Title: For Information Systems Security Officers and System Administrators
1. For Information Systems Security Officers and System Administrators
INFORMATION SYSTEM SECURITY
2. Disclaimer
- This briefing is generic in nature and should be used as a guideline for briefing System Administrators and ISSOs and should reflect the conditions, waivers and specific requirements for your facility.
- ? NOTE: Anything addressed with this symbol is facility specific and may need to be changed for your company.
3. People to Know
- Facility Security Points of Contact (POCs)
  - Facility Security Officer (FSO)
  - Information Systems Security Manager (ISSM)
  - Information Systems Security Officer (ISSO)
    - (Old System Custodian)
- Defense Security Service (DSS) Representatives
  - Industrial Security Representative (ISR)
  - Information System Security Professional (ISSP)
    - previously known as the AIS Specialist
4. What is an Information System (IS)?
Whatever is used to process classified information
5. Teamwork
- It is important that you, Security and DSS work together
- Security may have options for you that meet the requirements of DSS (NISPOM)
- Some of these options may be time/cost savers
- DSS is willing to hear other ways of doing things
- DSS requires a 30 day lead time for approvals. It begins from the time DSS receives the plan.
6. Things You Need To Know
- What is in the Protection Profile
- Movement of Equipment and Media
- What actions require you to notify your ISSM
- Downloading unclassified files from secure systems
- Audit records
- If you are not sure - ASK YOUR ISSM!
7. What's in the Security Plan
- The Plan is Generic and covers the security at the facility
  - Personnel Responsibilities
  - Plant Physical Security
  - General Operational Procedures
  - System Configuration Management Plan
  - Audit Features and Controls
  - Clearing and Sanitization
8. PROTECTION LEVELS
- PL1 - Old Dedicated
  - Same level, same briefings, same NTK
- PL2 - Old System High
  - Same level, different NTK
- PL3 - Old Compartmented
  - Same level, different NTK and briefings
- PL4 - Old Multi-Level
  - Different levels, different NTK
9. What's in the Security Profile
- The Profile is Specific to Your System
  - System Identification Requirements Specification (SIRS): this is similar to the old Concept of Operations
  - Hardware and Software Baseline
  - Configuration Drawing
  - IS Access Authorization and Briefing Form
  - Upgrade/Downgrade Procedures Log
  - Maintenance Log
  - Weekly Audit Log
10. What's in the Security Profile - cont'd
- The Profile is Specific to Your System
  - ISSO/System Administrator Delegation Record
  - Seal Log (If Applicable)
  - Information System Network Security Program (If Applicable)
  - Receipt and Dispatch Record (If Applicable)
  - Certification Test Guides - Tests to ensure all safeguards are in place and operational
  - Sanitization Procedure and Record
11. Certification and Testing
- Inspection and Test procedures
  - Demonstrate compliance with security requirements
  - Identified in Master SSP
  - Ensures safeguards are in place and functioning properly
12. HARDWARE AND SOFTWARE
- Tested and Certified
  - By the ISSO or ISSM
  - Prior to installation
  - Method identified in Plan or Profile
13. Movement of Equipment and Media
- Hardware going in/out of controlled area
  - Must be approved/sanitized
- Co-Located Systems
  - Systems must be clearly marked
  - Users must be briefed and cautioned about System Contaminations
- Software can not be brought into the lab without being virus checked first
- Downloading and marking lower level data (Trusted Downloads)
14. Who Should Be Notified When?
- Any equipment changes from the security profile
  - ISSO, in some cases ISSM
- Software upgrades
  - ISSO, in some cases ISSM
- Changes to the access list
  - ISSO
- Discrepancies with procedures
  - ISSM
- Abnormal events
  - ISSO and ISSM
- Detect viruses
  - ISSO and ISSM
15. Who Should Be Notified When? - cont'd
- Equipment not functioning
  - ISSO and ISSM
- Equipment requiring sanitizing
  - ISSO and ISSM
- Suspicious use of the systems
  - ISSO and ISSM
- Visitors not being escorted
  - ISSO and ISSM
- When someone no longer needs access to the system
16. Trusted Downloading: Copying Unclassified/Lower Level Files to Magnetic Media
- This MUST be approved by DSS/ISSM first!
- These are OS and Application Specific
- Check your Security Plan
- Be aware of what is classified
- Review files before and after copying
- Determine if slack space is an issue
- Be aware of the embedded data issue
- Use a Government-approved utility
17. Audit Records
- Who fills out what?
  - ISSOs and Users
- What logs are required? - Manual
  - Maintenance
  - Hardware and Software
  - Upgrade/Downgrade
  - Sanitization
  - Weekly Audit Log
  - Custodian
  - Seal Log (If Applicable)
  - Receipt/Dispatch (If Applicable)
18. Audit Records - cont'd
- What logs are required - Automated
  - if technically capable
  - Successful and unsuccessful logons and logoffs
  - Unsuccessful accesses to security-relevant objects and directories, including
    - creation
    - open/close
    - modification and deletion
  - Changes in user authenticators, i.e., passwords
  - Denial of system access resulting from an excessive number of unsuccessful logon attempts.
- If not technically capable, the Authorized Users list will be retained as an audit record
19. Re-Accreditation and Protection Measures
- Re-Accreditation
  - every Three Years
  - major Changes
- Protection Measures
  - unique Identifier
  - individual User Ids and authentication
  - passwords
20. Passwords
- Minimum 8 Characters
- Classified to the highest level of the system
- Changed every 12 months
- Changed when compromised
- Automated generation when possible
21. Passwords - cont'd
- If User Generated
  - no dictionary words
  - mix upper and lower case
  - no blanks
- Examples
  - fly2high
  - BigbsRHip
  - ih2Pnp4s (I hate to pick new passwords for security)
22. Group Accounts
- Disable accounts not needed
  - guest
  - Supervisor
  - Administrator
- Change vendor pre-installed passwords
- Single person has responsibility
- Access kept to a minimum
23. DoD Warning Banner
- Required
- Positive User Action
- Prominently displayed
24. Login Attempts
- Maximum of 5 attempts
- Lockout after X minutes
  - SSP specific - DSS recommends 30 minutes
- System Administrator resets account or account disabled for X minutes
  - SSP specific - DSS recommends 30 minutes
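One way to review the logon records from slides 18 and 24 during the weekly audit, as an added example that is not part of the original briefing. The record format, the account names and the rule that the fifth consecutive failure triggers the lockout are assumptions, and the 30-minute window is the DSS-recommended value rather than your SSP's.

```python
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                 # slide 24: "Maximum of 5 attempts"
LOCKOUT = timedelta(minutes=30)  # DSS-recommended value; the SSP sets the real one

# Constructed sample records: "<ISO timestamp> <user> <LOGON_OK|LOGON_FAIL>"
SAMPLE_LOG = """\
2024-03-04T08:00:00 asmith LOGON_FAIL
2024-03-04T08:00:10 asmith LOGON_FAIL
2024-03-04T08:00:20 asmith LOGON_FAIL
2024-03-04T08:00:30 asmith LOGON_FAIL
2024-03-04T08:00:40 asmith LOGON_FAIL
2024-03-04T08:10:00 asmith LOGON_OK
2024-03-04T08:15:00 bjones LOGON_FAIL
2024-03-04T08:15:20 bjones LOGON_OK
2024-03-04T09:00:00 cdoe LOGON_FAIL
2024-03-04T09:00:10 cdoe LOGON_FAIL
2024-03-04T09:00:20 cdoe LOGON_FAIL
2024-03-04T09:00:30 cdoe LOGON_FAIL
2024-03-04T09:00:40 cdoe LOGON_FAIL
2024-03-04T09:45:00 cdoe LOGON_OK
"""

def review_logons(log_text, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT):
    """Return (lockouts, early_logons) as lists of (user, timestamp)."""
    failures, locked_until = {}, {}
    lockouts, early_logons = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        ts, user, event = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if user in locked_until and ts < locked_until[user]:
            if event == "LOGON_OK":
                # Logon inside the lockout window: confirm an administrator reset it
                early_logons.append((user, ts))
            continue
        if event == "LOGON_FAIL":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] >= max_attempts:
                locked_until[user] = ts + lockout
                lockouts.append((user, ts))
                failures[user] = 0
        elif event == "LOGON_OK":
            failures[user] = 0  # a successful logon resets the counter
    return lockouts, early_logons

if __name__ == "__main__":
    print(review_logons(SAMPLE_LOG))
```

Each lockout is a "denial of system access" audit event to record; each early logon should match an administrator reset, otherwise the lockout is not being enforced.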
25. Access Controls
- When technically feasible, General Users should be restricted from security-relevant applications, i.e., file permissions
26. File Protection
- Authentication data (encrypted passwords)
- System and network configuration data
- System startup and shutdown
- Commands that change the configuration
- Commands that change user access
- Files containing audit information
- Commands that can change audit info
27. Virus Protection
- Required on all ISs
- Should be updated every 30 days
- ALL media needs to be checked
- Report viruses to the ISSM
28. Clearing and Sanitization
- Printers
- Print one page (font test) then power down
29. Terminations
- User Ids
  - Disabled immediately, or
  - Removed
- Removed from Authorized User List
30. Physical Security
- Above false ceiling and below raised floor checks
  - With Security In Depth
    - 30 days for transmission lines
    - 6 months for no transmission lines
  - Without Security In Depth
    - weekly with lines
    - monthly without lines
31. Uncleared or Lower Cleared Maintenance Personnel Requirements
- Maintenance Software must be marked
  - UNCLASSIFIED - FOR MAINTENANCE USE ONLY
- Write protected when possible - if it can not be write protected it becomes classified to the highest level on the IS
- Approved container not required
32. Periods Processing
- Separate Sessions
  - Different Classification Levels
  - Different Need-To-Know
- Removable Media for each processing session
33. Hardware Labels
- Highest, more restrictive Category
- Unclassified hardware must be marked UNCLASSIFIED
34. Software Labels
- DSS Marking Supplement
  - www.dss.mil/isec/marking/index.htm
- Media Controls Marking
  - All Media in a Controlled Area Must Be Marked
- Open Shelf Storage
  - Must be approved by DSS NISPOM 5-306a
35. Hardware Modifications
- Approved by ISSO or ISSM
- Prior to installation or execution
- Recorded in Maintenance Log
- Sanitization Record for Removal
36. Questions?