DRAFT DRAFT
Policy for Compiler and Interpreter Usage
Within Tier II Production Centers and Platforms
In Compliance with IRM 2.1.7, 2.1.8, 2.1.10, and 21.2
TABLE OF CONTENTS
1.0 INTRODUCTION 1
2.0 PREMISES 1
3.0 REFERENCES AND AUTHORITY 1
4.0 MISSION 1
4.1 THE ROLE OF DSMB 2
4.2 DSMB RESPONSIBILITIES 2
4.3 UNIX SECURITY 2
4.4 IRM 2.1.7 3
4.5 IRM 2.1.8 3
4.6 IRM 2.1.10 4
4.7 IRM 21.2 5
4.8 IRS DOCUMENT 9627, INFORMATION SYSTEMS SECURITY PROCEDURAL GUIDE 5
5.0 SECURITY 6
6.0 POLICY FOR COMPILER AND INTERPRETER USAGE WITHIN TIER II PRODUCTION SYSTEMS 6
6.1 PERL AND IRM 102.1.4 6
6.2 INITIAL AUDIT OF TIER II CORPORATE PLATFORMS 7
6.3 USAGE OF INITIAL AUDIT REPORT 7
6.4 FUTURE USAGE OF COMPILERS AND INTERPRETERS ON TIER II CORPORATE PLATFORMS 8
6.5 SECONDARY AND PERIODIC AUDITS 9
7.0 CONSEQUENCES RESULTING FROM NOT ESTABLISHING THIS POLICY 9
1.0 Introduction
In accordance and compliance with the standards detailed in IRM 2.1.7,
Information Systems Operations; and the directives detailed in IRM 2.1.8,
Information Systems Operations Support, and IRM 2.1.10, Information
Systems Security; this document will:
(1) Define the policy for the usage of compilers and interpreters within the
Tier II Production environment at the Computing Centers and
Campuses.
(2) Outline the tasks required to fulfill that policy.
2.0 Premises
(1) All Tier II systems operate in a trusted environment.
(2) The Distributed Systems Management Branch, M:I:SS:DS (DSMB) is
responsible for all Tier II platforms.
(3) The Distributed Systems Management Branch, M:I:SS:DS (DSMB) is
responsible for Configuration Management (CM) on all Tier II corporate
platforms (SUN, NUMA-Q, EMC).
(4) Without the establishment of the policy listed in the previous section,
the Tier II Consolidated Environment is at risk for the compromise of
system and structural integrity.
3.0 References and Authority
The following documents are cited here as references and authority for this
Policy:
(1) Memo of June 7, 1999 from Paul J. Cosgrave, CIO, on Tier II Systems
Management.
(2) IRM Handbook 102.13, Information Technology Systems, Chapter 5,
Basic UNIX Security Requirements (BUSR) Handbook
(3) IRM 2.1.7, Information Systems Operations, dated November 1, 2000
(4) IRM 2.1.8, Information Systems Operations Support, dated November
1, 2000
(5) IRM 2.1.10, Information Systems Security, dated April 30, 1998
(6) IRM 21.2, Customer Accounts Services, dated March 3, 2001
(7) IRS Document 9627, Information Systems Security Procedures Guide
(8) IRM 102.1, Standard Systems Profile, Chapter 4, Software Engineering
Services
(9) Tier II Systems Support Organizational Roles and Responsibilities
document, Release 3.2, dated October 20, 2000.
(10) Policy for Security and Access Within Tier II Centers and Platforms.
4.0 Mission
(1) The following sections outline the mission and responsibilities of DSMB
for Tier II Management and Technical Support.
4.1 The Role of DSMB
(1) As stated in Reference (1), management responsibility for all Tier II
systems has been assigned to the Systems Support Division (SSD).
This responsibility includes Management Policy, Configuration
Management (CM), standards, and technical support including tuning
and troubleshooting assistance. Within SSD, the Distributed Systems
Management Branch (DSMB) will have primary responsibility for this
activity. This branch will provide technical guidance and support for the
operating systems, database management systems, system utilities,
COTS products, and telecommunications interface software running on
all Tier II production, D/R, and PDS platforms. DSMB management and
technical support includes version and update control, distribution, and
problem solving for operating and database management systems, and
configuration management of these platforms.
Additionally, the branch will have direct responsibility for corporately
managing Tier II systems software components, such as the Sun and
Sequent systems installed in the Service's Computing Centers and
Campuses, respectively.
4.2 DSMB Responsibilities
(1) As stated in Reference (9), the DSMB is responsible for technical and
programmatic management of all Tier II systems Service-wide, to
include acquisition, use, management and disposition of Tier II
hardware and other system resources, including asset management
and reporting. The mission includes setting and enforcing standards
and strategic direction for hardware and system components, including
DBMSs. DSMB may delegate responsibility to subordinate
organizations to accomplish this mission.
(2) Within the context of the DSMB mission, the National Office (NO) has
the primary responsibility for both Configuration Management (CM) and
Controlled Access Protection (C2).
4.3 UNIX Security
(1) As stated in Reference (3), the IRM Handbook 102.13 provides basic
security requirements for Internal Revenue Service (IRS) UNIX
computer systems and networks based on C2 functionality.
(2) Chapter 5 of the handbook specifically addresses the Basic UNIX
Security Requirements (BUSR) for IRS Information Technology
Systems.
4.4 IRM 2.1.7
(1) Section 2.1.7.1 (11-01-2000), Information Systems Operations,
states:
(1) This section provides general standards and requirements to be
observed by all personnel throughout the Service in carrying out their
Information Systems (IS) Operations responsibilities. This information is
applied to all Systems including those not directly controlled by the
Chief Information Officer (CIO).
(2) Section 2.1.7.2.1 (11-01-2000), National Office IRMs and
Handbooks, states:
(3) General standards must be established at the National Office level
to ensure that activities are properly administered at the local level.
(3) In accordance with the above statements, the DSMB will establish all
standards, policies, and procedures that will guide all aspects of Tier II
Computing Centers and Campuses. This includes Configuration
Management (CM) and Controlled Access Protection (C2).
4.5 IRM 2.1.8
(1) Section 2.1.8.2 (05-11-2000), Systems Control Point Overview,
defines the concept, responsibilities, and duties of the Control Point
function.
(2) In the context of the Control Point function, and for all Tier II Computing
Centers and Campuses, the DSMB will function as the high-level
Control Point for standards, procedures, policies, distribution, and the
SSD Configuration Control Board (CCB). The SSD CCB explicitly
pertains to all installation, upgrade, or maintenance activities for
operating systems, database systems, and COTS software across all
Tier II Computing Centers and Campuses.
4.6 IRM 2.1.10
(1) IRM 2.1.10, Information Systems Security, provides policies and
requirements to be used by IRS organizations to carry out their
respective responsibilities in information systems security. Among the
subject areas covered in this IRM are the following:
    10.1.3 – Information Systems Security Regulations
    10.2.4 – Configuration Management (CM)
    10.4 – Security Guidelines
    10.4.1.8 – Information System User
    10.4.3 – Controlled Access Protection (C2)
    10.4.3.2 – C2 Security Features
(2) All activities of Tier II Computing Centers and Campuses will comply
with all subsections of 10.1.3 – Information Systems Security
Regulations.
(3) For all Tier II Computing Centers and Campuses, the DSMB functions
as the high-level Configuration Management (CM) authority. This
explicitly pertains to all installation, upgrade, or maintenance activities
for operating systems, database systems, and COTS software across
all Tier II Centers and Platforms.
(4) For all Tier II Computing Centers and Campuses, the DSMB will define
and enforce all policies and procedures pertaining to IRM 2.1.10.4 –
Security Guidelines. The specific sections that apply to this policy are
listed below:
    • IRM 2.1.10.4.1.8 – Information System User. This states the
      following:
        • protect access IDs and authentication codes (e.g., passwords,
          personal identification numbers (PIN), encryption codes, etc.)
          from any misuse and improper disclosure;
        • access only authorized data and applications necessary to
          perform management approved responsibilities. However,
          access capability does not equate to authority (e.g., browsing of
          taxpayer data is not permitted)
    • IRM 2.1.10.4.3 – Controlled Access Protection (C2). This explicitly
      pertains to all installation, upgrade, or maintenance activities for
      operating systems, database systems, and COTS software across
      all Tier II Computing Centers and Campuses. The specific section
      that applies to this policy is listed below:
        • IRM 2.1.10.4.3.2 – C2 Security Features. This states the
          following:
            • To maintain baseline security requirements for sensitive but
              unclassified (SBU) information systems and networks, C2
              requirements shall be maintained. Controlled access
              protection provides the following security features:
                • ensure individual accountability through identification and
                  authentication of each individual system user;
                • maintain an audit trail of user security relevant events;
                • control response to a user request to access information
                  according to the user authorization; and
                • prevent unauthorized access to a user's current or residual
                  data by clearing all storage areas (core, disk, etc.) before
                  the storage areas are allocated or reallocated.
4.7 IRM 21.2
(1) Subsection 21.2.2.3.2 references the Taxpayer Browsing Protection
Act. This subsection states that “All IRS employees are required by law
to protect the confidentiality of a taxpayer's tax matters. You must
ensure you are dealing with the taxpayer or someone properly
authorized to receive this data before giving out any tax information.”
(2) The provisions of this new law are listed below:
a. Willful unauthorized access or inspection of non-computerized
taxpayer records, including hard copies of returns - as well as
computerized information - is a misdemeanor, punishable, upon
conviction, by fines, prison terms and termination of employment.
b. Taxpayers have the right to take legal action when they are
victims of unlawful access or inspection - even if a taxpayer's
information is never revealed to a third party.
c. When managers or employees are criminally charged, we are
required to notify taxpayers that their records have been accessed
without authorization.
d. In short, the new law closes the loopholes in the existing statutes
on willful UNAX or inspection. It makes all cases of UNAX -
electronic and paper - a crime that carries with it penalties ranging
from loss of job to fines and prison terms if an individual is
convicted. And in all substantiated cases of UNAX, the
appropriate managerial response, absent any mitigating
circumstances, will be removal.
4.8 IRS Document 9627, Information Systems Security Procedural Guide
(1) The purpose of IRS Document 9627 is to provide standardized
procedures to be used by Internal Revenue Service organizations to
ensure the protection of sensitive but unclassified (SBU) information
systems, applications, and networks. Document 9627 includes "how to"
guidance for certain items addressed in IRM 2.1.10, Information
Systems Security. Document 9627 is not meant to cover all procedures
for all the various security processes. Additional procedures are being
considered for inclusion in the future revisions of this document.
(2) Document 9627 provides procedures for:
• Computer Security Plan
• Risk Assessment
• Virus and Malicious Software Prevention
• Controlled Access Protection (C2)
• Security Compliance Review
• Security Exception
• Security Documentation
5.0 Security
(1) All established IRS security procedures will be followed. The IRS
Form 5081 will be used to request access for primary and alternate
DSMB staff to fulfill their mission. In addition, all applicable sections of
the UNIX Security Standards, Reference 3, will be strictly adhered to.
6.0 Policy for Compiler and Interpreter Usage within Tier II Production Systems
(1) The following section delineates the policy for the usage of compilers
and interpreters within the Tier II corporate platforms. This policy will
apply to all Production Tier II corporate platforms at both the
Computing Centers and Campuses.
(2) This policy will ensure that the Tier II environment complies with all
applicable standards, policies, and regulations for Production IRS
systems.
6.1 PERL and IRM 102.1.4
(1) Section 102.1.4.3 addresses Special Use Languages. In particular,
this section of the IRM states that the languages presented (i.e., C++,
4GLs, and PERL) are not approved for the development of
production systems within the IRS. If adherence to this standard is
either impossible or not in the best interest of the IRS, then an approved
waiver must be obtained. See IRM 2.1.11, Systems Standards Profile,
Section 1.6, SSP Waiver Process.
(2) Section 102.1.4.3.3.2 Guidance states that: PERL is not a mandatory
Federal Standard, but has been selected for use by the IRS for the
following reasons:
• PERL as a de facto standard is being widely accepted by industry;
• PERL is a leading component for Internet/Intranet development;
• PERL’s process, file, and text manipulation facilities make it
particularly well suited for tasks involving quick prototyping, system
utilities, report generation, database access, systems management
tasks, and Internet/Intranet programming.
(3) While PERL has been selected for use by the IRS, its use is prohibited
on Tier II corporate platforms due to the lack of security inherent in the
language and lack of product support by the platform vendor. In
particular, it will not reside on any Tier II production platform.
6.2 Initial Audit of Tier II Corporate Platforms
(1) DSMB will conduct an audit of all Tier II corporate platforms at both the
Computing Centers and the Campuses.
(2) This audit shall be used as a baseline to identify the existence and
usage of compilers and interpreters on all Tier II corporate platforms.
(3) The audit will be conducted in one (1) of three (3) ways:
    • DSMB will audit directory listings when doing site visits in
      accordance with Reference 10, the Policy for Security and Access
      within Tier II Centers and Platforms
        • This policy details the access accorded DSMB personnel
        • Access will be provided in accordance with it
    • By DSMB's use of infrastructure management tools
    • And by DSMB's coordinating with TIGTA and SPO to ensure this
      topic is covered in their audits
(4) This audit will generate a detailed report, for each site and system,
containing the following information:
• Center or Campus
• Platform
• Operating System and Version
• Compiler or Interpreter name
• Compiler or Interpreter release/version
• Date installed
• Date uninstalled
6.3 Usage of Initial Audit Report
(1) Using the audit report, all identified compilers and interpreters will be
removed from every Tier II production system at both the Computing
Centers and the Campuses.
    • All compilers and interpreters will be archived to tape.
(2) The removal process will generate a detailed audit report, for each site
and system, containing the following information:
• Center or Campus
• Platform
• Operating System and Version
• Compiler or Interpreter name
• Compiler or Interpreter release/version
• Date removed
6.4 Future Usage of Compilers and Interpreters on Tier II Corporate Platforms
(1) Future usage of compilers and interpreters within the Tier II corporate
platforms will be initiated and tracked through the Change Request
(CR) process. The CR must include a justification to DSMB for the
proposed usage of the compiler or interpreter and approval shall be
granted by DSMB.
(2) Normally, DSMB Transmittal procedures will provide the authority for
the use of the compiler.
(3) The following policies will apply for the future usage of all compilers
(e.g., COBOL, C, etc.) and interpreters (e.g., PERL, BASIC, etc.) on
Tier II corporate platforms.
(4) Compilers are pre-approved only to be used for compiling the UNIX
kernel. However, these compilers shall be uninstalled when not
required for use on the kernel.
    (a) The following process would be followed:
        • An audit trail will be initiated.
        • The compiler would be installed.
        • The kernel would be compiled.
        • The compiler would be removed after the compile.
        • The audit trail would be closed, and the audit report
          generated.
6.5 Secondary and Periodic Audits
(1) A secondary audit (spot check) may be conducted by DSMB to verify
the removal, at the discretion of DSMB. This would be an
'unannounced' type of audit.
(2) The audit will be conducted in one (1) of three (3) ways:
    • When doing site visits in accordance with Reference 10, the
      Policy for Security and Access within Tier II Centers and Platforms
        • This policy details the access accorded DSMB personnel
        • Access will be provided in accordance with it
    • By using infrastructure management tools
    • And by coordinating with TIGTA and SPO to ensure this topic is
      covered in their audits
(3) Periodic (spot check) audits will be conducted by DSMB to verify that
no compilers are resident on Tier II production systems.
(4) As stated in Reference (9), DSMB is responsible for the Configuration
Management (CM) of the Tier II corporate platforms. In support of the
CM function assigned to the National Office (NO), Systems
Administrators (SAs) are responsible for controlling version updates to
the Operating System (OS).
(5) In accordance with Reference (9), the National Office (NO) Systems
Administrators (SAs) will be granted the necessary access level (Root)
to conduct the audit of any Production Tier II platform.
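The host-level side of the Section 6.2 baseline inventory and the Section 6.5 spot check, as an added POSIX shell example that is not part of the IRS policy document; the tool names, search directories and the AUDIT_CENTER variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the IRS policy: a host-level baseline inventory
# of compilers and interpreters (Section 6.2) and a spot check that fails when
# any are resident (Section 6.5). Tool names, search directories and the
# AUDIT_CENTER variable are assumptions; extend them per platform.

# Names the policy calls out (C, COBOL, PERL, BASIC) plus common companions.
COMPILER_NAMES="cc gcc c++ g++ cobc as ld"
INTERPRETER_NAMES="perl python tclsh ruby bwbasic"

# Searched in addition to $PATH. /usr/ccs/bin and /opt/SUNWspro/bin are where
# Solaris kept its toolchain; /opt/gnu/bin catches GNU add-ons.
DEFAULT_DIRS="/usr/bin /usr/local/bin /usr/ccs/bin /opt/SUNWspro/bin /opt/gnu/bin"

# Union of $PATH and DEFAULT_DIRS, one directory per word.
audit_dirs() {
    { printf '%s\n' "$PATH" | tr ':' '\n'; printf '%s\n' $DEFAULT_DIRS; } \
        | sort -u | tr '\n' ' '
}

# Report header: the fields Section 6.2 requires, pipe-separated.
report_header() {
    printf '%s\n' "Center|Platform|OS|OSVersion|Class|Tool|Release|Path|Installed|Uninstalled"
}

# Best-effort release string. stdin is /dev/null so tools that would read a
# source program from stdin (as, tclsh) exit instead of waiting.
tool_release() {
    rel=$("$1" --version 2>/dev/null </dev/null | head -n 1)
    [ -n "$rel" ] || rel=$("$1" -v 2>/dev/null </dev/null | head -n 1)
    printf '%s\n' "${rel:-unknown}"
}

# Install date from the file mtime (GNU stat, then BSD stat). The package
# database (pkginfo -l on Solaris) is the authoritative source where present.
install_date() {
    idate=$(stat -c %y "$1" 2>/dev/null || stat -f %Sm "$1" 2>/dev/null)
    printf '%s\n' "${idate:-unknown}"
}

# inventory DIRS CLASS NAMES: one report line per executable found.
# The Uninstalled field stays empty until the Section 6.3 removal fills it.
inventory() {
    inv_dirs=$1; inv_class=$2; inv_names=$3
    center=${AUDIT_CENTER:-UNKNOWN-CENTER}
    platform=$(uname -m 2>/dev/null || echo unknown)
    os=$(uname -s 2>/dev/null || echo unknown)
    osver=$(uname -r 2>/dev/null || echo unknown)
    for d in $inv_dirs; do
        for n in $inv_names; do
            f="$d/$n"
            [ -f "$f" ] && [ -x "$f" ] || continue
            printf '%s|%s|%s|%s|%s|%s|%s|%s|%s|\n' \
                "$center" "$platform" "$os" "$osver" "$inv_class" "$n" \
                "$(tool_release "$f")" "$f" "$(install_date "$f")"
        done
    done
}

# baseline_report DIRS: the full Section 6.2 report for this host.
baseline_report() {
    report_header
    inventory "$1" compiler "$COMPILER_NAMES"
    inventory "$1" interpreter "$INTERPRETER_NAMES"
}

# spot_check DIRS: returns 0 when no compiler or interpreter is resident,
# 1 otherwise, printing the offending report lines (the Section 6.5 condition).
spot_check() {
    found=$(inventory "$1" compiler "$COMPILER_NAMES"
            inventory "$1" interpreter "$INTERPRETER_NAMES")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone use: "sh audit.sh report" or "sh audit.sh check".
case "${1:-}" in
    report) baseline_report "$(audit_dirs)" ;;
    check)  spot_check "$(audit_dirs)" ;;
esac
```

The report lines are pipe-separated so they can be appended per host into the site-wide audit report and diffed against the baseline at the next spot check.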
7.0 Consequences Resulting from not Establishing this Policy
(1) To be able to provide the required controlled access environment,
certain policies and subsequent implementations dictate that compilers
and interpreters should be removed just as certain remote access
commands need to be removed. The requirements for C2, or the
comparable Common Criteria version, cannot be met without setting a
policy to remove or to tightly control unnecessary software such as
compilers and interpreters.
(2) Without the establishment of the policy listed in the previous section,
the Tier II Consolidated Environment is at risk for the compromise of
system and structural integrity.

More Related Content

Viewers also liked (16)

Mousavi and Bazrgar 2014
Mousavi and Bazrgar 2014Mousavi and Bazrgar 2014
Mousavi and Bazrgar 2014
 
FergusonAATribute
FergusonAATributeFergusonAATribute
FergusonAATribute
 
N binarios
N binariosN binarios
N binarios
 
Epigonal amp إيبيجونال حقن by pharmacia1.com
Epigonal amp  إيبيجونال حقن by pharmacia1.comEpigonal amp  إيبيجونال حقن by pharmacia1.com
Epigonal amp إيبيجونال حقن by pharmacia1.com
 
قرار رئيسا لجمهورية مصر العربية بقانون الخدمة المدنية
قرار رئيسا لجمهورية مصر العربية بقانون الخدمة المدنيةقرار رئيسا لجمهورية مصر العربية بقانون الخدمة المدنية
قرار رئيسا لجمهورية مصر العربية بقانون الخدمة المدنية
 
PhillipDaniel_CV
PhillipDaniel_CVPhillipDaniel_CV
PhillipDaniel_CV
 
article on education
article on educationarticle on education
article on education
 
Fes el pas
Fes el pasFes el pas
Fes el pas
 
Module_CLP-Markets-Staff-Training
Module_CLP-Markets-Staff-TrainingModule_CLP-Markets-Staff-Training
Module_CLP-Markets-Staff-Training
 
IT Tecnologies
IT TecnologiesIT Tecnologies
IT Tecnologies
 
week8_finalproject_garst
week8_finalproject_garstweek8_finalproject_garst
week8_finalproject_garst
 
B2 b integration
B2 b integrationB2 b integration
B2 b integration
 
Folliropine fsh
Folliropine fshFolliropine fsh
Folliropine fsh
 
FISH Training Module for RED
FISH Training Module for REDFISH Training Module for RED
FISH Training Module for RED
 
PTCIL
PTCILPTCIL
PTCIL
 
Daily fantasy sports
Daily fantasy sportsDaily fantasy sports
Daily fantasy sports
 

Similar to IRS_Tier_2_Compiler_Policy_V3

oneM2M security summary
oneM2M security summaryoneM2M security summary
oneM2M security summaryJongseok Choi
 
A Survey Embedded Systems Supporting By Different Operating Systems.pdf
A Survey   Embedded Systems Supporting By Different Operating Systems.pdfA Survey   Embedded Systems Supporting By Different Operating Systems.pdf
A Survey Embedded Systems Supporting By Different Operating Systems.pdfFiona Phillips
 
Project Report on Intrusion Detection System
Project Report on Intrusion Detection SystemProject Report on Intrusion Detection System
Project Report on Intrusion Detection SystemVishal Polley
 
TMS320F28335 security
TMS320F28335 securityTMS320F28335 security
TMS320F28335 securityraje21
 
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...IJCNCJournal
 
A Combination of the Intrusion Detection System and the Open-source Firewall ...
A Combination of the Intrusion Detection System and the Open-source Firewall ...A Combination of the Intrusion Detection System and the Open-source Firewall ...
A Combination of the Intrusion Detection System and the Open-source Firewall ...IJCNCJournal
 
N(I)2 Overview Including Functional Processes
N(I)2 Overview Including Functional ProcessesN(I)2 Overview Including Functional Processes
N(I)2 Overview Including Functional Processeskvz
 
IRJET-Domain Data Security on Cloud
IRJET-Domain Data Security on CloudIRJET-Domain Data Security on Cloud
IRJET-Domain Data Security on CloudIRJET Journal
 
Industrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.pptIndustrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.pptDelforChacnCornejo
 
Cyber Security.pptx
Cyber Security.pptxCyber Security.pptx
Cyber Security.pptxJohn96107
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesWAJAHAT IQBAL
 
oneM2M Introduction and security
oneM2M Introduction and securityoneM2M Introduction and security
oneM2M Introduction and securityJongseok Choi
 

Similar to IRS_Tier_2_Compiler_Policy_V3 (20)

One m2m 3- managment_capability
One m2m 3- managment_capabilityOne m2m 3- managment_capability
One m2m 3- managment_capability
 
oneM2M security summary
oneM2M security summaryoneM2M security summary
oneM2M security summary
 
A Survey Embedded Systems Supporting By Different Operating Systems.pdf
A Survey   Embedded Systems Supporting By Different Operating Systems.pdfA Survey   Embedded Systems Supporting By Different Operating Systems.pdf
A Survey Embedded Systems Supporting By Different Operating Systems.pdf
 
Mapping document
Mapping documentMapping document
Mapping document
 
Project Report on Intrusion Detection System
Project Report on Intrusion Detection SystemProject Report on Intrusion Detection System
Project Report on Intrusion Detection System
 
TMS320F28335 security
TMS320F28335 securityTMS320F28335 security
TMS320F28335 security
 
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...
 
A Combination of the Intrusion Detection System and the Open-source Firewall ...
A Combination of the Intrusion Detection System and the Open-source Firewall ...A Combination of the Intrusion Detection System and the Open-source Firewall ...
A Combination of the Intrusion Detection System and the Open-source Firewall ...
 
N(I)2 Overview Including Functional Processes
N(I)2 Overview Including Functional ProcessesN(I)2 Overview Including Functional Processes
N(I)2 Overview Including Functional Processes
 
IRJET-Domain Data Security on Cloud
IRJET-Domain Data Security on CloudIRJET-Domain Data Security on Cloud
IRJET-Domain Data Security on Cloud
 
Industrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.pptIndustrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.ppt
 
Cyber Security.pptx
Cyber Security.pptxCyber Security.pptx
Cyber Security.pptx
 
Src 147
Src 147Src 147
Src 147
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
 
F5_and_Azure_v3.pptx
F5_and_Azure_v3.pptxF5_and_Azure_v3.pptx
F5_and_Azure_v3.pptx
 
Cloud Security Solution Overview
Cloud Security Solution OverviewCloud Security Solution Overview
Cloud Security Solution Overview
 
CEMS_Guideline_II.pdf
CEMS_Guideline_II.pdfCEMS_Guideline_II.pdf
CEMS_Guideline_II.pdf
 
oneM2M Introduction and security
oneM2M Introduction and securityoneM2M Introduction and security
oneM2M Introduction and security
 
Industrial networks safety & security - e+h june 2018 ben murphy
Industrial networks safety & security - e+h june 2018   ben murphyIndustrial networks safety & security - e+h june 2018   ben murphy
Industrial networks safety & security - e+h june 2018 ben murphy
 
Attachment_0.pdf
Attachment_0.pdfAttachment_0.pdf
Attachment_0.pdf
 

More from David G. Peterson, PMP

More from David G. Peterson, PMP (9)

Winstar_NEW_Billing_High_Level_Merged
Winstar_NEW_Billing_High_Level_MergedWinstar_NEW_Billing_High_Level_Merged
Winstar_NEW_Billing_High_Level_Merged
 
Winstar_FM2B_VIEWS_V21
Winstar_FM2B_VIEWS_V21Winstar_FM2B_VIEWS_V21
Winstar_FM2B_VIEWS_V21
 
MCPS_ADMINISTRATIVE_REPORTS_OVERVIEW
MCPS_ADMINISTRATIVE_REPORTS_OVERVIEWMCPS_ADMINISTRATIVE_REPORTS_OVERVIEW
MCPS_ADMINISTRATIVE_REPORTS_OVERVIEW
 
IRS_DGP_Modernization_Oracle_DB_Naming_Stds
IRS_DGP_Modernization_Oracle_DB_Naming_StdsIRS_DGP_Modernization_Oracle_DB_Naming_Stds
IRS_DGP_Modernization_Oracle_DB_Naming_Stds
 
IRS_T2_TA_TRR_SOP_V1_0
IRS_T2_TA_TRR_SOP_V1_0IRS_T2_TA_TRR_SOP_V1_0
IRS_T2_TA_TRR_SOP_V1_0
 
MCPS_IDMS_to_Oracle_Conversion
MCPS_IDMS_to_Oracle_ConversionMCPS_IDMS_to_Oracle_Conversion
MCPS_IDMS_to_Oracle_Conversion
 
CCATS_CONVERSION
CCATS_CONVERSIONCCATS_CONVERSION
CCATS_CONVERSION
 
PGCPS_DataConversion_High_Level
PGCPS_DataConversion_High_LevelPGCPS_DataConversion_High_Level
PGCPS_DataConversion_High_Level
 
IRS_CHCS_Respond to Inquiries
IRS_CHCS_Respond to InquiriesIRS_CHCS_Respond to Inquiries
IRS_CHCS_Respond to Inquiries
 

IRS_Tier_2_Compiler_Policy_V3

  • 1. DRAFT DRAFT Policy for Compiler and Interpreter Usage Within Tier II Production Centers and Platforms In Compliance with IRM 2.1.7, 2.1.8, 2.1.10, and 21.2
  • 2. DRAFT DRAFT TABLE OF CONTENTS 1.0 INTRODUCTION 1 2.0 PREMISES 1 3.0 REFERENCES AND AUTHORITY 1 4.0 MISSION 1 4.1 THE ROLE OF DSMB 2 4.2 DSMB RESPONSIBILITIES 2 4.3 UNIX SECURITY 2 4.4 IRM 2.1.7 3 4.5 IRM 2.1.8 3 4.6 IRM 2.1.10 4 4.7 IRM 21.2 5 4.8 IRS DOCUMENT 9627, INFORMATION SYSTEMS SECURITY PROCEDURAL GUIDE 5 5.0 SECURITY 6 6.0 POLICY FOR COMPILER AND INTERPRETER USAGE WITHIN TIER II PRODUCTION SYSTEMS 6 6.1 PERL AND IRM 102.1.4 6 6.2 INITIAL AUDIT OF TIER II CORPORATE PLATFORMS 7 6.3 USAGE OF INITIAL AUDIT REPORT 7 6.4 FUTURE USAGE OF COMPILERS AND INTERPRETERS ON TIER II CORPORATE PLATFORMS 8 6.5 SECONDARY AND PERIODIC AUDITS 9 7.0 CONSEQUENCES RESULTING FROM NOT ESTABLISHING THIS POLICY 9
  • 3. DRAFT Page: 1 DRAFT 1.0 Introduction In accordance and compliance with the standards detailed in IRM 2.1.7, Information Systems Operations; and the directives detailed in IRM 2.1.8, Information Systems Operations Support, and IRM 2.1.10, Information Systems Security; this document will: (1) Define the policy for the usage of compilers and interpreters within the Tier II Production environment at the Computing Centers and Campuses. (2) Outline the tasks required to fulfill that policy. 2.0 Premises (1) All Tier II systems operate in a trusted environment. (2) The Distributed Systems Management Branch, M:I:SS:DS (DSMB) is responsible for all Tier II platforms. (3) The Distributed Systems Management Branch, M:I:SS:DS (DSMB) is responsible for Configuration Management (CM) on all Tier II corporate platforms (SUN, NUMA-Q, EMC). (4) Without the establishment of the policy listed in the previous section, the Tier II Consolidated Environment is at risk for the compromise of system and structural integrity. 3.0 References and Authority The following documents are cited here as references and authority for this Policy: (1) Memo of June 7, 1999 from Paul J. Cosgrave, CIO, on Tier II Systems Management. (2) IRM Handbook 102.13, Information Technology Systems, Chapter 5, Basic UNIX Security Requirements (BUSR) Handbook (3) IRM 2.1.7, Information Systems Operations, dated November 1, 2000 (4) IRM 2.1.8, Information Systems Operations Support, dated November 1, 2000 (5) IRM 2.1.10, Information Systems Security, dated April 30, 1998 (6) IRM 21.2, Customer Accounts Services, dated March 3, 2001 (7) IRS Document 9627, Information Systems Security Procedures Guide (8) IRM 102.1, Standard Systems Profile, Chapter 4, Software Engineering Services (9) Tier II Systems Support Organizational Roles and Responsibilities document, Release 3.2, dated October 20, 2000. (10) Policy for Security and Access Within Tier II Centers and Platforms. 
4.0 Mission (1) The following sections outline the mission and responsibilities of DSMB for Tier II Management and Technical Support.
  • 4. DRAFT Page: 2 DRAFT 4.1 The Role of DSMB (1) As stated in Reference (1), management responsibility for all Tier II systems has been assigned to the Systems Support Division (SSD). This responsibility includes Management Policy, Configuration Management (CM), standards, and technical support including tuning and troubleshooting assistance. Within SSD, the Distributed Systems Management Branch (DSMB) will have primary responsibility for this activity. This branch will provide technical guidance and support for the operating systems, database management systems, system utilities, COTS products, and telecommunications interface software running on all Tier II production, D/R, and PDS platforms. DSMB management and technical support includes version and update control, distribution and problem solving of and for operating and data base management systems and configuration management of these platforms. Additionally, the branch will have direct responsibility for corporately managing Tier II systems software components, such as the Sun and Sequent systems installed in the Service's Computing Centers and Campuses, respectively. 4.2 DSMB Responsibilities (1) As stated in Reference (9), the DSMB is responsible for technical and programmatic management of all Tier II systems service wide, to include acquisition, use, management and disposition of Tier II hardware and other system resources, including asset management and reporting. The mission includes setting, and enforcing standards and strategic direction for hardware and system components, including DBMSs. DSMB may delegate responsibility to subordinate organizations to accomplish this mission. (2) Within the context of the DSMB mission, the National Office (NO) has the primary responsibility for both Configuration Management (CM) and Controlled Access Protection (C2). 
4.3 UNIX Security (1) As stated in Reference (3), The IRM Handbook 102.13 provides basic security requirements for Internal Revenue Service (IRS) UNIX computer systems and networks based on C2 functionality. (2) Chapter 5 of the handbook specifically addresses the Basic UNIX Security Requirements (BUSR) for IRS Information Technology Systems.
  • 5. DRAFT Page: 3 DRAFT 4.4 IRM 2.1.7 (1) Section 2.1.7.1 (11-01-2000), Information Systems Operations, states: (1) This section provides general standards and requirements to be observed by all personnel throughout the Service in carrying out their Information Systems (IS) Operations responsibilities. This information is applied to all Systems including those not directly controlled by the Chief Information Officer (CIO). (2) Section 2.1.7.2.1 (11-01-2000), National Office IRMs and Handbooks, states: (3) General standards must be established at the National Office level to ensure that activities are properly administered at the local level. (3) In accordance with the above statements, the DSMB will establish all standards, policies, and procedures that will guide all aspects of Tier II Computing Centers and Campuses. This includes Configuration Management (CM) and Controlled Access Protection (C2). 4.5 IRM 2.1.8 (1) Section 2.1.8.2 (05-11-2000), Systems Control Point Overview, defines the concept, responsibilities, and duties of the Control Point function. (2) In the context of the Control Point function, and for all Tier II Computing Centers and Campuses, the DSMB will function as the high-level Control Point for standards, procedures, policies, distribution, and the SSD Configuration Control Board (CCB). The SSD CCB explicitly pertains to all installation, upgrade, or maintenance activities for operating systems, database systems, and COTS software across all Tier II Computing Centers and Campuses.
4.6 IRM 2.1.10
(1) IRM 2.1.10, Information Systems Security, provides policies and requirements to be used by IRS organizations to carry out their respective responsibilities in information systems security. Among the subject areas covered in this IRM are the following:
    10.1.3 – Information Systems Security Regulations
    10.2.4 – Configuration Management (CM)
    10.4 – Security Guidelines
    10.4.1.8 – Information System User
    10.4.3 – Controlled Access Protection (C2)
    10.4.3.2 – C2 Security Features
(2) All activities of Tier II Computing Centers and Campuses will comply with all subsections of 10.1.3 – Information Systems Security Regulations.
(3) For all Tier II Computing Centers and Campuses, the DSMB functions as the high-level Configuration Management (CM) authority. This explicitly pertains to all installation, upgrade, or maintenance activities for operating systems, database systems, and COTS software across all Tier II Centers and Platforms.
(4) For all Tier II Computing Centers and Campuses, the DSMB will define and enforce all policies and procedures pertaining to IRM 2.1.10.4 – Security Guidelines. The specific sections that apply to this policy are listed below:
    • IRM 2.1.10.4.1.8 – Information System User. This states the following:
        • protect access IDs and authentication codes (e.g., passwords, personal identification numbers (PIN), encryption codes, etc.) from any misuse and improper disclosure;
        • access only authorized data and applications necessary to perform management approved responsibilities. However, access capability does not equate to authority (e.g., browsing of taxpayer data is not permitted).
    • IRM 2.1.10.4.3 – Controlled Access Protection (C2). This explicitly pertains to all installation, upgrade, or maintenance activities for operating systems, database systems, and COTS software across all Tier II Computing Centers and Campuses. The specific section that applies to this policy is listed below:
        • IRM 2.1.10.4.3.2 – C2 Security Features. This states the following:
            • To maintain baseline security requirements for sensitive but unclassified (SBU) information systems and networks, C2 requirements shall be maintained. Controlled access protection provides the following security features:
                • ensure individual accountability through identification and authentication of each individual system user;
                • maintain an audit trail of user security relevant events;
                • control response to a user request to access information according to the user authorization; and
                • prevent unauthorized access to a user's current or residual data by clearing all storage areas (core, disk, etc.) before the storage areas are allocated or reallocated.

4.7 IRM 21.2
(1) Subsection 21.2.2.3.2 references the Taxpayer Browsing Protection Act. This subsection states that "All IRS employees are required by law to protect the confidentiality of a taxpayer's tax matters. You must ensure you are dealing with the taxpayer or someone properly authorized to receive this data before giving out any tax information."
(2) The provisions of this new law are listed below:
    a. Willful unauthorized access or inspection of non-computerized taxpayer records, including hard copies of returns, as well as computerized information, is a misdemeanor, punishable, upon conviction, by fines, prison terms and termination of employment.
    b. Taxpayers have the right to take legal action when they are victims of unlawful access or inspection, even if a taxpayer's information is never revealed to a third party.
    c. When managers or employees are criminally charged, we are required to notify taxpayers that their records have been accessed without authorization.
    d. In short, the new law closes the loopholes in the existing statutes on willful UNAX or inspection. It makes all cases of UNAX, electronic and paper, a crime that carries with it penalties ranging from loss of job to fines and prison terms if an individual is convicted. And in all substantiated cases of UNAX, the appropriate managerial response, absent any mitigating circumstances, will be removal.

4.8 IRS Document 9627, Information Systems Security Procedural Guide
(1) The purpose of IRS Document 9627 is to provide standardized procedures to be used by Internal Revenue Service organizations to ensure the protection of sensitive but unclassified (SBU) information systems, applications, and networks. Document 9627 includes "how to" guidance for certain items addressed in IRM 2.1.10, Information Systems Security. Document 9627 is not meant to cover all procedures for all the various security processes. Additional procedures are being considered for inclusion in the future revisions of this document.
(2) Document 9627 provides procedures for:
    • Computer Security Plan
    • Risk Assessment
    • Virus and Malicious Software Prevention
    • Controlled Access Protection (C2)
    • Security Compliance Review
    • Security Exception
    • Security Documentation
5.0 Security
(1) All established IRS security procedures would be followed. The IRS form 5081 will be used to request access for primary and alternate DSMB staff to fulfill their mission. In addition, all applicable sections of the UNIX Security Standards, Reference 3, will be strictly adhered to.

6.0 Policy for Compiler and Interpreter Usage within Tier II Production Systems
(1) The following section delineates the policy for the usage of compilers and interpreters within the Tier II corporate platforms. This policy will apply to all Production Tier II corporate platforms at both the Computing Centers and Campuses.
(2) This policy will ensure that the Tier II environment complies with all applicable standards, policies, and regulations for Production IRS systems.

6.1 PERL and IRM 102.1.4
(1) Section 102.1.4.3 addresses Special Use Languages. In particular, this section of the IRM states that the languages presented (i.e., C++, 4GLs, and PERL) are not approved for the development of production systems within the IRS. If adherence to this standard is either impossible or not in the best interest of the IRS, then an approved waiver must be obtained. See IRM 2.1.11, Systems Standards Profile, Section 1.6, SSP Waiver Process.
(2) Section 102.1.4.3.3.2, Guidance, states that PERL is not a mandatory Federal Standard, but has been selected for use by the IRS for the following reasons:
    • PERL as a de facto standard is being widely accepted by industry;
    • PERL is a leading component for Internet/Intranet development;
    • PERL's process, file, and text manipulation facilities make it particularly well suited for tasks involving quick prototyping, system utilities, report generation, database access, systems management tasks, and Internet/Intranet programming.
(3) While PERL has been selected for use by the IRS, its use is prohibited on Tier II corporate platforms due to the lack of security inherent in the language and lack of product support by the platform vendor. In particular, it will not reside on any Tier II production platform.
6.2 Initial Audit of Tier II Corporate Platforms
(1) DSMB will conduct an audit of all Tier II corporate platforms at both the Computing Centers and the Campuses.
(2) This audit shall be used as a baseline to identify the existence and usage of compilers and interpreters on all Tier II corporate platforms.
(3) The audit will be conducted in one (1) of three (3) ways:
    • DSMB will audit directory listings when doing site visits in accordance with Reference 10, the Policy for Security and Access within Tier II Centers and Platforms:
        • This policy details the access accorded DSMB personnel.
        • Access will be provided in accordance with it.
    • By DSMB's use of infrastructure management tools.
    • By DSMB's coordinating with TIGTA and SPO to ensure this topic is covered in their audits.
(4) This audit will generate a detailed report, for each site and system, containing the following information:
    • Center or Campus
    • Platform
    • Operating System and Version
    • Compiler or Interpreter name
    • Compiler or Interpreter release/version
    • Date installed
    • Date uninstalled

6.3 Usage of Initial Audit Report
(1) Using the audit report, all identified compilers and interpreters will be removed from every Tier II production system at both the Computing Centers and the Campuses.
    • All compilers and interpreters will be archived to tape.
(2) The removal process will generate a detailed audit report, for each site and system, containing the following information:
    • Center or Campus
    • Platform
    • Operating System and Version
    • Compiler or Interpreter name
    • Compiler or Interpreter release/version
    • Date removed
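As an added example (not the policy document's or DSMB's own tooling), the shell function below performs the directory-listing audit described in 6.2 and emits one CSV row per finding carrying the report fields of 6.2(4). The list of program names, the CSV layout, and the use of `--version` output and file modification time as stand-ins for release and install date are assumptions made for this example.

```shell
#!/bin/sh
# Added example: baseline audit of directory listings for compilers and
# interpreters (section 6.2). Not from the IRS policy document.
# Assumptions: the program-name list below, CSV output, --version for the
# release field, and file modification date for "Date installed".

# Program names treated as compilers or interpreters (assumed list).
AUDIT_NAMES="cc gcc c++ g++ cobol perl python ruby tclsh"

# audit_dirs CENTER PLATFORM DIR...
# Prints one row per executable found:
#   center,platform,os+version,name,release,date installed,date uninstalled
# "Date uninstalled" is left blank; the removal step (6.3) records it.
audit_dirs() {
  center=$1
  platform=$2
  shift 2
  osver=$(uname -sr 2>/dev/null || echo unknown)
  for dir in "$@"; do
    for name in $AUDIT_NAMES; do
      path="$dir/$name"
      # Only executable regular files count as findings.
      [ -f "$path" ] && [ -x "$path" ] || continue
      # Release/version: best effort, first line of --version output.
      ver=$("$path" --version 2>/dev/null </dev/null | head -n 1)
      [ -n "$ver" ] || ver=unknown
      # Date installed: approximated by the file's modification date (GNU stat).
      installed=$(stat -c %y "$path" 2>/dev/null | cut -d' ' -f1)
      [ -n "$installed" ] || installed=unknown
      printf '%s,%s,%s,%s,%s,%s,\n' \
        "$center" "$platform" "$osver" "$name" "$ver" "$installed"
    done
  done
}

# Stand-alone use: sh audit.sh Campus-X SUN /usr/bin /usr/local/bin
if [ $# -ge 3 ]; then
  printf 'center,platform,os_version,name,release,date_installed,date_uninstalled\n'
  audit_dirs "$@"
fi
```

The same rows, with the last field filled in, serve as the removal record called for in 6.3(2).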
6.4 Future Usage of Compilers and Interpreters on Tier II Corporate Platforms
(1) Future usage of compilers and interpreters within the Tier II corporate platforms will be initiated and tracked through the Change Request (CR) process. The CR must include a justification to DSMB for the proposed usage of the compiler or interpreter, and approval shall be granted by DSMB.
(2) Normally, DSMB Transmittal procedures will provide the authority for the use of the compiler.
(3) The following policies will apply for the future usage of all compilers (e.g., COBOL, C, etc.) and interpreters (e.g., PERL, BASIC, etc.) on Tier II corporate platforms.
(4) Compilers are pre-approved only to be used for compiling the UNIX kernel. However, these compilers shall be uninstalled when not required for use on the kernel.
    (a) The following process would be followed:
        • An audit trail will be initiated.
        • The compiler would be installed.
        • The kernel would be compiled.
        • The compiler would be removed after the compile.
        • The audit trail would be closed, and the audit report generated.
6.5 Secondary and Periodic Audits
(1) A secondary audit (spot check) may be conducted by DSMB to verify the removal, at the discretion of DSMB. This would be an 'unannounced' type of audit.
(2) The audit will be conducted in one (1) of three (3) ways:
    • When doing site visits in accordance with Reference 10, the Policy for Security and Access within Tier II Centers and Platforms:
        • This policy details the access accorded DSMB personnel.
        • Access will be provided in accordance with it.
    • By using infrastructure management tools.
    • By coordinating with TIGTA and SPO to ensure this topic is covered in their audits.
(3) Periodic (spot check) audits will be conducted by DSMB to verify that no compilers are resident on Tier II production systems.
(4) As stated in Reference (9), DSMB is responsible for the Configuration Management (CM) of the Tier II corporate platforms. In support of the CM function assigned to the National Office (NO), Systems Administrators (SAs) are responsible for controlling version updates to the Operating System (OS).
(5) In accordance with Reference (9), the National Office (NO) Systems Administrators (SAs) will be granted the necessary access level (Root) to conduct the audit of any Production Tier II platform.

7.0 Consequences Resulting from not Establishing this Policy
(1) To be able to provide the required controlled access environment, certain policies and subsequent implementations dictate that compilers and interpreters should be removed, just as certain remote access commands need to be removed. The requirements for C2, or the comparable Common Criteria version, cannot be met without setting a policy to remove or to tightly control unnecessary software such as compilers and interpreters.
(2) Without the establishment of the policy listed in the previous section, the Tier II Consolidated Environment is at risk for the compromise of system and structural integrity.