
For Users of Classified Information Systems (IS)


Presentation Transcript


  1. INFORMATION SYSTEM SECURITY - For Users of Classified Information Systems (IS)

  2. Disclaimer This briefing is generic in nature and should be used as a guideline for briefing System Users.

  3. Overview
  • Acronyms
  • General Users
  • Responsibilities - All
  • Information System Security Policies
  • System Hardware and Software
  • System Maintenance
  • Passwords
  • Auditing

  4. Acronyms/Definitions
  • FSO - Facility Security Officer
  • ISSM - Information System Security Manager
  • ISSO - Information System Security Officer
  • Closed Area - Allows unattended classified processing
  • Restricted Area - Allows attended classified processing

  5. Acronyms/Definitions - cont’d
  • DSS - Defense Security Service
  • CSA - Cognizant Security Authority (i.e., DSS)
  • C & A - Certification and Accreditation
  • IATO - Interim Approval to Operate
  • IS - Information System
  • SSP - System Security Plan
  • DAA - Designated Approving Authority

  6. Acronyms/Definitions - cont’d
  • NISPOM - National Industrial Security Program Operating Manual
  • CM - Configuration Management
  • PL1 - Protection Level 1
  • ISSP - Information System Security Professional

  7. General Users
  • That’s YOU!!!
  • Individuals who can input, modify, or receive information from an IS
  • Individuals who have appropriate clearance, need-to-know and formal access approvals
  • Individuals who have been authorized system access by the ISSM/ISSO

  8. Responsibilities - All
  • Ensure that you are:
    • Aware of your IS responsibilities
    • Accountable for your actions
    • Protecting your password to the highest classification level of the system and not sharing it!
    • Acknowledging in writing that you will protect the IS and all classified information

  9. IS Policy and Procedures
  [diagram: Procedures; Information System Security Plan; Policy: DOD 5220.22-M, National Industrial Security Program Operating Manual, February 2006]

  10. ISSM
  • Designated by management
  • Responsible for all IS Security Education
  • Establishes, implements, monitors IS program and ensures compliance
  • Identifies threats (internal/external)
  • Ensures periodic self-inspections

  11. ISSM - (cont’d)
  • Acknowledgement statements
  • Security features
  • Implementation of SSP
  • Maintenance procedures
  • De-certification

  12. ISSO
  • May be appointed by ISSM
  • May perform functions delegated by the ISSM
  • Ensure SSP accurately depicts operational requirements
  • Ensure unauthorized personnel are not granted access to an IS
  • Ensure system recovery processes restore security features
  • Ensure active user IDs are re-validated annually

  13. Privileged Users
  • System Administrators
  • Users having “superuser” or “root” access
  • Users having the ability to change other users’ access

  14. System Hardware & Software
  • Authorization is required from ISSM/ISSO prior to installation

  15. System Hardware
  • IS hardware must be examined prior to use for classified processing
  • Must maintain strict Configuration Management
  • ISSM must approve ALL configuration changes on classified systems
  • ISSO will verify all new hardware or software is accounted for in the SSP

  16. System Hardware - cont’d
  [label images: SECRET/FGI, UNCLASSIFIED]
  • Labels: highest, most restrictive category
  • Unclassified hardware must be marked UNCLASSIFIED

  17. System Hardware - cont’d
  • Hardware going in/out of controlled area
    • Must be approved!
  • Co-Located Systems
    • Systems must be clearly marked
    • Users must be briefed and cautioned about LAN contamination risks

  18. Hardware Modifications
  • Approved by ISSM
  • Prior to installation or execution
  • Recorded in Maintenance Log

  19. System Software
  • All software must be licensed and acquired from reputable and authorized sources only
    • Approved vendors, GFE, in-house developed
  • Personally-owned software is prohibited
  • Restrictions on shareware, freeware, public bulletin board software and software from foreign sources
  • Must receive prior approval from ISSM/ISSO before loading on system
    • Does not apply to routine software upgrades already stipulated in approved SSPs (e.g., anti-virus signature updates)

  20. System Software - cont’d
  • Software cannot be brought into the lab without being virus checked first
  • Anti-virus signature files need to be kept current
  • Notify ISSM/ISSO immediately should an infection occur
  • DSS requirements:
    • Isolation and damage assessment prior to corrective actions
    • Contamination of classified systems requires notification to DSS

  21. System Software - cont’d
  Trusted Downloading: Copying Unclassified/Lower Level Files to Magnetic Media
  • This MUST be approved by DSS/ISSM first! Check your Security Plan
  • Be aware of what is classified
  • Review files before and after copying
  • Be aware of the embedded data issue
  • Use a Government-approved utility

  22. System Software - cont’d
  [sample media labels: SECRET, CONFIDENTIAL and UNCLASSIFIED, each showing CLASSIFIED BY: DD254 3 JUNE 1999, CONTRACT NO: XXXXXX, DECLASSIFY ON: X3, PROJECT: XYZ]
  • LABELS
    • DSS Marking Supplement: http://people.lmaero.lmco.com/itrain/manage/dloads/markingguide.pdf
  Media Controls & Marking
  • All media in a controlled area must be marked
  • Open shelf storage – case by case
    • Must be approved by DSS (NISPOM 5-306a)

  23. System Software - cont’d
  • Foreign Coded or Foreign-Owned Software
    • Research origin of software
    • Foreign software will only be considered if there is no comparable American-made package
    • Prior concurrence from DSS required on foreign coded packages
    • Provide ample time to allow DSS to research package

  24. System Maintenance
  • All system maintenance must be pre-coordinated through ISSO or ISSM prior to occurring
  • Must use a cleared technician whenever possible
    • Briefed company technician
    • Briefed outside vendor technician

  25. System Maintenance - cont’d
  • Uncleared Technicians
    • Use only as a last resort
    • Uncleared maintenance personnel must be US citizens
    • Requires a technically knowledgeable “shoulder-to-shoulder” escort while in secure area
    • Prior sanitization of work areas as well as the systems in question
    • Use of dedicated, unclassified media for maintenance
    • If system has fixed internal drive, restrict access to all input and output devices

  26. System Maintenance - cont’d
  • Diagnostic equipment may not be connected to system

  27. Periods Processing
  • Separate sessions
    • Different classification levels
    • Different need-to-know
  • Removable media for each processing session

  28. Who Should Be Notified When?
  • Any equipment changes from the security profile: ISSM
  • Software upgrades: ISSM
  • Changes to the access list: ISSO
  • Discrepancies with procedures: ISSM
  • Abnormal events: ISSM & ISSO
  • Detected viruses: ISSM & ISSO

  29. Who Should Be Notified When? cont’d
  • Equipment not functioning: ISSO & ISSM
  • Equipment requiring sanitizing: ISSO & ISSM
  • Suspicious use of the systems (usually associated with need-to-know): ISSO & ISSM
  • Visitors not being escorted: ISSO & ISSM
  • When someone no longer needs access to the system: ISSO

  30. Audit Records
  • All audit records should include enough information to allow the ISSM/ISSO to determine…
    • date and time of action
    • system locale of the action
    • system entity that initiated or completed the action
    • resources involved
    • action involved
  • Protect the contents of audit trails against unauthorized access, modification or deletion
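As an added example (not part of the briefing), the five record fields listed on this slide enforced at write time, plus an HMAC chain so that the "modification or deletion" the last bullet warns about can be detected at review; the key, user name, path and timestamps are constructed placeholders.

```python
import hashlib, hmac, json

# Fields the briefing says every audit record must carry.
REQUIRED_FIELDS = ("time", "locale", "entity", "resource", "action")
# Constructed demo key (assumption); in practice held by the ISSM/ISSO, not by users.
AUDIT_KEY = b"constructed-demo-key-not-for-real-use"

def missing_fields(fields):
    """Names of required fields that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not fields.get(f)]

def make_record(**fields):
    """Build one audit record, refusing any that lacks a required field."""
    missing = missing_fields(fields)
    if missing:
        raise ValueError("audit record missing: " + ", ".join(missing))
    return {f: fields[f] for f in REQUIRED_FIELDS}

def _mac(prev_mac, record, key):
    # Each MAC covers the record and the previous MAC, chaining the entries.
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append(trail, record, key=AUDIT_KEY):
    """Append a record to the trail, a list of {"record", "mac"} entries."""
    prev = trail[-1]["mac"] if trail else ""
    trail.append({"record": record, "mac": _mac(prev, record, key)})
    return trail

def verify(trail, key=AUDIT_KEY, expected_last_mac=None):
    """Index of the first entry that fails, or -1 if the chain is intact. A changed or
    removed entry breaks every later MAC; truncation at the end is caught only when the
    last MAC was recorded elsewhere (expected_last_mac), e.g. by the ISSO at each review."""
    prev = ""
    for i, entry in enumerate(trail):
        if not hmac.compare_digest(entry["mac"], _mac(prev, entry["record"], key)):
            return i
        prev = entry["mac"]
    if expected_last_mac is not None and prev != expected_last_mac:
        return len(trail)
    return -1

def demo_trail():
    """Two constructed records: a user opens, then prints, one file."""
    trail = []
    for minute, action in ((15, "open"), (20, "print")):
        append(trail, make_record(time=f"2024-05-01T09:{minute}:00Z", entity="jsmith",
                                  locale="workstation-03, Closed Area B",
                                  resource="/projects/xyz/report.doc", action=action))
    return trail
```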

  31. Passwords
  • Minimum 14 characters
  • Classified to the highest level of the system
  • Changed every 90 days
  • Changed when compromised
  • Automated generation when possible

  32. Passwords - cont’d
  • If user generated:
    • no dictionary words
    • mix upper and lower case
    • no blanks
  • Examples:
    • fly2high
    • Bigb&sRHip
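As an added example (not part of the briefing), the user-generated password rules from slides 31 and 32 as a checker; the dictionary word list is a constructed stand-in, and the age check takes ISO dates. Run against the slide's own two examples, it flags both as shorter than the 14-character minimum on slide 31.

```python
from datetime import date, timedelta

# Rules as stated on the two password slides.
MIN_LENGTH = 14
MAX_AGE_DAYS = 90

# Constructed stand-in for a dictionary word list (assumption: a real
# deployment would load a full word list; the briefing names none).
DICTIONARY_WORDS = {"fly", "high", "big", "hip", "password", "secret", "system"}

def dictionary_hits(password, words=DICTIONARY_WORDS, min_len=3):
    """Dictionary words of min_len+ letters embedded in the password, case-insensitive."""
    lowered = password.lower()
    return sorted(w for w in words if len(w) >= min_len and w in lowered)

def check_password(password, words=DICTIONARY_WORDS):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters ({len(password)})")
    if any(ch.isspace() for ch in password):
        problems.append("contains blanks")
    has_upper = any(ch.isupper() for ch in password)
    has_lower = any(ch.islower() for ch in password)
    if not (has_upper and has_lower):
        problems.append("does not mix upper and lower case")
    hits = dictionary_hits(password, words)
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    return problems

def password_expired(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """True once the password (ISO date of last change) is older than the change interval."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=max_age_days)

if __name__ == "__main__":
    for candidate in ("fly2high", "Bigb&sRHip"):  # the slide's own examples
        print(candidate, check_password(candidate) or "OK")
```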

  33. Clearing and Sanitization
  • Printers
    • Print one page (font test) then power down

  34. Computer Incidents
  • Don’t touch or delete anything!
  • Notify ISSO/ISSM as soon as possible
  • ISSO/ISSM will perform a preliminary investigation of the incident

  35. Computer Incidents - cont’d
  • FSO will notify DSS
  • ISSM will provide a solution to DSS on how to best resolve the situation

  36. Public Disclosures
  [newspaper graphic: DAILY BLAB, Technology Today, “TODAY - In The News: Contractor is reported to announce… (continued on page 6)”]
  • Classified information that appears in the public media, publications or other sources remains classified.
  • Individuals are not relieved of their obligation to maintain the secrecy of such information and are bound by the Non-Disclosure Agreement signed during their indoctrination.
  • When responding to questions about the Company or other Company sites, including those released through radio or TV, newspapers, magazines or trade journals, you should neither confirm nor deny information found in public sources. Questions should be referred to your local Security Office or to the appropriate Public Relations Office.

  37. Conclusion
  • Security is everyone’s responsibility!
  • You are in the trenches and can help us by being our eyes and ears to what is going on in the facilities
  • Let’s work together!

  38. Questions?
