For distributed systems managed under a single organization, the Distributed System CM Plan must identify, define, and substantiate distributed system-level policies, standards and procedures, roles, responsibilities, and requirements for the interchange of data, as well as for configuration management at the distributed system-level in accordance with corporate Configuration Management guidelines.

Systems should segregate data and applications according to their organizational and/or functional sensitivity or criticality levels. Transitions between levels should be explicitly controlled. The process for transitioning data or applications from one sensitivity level to another, as well as from office systems and or end-user systems to other systems, must be formally documented and well understood. The transition process must include measures to increase the integrity and reliability of data and/or applications moving from less stringent requirements. Data must not be transitioned from a higher sensitivity level to a lower level that provides insufficient sensitivity protection. Additional application software may need to be developed to remove sensitive data when those data are transitioned to a level that cannot provide adequate protection. Application software must increase and ensure the integrity and reliability required when transitioning data from a component of lower reliability and integrity. A formal process of transformation, testing, and certification must be developed for each transition.

For systems requiring a high level of integrity, techniques such as digital signature or digital envelope may be used to ensure that the data are not changed in transit. The digital envelope technique will provide a means for implementing the principle of least privilege or need-to-know concept.

Dispersed Distributed Systems Integrity Control Issues and Concerns

The following suggestions are provided as additional guidance for establishing a baseline set of controls that ensure minimal risk accountability encountered in managing the more complex environments of dispersed and/or interoperable systems. Additional controls for dispersed and/or interoperable systems will need to be developed addressing:

•  Multisystem configuration management.

•  Establishing and maintaining connectivity.

•  Multilevel, multisite information transfers.

•  Contingency planning, backup, and recovery.

•  Maintaining multisystem data and referential integrity.

•  Attaining a graceful degradation capability.

•  Hardware maintenance.

Change control should be applied to dispersed or interoperable system level data, applications, and hardware to reduce the vulnerability to integrity loss. Periodic verification should be performed to ensure that the common data and applications are the correct version. Techniques (such as digital signature) may be used to assure applications and common data are at their expected version levels.

The functional equivalence claimed between two different software applications executing on different platforms will need to be closely examined during the procurement process due to the possibility of nonhomogeneous hardware being used in the dispersed system.

Network management personnel must maintain connectivity by allowing only authorized, authenticated users to log on, responding to access violation alarms, and auditing access logs for evidence of unauthorized access attempts.

Systems requiring the highest levels of availability must use error correction software during transmissions and redundant transmission of data down multiple communications paths to ensure that at least one is received. Transmission along multiple paths may be simultaneous, as in a broadcast mode, or may be an automatic response to failure detection or performance degradation beyond a predetermined threshold. An automatic response can be implemented to protect specific transmission lines, or it can be implemented as an overall network scheme for automatic reconfiguration to optimize data transfer. The multiple path approach makes denial of service more difficult and reduces the possibility of a single point of failure.

Dispersed/interoperable systems must be supported by an onsite backup and restore repository for archiving applications and data. Backup procedures should be posted and training given to ensure backup integrity of data. Additionally, backup procedures should be automated to the greatest extent possible. A system of periodic and requested backups should be developed and enforced based upon the functional criticality of the system with respect to availability, accessibility, operational continuity, and responsiveness of recoverability needs. The more dynamic the critical data, the more frequently backups should occur. Intelligent backup systems, which back up only changed data, must have their configuration periodically certified for use.

Contingency planning for dispersed and/or interoperable systems must exist for those failures which are inevitable and those which may be unlikely but may result in catastrophic consequences. Contingency Planning should concentrate on the ability to configure, control and audit, operate, and maintain the data processing equipment to achieve information integrity, availability, and confidentiality. Specifically:

1.  Upon failure, critical components should be replaced, repaired, and restarted according to contingency planning procedures.

2.  Referential integrity of the data will need to be preserved. In systems where several processes may manipulate a data object, state data must be maintained about the data object so that incorrect sequencing may be prevented.

3.  Each component must be capable of executing a controlled shutdown without impacting unrelated functions in other components in the event of a security breach or failure.

4.  The dispersed system topology should be designed so that when hardware is taken out of service for maintenance, impact on the rest of the system is minimized.

Cooperative Distributed Systems Integrity Control Issues and Concerns

Additional controls for fully cooperative systems will need to be developed focusing on:

•  Establishing and maintaining connectivity.

•  Multilevel, multisite information transfers.

•  Software development and maintenance.

•  Hardware maintenance.

System management will need to conduct an impact analysis to determine the affect of monitoring all transactions involving data, process, and control information without causing degradation of the work in progress.