Texas Security and Risk Management

9.0 Data Communication Systems

Copyright(c), 1995 - Management Analytics - All Rights Reserved

A communication network, including local and wide area networks and distributed processing architectures, enables the transfer of data among users, hosts, applications, and intermediate facilities. During transfer, data is particularly vulnerable to either unintentional or deliberate access or alteration.

Custodians of information should, in cooperation with the owners of the information, establish and maintain security controls to detect unauthorized attempts (successful or otherwise) to access or modify data via a communication network. Each agency having ownership responsibility for automated information should establish follow-up procedures to investigate such incidents once they are reported by the custodian.

9.1 General Network Controls

STANDARD. Network resources participating in the access of confidential information shall assume the confidentiality level of that information for the duration of the session. Controls shall be implemented commensurate with the highest risk.

STANDARD. All network components under state control must be identifiable and restricted to their intended use.


9.2 Distributed Network Access Security

State owned or leased network facilities and host systems are state assets. Their use should be restricted to authorized users and purposes. Where public users are authorized access to networks or host systems, these public users as a class must be clearly identifiable and restricted to only services approved for public functions. State employees who have not been assigned a user identification code and means of authenticating their identity to the system are not distinguishable from public users and should not be afforded broader access.

STANDARD. Owners of distributed information resources served by distributed networks shall prescribe sufficient controls to ensure that access to those resources is restricted to authorized users and uses only. These controls shall selectively limit services based on:


9.3 Application Security

STANDARD. Network access to an application containing confidential or sensitive data, and data sharing between applications, shall be as authorized by the application owners and shall require authentication.


9.4 Adapting Policies and Procedures

State programs and supporting computer applications frequently undergo modifications that may affect an existing security system. To ensure that security issues are considered when changes do occur, system documentation should address the impact modifications may have on the existing security system. Agency security policies and procedures should ensure that the security system and its supporting documentation are periodically reviewed and, if need be, corrective action is planned for and implemented.

The agency's internal security policies and procedures should be reviewed as part of the agency's risk analysis process. Modifications should be made to accommodate changes in its network and communications technology.

9.5 Security Controls for Network Malfunctions

Assurances that program operations are not interrupted or deterred are primary goals of a security system. To meet these objectives, each agency should establish security controls that enable prompt identification of computing or network problems. An effective security awareness program should detect security and performance abnormalities in the network, computing system, or output and notify the appropriate personnel.

9.6 Planning for the Unavailability of the Communication Network

An agency that is dependent on the services of a communication network in the performance of its mission critical functions could be severely affected by the unavailability of such services. Loss of a communication network may result in hours of unproductive time and in some cases the public's health, safety, or welfare may be endangered.

STANDARD. If the agency utilizes a communication network to process critical applications or functions, it shall, as part of its contingency plan, provide for an alternate means of accomplishing its program objectives in case the system or its communication network becomes unavailable. Alternative procedures shall be established that enable agency personnel to continue critical day-to-day governmental operations in spite of the loss of the communication network.

9.7 Risk Analysis

Risk analysis is a means of assessing the vulnerabilities associated with an agency's information assets, including its data, applications, and communication networks. To conduct a thorough analysis, the agency should develop an understanding of the relationship between its program operations and the automated information systems that provide information and technical support services. This understanding assists in making sufficient preparations for, and designing and implementing an appropriate security system. Additionally, the risk analysis process provides the basis for justifying expenditures for security equipment, software, personnel, and services.

The following paragraphs identify vulnerabilities or risks that are common to a great many automated systems that use a communication network. Each should be considered during the agency's risk analysis process. For additional information about risk analysis, refer to the applicable section within this publication.

9.8 Authentication Techniques

Authentication is vital to the security of an automated information system that functions in a communication environment. Authentication techniques function to control access to the assets of a data processing system. They are employed to validate information or the identities of users, terminals, computers, and peripheral devices within a data processing system.

For example, passwords function as authentication mechanisms. Presumably, knowing the secret password authenticates the identity of a user and allows him or her access to a system. Unless the authentication is successful, it precludes the receipt of information.

Devices such as smart cards and smart tokens strengthen the authentication mechanism by requiring that a user possess the card/token, in addition to a password, before they can be authenticated.

Message authentication is another validation mechanism. This technology enables users, devices, and processing functions to verify that received information is genuine.

Refer to the applicable sections within this publication for additional information relative to data protection techniques such as passwords and message authentication.

9.9 Passwords

Passwords are pre-stored combinations of characters used by the host computer to authenticate the identity of an individual. Based on the password, the computing system can restrict or grant specific privileges.

If password control is implemented, the computing system will require the user to enter a password when logging on to the system. A comparison is then made to passwords that are held by the computing system. If the password is correct, the system will allow the user access. The system will allow access to other than the authorized user if the password has been compromised. Passwords are effective only if they remain confidential or secret.

Refer to the applicable section within this publication for additional information about passwords.

9.10 Data and File Encryption

The most cost-effective means of protecting the confidentiality of information against disclosure during transfer is through the use of a properly implemented and validated encryption methodology. Properly implemented, an encryption system virtually eliminates risks of disclosure of sensitive information at network nodes and facilities that are not under state control, such as the public switched network. Encryption also protects against undetected modification of data and thus enhances integrity as well as confidentiality. Depending on the value of information to an unauthorized recipient, interception or modification of unencrypted information must be recognized as a significant threat.

Security through encryption depends upon both of the following:


9.11 Dial-Up Access

Systems accessible from dial-up terminals are particularly vulnerable to unauthorized access since the call can be initiated from virtually any telephone instrument. Official users of dial-up facilities must be distinguishable from public users if they are to be given access rights greater than those given public users.

STANDARD. For services other than those authorized for the public, users of dial-up terminals shall be positively and uniquely identifiable and their identity authenticated (e.g., by password) to the systems being accessed.

GUIDELINES. For dial-up services other than those authorized for public use, the following should be considered:

GUIDELINES. For dial-up facilities authorized for public use:

9.12 System Identification Screens

STANDARD. Communication system identification screens shall include the following warning statements: