their programs and of OMB.
NRC Response

The NRC has a comprehensive security training program that currently involves primarily classified information. Division of Security personnel have already attended the Department of Defense Computer Institute (DoDCI) and have participated in conferences, such as the Fifth Annual Computer Security Conference and Exhibition in 1978, to enhance their knowledge of computer security. However, additional training (e.g., in risk assessment) is planned for NRC personnel, with the cooperation of the Management Development and Training Staff.
The security training and indoctrination needs of NRC will be broadened to raise the expertise of all personnel to the level required to implement the requirements of Circular A-71, TM-1. The Division of Security will also be responsible for implementing the security training and indoctrination program to satisfy those requirements identified in the NRC Information Technology Management Plan.
GAO Recommendation Number 6

We recommend that heads of departments and agencies ensure that (1) periodic risk analysis be conducted for the selection of cost-effective safeguards, from the total systems perspective, and (2) this effort in their organizations be directed and monitored by an independent computer data security administration reporting directly to or through a principal official who reports directly to the agency head. Additionally, agencies' security plans should anticipate their increasing training needs, particularly for risk analysis, and make these needs known to the organizational level responsible for training.
NRC Response
The NRC has recognized the need for risk assessment to be done on a more consistent and formal basis, particularly with the acquisition of an in-house computer capability. As a consequence, an individual is being recruited to help perform that function.
The Division of Security will monitor NRC's risk analysis activities.
In addition, as noted earlier, members of the NRC organization have attended or will attend courses on risk assessment and on the security of ADP systems at such organizations as the DoDCI.

The increased training needs, particularly for risk analysis for computerized security systems and programs, have been made known to the Management Development and Training Staff. The NRC is in the process of identifying the resources that may be required to implement the additional security training programs.
GAO Recommendation Number 7

We recommend that department and agency heads assign priority to developing expertise in independent internal audit organizations which would allow internal audit to assume broader responsibilities for assisting management in control of computer and data resources. Also, we recommend that heads of departments and agencies make sure that internal audit plays a continuing role in assessing computer security programs and in participating in the design of information system controls over data confidentiality and integrity.
NRC Response
In order to develop expertise in the internal audit function which would allow NRC's internal audit organization, the Office of Inspector and Auditor (OIA), to assist management in the control of computer and data resources, some members of OIA have attended several courses involving computer security. In addition, OIA has joined the Audit Managers Subcommittee, Federal Audit Executive Council, which will be conducting monthly seminars on the various phases of auditing ADP in which OIA will participate. OIA has also identified other ADP training in which they will participate in the near future and will continue, on a priority basis, to develop their internal auditor's ADP expertise.

OIA has included computer security reviews as part of their ongoing audit of NRC's ADP resources and requirements in their work plan for the current and future years. These reviews will include computer operations as well as developed information systems. For new or contemplated information systems, OIA will participate on a continuing basis in security reviews during various stages of the development process. The purpose will be to ensure that the developers are considering data confidentiality and integrity during the design of the information systems. OIA will also, on a continuing basis, review and evaluate the adequacy of any feasibility studies which may be used for the new information systems or the procurement of new equipment.