Protection of Sensitive Information in Microcomputer Processing

INTRODUCTION The widespread use of desktop computers by an ever increasing number of people, both for personal and for business and government uses, has brought public attention to surprising stories about computer abuse. Before the advent of microcomputers in the information processing environment, hundreds of amazing misdeeds involving large computers had already been reported, most of them perpetrated by highly skilled professionals. The undreamed enlarging of microcomputer potential has steadily posed a major threat to complex mainframe computing systems, as joyful teenagers become familiar with the habit of hacking around someone else's large processing system, by means of makeshift phone communication networks, based on their intended homework for personal computers -- for the sheer fun of it. Now, the never ending capacity and speed improvement of commercially available micros has given rise to a brand new concern for society: the hazards of processing sensitive information in the powerful, but still unsafe microcomputer itself, whether or not linked to other micros or mainframe networks. This paper deals with some aspects of the problems and presents some practical hints as to enhance protection and minimize risks to sensitive and secretive information when processed on microcomputers. The physical considerations of computer security and pertinent safety precautions will not be discussed, because while essentially relevant to information protection, recommendations are well defined by processing resources suppliers and their importance is more widely recognized by users in general. Definitions and Classifications. The following definitions and classifications will be considered in this report: Information Assets: Any knowledge or information processing, storing or conveying device displayed in one's environment. It consists of two main categories: INFORMATION RESOURCES: End user's application data wherever recorded. PROCESSING RESOURCES: EDP skilled user's hardware, software, peripherals, magnetic media, communication devices, auxiliary equipment, supplies and related operational procedures. Information Protection: In a broad sense this is the set of necessary procedures to assure to the legitimate user the effective control of the operation and allow modifications of information assets, so that their physical or cognitive integrity be preserved or any unexpected loss minimized inspite of accidental occurrences or intentional actions. Classification Processes: Commonly two classification processes are used to define key terms in information protection: SENSITIVE CLASSIFICATION: Pre-defined standards for assessing the vulnerability to losses due to lack of proper processing continuity if information is destroyed, disclosed, secluded, or misused. SECRECY CLASSIFICATION: A spectrum of degrees as to the expectancy of holding exclusiveness of unique information whose destruction, disclosure, seclusion or misuse will cause a negative impact on the legitimate holder environment. Sensitive Information: Any knowledge whose destruction. disclosure. seclusion or misuse - - - implies losses to its legitimate holder. It may be classified as: VITAL INFORMATION: An essential knowledge whose lack of proper availability implies total loss or termination of p