1 / 35

For Information Systems Security Officers and System Administrators

INFORMATION SYSTEM SECURITY. For Information Systems Security Officers and System Administrators. Disclaimer.

hilary-finch
Download Presentation

For Information Systems Security Officers and System Administrators

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INFORMATION SYSTEM SECURITY ForInformation Systems Security Officers and System Administrators

  2. Disclaimer This briefing is generic in nature and should be used as a guideline for briefing System Administrators and ISSOs and should reflect the conditions, waivers and specific requirements for your program.

  3. People to Know • Facility Security Points of Contact (POCs) • Facility Security Officer (FSO) • Information Systems Security Manager (ISSM) • Information Systems Security Officer (ISSO) • Defense Security Services (DSS) Representatives • Industrial Security Representative (ISR) • Information System Security Professional (ISSP) previously known as the AIS Specialist

  4. What is an Information System (IS)? Whatever is used to process classified information

  5. Teamwork • It is important that you, Security and DSS work together • Security may have options for you that meet the requirements of DSS (NISPOM) • Some of these options may be time/cost savers • DSS is willing to hear other ways of doing things • DSS lead time can take up to 180 days for approvals. It begins from the time DSS receives the plan.

  6. Things You Need To Know • What is in the Security Plan/Profile • Movement of Equipment and Media • What actions require you to notify your ISSM • Downloading unclassified files from secure systems • Audit records • If you are not sure - ASK YOUR ISSM!

  7. What’s in the Security Plan • The Plan is Generic and covers the security at the facility • Personnel Responsibilities • Plant Physical Security • General Operational Procedures • System Configuration Management Plan • Audit Features and Controls • Clearing and Sanitization It's Not Magic!

  8. SECURITY PROFILE WEEKLY AUDIT LOG What’s in the Security Profile • The Profile is Specific to Your System • System Identification & Requirements Specification (SIRS) this is the same as the old Concept of Operations • Hardware and Software Baseline • Configuration Drawing • IS Access Authorization and Briefing Form • Upgrade/Downgrade Procedures • Maintenance Log • Weekly Audit Log

  9. What’s in the Security Profile- cont’d • The Profile is Specific to Your System • ISSO/System Administrator Delegation Record • Seal Log (If Applicable) • Information System Network Security Program (If Applicable) • Certification Test Guides - Tests to ensure all safeguards are in place and operational

  10. Movement of Equipment and Media • Hardware going in/out of controlled area • Must be approved! • Co-Located Systems - • Systems must be clearly marked • Users must be briefed and cautioned about LAN Contanminations • Files must be scanned for malicious code before being introduced to a classified computer system • Downloading & marking lower level data (Trusted Downloads)

  11. Who Should Be Notified When? • Any equipment changes from the security profile • ISSO, in some cases ISSM • Software upgrades • ISSO, in some cases ISSM • Changes to the access list • ISSO • Discrepancies with procedures • ISSM • Abnormal events • ISSO & ISSM • Detect viruses • ISSO & ISSM

  12. Who Should Be Notified When? cont’d • Equipment not functioning • ISSO & ISSM • Equipment requiring sanitizing • ISSO & ISSM • Suspicious use of the systems (usually associated with Need-To-Know) • ISSM & ISSO • Visitors not being escorted • ISSO & ISSM • When someone no longer needs access to the system • ISSO

  13. Trusted DownloadingCopying Unclassified/Lower Level Files to Magnetic Media • This MUST be approved by DSS/ISSM first! • Check your Security Plan • Be aware of what is classified • Review files before and after copying • Be aware of the embedded data issue • Use a Government-approved utility

  14. Audit Records • Who fills out what? • ISSOs & Users • What logs are required? - Manual • Maintenance • Hardware & Software • Upgrade/Downgrade • Sanitization • Weekly Audit Log – On-Line Record • Custodian, AISSO, ISSO • Seal Log (If Applicable)

