
    1. NISPOM CHAPTER 8 TECHNICAL REQUIREMENTS FOR PROTECTION LEVEL ONE The ISSO/System Administrator Partnership John Waller, Syracuse Research Corporation April 17/18, 2002

    3. WHAT IS PROTECTION LEVEL 1? ALL users have the appropriate level of clearance, the need-to-know for all of the information on the information system, and have any special briefings required (e.g., NATO, CNWDI) The vast majority of IS in the field are PL1 systems/networks

    4. PROTECTION LEVEL 1 REQUIREMENTS
       - Audit Capability 1
       - Data Transmission 1
       - Access Controls 1
       - Identification and Authentication 1
       - Session Controls 1
       - Security Documentation 1
       - System Recovery 1
       - System Assurance 1
       - Security Testing 1

    5. WHO SHOULD DO WHAT?
       ISSM/ISSO:
       - consult with the users and the data owners to decide the Protection Level and Levels of Concern
       - identify the protection requirements needed
       - convey these requirements to the system administrator
       - certify that the measures are correctly implemented by the SysAdmin
       - conduct weekly audits and interpret/act on the information provided to you
       SYSTEM ADMINISTRATOR:
       - implement the protection requirements identified by the ISSM/ISSO
       - collect the audit information and provide same to the ISSM/ISSO for review

    6. AUDIT CAPABILITY 1
       Auditing is the act of recognizing, recording, storing, and analyzing information related to security-relevant activities.
       Default position: the system shall automatically create and maintain an audit trail or log. However, if the IS cannot provide an automated capability, manual logs are required.
       Additionally, manual logs should be kept that reflect:
       - maintenance, repair, installation, or removal of hardware components
       - installation, testing, and modification of the operating system and security-related software
       - periods processing times
       - sanitization and declassification of memory, media and devices
       - application and re-application of security seals

    7. WHAT KINDS OF INFORMATION MUST BE COLLECTED? (each required field, with an example)
       - action involved: three unsuccessful attempts to logon
       - system entity that initiated or completed the action: waller
       - date and time of the action: April 17 at 1800
       - system locale of the action: workstation number 4
       - resources involved: removable hard drive 14115-000

    8. BUT…SPECIFICALLY… WHAT MUST BE AUDITED?
       - successful and unsuccessful logons and logoffs
       - unsuccessful accesses to security-relevant objects and directories, including creation, open, close, modification, and deletion (ISL 01L-1#55 deleted the requirement to log successful accesses to security-relevant objects - THANK YOU!!!)
       - changes in user authenticators
       - blocking or blacklisting of a userID, terminal, or access port, and the reason
       - denial of access resulting from an excessive number of unsuccessful logon attempts (session control)
       Note: many of the auditable actions will be taken at the system console by your privileged users (e.g., SysAdmin)

    9. PROTECTING THE AUDIT INFORMATION
       The contents of the audit trails shall be protected against unauthorized access, modification, or deletion. This means “general users” do not get access to the audit records!!
       Be concerned about physical control over the audit records when they are recorded to removable media such as disks; you might want to think in terms of recording the audit records on media that cannot be changed (e.g., a magneto-optical or WORM drive).

    10. HOW OFTEN DO I HAVE TO AUDIT? Weekly and that is all I have to say about that...
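Added example, not part of the presentation: a minimal audit trail in Python that carries the five fields slide 7 calls for (action, entity, date/time, locale, resource), records the slide-8 event types, locks a user ID after excessive unsuccessful logons (the slide-8 session-control event) and produces the weekly review of slide 10. Everything in it is constructed: the user IDs, workstation names, timestamps, the 3-attempt threshold and the event names. The SHA-256 chaining of records is an added tamper-evidence measure of mine, not something the slides require; it supplements, rather than replaces, the access restrictions and WORM media of slide 9.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event types slide 8 says must be logged (the names are this example's own).
AUDITED_ACTIONS = {"LOGON_OK", "LOGON_FAIL", "LOGOFF", "OBJECT_ACCESS_DENIED",
                   "AUTHENTICATOR_CHANGE", "LOCKOUT"}

@dataclass(frozen=True)
class AuditRecord:
    when: datetime      # date and time of the action
    entity: str         # system entity that initiated or completed the action
    action: str         # what happened, one of AUDITED_ACTIONS
    locale: str         # system locale, e.g. the workstation or the console
    resource: str = ""  # resource involved, e.g. a drive or the locked user ID
    reason: str = ""    # required for lockouts and blacklisting
    digest: str = ""    # SHA-256 chained to the previous record (tamper evidence)

def _digest(prev, when, entity, action, locale, resource, reason):
    payload = "|".join([prev, when.isoformat(), entity, action, locale, resource, reason])
    return hashlib.sha256(payload.encode()).hexdigest()

class AuditTrail:
    """Append-only log; a user ID is locked after max_failures bad logons."""
    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.records = []
        self._failures = Counter()
        self.locked = set()

    def event(self, when, entity, action, locale, resource="", reason=""):
        """Append one record, chained to the digest of the record before it."""
        assert action in AUDITED_ACTIONS, action
        prev = self.records[-1].digest if self.records else "0" * 64
        self.records.append(AuditRecord(when, entity, action, locale, resource, reason,
                                        _digest(prev, when, entity, action, locale, resource, reason)))

    def verify_chain(self):
        """False if a record was altered or one was removed from inside the chain
        (tail truncation needs the last digest kept off-system, e.g. on slide 9's WORM media)."""
        prev = "0" * 64
        for r in self.records:
            if r.digest != _digest(prev, r.when, r.entity, r.action, r.locale, r.resource, r.reason):
                return False
            prev = r.digest
        return True

    def logon(self, when, user, locale, success):
        """Record a logon attempt; True only if the user actually gets a session."""
        if user in self.locked:
            self.event(when, user, "LOGON_FAIL", locale, reason="user ID is locked")
            return False
        if success:
            self._failures[user] = 0
            self.event(when, user, "LOGON_OK", locale)
            return True
        self._failures[user] += 1
        self.event(when, user, "LOGON_FAIL", locale)
        if self._failures[user] >= self.max_failures:
            self.locked.add(user)  # session control: deny further access
            self.event(when, "system", "LOCKOUT", locale, resource=user,
                       reason=f"{self.max_failures} unsuccessful logon attempts")
        return False

def weekly_review(trail, week_start):
    """The ISSO's weekly pass (slide 10) over one calendar week of records."""
    end = week_start + timedelta(days=7)
    week = [r for r in trail.records if week_start <= r.when < end]
    return {
        "chain_intact": trail.verify_chain(),
        "counts": Counter(r.action for r in week),
        "failed_logons_by_user": Counter(r.entity for r in week if r.action == "LOGON_FAIL"),
        "lockouts": [(r.resource, r.locale, r.reason) for r in week if r.action == "LOCKOUT"],
        "privileged_changes": [(r.entity, r.action, r.resource) for r in week
                               if r.action == "AUTHENTICATOR_CHANGE"],
    }

def demo():
    """Constructed week of events on a fictitious PL-1 LAN (not real data)."""
    t = AuditTrail(max_failures=3)
    d = datetime(2002, 4, 17, 18, 0)  # the slide-7 example: April 17 at 1800
    for i in range(3):                # three bad passwords from workstation 4
        t.logon(d + timedelta(minutes=i), "waller", "WS-04", success=False)
    t.logon(d + timedelta(minutes=5), "waller", "WS-04", success=True)  # right password, still locked
    t.logon(d + timedelta(hours=1), "smith", "CONSOLE", success=True)   # SysAdmin at the console
    t.event(d + timedelta(hours=1, minutes=2), "smith", "AUTHENTICATOR_CHANGE", "CONSOLE", resource="waller")
    t.event(d + timedelta(hours=1, minutes=5), "smith", "LOGOFF", "CONSOLE")
    t.event(d + timedelta(days=1), "jones", "OBJECT_ACCESS_DENIED", "WS-02",
            resource="removable hard drive 14115-000")
    return weekly_review(t, datetime(2002, 4, 15))  # Monday of that week

def tampering_is_detected():
    """Edit the entity on the first record after the fact; the chain must break."""
    t = AuditTrail()
    t.logon(datetime(2002, 4, 17, 9, 0), "waller", "WS-04", success=True)
    t.event(datetime(2002, 4, 17, 17, 0), "waller", "LOGOFF", "WS-04")
    r = t.records[0]
    t.records[0] = AuditRecord(r.when, "smith", r.action, r.locale, r.resource, r.reason, r.digest)
    return not t.verify_chain()

if __name__ == "__main__":
    print(demo(), "tampering detected:", tampering_is_detected())
```

The review output is what the ISSO should be looking at each week: who failed to log on and how often, every lockout with its reason, and every authenticator change made by a privileged user at the console. A real system would get these records from the operating system's audit subsystem rather than from application code; the point of the example is the shape of the record and of the weekly pass, not the collection mechanism.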

    11. DATA TRANSMISSION 1 The concern here is that the classified data will be transmitted through areas where individuals not authorized to have access to the information may have unescorted physical or uncontrolled electronic access to the information

    12. SO…HOW DO I MEET THE REQUIREMENTS?
       - Make sure the information is distributed only within an area approved for open storage
       - Encrypt the information using an NSA-approved encryption device (e.g., STU, KG194, KIV19A, etc.)
       - Use a Protected Distribution System (PDS): a wireline or fiber-optic distribution system used to transmit unencrypted classified NSI through an area of lesser classification or control - see NSTISSI No. 7003

    13. ACCESS CONTROLS 1 Denial of physical access by unauthorized individuals unless under constant supervision of technically qualified, authorized personnel note the words, “technically qualified” personnel This would include controlling access by folks who are at remote (connected) locations

    14. IDENTIFICATION AND AUTHENTICATION 1
       Identification - unique identification of the user (e.g., “waller”). Be concerned about userID reuse: prior to reusing a userID, ensure the SysAdmin has removed all previous access authorizations.
       Authentication - based on any one of three types of information:
       - something the person knows (e.g., a password)
       - something the person possesses (e.g., a card or key)
       - something about the person (e.g., fingerprints, retina scan, or voiceprint)
       Access is not permitted until the user introduces him/herself with the proper ID and authentication!!

    15. PROTECTION OF THE AUTHENTICATOR An authenticator that is in the form of knowledge or possession (password, smart card, keys, etc.) shall not be shared with anyone If the authenticator facilitates access to Secret-level information, then the authenticator should be protected at the Secret level

    16. DO WE ABSOLUTELY HAVE TO HAVE TECHNICAL I&A? The I&A procedures can be external to the IS (e.g., procedural or physical controls) or internal to the IS (i.e., technical) However, electronic means shall be employed where technically feasible

    17. SESSION CONTROLS 1
       These are requirements above and beyond I&A. All users shall be notified prior to gaining access to a system that:
       - system usage is monitored, recorded, and subject to audit
       - he/she has granted consent to monitoring and recording
       - unauthorized use is prohibited and subject to criminal and civil penalties

    18. HOW DO I NOTIFY THE USERS OF THE MONITORING AND RECORDING THAT WILL BE OCCURRING? The advice presented to the user should be in the form of a warning banner (if possible with your O/S). The warning banner should be presented PRIOR to the user logon, and the user should be required to take positive action to remove the warning banner from the screen


    20. SECURITY DOCUMENTATION 1
       The required documentation includes:
       - the SSP
       - Corporate IS Security Policy
       - ISSM certification statement
       - User acknowledgement forms

    21. THE SSP The SSP serves as the basis for inspections of the system!! So…if you say you will implement “best business practices” that are above and beyond PL-1 requirements, these practices should be in force at review time

    22. SPECIFIC THINGS TO BE INCLUDED IN THE SSP
       - system identification
       - system requirements specification
       - system-specific risks and vulnerabilities
       - system configuration
       - connections to separately accredited networks and systems
       - security support structure

    23. IS SECURITY POLICY
       A policy statement is required by paragraph 8-101b. It is the responsibility of “contractor management” and an item that could be reviewed during inspections. It should include:
       - company commitment to protecting classified information
       - intent to adhere to the requirements of chapter 8
       - provisions for disciplinary actions for employees that do not comply

    24. CERTIFICATION
       What is it? A comprehensive analysis of technical and non-technical security features, especially access controls and configuration management, that demonstrates compliance with the security requirements associated with the PL assigned to the IS.
       - A statement in the SSP for PL-1 systems
       - Formal written assurance by the ISSM for PL-2 systems
       Use the available certification test plan checklist.

    25. USER ACKNOWLEDGEMENT OF RESPONSIBILITIES
       Paragraph 8-105 dictates that users will “acknowledge, in writing, their responsibilities for the protection of the IS and classified information.” Ensure this is accomplished AFTER provision of IS training to the user and BEFORE allowing him/her on the system.
       Don’t forget to train the IT Support personnel on the need for documentation when they replace defective components, and to get them to sign an acknowledgement form; also train them on the need to protect new hardware destined for classified operations.

    26. SYSTEM RECOVERY 1 SR addresses the functions that respond to failures in the SSS (the security support structure) or interruptions in operations. Recovery actions ensure that the SSS is returned to a condition where all security-relevant functions are operational, or system operation is suspended - that is, IS recovery is done in a trusted and secure manner. If any off-normal conditions arise during recovery, the IS shall be accessible only via terminals monitored by the ISSO, his/her designee, or via the IS console

    27. SYSTEM ASSURANCE 1 These are features and procedures you implement to validate the integrity and the expected operation of the security-relevant software, hardware, and firmware Includes also features or procedures for protecting the O/S from improper changes You must ensure that access to the above features is limited to authorized personnel

    28. SECURITY TESTING 1 Testing involves verifying the correct operation of the protection measures required for PL-1 The ISSM shall ensure that a statement is in the SSP that the security features, including access controls and configuration management, are implemented and operational

    29. ISSM CERTIFICATION TEST
       - Closed or Restricted Area is approved and security procedures are in place
       - Clearance level, NTK, and special briefings for all users are verified
       - Hardware components match the IS Profile hardware baseline
       - Software resident on the IS matches the Software Baseline in the Profile
       - All media has the appropriate security markings
       - Media from all co-located systems in the area dedicated to unclassified processing is marked as unclassified
       - I&A/logon procedures are in place
       - If automated I&A is not possible, then a list of authorized users is posted in the area
       - Password routines (not required on standalones and small LANs): password length/composition/lifetime/masking; general users cannot access password files
       - Justifications for generic or group accounts
       - Logon banner is technically implemented or prominently displayed in the area
       - Lockouts for multiple failed logins occur
       - Automated audit trails
       - Activities that should be audited are being logged
       - Virus detection software is installed and functional
       - Access controls are in place for security-relevant objects
       - If relevant, procedures are in place for clearance and sanitization of non-volatile memory or media
       - A list of initial bad blocks/sectors has been generated and kept on removable media
       - Procedures for remote connections are in place
       - If used, procedures for a Protected Distribution System (PDS) are in place
       - If requested, procedures for trusted downloading are in place and accredited by the CSA - not the ISSM
       - Other areas of concern are addressed and procedures are certified to be in place and effective

    30. AND IN SUMMARY... Implementing the Chapter 8 requirements requires a partnership between the data owner, the ISSO, and the System Administrator - get to know your partners!!