VIII. SECURITY ASSURANCE

A. Concepts and Definitions

NASA policy states that automated information resources shall be provided with a level of security and integrity consistent with the potential harm from their loss, inaccuracy, alteration, unavailability, or misuse. Software is itself a resource and thus must be afforded appropriate security. Software also contains and controls data and other NASA resources; it must be designed and implemented to protect those resources. Software security assurance is the process of ensuring that these requirements are satisfied during all phases of the software life cycle.

B. Automated Information Security

Policy for automated information security (AIS) is contained in NMI 2410.7, "Assuring the Security and Integrity of NASA Automated Information Systems." Very briefly, the policy states that the security protection provided for a system must be appropriate to its sensitivity, and that the sensitivity of a system is based on the sensitivity of the information the system handles. Sensitivity is in turn based on the impact on NASA of that information being inaccurate, altered, disclosed, or unavailable.

The AIS process begins by identifying and categorizing the information that is to be contained in the system. The information, including both programs and data, should be categorized according to its sensitivity. In the lowest category, the impact of a security violation is minimal: the effect on NASA's missions, functions, or reputation is negligible and no tangible asset is lost. In the top category, the impact may pose a threat to human life, may have an irreparable effect on NASA's missions, functions, image, or reputation, or may result in the loss of significant assets or resources. Based on the categorization, security requirements should be developed.
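The categorization step above is easy to get wrong in two ways: a program (not just a data set) is left out of the inventory, or one element is rated on only some of the four impact dimensions and the gap is never noticed. The following Python script is a worked example added here; it is not from the guidebook or from NASA. It assumes three named sensitivity levels (the guidebook names only the lowest and the top; the middle level and all names are assumptions) and the rule that a system inherits the highest category of any program or data element it handles (a high-water mark, which is an assumption consistent with the policy statement that system sensitivity derives from the information handled). The inventory is constructed sample input, not a real system.

```python
"""Sensitivity categorization of an automated information system.

Added worked example, not part of the guidebook. The four impact
dimensions (inaccurate, altered, disclosed, unavailable) come from the
policy text. Assumed: three named levels, and the rule that the system
takes the highest category of any element it handles.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    NEGLIGIBLE = 0   # lowest category: no tangible asset lost, negligible mission impact
    MODERATE = 1     # assumed middle level (not defined in the policy text)
    SEVERE = 2       # top category: threat to life, irreparable mission/reputation harm


DIMENSIONS = ("inaccurate", "altered", "disclosed", "unavailable")


@dataclass
class InfoElement:
    name: str
    kind: str                       # "program" or "data": both must be categorized
    impact: dict = field(default_factory=dict)   # dimension -> Impact

    def category(self) -> Impact:
        """Element category is its worst-case impact across all four dimensions."""
        missing = [d for d in DIMENSIONS if d not in self.impact]
        if missing:
            raise ValueError(f"{self.name}: unrated dimensions {missing}")
        return max(self.impact[d] for d in DIMENSIONS)


def categorize_system(elements):
    """Apply the assumed high-water mark across the inventory.

    Returns (system category, "element:dimension" pairs that set it,
    names of elements whose evaluation is incomplete). The third value is
    what a security review would flag: an unrated element means the
    security evaluation has not actually been performed for the system.
    """
    rated, unrated = [], []
    for e in elements:
        try:
            rated.append((e, e.category()))
        except ValueError:
            unrated.append(e.name)
    if not rated:
        return None, [], unrated
    top = max(cat for _, cat in rated)
    drivers = sorted(
        f"{e.name}:{d}"
        for e, cat in rated if cat == top
        for d in DIMENSIONS if e.impact[d] == top
    )
    return top, drivers, unrated


# Constructed sample inventory (hypothetical names, not a real NASA system).
SAMPLE_INVENTORY = [
    InfoElement("uplink-command-loader", "program",
                {"inaccurate": Impact.SEVERE, "altered": Impact.SEVERE,
                 "disclosed": Impact.MODERATE, "unavailable": Impact.MODERATE}),
    InfoElement("telemetry-archive", "data",
                {"inaccurate": Impact.MODERATE, "altered": Impact.MODERATE,
                 "disclosed": Impact.NEGLIGIBLE, "unavailable": Impact.MODERATE}),
    InfoElement("outreach-web-content", "data",
                {d: Impact.NEGLIGIBLE for d in DIMENSIONS}),
    # Only two of four dimensions rated: the evaluation of this element is incomplete.
    InfoElement("ground-log-store", "data",
                {"inaccurate": Impact.MODERATE, "altered": Impact.MODERATE}),
]


if __name__ == "__main__":
    cat, drivers, unrated = categorize_system(SAMPLE_INVENTORY)
    print("system category:", cat.name)
    print("driven by:", ", ".join(drivers))
    print("evaluation incomplete for:", ", ".join(unrated) or "none")
```

Note that the single program element drives the whole system to the top category even though the bulk of the data is moderate or negligible; that is the point of categorizing programs as well as data, and it is why the requirements derived next apply to the system as a whole rather than to the least sensitive data set in it.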
The security requirements should encompass system access control, including network access and physical access; data management and data access; environmental controls (power, air conditioning, etc.) and off-line storage; human resource security; and audit trails and usage records.

C. Security Assurance Activities

Security assurance activities are directed at ensuring that information being (or to be) processed by an automated information system has been assigned a proper sensitivity category and that the appropriate protection requirements have been developed and met in the system being developed or maintained. In addition, security assurance activities include ensuring the control and protection of the software being developed and/or maintained, and of the software support tools and data. A minimum security assurance program should ensure that:

- A security evaluation has been performed.
- Security requirements have been established for the software and data being developed and/or maintained.
- Security requirements have been established for the development and/or maintenance process.
- Each software review and/or audit includes an evaluation of the security requirements.
- The configuration management and corrective action processes provide security for the existing software, and the change evaluation process prevents security violations.
- Physical security for software and data is adequate.

D. Techniques and Tools

Off-the-shelf packages are available to support security requirements. If used, they must be evaluated and their effectiveness assured before they are relied on.