For Information Systems Security Officers and System Administrators - PowerPoint PPT Presentation

Slides: 37
Provided by: barbara296
1
For Information Systems Security Officers and
System Administrators
INFORMATION SYSTEM SECURITY
2
Disclaimer
  • This briefing is generic in nature and should be
    used as a guideline for briefing System
    Administrators and ISSOs and should reflect the
    conditions, waivers and specific requirements for
    your facility.
  • ? NOTE Anything addressed with this symbol is
    facility specific and may need to be changed for
    your company.

3
People to Know
  • Facility Security Points of Contact (POCs)
  • Facility Security Officer (FSO)
  • Information Systems Security Manager (ISSM)
  • Information Systems Security Officer (ISSO)
  • Defense Security Services (DSS) Representatives
  • Industrial Security Representative (ISR)
  • Information System Security Professional (ISSP)
  • previously known as the AIS Specialist
  • ? Special Agent

4
What is an Information System (IS)?
Whatever is used to process classified information
5
Teamwork
  • It is important that you, Security and DSS work
    together
  • Security may have options for you that meet the
    requirements of DSS (NISPOM)
  • Some of these options may be time/cost savers
  • DSS is willing to hear other ways of doing things
  • DSS requires a 30 day lead time for approvals.
    It begins from the time DSS receives the plan.

6
Things You Need To Know
  • What is in the Security Plan/Profile
  • Movement of Equipment and Media
  • What actions require you to notify your ISSM
  • Downloading unclassified files from secure
    systems
  • Audit records
  • If you are not sure - ASK YOUR ISSM!

7
What's in the Security Plan
  • The Plan is Generic and covers the security at
    the facility
  • Personnel Responsibilities
  • Plant Physical Security
  • General Operational Procedures
  • System Configuration Management Plan
  • Audit Features and Controls
  • Clearing and Sanitization
  • It's Not Magic!

8
What's in the Security Profile
  • The Profile is Specific to Your System
  • System Identification Requirements
    Specification (SIRS); this replaces what used to be
    called the Concept of Operations
  • Hardware and Software Baseline
  • Configuration Drawing
  • IS Access Authorization and Briefing Form
  • Upgrade/Downgrade Procedures Log
  • Maintenance Log
  • Weekly Audit Log

9
What's in the Security Profile - contd
  • The Profile is Specific to Your System
  • ISSO/System Administrator Delegation Record
  • Seal Log (If Applicable)
  • Information System Network Security Program
    (If Applicable)
  • Receipt and Dispatch Record
  • Certification Test Guides - Tests to ensure all
    safeguards are in place and operational
  • Sanitization Procedure and Record

10
Movement of Equipment and Media
  • Hardware going in/out of controlled area
  • Must be approved!
  • Co-Located Systems -
  • Systems must be clearly marked
  • Users must be briefed and cautioned about LAN
    contamination (lower-level data reaching a
    higher-level system, or the reverse)
  • Software can not be brought into the lab without
    being virus checked first
  • Downloading and marking lower-level data (Trusted
    Downloads)

11
Who Should Be Notified When?
  • Any equipment changes from the security profile:
    ISSO, in some cases ISSM
  • Software upgrades: ISSO, in some cases ISSM
  • Changes to the access list: ISSO
  • Discrepancies with procedures: ISSM
  • Abnormal events: ISSO and ISSM
  • Detected viruses: ISSO and ISSM

12
Who Should Be Notified When? contd
  • Equipment not functioning: ISSO and ISSM
  • Equipment requiring sanitizing: ISSO and ISSM
  • Suspicious use of the systems (usually associated
    with Need-To-Know): ISSO and ISSM
  • Visitors not being escorted: ISSO and ISSM
  • When someone no longer needs access to the system

13
Trusted Downloading - Copying Unclassified/Lower
Level Files to Magnetic Media
  • This MUST be approved by DSS/ISSM first!
  • Check your Security Plan
  • Be aware of what is classified
  • Review files before and after copying
  • Determine if slack space is an issue
  • Be aware of the embedded data issue
  • Use a Government-approved utility

14
Audit Records
  • Who fills out what? - ISSOs and Users
  • What logs are required? - Manual
  • Maintenance
  • Hardware/Software
  • Upgrade/Downgrade
  • Sanitization
  • Weekly Audit Log
  • Custodian
  • Seal Log (If Applicable)
  • Receipt/Dispatch (If Applicable)

15
Audit Records - contd
  • What logs are required? - Automated
    (if the system is technically capable)
  • Successful and unsuccessful logons and logoffs
  • Unsuccessful accesses to security-relevant
    objects and directories, including creation,
    open, modification and deletion
  • Changes in user authenticators, e.g., passwords
  • Denial of system access resulting from an
    excessive number of unsuccessful logon attempts
  • If the system is not technically capable, the
    Authorized Users list will be retained as an
    audit record
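The automated audit events listed above are only useful if someone reviews them, and on most systems they arrive interleaved with unrelated log noise. The following Python script is an added illustration (not from the briefing) of how a weekly audit review might sort log lines into the categories the slide requires. The log lines are a constructed syslog/sshd/PAM-style sample, not real data; the regular expressions match that sample and would need adjusting for the actual format your IS produces.

```python
"""Classify auth-log lines into the audit categories the briefing requires.

Added illustration, not part of the original briefing. SAMPLE_LOG is a
constructed syslog/sshd/PAM-style sample; real formats differ, so adapt PATTERNS.
"""
import re
from collections import Counter

# Constructed sample lines (not real data).
SAMPLE_LOG = """\
Jan 10 08:01:12 host sshd[410]: Accepted password for alice from 10.0.0.5 port 5001 ssh2
Jan 10 08:03:44 host sshd[412]: Failed password for bob from 10.0.0.9 port 5002 ssh2
Jan 10 08:03:50 host sshd[412]: Failed password for bob from 10.0.0.9 port 5002 ssh2
Jan 10 08:05:01 host passwd[501]: pam_unix(passwd:chauthtok): password changed for alice
Jan 10 08:06:30 host sshd[412]: Failed password for bob from 10.0.0.9 port 5002 ssh2
Jan 10 08:06:31 host pam_tally2[412]: user bob (1002) tally 5, deny 5 - account locked
Jan 10 08:10:00 host sshd[410]: pam_unix(sshd:session): session closed for user alice
Jan 10 08:11:15 host audit[600]: denied open of /etc/shadow by bob
"""

# One regex per required category; named groups capture the account and object.
PATTERNS = {
    "logon_success": re.compile(r"Accepted \w+ for (?P<user>\S+)"),
    "logon_failure": re.compile(r"Failed \w+ for (?P<user>\S+)"),
    "logoff": re.compile(r"session closed for user (?P<user>\S+)"),
    "authenticator_change": re.compile(r"password changed for (?P<user>\S+)"),
    "lockout": re.compile(r"user (?P<user>\S+) .*account locked"),
    "object_access_denied": re.compile(r"denied \w+ of (?P<object>\S+) by (?P<user>\S+)"),
}


def classify_line(line):
    """Return (category, details) for a line, or (None, {}) if it is not security-relevant."""
    for category, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return category, m.groupdict()
    return None, {}


def summarize(log_text):
    """Count events per category and failed logons per user: the totals a weekly review needs."""
    counts = Counter()
    failures_by_user = Counter()
    for line in log_text.splitlines():
        category, details = classify_line(line)
        if category is None:
            continue
        counts[category] += 1
        if category == "logon_failure":
            failures_by_user[details["user"]] += 1
    return counts, failures_by_user


if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_LOG)
    for category in PATTERNS:
        print(f"{category:22s} {counts[category]}")
    print("failed logons by user:", dict(failures))
```

Anything the script cannot classify is dropped silently here; on a real review you would keep those lines in a separate bucket and look at them, since an attacker's activity often shows up as messages nobody wrote a pattern for.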

16
Re-Accreditation / Protection Measures
  • Re-Accreditation
  • every three years
  • upon major changes
  • Protection Measures
  • unique identifier
  • individual user IDs and authentication
  • passwords

17
Passwords
  • Minimum 8 Characters
  • Classified to the highest level of the system
  • Changed every 12 months
  • Changed when compromised
  • Automated generation when possible

18
Passwords - contd
  • If User Generated
  • no dictionary words
  • mix upper and lower case
  • no blanks
  • Examples
  • fly2high
  • BigbsRHip
  • ih2Pnp4s (I hate to pick new passwords for security)
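The user-generated rules above are easy to state and easy to get wrong by hand, so the check below, an added Python example that is not part of the briefing, applies them mechanically: minimum 8 characters, no blanks, mixed upper and lower case, and not a dictionary word. The dictionary is a small constructed stand-in (in practice load a real word list, for example /usr/share/dict/words). Note that by the slide's own criteria the example "fly2high" contains no upper-case letter, and the checker reports exactly that.

```python
"""Check a user-generated password against the briefing's rules.

Added illustration, not part of the original briefing. DICTIONARY is a constructed
stand-in for a real word list such as /usr/share/dict/words.
"""

# Constructed stand-in for a dictionary file.
DICTIONARY = {"fly", "high", "big", "hip", "password", "security", "pick"}

# Digit/symbol-for-letter substitutions to undo before the dictionary lookup.
LEET = str.maketrans("013457@$", "oleastas")


def check_password(pw, dictionary=DICTIONARY):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if " " in pw:
        problems.append("contains a blank")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("does not mix upper and lower case")
    # The dictionary rule is applied to the whole password, as the slide's own
    # examples imply (fly2high is accepted although "fly" and "high" are words).
    lower = pw.lower()
    candidates = {
        lower,                                # exact word
        lower.translate(LEET),                # Passw0rd -> password
        "".join(c for c in lower if c.isalpha()),  # password1 -> password
    }
    if candidates & dictionary:
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ["fly2high", "BigbsRHip", "ih2Pnp4s", "Passw0rd", "my secret"]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

Whole-password dictionary matching is weak against two-word constructions; if your SSP requires it, extend the candidate set by splitting on digits and checking each fragment.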

19
Group Accounts
  • Disable accounts not needed
  • guest
  • field
  • nobody
  • Change vendor pre-installed passwords
  • Single person has responsibility
  • Access kept to a minimum
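"Disable accounts not needed" is a check that can be scripted against the account database rather than trusted to memory. The Python below is an added example, not from the briefing; it reads constructed /etc/shadow-style lines and flags the named accounts if they still have a usable password, plus any account whose password field is empty (which on most UNIX systems means logon with no password at all). A locked account is taken to have a field of "*" or one beginning with "!", the convention used by passwd -l and usermod -L.

```python
"""Flag accounts that should be disabled but still have a usable password.

Added illustration, not part of the original briefing. SHADOW is a constructed
/etc/shadow-style sample, not real data.
"""

UNNEEDED = {"guest", "field", "nobody"}  # accounts the briefing names

# Constructed sample: root and alice are legitimate, guest is still enabled,
# field has an EMPTY password field, nobody is properly locked with "*".
SHADOW = """\
root:$6$abc$hash1:19000:0:99999:7:::
guest:$1$vendor$hash2:19000:0:99999:7:::
field::19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
alice:$6$xyz$hash3:19000:0:99999:7:::
"""


def is_disabled(pw_field):
    """True when the password field can never match: '*', '!', '!!' or a '!'-prefixed hash."""
    return pw_field == "*" or pw_field.startswith("!")


def review_accounts(shadow_text, unneeded=UNNEEDED):
    """Return {user: reason} for unneeded accounts left enabled and any passwordless account."""
    findings = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, pw_field = line.split(":")[:2]
        if pw_field == "":
            findings[user] = "empty password field: logs in without a password"
        elif user in unneeded and not is_disabled(pw_field):
            findings[user] = "unneeded account still enabled"
    return findings


if __name__ == "__main__":
    for user, reason in review_accounts(SHADOW).items():
        print(f"{user}: {reason}")
```

The vendor pre-installed password on the slide cannot be detected from the hash alone; to check it you need the vendor's documented default and must hash it with the same salt, or simply change it as the slide says.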

20
DoD Warning Banner
  • Required
  • Positive User Action
  • Prominently displayed

21
Login Attempts
  • Maximum of 5 attempts
  • Lockout after X minutes
  • SSP specific - DSS recommends 30 minutes
  • System Administrator resets account or account
    disabled for X minutes
  • SSP specific - DSS recommends 30 minutes
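The lockout rule has two edge cases worth getting right: a correct password presented during the lockout window must still be rejected (otherwise the lockout tells a guesser when they have hit the right one), and the counter must reset both when the window expires and when the administrator resets the account. The Python below is an added example, not from the briefing, modelling the slide's 5-attempt limit and the DSS-recommended 30-minute lockout; the clock is passed in as minutes so the behaviour can be exercised without waiting.

```python
"""Model the briefing's lockout rule: 5 failed attempts, then 30 minutes locked
(DSS-recommended default; your SSP may set another value) or an admin reset.

Added illustration, not part of the original briefing. Times are plain minute
counts supplied by the caller so the logic is testable without a real clock.
"""
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5        # slide: maximum of 5 attempts
LOCKOUT_MINUTES = 30    # slide: DSS recommends 30 minutes (SSP specific)


@dataclass
class Account:
    name: str
    failures: int = 0
    locked_until: Optional[float] = None  # minutes on the caller's clock


def is_locked(acct, now):
    """Return True while the lockout is in force; clear it once it has expired."""
    if acct.locked_until is None:
        return False
    if now >= acct.locked_until:
        acct.locked_until = None
        acct.failures = 0
        return False
    return True


def attempt_login(acct, password_ok, now):
    """Return 'locked', 'success' or 'failed', updating the failure count and lockout."""
    if is_locked(acct, now):
        return "locked"          # rejected even if password_ok is True
    if password_ok:
        acct.failures = 0
        return "success"
    acct.failures += 1
    if acct.failures >= MAX_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_MINUTES
    return "failed"


def admin_reset(acct):
    """System Administrator resets the account (the slide's alternative to waiting)."""
    acct.failures = 0
    acct.locked_until = None


if __name__ == "__main__":
    bob = Account("bob")
    for _ in range(5):
        print(attempt_login(bob, False, now=0))   # failed x5
    print(attempt_login(bob, True, now=10))       # locked
    print(attempt_login(bob, True, now=30))       # success
```

Every "failed" and "locked" result above is also an auditable event under the Audit Records slide (unsuccessful logon, denial of access from excessive attempts), so the same code path should write the log record.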

22
Access Controls
  • When technically feasible, General Users should
    be restricted from security-relevant
    applications, e.g., by means of file permissions

23
File Protection
  • Authentication data (stored password hashes)
  • System and network configuration data
  • System startup and shutdown
  • Commands that change the configuration
  • Commands that change user access
  • Files containing audit information
  • Commands that can change audit info
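The file classes above are the ones whose permission bits should be checked on a schedule, not once at certification. The Python below is an added example, not from the briefing: it compares each file's mode against a maximum permitted mode and reports the excess bits. The paths are the conventional Linux locations for the classes the slide lists and the maximum modes are an assumed hardening baseline; adjust both to your SSP. So that it runs without root, the demo builds a throwaway copy of the tree in a temporary directory with deliberately wrong modes.

```python
"""Report security-relevant files that carry more permission than policy allows.

Added illustration, not part of the original briefing. POLICY paths are the usual
Linux locations for the file classes on the slide; the maximum modes are an
assumed baseline. build_demo_tree() creates constructed files for the demo.
"""
import os
import stat
import tempfile

# Maximum permitted mode per file class (assumption: a common hardening baseline).
POLICY = {
    "etc/shadow": 0o600,                # authentication data (password hashes)
    "etc/ssh/sshd_config": 0o644,       # system and network configuration
    "etc/rc.local": 0o755,              # system startup/shutdown
    "usr/sbin/useradd": 0o755,          # commands that change user access
    "var/log/audit/audit.log": 0o600,   # files containing audit information
}


def excess_bits(path, max_mode):
    """Return permission bits set on path that max_mode does not allow (0 if compliant)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & ~max_mode


def audit_tree(root, policy=POLICY):
    """Return {relative_path: excess_bits} for every policy file that is too permissive."""
    findings = {}
    for rel, max_mode in policy.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            continue  # a missing file is a different finding; only modes are checked here
        excess = excess_bits(path, max_mode)
        if excess:
            findings[rel] = excess
    return findings


def build_demo_tree(modes):
    """Create the policy files under a fresh temp dir with the given modes (constructed input)."""
    root = tempfile.mkdtemp()
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("demo\n")
        os.chmod(path, mode)
    return root


# Constructed demo modes: three of the five files are deliberately too open.
DEMO_MODES = {
    "etc/shadow": 0o644,                # world-readable hashes: violation
    "etc/ssh/sshd_config": 0o644,       # compliant
    "etc/rc.local": 0o777,              # world-writable startup script: violation
    "usr/sbin/useradd": 0o755,          # compliant
    "var/log/audit/audit.log": 0o640,   # group-readable audit log: violation
}


if __name__ == "__main__":
    root = build_demo_tree(DEMO_MODES)
    for rel, bits in audit_tree(root).items():
        print(f"{rel}: excess permission bits {oct(bits)}")
```

Run against a real host with audit_tree("/"); mode bits are only part of the picture, and ownership (root:root for everything listed) should be checked in the same pass.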

24
Virus Protection
  • Required on all ISs
  • Should be updated every 30 days
  • ALL media needs to be checked
  • Report viruses to the ISSM

25
Clearing and Sanitization
  • Printers
  • Print one page (font test) then power down

26
Terminations
  • User Ids
  • Disabled immediately
  • or
  • Removed
  • Removed from Authorized User List

27
Physical Security
  • Above ceiling and below floor checks
  • With Security In Depth
  • 30 days for transmission lines
  • 6 months for no transmission lines
  • Without Security In Depth
  • weekly with lines
  • monthly without lines

28
Uncleared or Lower Cleared Maintenance Personnel
Requirements
  • Maintenance Software must be marked
  • UNCLASSIFIED - FOR MAINTENANCE USE ONLY
  • Write protected when possible - if it can not be
    write protected it becomes classified to the
    highest level on the IS
  • Approved container not required

29
Periods Processing
  • Separate Sessions
  • Different Classification Levels
  • Different Need-To-Know
  • Removable Media for each processing session

30
Hardware Labels
  • Highest level and most restrictive category
  • Unclassified hardware must be marked UNCLASSIFIED

31
Software Labels
  • DSS Marking Supplement
  • www.dss.mil/isec/marking/index.htm
  • Media Controls Marking
  • All Media in a Controlled Area must be marked
  • Open Shelf Storage
  • Must be approved by DSS (NISPOM 5-306a)

32
Hardware Modifications
  • Approved by ISSO or ISSM
  • Prior to installation or execution
  • Recorded in Maintenance Log
  • Sanitization Record for Removal

33
PUBLIC DISCLOSURES
  • Classified information appearing in the public
    media, publications or other sources remains
    classified.
  • Individuals are not relieved of their obligation
    to maintain the secrecy of such information and
    are bound by the Non-Disclosure Agreement signed
    during their indoctrination.
  • When responding to questions about the Company
    or other Company sites, including information
    released through radio or TV, newspapers,
    magazines or trade journals, you should neither
    confirm nor deny information found in public
    sources. Questions should be referred to your
    local Security Office or to the appropriate
    Public Relations Office.
34
EMERGENCY!
  • Everyone is reminded to evacuate the area by the
    closest exit point immediately upon the sounding
    of a fire alarm.

35
Questions?
36
  • The End