For Information Systems Security Officers and System Administrators - PowerPoint PPT Presentation

1 / 37

About This Presentation

Title:

For Information Systems Security Officers and System Administrators

Description:

IS Access Authorization and Briefing Form. Upgrade/Downgrade Procedures & Log. Maintenance Log ... Users must be briefed and cautioned about System Contaminations ... – PowerPoint PPT presentation

Number of Views:206

Avg rating:3.0/5.0

Slides: 38

Provided by: Barbara453

Category:

more less

Transcript and Presenter's Notes

Title: For Information Systems Security Officers and System Administrators

1
For Information Systems Security Officers and
System Administrators
INFORMATION SYSTEM SECURITY
2
Disclaimer

This briefing is generic in nature and should be
used as a guideline for briefing System
Administrators and ISSOs and should reflect the
conditions, waivers and specific requirements for
your facility.
? NOTE Anything addressed with this symbol is
facility specific and may need to be changed for
your company.

3
People to Know

Facility Security Points of Contact (POCs)
Facility Security Officer (FSO)
Information Systems Security Manager (ISSM)
Information Systems Security Officer (ISSO)
(Old System Custodian)
Defense Security Service (DSS) Representatives
Industrial Security Representative (ISR)
Information System Security Professional (ISSP)
previously known as the AIS Specialist

4
What is an Information System (IS)?
Whatever is used to process classified information
5
Teamwork

It is important that you, Security and DSS work
together
Security may have options for you that meet the
requirements of DSS (NISPOM)
Some of these options may be time/cost savers
DSS is willing to hear other ways of doing things
DSS requires a 30 day lead time for approvals.
It begins from the time DSS receives the plan.

6
Things You Need To Know

What is in the Protection Profile
Movement of Equipment and Media
What actions require you to notify your ISSM
Downloading unclassified files from secure
systems
Audit records
If you are not sure - ASK YOUR ISSM!

7
Whats in the Security Plan

The Plan is Generic and covers the security at
the facility
Personnel Responsibilities
Plant Physical Security
General Operational Procedures
System Configuration Management Plan
Audit Features and Controls
Clearing and Sanitization

It's Not Magic!

8
PROTECTION LEVELS

PL1 - Old Dedicated
Same level, same briefings, same NTK
PL2 - Old System High
Same level, different NTK
PL3 - Old Compartmented
Same level, different NTK and briefings
PL4 - Old Multi-Level
Different levels, different NTK

9
Whats in the Security Profile

The Profile is Specific to Your System
System Identification Requirements
Specification (SIRS) this is similar to the old
Concept of Operations
Hardware and Software Baseline
Configuration Drawing
IS Access Authorization and Briefing Form
Upgrade/Downgrade Procedures Log
Maintenance Log
Weekly Audit Log

10
Whats in the Security Profile - contd

The Profile is Specific to Your System
ISSO/System Administrator Delegation Record
Seal Log (If Applicable)
Information System Network Security Program (If
Applicable)
Receipt and Dispatch Record (if applicable)
Certification Test Guides - Tests to ensure all
safeguards are in place and operational
Sanitization Procedure and Record

11
Certification and Testing

Inspection and Test procedures
Demonstrate compliance with security requirements
Identified in Master SSP
Ensures safeguards are in place and functioning
properly)

12
HARDWARE AND SOFTWARE

Tested and Certified
By the ISSO or ISSM
Prior to installation
Method identified in Plan or Profile

13
Movement of Equipment and Media

Hardware going in/out of controlled area
Must be approved/sanitized
Co-Located Systems -
Systems must be clearly marked
Users must be briefed and cautioned about System
Contaminations
Software can not be brought into the lab without
being virus checked first
Downloading marking lower level data (Trusted
Downloads)

14
Who Should Be Notified When?

Any equipment changes from the security profile
ISSO, in some cases ISSM
Software upgrades
ISSO, in some cases ISSM
Changes to the access list
ISSO
Discrepancies with procedures
ISSM
Abnormal events
ISSO ISSM
Detect viruses
ISSO ISSM

15
Who Should Be Notified When? contd

Equipment not functioning
ISSO ISSM
Equipment requiring sanitizing
ISSO ISSM
Suspicious use of the systems
ISSO ISSM
Visitors not being escorted
ISSO ISSM
When someone no longer needs
access to the system

16
Trusted DownloadingCopying Unclassified/Lower
Level Files to Magnetic Media

This MUST be approved by DSS/ISSM first!
These are OS and Application Specific
Check your Security Plan
Be aware of what is classified
Review files before and after copying
Determine if slack space is an issue
Be aware of the embedded data issue
Use a Government-approved utility

17
Audit Records

Who fills out what?
ISSOs Users
What logs are required? - Manual
Maintenance
Hardware Software
Upgrade/Downgrade
Sanitization
Weekly Audit Log
Custodian
Seal Log (If Applicable)
Receipt/Dispatch (If Applicable)

18
Audit Records - contd

What logs are required - Automated
if technically capable
Successful and unsuccessful logons and logoffs
Unsuccessful accesses to security-relevant
objects and directories, including
creation
open/close
modification and deletion
Changes in user authenticators, i.e., passwords
Denial of system access resulting from an
excessive number of unsuccessful logon attempts.
If not technically capable, the Authorized Users
list will be retained as an audit record

19
Re-Accreditation Protection Measures

Re-Accreditation
every Three Years
major Changes
Protection Measures
unique Identifier
individual User Ids and authentication
passwords

20
Passwords

Minimum 8 Characters
Classified to the highest level of the system
Changed every 12 months
Changed when compromised
Automated generation when possible

21
Passwords - contd

If User Generated
no dictionary words
mix upper and lower case
no blanks
Examples
fly2high
BigbsRHip
ih2Pnp4s (I hate to pick new passwords for
security)

22
Group Accounts

Disable accounts not needed
guest
Supervisor
Administrator
Change vendor pre-installed passwords
Single person has responsibility
Access kept to a minimum

23
DoD Warning Banner

Required
Positive User Action
Prominently displayed

24
Login Attempts

Maximum of 5 attempts
Lockout after X minutes
SSP specific - DSS recommends 30 minutes
System Administrator resets account or account
disabled for X minutes
SSP specific - DSS recommends 30 minutes

25
Access Controls

When technically feasible, General Users should
be restricted from security-relevant
applications, i.e., file permissions

26
File Protection

Authentication data (encrypted passwords)
System and network configuration data
System startup and shutdown
Commands that change the configuration
Commands that change user access
Files containing audit information
Commands that can change audit info

27
Virus Protection

Required on all ISs
Should be updated every 30 days
ALL media needs to be checked
Report viruses to the ISSM

28
Clearing and Sanitization

Printers
Print one page (font test) then power down

29
Terminations

User Ids
Disabled immediately
or
Removed
Removed from Authorized User List

30
Physical Security

Above false ceiling and below raised floor checks
With Security In Depth
30 days for transmission lines
6 months for no transmission lines
Without Security In Depth
weekly with lines
monthly without lines

31
Uncleared or Lower Cleared Maintenance Personnel
Requirements

Maintenance Software must be marked
UNCLASSIFIED - FOR MAINTENANCE USE ONLY
Write protected when possible - if it can not be
write protected it becomes classified to the
highest level on the IS
Approved container not required

32
Periods Processing