INFORMATION SYSTEM SECURITY


INFORMATION SYSTEM SECURITY: For Users of Classified Information Systems (IS)

Disclaimer
This briefing is generic in nature and should be used as a guideline for briefing System Users.

Overview
- Acronyms
- General Users
- Responsibilities - All
- Information System Security Policies
- System Hardware and Software
- System Maintenance
- Passwords
- Auditing

Acronyms/Definitions
- FSO - Facility Security Officer
- ISSM - Information System Security Manager
- ISSO - Information System Security Officer
- Closed Area - Allows unattended classified processing
- Restricted Area - Allows attended classified processing

Acronyms/Definitions - cont'd
- DSS - Defense Security Service
- CSA - Cognizant Security Authority (i.e., DSS)
- C&A - Certification and Accreditation
- IATO - Interim Approval to Operate
- IS - Information System
- SSP - System Security Plan
- DAA - Designated Approving Authority

Acronyms/Definitions - cont'd
- NISPOM - National Industrial Security Program Operating Manual
- CM - Configuration Management
- PL1 - Protection Level 1
- ISSP - Information System Security Professional

General Users
That's YOU!!!
- Individuals who can input, modify, or receive information from an IS
- Individuals who have appropriate clearance, need-to-know and formal access approvals
- Individuals who have been authorized system access by the ISSM/ISSO

Responsibilities - All
Ensure that you are:
- Aware of your IS responsibilities
- Accountable for your actions
- Protecting your password at the highest classification level of the system, and not sharing it!
- Acknowledging in writing that you will protect the IS and all classified information

IS Policy and Procedures
- Information System Procedures
- Information System Security Plan
- Policy: DOD 5220.22-M, National Industrial Security Program Operating Manual, February 2006

ISSM
- Designated by management
- Responsible for all IS Security Education
- Establishes, implements and monitors the IS program and ensures compliance
- Identifies threats (internal/external)
- Ensures periodic self-inspections

ISSM - (cont'd)
- Acknowledgement statements
- Security features
- Implementation of SSP
- Maintenance procedures
- De-certification

ISSO
- May be appointed by ISSM
- May perform functions delegated by the ISSM
- Ensure SSP accurately depicts operational requirements
- Ensure unauthorized personnel are not granted access to an IS
- Ensure system recovery processes restore security features
- Ensure active user IDs are re-validated annually

Privileged Users
- System Administrators
- Users having superuser or root
- Users having the ability to change other users' access

System Hardware & Software
Authorization is required from ISSM/ISSO prior to installation.

System Hardware
- IS hardware must be examined prior to use for classified processing
- Must maintain strict Configuration Management
- ISSM must approve ALL configuration changes on classified systems
- ISSO will verify all new hardware or software is accounted for in the SSP

System Hardware - cont'd
Labels
- Highest, more restrictive Category
- Unclassified hardware must be marked UNCLASSIFIED
(Sample hardware labels shown on the slide: UNCLASSIFIED and SECRET/FGI)

System Hardware - cont'd
- Hardware going in/out of a controlled area must be approved!
- Co-Located Systems - systems must be clearly marked
- Users must be briefed and cautioned about LAN contamination risks

Hardware Modifications
- Approved by ISSM prior to installation or execution
- Recorded in Maintenance Log

System Software
- All software must be licensed and acquired from reputable and authorized sources only: approved vendors, GFE, in-house developed
- Personally-owned software is prohibited
- Restriction on shareware, freeware, public bulletin board software and software from foreign sources
- Must receive prior approval from ISSM/ISSO before loading on system
- Does not apply to routine software upgrades already stipulated in approved SSPs (e.g., anti-virus signature updates, etc.)

System Software - cont'd
- Software cannot be brought into the lab without being virus checked first
- Anti-virus signature files need to be kept current
- Notify ISSM/ISSO immediately should an infection occur
- DSS requirements: isolation and damage assessment prior to corrective actions
- Contamination of classified systems requires notification to DSS

System Software - cont'd
Trusted Downloading: Copying Unclassified/Lower Level Files to Magnetic Media
- This MUST be approved by DSS/ISSM first!
- Check your Security Plan
- Be aware of what is classified
- Review files before and after copying
- Be aware of the embedded data issue
- Use a Government-approved utility

System Software - cont'd
LABELS
- DSS Marking Supplement: http://people.lmaero.lmco.com/itrain/manage/dloads/markingguide.pdf
Media Controls & Marking
- All media in a Controlled Area must be marked
- Open shelf storage: case by case, must be approved by DSS (NISPOM 5-306a)
(Sample media labels shown on the slide: CONFIDENTIAL and SECRET labels reading "CLASSIFIED BY: DD254 3 JUNE 1999, CONTRACT NO: XXXXXX, DECLASSIFY ON: X3, PROJECT: XYZ", and an UNCLASSIFIED label)

System Software - cont'd
Foreign Coded or Foreign-Owned Software
- Research the origin of the software
- Foreign software will only be considered if there is no comparable American-made package
- Prior concurrence from DSS required on foreign coded packages
- Provide ample time to allow DSS to research the package

System Maintenance
- All system maintenance must be pre-coordinated through ISSO or ISSM prior to occurring
- Must use a cleared technician when at all possible: briefed company technician or briefed outside vendor technician

System Maintenance - cont'd
Uncleared Technicians
- Use only as a last resort
- Uncleared maintenance personnel must be US citizens
- Requires a technically knowledgeable shoulder-to-shoulder escort while in the secure area
- Prior sanitization of work areas as well as the systems in question
- Use of dedicated, unclassified media for maintenance
- If the system has a fixed internal drive, restrict access to all input and output devices

System Maintenance - cont'd
- Diagnostic equipment may not be connected to the system

Periods Processing
- Separate sessions
- Different classification levels
- Different need-to-know
- Removable media for each processing session

Who Should Be Notified When?
- Any equipment changes from the security profile: ISSM
- Software upgrades: ISSM
- Changes to the access list: ISSO
- Discrepancies with procedures: ISSM
- Abnormal events: ISSM & ISSO
- Detected viruses: ISSM & ISSO

Who Should Be Notified When? cont'd
- Equipment not functioning: ISSO & ISSM
- Equipment requiring sanitizing: ISSO & ISSM
- Suspicious use of the systems (usually associated with need-to-know): ISSO & ISSM
- Visitors not being escorted: ISSO & ISSM
- When someone no longer needs access to the system: ISSO

Audit Records
All audit records should include enough information to allow the ISSM/ISSO to determine:
- date and time of the action
- system locale of the action
- system entity that initiated or completed the action
- resources involved
- action involved
Protect the contents of audit trails against unauthorized access, modification or deletion.
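The following is an added example, not part of the briefing or any DSS tool: it checks constructed audit records for the five elements listed above, then seals them with an HMAC chain so that later modification or deletion of a record can be detected by whoever holds the key (assumed here to be the ISSM/ISSO rather than the system's users).

```python
import hashlib
import hmac
import json

# The five elements the briefing says every audit record must let
# the ISSM/ISSO determine (field names are this example's own).
REQUIRED = ("time", "locale", "entity", "resource", "action")

# Constructed sample records, not real audit data.
SAMPLE = [
    {"time": "2024-05-01T09:12:03Z", "locale": "WS-07", "entity": "jdoe",
     "resource": "/projects/xyz/spec.doc", "action": "read"},
    {"time": "2024-05-01T09:14:40Z", "locale": "WS-07", "entity": "jdoe",
     "resource": "/dev/sdb1", "action": "copy-out"},
    {"time": "2024-05-01T09:15:02Z", "locale": "WS-07", "entity": "jdoe",
     "resource": "/projects/xyz/spec.doc", "action": ""},  # incomplete
]


def missing_elements(record):
    """Names of required elements that are absent or empty in one record."""
    return [k for k in REQUIRED if not record.get(k)]


def _canonical(record):
    # Stable byte form so the same record always produces the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(records, key):
    """One HMAC tag per record, each chained to the previous record's tag."""
    tags, prev = [], b""
    for rec in records:
        prev = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        tags.append(prev)
    return tags


def verify(records, tags, key):
    """Index of the first record whose tag does not match, or None if intact."""
    if len(records) != len(tags):
        return min(len(records), len(tags))
    prev = b""
    for i, (rec, tag) in enumerate(zip(records, tags)):
        prev = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(prev, tag):
            return i
    return None
```

Removing only the final record (and its tag) is not detectable by the chain alone; the latest tag has to be stored somewhere the users cannot alter.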

Passwords
- Minimum 14 characters
- Classified to the highest level of the system
- Changed every 90 days
- Changed when compromised
- Automated generation when possible

Passwords - cont'd
If user generated:
- no dictionary words
- mix upper and lower case
- no blanks
Examples: fly2high, Bigb&sRHip
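The following is an added example, not code from the briefing: it applies the password rules from these two slides (14-character minimum, no dictionary words, mixed case, no blanks, change after 90 days or on compromise) to a candidate password. The dictionary is a small constructed stand-in; a real check would load a full word list.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a real word list.
DICTIONARY = {"fly", "high", "big", "hip", "password", "secret", "welcome"}

MIN_LENGTH = 14     # slide: minimum 14 characters
MAX_AGE_DAYS = 90   # slide: changed every 90 days


def check_password(candidate):
    """Return the list of briefing rules a user-generated password breaks.

    An empty list means the candidate satisfies all of them.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if any(ch.isspace() for ch in candidate):
        violations.append("contains a blank")
    has_upper = any(ch.isupper() for ch in candidate)
    has_lower = any(ch.islower() for ch in candidate)
    if not (has_upper and has_lower):
        violations.append("does not mix upper and lower case")
    # Split on non-letters so "fly2high" yields the words "fly" and "high".
    for word in re.findall(r"[A-Za-z]+", candidate):
        if word.lower() in DICTIONARY:
            violations.append(f"contains dictionary word '{word}'")
    return violations


def change_required(last_changed, today=None, compromised=False):
    """True when the password must be changed: 90 days old or compromised."""
    today = today or date.today()
    return compromised or (today - last_changed) >= timedelta(days=MAX_AGE_DAYS)
```

Run on the slide's own examples, the check reports that fly2high is 8 characters, all lower case and made of two dictionary words, and that Bigb&sRHip is 10 characters; both fall short of the 14-character minimum on the preceding slide.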

Clearing and Sanitization
- Printers: print one page (font test), then power down

Computer Incidents
- Don't touch or delete anything!
- Notify ISSO/ISSM as soon as possible
- ISSO/ISSM will perform a preliminary investigation of the incident

Computer Incidents - cont'd
- FSO will notify DSS
- ISSM will provide a solution to DSS on how to best resolve the situation

Public Disclosures
Disclosures of classified information appearing in the public media, publications or other sources remain classified. Individuals are not relieved of their obligation to maintain the secrecy of such information and are bound by the Non-Disclosure Agreement signed during their indoctrination.
(Illustration on the slide: a mock newspaper, "DAILY BLAB TODAY - In The News: Contractor is reported to announce... continued on page 6")
You should neither confirm nor deny information found in public sources. When responding to questions about the Company or other Company sites, including information released through radio or TV, newspapers, magazines or trade journals, or Technology Today, refer the questions to your local Security Office or to the appropriate Public Relations Office.

Conclusion
- Security is everyone's responsibility!
- You are in the trenches and can help us by being our eyes and ears to what is going on in the facilities
- Let's work together!

Questions?