  15. Audit Records - cont’d • What logs are required - Automated • if technically capable • Successful and unsuccessful logons and logoffs • Unsuccessful accesses to security-relevant objects and directories, including: • creation • open • modification and deletion • Changes in user authenticators, i.e., passwords • Denial of system access resulting from an excessive number of unsuccessful logon attempts. • If not technically capable, the Authorized Users list will be retained as an audit record

  16. Re-Accreditation &Protection Measures • Re-Accreditation • every Three Years • major Changes • Protection Measures • unique Identifier • individual User Ids and Authentication • passwords

  17. Passwords • Minimum 14 Characters • Classified to the highest level of the system • Changed every 6 months • Changed when compromised • Automated generation when possible

  18. Passwords - cont’d • If User Generated: • no dictionary words • mix upper and lower case • no blanks • Examples: • fly2high • Bigb&sRHip

  19. Group Accounts • Disable accounts not needed • guest • field • nobody • Change vendor pre-installed passwords • Single person has responsibility • Access kept to a minimum

  20. DoD Warning Banner • Required • Positive User Action • Prominently displayed

  21. Login Attempts • Maximum of 5 attempts • Lockout after X minutes • SSP specific - DSS recommends 30 minutes • System Administrator resets account or account disabled for X minutes • SSP specific - DSS recommends 30 minutes

  22. Access Controls • When technically feasible, General Users should be restricted from security-relevant applications, i.e., file permissions

  23. File Protection • Authentication data (encrypted passwords) • System and network configuration data • System startup and shutdown • Commands that change the configuration • Commands that change user access • Files containing audit information • Commands that can change audit info

  24. Virus Protection • Required on all ISs (excluding some legacy systems – see the ISSM for details) • Should be updated every 30 days • ALL media needs to be checked • Report viruses to the ISSM

  25. Clearing and Sanitization • Printers • Print one page (font test) then power down

  26. Terminations • User Ids: • Validate annually • Disabled immediately or Remove account • Removed from Authorized User List Make a maintenance log entry regarding these actions!

  27. Physical Security • Above ceiling and below floor checks • With Security In Depth • 6 months for transmission lines • Without Security In Depth • monthly with lines

  28. Uncleared or Lower Cleared Maintenance Personnel Requirements • Maintenance Software must be marked: • UNCLASSIFIED - FOR MAINTENANCE USE ONLY • Write protected when possible - if it can not be write protected it becomes classified to the highest level on the IS • Uncleared maintenance personnel must be US Citizens

  29. Periods Processing • Separate Sessions • Different Classification Levels • Different Need-To-Know • Removable Media for each processing session

  30. SECRET/FGI UNCLASSIFIED SECRET/FGI UNCLASSIFIED Hardware Labels • Highest, more restrictive Category • Unclassified hardware must be marked UNCLASSIFIED

  31. SECRET CLASSIFIED BY: DD254 3 JUNE 1999 CONTRACT NO: XXXXXX DECLASSIFY ON: X3 PROJECT: XYZ CONFIDENTIAL CLASSIFIED BY: DD254 3 JUNE 1999 CONTRACT NO: XXXXXX DECLASSIFY ON: X3 PROJECT: XYZ UNCLASSIFIED Software Labels • DSS Marking Guide • http://people.lmaero.lmco.com/itrain/manage/dloads/DoD5200_1ph.pdf • Media Controls & Marking • All Media in a Controlled Area must be marked • Open Shelf Storage – Case by Case • Must be approved by DSS NISPOM 5-306a

  32. Hardware Modifications • Approved by ISSM • Prior to installation or execution • Recorded in Maintenance Log • Sanitization Record for Removal

  33. DAILY BLAB Technology Today TODAY - In The News • Contractor is reported to announce..continued on page 6) PUBLIC DISCLOSURES • Disclosures of classified information appearing in the public media, publications or other sources remains classified. • Individuals are not relieved of their obligation to maintain the secrecy of such information and are bound by the Non-Disclosure Agreement signed during their indoctrination. When responding to questions about the Company or other Company sites, including those released through: Radio or TV, Newspapers, Magazines or Trade Journals You should neither confirm nor deny information found in public sources. Questions should be referred to your local Security Office or to the appropriate Public Relations Office.

  34. Questions?

  35. The End

More Related