COMPUTER SECURITY

Document Number (FOIA) /ESDN (CREST): CIA-RDP90G00993R000300270007-8
Release Decision: RIPPUB
Original Classification: S
Document Page Count: 4
Document Creation Date: December 23, 2016
Document Release Date: May 1, 2012
Sequence Number: 7
Publication Date: February 4, 1987
Content Type: MEMO
File: CIA-RDP90G00993R000300270007-8.pdf (201.62 KB)
Declassified in Part - Sanitized Copy Approved for Release 2012/05/01 : CIA-RDP90G00993R000300270007-8

4 FEB 1987

MEMORANDUM FOR: Deputy Director for Administration
Director of Security

SUBJECT: Computer Security

1. The Office of Security and the Office of Information Technology share common goals regarding the security of CIA information systems. Progress toward those goals is being jeopardized by continuing uncertainty and debate over basic responsibilities. This memorandum offers a plan to clear the air and get us moving forward together.

2. The Action Plan: We believe that the following actions should be taken to get CIA computer security activities back on track:

- Reaffirm the basic responsibilities of the D/OS and the D/OIT as set forth in the joint OS/OIT memorandum of understanding of 31 December 1985.
- Create a joint OS/OIT task force to revise the implementation plan contained in the MOU. Set a tight timetable for creation of a more detailed and more realistic action plan. If appropriate, issue a revised MOU.
- Raise the organizational rank of computer security activities in OS from Division to Group level to increase visibility and priority. Insure strong leadership.
- Ask the D/OS to audit budget submissions to insure that component needs for computer security are adequately addressed. This should be done in full cooperation with components.
- Direct the D/OS to prepare a comprehensive, agency-wide information security plan in consonance with overall CIA planning for information processing. This plan should be prepared by a working group composed of representatives from all involved components.
- Restore OS as a full member on the Information Systems Board.
- Strengthen CIA participation in community information security activities.

3. Background: As we sought to consolidate technical security activities in 1985, resolution of computer security responsibilities was one of our most difficult tasks. Earlier debate over the issue had resulted in the breakup of the former OS Information Systems Security Group (ISSG) into two components: the Information Security Group in OS and the Computer Security Group in OIT. For a multitude of reasons, the divided activity did not serve us well.

4. Dialogue between OS and OIT during the latter part of 1985 produced a joint Memorandum of Understanding (MOU), signed on 31 December 1985, that laid out a new working arrangement. (See attachment)

5. The key provisions of the 1985 MOU were:

a. A statement of common goals in protecting CIA information systems.
b. A recognition of the D/OS's responsibility to "develop and administer policy and doctrine" for information security.
c. A recognition of other central responsibilities of the D/OS in computer security.
d. A recognition of the D/OIT's responsibilities for the day-to-day security of CIA computer centers.
e. Specification of details of a plan to consolidate positions in OS to form a central computer security unit and to reallocate positions to form an expanded OIT computer security unit.
f. An assurance from OIT to allow OS access to OIT resources and to provide advice and consultation to OS.
g. An agreement to jointly review the threat to CIA information systems on an annual basis.
h. An agreement to work jointly to insure that adequate resources are allocated to computer security.

6. Just over a year has passed since the signing of the MOU and progress has been slow. We believe that the basic principles established in the MOU are still valid, but the implementation plan we laid out in the MOU (paragraph D) could have been better. We were probably too optimistic in our forecasts as to how quickly an expanded computer security unit could be established in OIT. Increased priority in OS and greater dialogue between the two offices might have produced faster results. Other details of the implementation plan may not have been practical. At the same time, leadership in OIT has changed and a move to place computer security under OIT's control is evident. Uncertainties at the working level are affecting progress. Dialogue between the offices is not what it should be.

7. We believe the secret to success in computer security will be to reaffirm the basic principles laid out in the MOU, reestablish a constructive dialogue between OS and OIT, and work out a practical new game plan for achieving our common goals.

8. The Basics: As with any other security discipline, computer security is a responsibility shared between OS and line components. The D/OS bears the central responsibility for formulating security policy, standards, and guidelines. He does this in consultation with line elements. He has established the Technical Security Policy Advisory Board, whose members are the Directors of offices involved in technical security, to assist him in formulating technical security policy.

9. It is the responsibility of line components to carry out policies established by the D/OS. They must institute appropriate procedures and monitor component activities on a daily basis to insure that security needs are met. They must plan for security in developmental activities and in operations and insure that adequate resources are available for security.

10. OS has assigned) (security officers at home and abroad to assist line components in carrying out security responsibilities. This force consists of security generalists, technical security personnel, and specialists such as polygraphers and protective officers. Representation is tailored to the needs of the component.

11. The D/OS must provide a check and balance on component security by continually assessing the state of security. He does this through the area officers and through special surveys and inspections. This is critical to insure that security is maintained at an appropriate level at all times, including those times when a component is faced with unusual operational demands and resource limitations.

12. The D/OS must also support line components by providing certain services of common concern, such as RDT&E, threat and vulnerability assessments, and training. He must help to insure that adequate resources are provided for security activities by planning, programming and budgeting for those resources not included in component programs.

13. We believe all of the above applies to computer security. We believe that, as provided in the MOU, the best solution to computer security is a strong, central unit in OS with strong, resident "area" computer security staffs to assist components in carrying out their computer security programs. OIT must have a robust staff to plan and monitor security activities and to insure that security is a component of developmental programs.

14. We continue to believe that we can provide the best personnel for computer security staffs through development and training in OS. We believe this to be true because computer security is one of the most complex security disciplines. It is not a "pure" security discipline. Some features are unique, involving very technical details of hardware and software. But many features involve linkages with other security disciplines: personnel security. Careful personnel selection, training and development is key.

15. It is important that we move with resolve to correct our present difficulties with computer security. We must work toward a solution which will not only solve today's problems, but will provide a foundation for the future. I hope you will give serious consideration to our action plan.

cc: D/OIT