Countermeasures Based on Security Policy and Accountability
February 5, 2012

Briefly discuss the protection mechanisms available in the system that help to counter the threats described in the above narrative. This narrative should serve as a summary of the protection philosophy used in the design and implementation of the protection mechanisms.
Physical Security Assumptions
(1) Provide a narrative stating what physical security assumptions the system designer makes. The narrative should address, but not be limited to, the common assumption that the system profile ensures that the level of trust associated with the physical environment containing a system’s peripheral will always dominate the maximum sensitivity associated with that peripheral.
(2) Explicitly state the physical security assumptions so that administrative users are aware of the negative consequences of not satisfying them.
Protection Mechanisms Available to Administrative Users
Describe the administrative commands and privileges that must be protected from ordinary users. Identify the protection mechanisms available to administrative users so that these users are aware of the means available to control access to their commands, privileges, and databases.
Separation of Duties
Thoroughly document separation of duties and how the requirement that commands, procedures, and databases be separated is met by the system design. Define each separate role supported by the system in terms of the commands and system interfaces available to the role, the use of each command, the command effects and exceptions, parameter and default settings, and specific warnings about the command’s use.
Security Policy
Discretionary Access Control
(1) Commands and interfaces used to initialize discretionary access control privileges and defaults.
(2) Commands and interfaces to distribute, review, and revoke user privileges.
(3) Group membership definition and the impact on discretionary access control.
(4) Change of object ownership (if any), restoration of accidentally deleted privileges, destruction of processes.
Management of User Accounts
Definition and deletion of user and group accounts and identifiers.
System Commands and Function Definitions
(1) Effects and exceptions.
(2) Parameter and default settings.
(3) Examples of command use and potential misuse.
Specific Vulnerabilities of Administrative Procedures and Activities Related to the Security Policy
Describe security vulnerabilities of commands and procedures with specific ways to counter them.
Accountability
Identification and Authentication
(1) Level of trust requirements (security clearance, etc.).
(2) Password distribution to ordinary and administrative users.
(3) Commands and interfaces for setting up user security profiles and authentication and authorization parameters of the login mechanism.
(4) Management of password generation and protection of passwords.
(5) Account restrictions (restrictions of time intervals for login and logoff).
(6) Choice of user or group identifiers.
(7) Maximum levels of trust for users and groups.
Change of System Parameters of Login Mechanism
(1) Time‑out intervals
(2) Multiple login attributes
(3) Maximum login time
(4) Limits on unsuccessful logins from a terminal or to an account
Audit Mechanisms
(1) Description of audit log and event formats
(2) Audit‑event selection mechanisms
(3) Audit log management
(4) Functions for formatting, compressing, and processing of audit files