INFORMATION SYSTEM SECURITY For Users of Classified Information Systems (IS) 1
Disclaimer This briefing is generic in nature and should be used as a guideline for briefing System Users. 2
Overview Acronyms General Users Responsibilities - All Information System Security Policies System Hardware and Software System Maintenance Passwords Auditing 3
Acronyms/Definitions FSO- Facility Security Officer ISSM - Information System Security Manager ISSO - Information System Security Officer Closed Area - Allows unattended classified processing Restricted Area - Allows attended classified processing 4
Acronyms/Definitions - cont d DSS - Defense Security Service CSA - Cognizant Security Authority (i.e., DSS) C & A - Certification and Accreditation IATO - Interim Approval to Operate IS - Information System SSP - System Security Plan DAA - Designated Approving Authority 5
Acronyms/Definitions - cont d NISPOM - National Industrial Security Program Operating Manual CM - Configuration Management PL1 - Protection Level 1 ISSP - Information System Security Professional 6
General Users That s YOU!!! Individuals who can input, modify, or receive information from an IS Individuals who have appropriate clearance, need-to-know and formal access approvals Individuals who have been authorized system access by the ISSM/ISSO 7
Responsibilities - All Ensure that you are: Aware of your IS responsibilities Accountable for your actions Protection of your password to the highest classification level of the system and not sharing it! Acknowledging in writing, that you will protect the IS and all classified information 8
IS Policy and Procedures Information System Procedures Information System Security Plan Policy DOD 5220.22-M National Industrial Security Program Operating Manual February 2006 9
ISSM Designated by management Responsible for all IS Security Education Establishes, implements, monitors IS program and ensures compliance Identifies threats (internal/external) Ensures periodic self-inspections 10
ISSM - (cont d) Acknowledgement statements Security features Implementation of SSP Maintenance procedures De-certification 11
ISSO May be appointed by ISSM May perform functions delegated by the ISSM Ensure SSP accurately depicts operational requirements Ensure unauthorized personnel are not granted access to an IS Ensure system recovery processes restore security features Ensure active user IDs are re-validated annually 12
Privileged Users System Administrators Users having superuser or root Users having ability to change other user s access 13
System Hardware & Software Authorization is required from ISSM/ISSO prior to installation 14
System Hardware IS hardware must be examined prior to use for classified processing Must maintain strict Configuration Management ISSM must approve ALL configuration changes on classified systems ISSO will verify all new hardware or software is accounted for in the SSP 15
System Hardware - cont d Labels Highest, more restrictive Category Unclassified hardware must be marked UNCLASSIFIED UNCLASSIFIED SECRET/FGI UNCLASSIFIED SECRET/FGI 16
System Hardware - cont d Hardware going in/out of controlled area Must be approved! Co-Located Systems - Systems must be clearly marked Users must be briefed and cautioned about LAN Contamination risks 17
Hardware Modifications Approved by ISSM Prior to installation or execution Recorded in Maintenance Log 18
System Software All software must be licensed and acquired from reputable and authorized sources only Approved vendors, GFE, In-House developed Personally-owned software is prohibited Restriction on shareware, freeware, public bulletin board software and software from foreign sources Must receive prior approval from ISSM/ISSO before loading on system Does not apply to routine software upgrades already stipulated in approved SSP s. (e.g., Anti-virus signature updates, etc.) 19
System Software - cont d Software can not be brought into the lab without being virus checked first Anti-Virus signature files need to be kept current Notify ISSM/ISSO immediately should an infection occur DSS requirements: Isolation and damage assessment prior to corrective actions Contamination of classified systems requires notification to DSS 20
System Software - cont d Trusted Downloading Copying Unclassified/Lower Level Files to Magnetic Media This MUST be approved by DSS/ISSM first! Check your Security Plan Be aware of what is classified Review files before and after copying Be aware of the embedded data issue Use a Government-approved utility 21
System Software - cont d LABELS DSS Marking Supplement http://people.lmaero.lmco.com/itrain/manage/dloads/markingg uide.pdf Media Controls & Marking All Media in a Controlled Area Must be Marked Open Shelf Storage Case by Case Must be approved by DSS NISPOM 5-306a CONFIDENTIAL CLASSIFIED BY: DD254 3 JUNE 1999 CONTRACT NO: XXXXXX DECLASSIFY ON: X3 PROJECT: XYZ SECRET CLASSIFIED BY: DD254 3 JUNE 1999 CONTRACT NO: XXXXXX DECLASSIFY ON: X3 PROJECT: XYZ UNCLASSIFIED 22
System Software - cont d Foreign Coded or Foreign-Owned Software Research Origin of Software Foreign software will only be considered if there is no comparable American made package Prior concurrence from DSS required on foreign coded packages Provide ample time to allow DSS to research package 23
System Maintenance All system maintenance must be pre-coordinated through ISSO or ISSM prior to occurring Must use a cleared technician when at all possible Briefed company technician Briefed outside vendor technician 24
System Maintenance - cont d Uncleared Technicians Use only as a last resort Uncleared maintenance personnel must be US Citizens Requires a technically knowledgeable shoulder-toshoulder escort while in secure area Prior sanitization of work areas as well as the systems in question Use of dedicated, unclassified media for maintenance If system has fixed internal drive, restrict access to all input and output devices 25
System Maintenance - cont d Diagnostic equipment may not be connected to system 26
Periods Processing Separate Sessions Different Classification Levels Different Need-To-Know Removable Media for each processing session 27
Who Should Be Notified When? Any equipment changes from the security profile ISSM Software upgrades ISSM Changes to the access list ISSO Discrepancies with procedures ISSM Abnormal events ISSM & ISSO Detect viruses ISSM & ISSO 28
Who Should Be Notified When? cont d Equipment not functioning ISSO & ISSM Equipment requiring sanitizing ISSO & ISSM Suspicious use of the systems (usually associated with Need-To-Know) ISSO & ISSM Visitors not being escorted ISSO & ISSM When someone no longer needs access to the system ISSO 29
Audit Records All audit records should include enough information to allow the ISSM/ISSO to determine date and time of action system locale of the action system entity that initiated or completed the action resources involved action involved Protect the contents of audit trails against unauthorized access, modification or deletion 30
Passwords Minimum 14 Characters Classified to the highest level of the system Changed every 90 Days Changed when compromised Automated generation when possible 31
Passwords - cont d If User Generated: no dictionary words mix upper and lower case no blanks Examples: fly2high Bigb&sRHip 32
Clearing and Sanitization Printers Print one page (font test) then power down 33
Computer Incidents Don t touch or delete anything! Notify ISSO/ISSM as soon as possible ISSO/ISSM will perform a preliminary investigation of the incident 34
Computer Incidents - cont d FSO will notify DSS ISSM will provide a solution to DSS on how to best resolve the situation 35
Public Disclosures Disclosures of classified information appearing in the public media, publications or other sources remains classified. Individuals are not relieved of their obligation to maintain the secrecy of such information and are bound by the Non- Disclosure Agreement signed during their indoctrination. DAILY BLAB TODAY - In The News Contractor is reported to announce.. continued on page 6) You should neither confirm nor deny information found in public sources. Questions should be referred to your local Security Office or to the appropriate Public Relations Office. When responding to questions about the Company or other Company sites, including those released through: Radio or TV, Newspapers, Magazines or Trade Journals Technology Today 36
Conclusion Security is everyone s responsibility! You are in the trenches and can help us by being our eyes and ears to what is going on in the facilities Let s work together! 37
Questions? 38