Title: For Information Systems Security Officers and System Administrators
1For Information Systems Security Officers and
System Administrators
INFORMATION SYSTEM SECURITY
2Disclaimer
- This briefing is generic in nature and should be
used as a guideline for briefing System
Administrators and ISSOs and should reflect the
conditions, waivers and specific requirements for
your facility. -
- ? NOTE Anything addressed with this symbol is
facility specific and may need to be changed for
your company.
3People to Know
- Facility Security Points of Contact (POCs)
- Facility Security Officer (FSO)
- Information Systems Security Manager (ISSM)
- Information Systems Security Officer (ISSO)
- Defense Security Services (DSS) Representatives
- Industrial Security Representative (ISR)
- Information System Security Professional (ISSP)
- previously known as the AIS Specialist
- ? Special Agent
4What is an Information System (IS)?
Whatever is used to process classified information
5Teamwork
- It is important that you, Security and DSS work
together - Security may have options for you that meet the
requirements of DSS (NISPOM) - Some of these options may be time/cost savers
- DSS is willing to hear other ways of doing things
- DSS requires a 30 day lead time for approvals.
It begins from the time DSS receives the plan.
6Things You Need To Know
- What is in the Security Plan/Profile
- Movement of Equipment and Media
- What actions require you to notify your ISSM
- Downloading unclassified files from secure
systems - Audit records
- If you are not sure - ASK YOUR ISSM!
7Whats in the Security Plan
- The Plan is Generic and covers the security at
the facility - Personnel Responsibilities
- Plant Physical Security
- General Operational Procedures
- System Configuration Management Plan
- Audit Features and Controls
- Clearing and Sanitization
8Whats in the Security Profile
- The Profile is Specific to Your System
- System Identification Requirements
Specification (SIRS) this is the same as the old
Concept of Operations - Hardware and Software Baseline
- Configuration Drawing
- IS Access Authorization and Briefing Form
- Upgrade/Downgrade Procedures Log
- Maintenance Log
- Weekly Audit Log
9Whats in the Security Profile - contd
- The Profile is Specific to Your System
- ISSO/System Administrator Delegation Record
- Seal Log (If Applicable)
- Information System Network Security Program
- (If Applicable)
- Receipt and Dispatch Record
- Certification Test Guides - Tests to ensure all
- safeguards are in place and operational
- Sanitization Procedure and Record
10Movement of Equipment and Media
- Hardware going in/out of controlled area
- Must be approved!
- Co-Located Systems -
- Systems must be clearly marked
- Users must be briefed and cautioned about Lan
Contanminations - Software can not be brought into the lab without
being virus checked first - Downloading marking lower level data (Trusted
Downloads)
11Who Should Be Notified When?
- Any equipment changes from the security profile
- ISSO, in some cases ISSM
- Software upgrades
- ISSO, in some cases ISSM
- Changes to the access list
- ISSO
- Discrepancies with procedures
- ISSM
- Abnormal events
- ISSO ISSM
- Detect viruses
- ISSO ISSM
12Who Should Be Notified When? contd
- Equipment not functioning
- ISSO ISSM
- Equipment requiring sanitizing
- ISSO ISSM
- Suspicious use of the systems
- (usually associated with
- Need-To-Know)
- ISSO ISSM
- Visitors not being escorted
- ISSO ISSM
- When someone no longer needs
- access to the system
13Trusted DownloadingCopying Unclassified/Lower
Level Files to Magnetic Media
- This MUST be approved by DSS/ISSM first!
- Check your Security Plan
- Be aware of what is classified
- Review files before and after copying
- Determine if slack space is an issue
- Be aware of the embedded data issue
- Use a Government-approved utility
14Audit Records
- Who fills out what?
- ISSOs Users
- What logs are required? - Manual
- Maintenance
- Hardware Software
- Upgrade/Downgrade
- Sanitization
- Weekly Audit Log
- Custodian
- Seal Log (If Applicable)
- Receipt/Dispatch (If Applicable)
15Audit Records - contd
- What logs are required - Automated
- if technically capable
- Successful and unsuccessful logons and logoffs
- Unsuccessful accesses to security-relevant
objects and directories, including - creation
- open
- modification and deletion
- Changes in user authenticators, i.e., passwords
- Denial of system access resulting from an
excessive number of unsuccessful logon attempts. - If not technically capable, the Authorized Users
list - will be retained as an audit record
16Re-Accreditation Protection Measures
- Re-Accreditation
- every Three Years
- major Changes
- Protection Measures
- unique Identifier
- individual User Ids and Authentication
- passwords
17Passwords
- Minimum 8 Characters
- Classified to the highest level of the system
- Changed every 12 months
- Changed when compromised
- Automated generation when possible
18Passwords - contd
- If User Generated
- no dictionary words
- mix upper and lower case
- no blanks
- Examples
- fly2high
- BigbsRHip
- ih2Pnp4s (I hate to pick new passwords for
security)
19Group Accounts
- Disable accounts not needed
- guest
- field
- nobody
- Change vendor pre-installed passwords
- Single person has responsibility
- Access kept to a minimum
20DoD Warning Banner
- Required
- Positive User Action
- Prominently displayed
21Login Attempts
- Maximum of 5 attempts
- Lockout after X minutes
- SSP specific - DSS recommends 30 minutes
- System Administrator resets account or account
disabled for X minutes - SSP specific - DSS recommends 30 minutes
22Access Controls
- When technically feasible, General Users should
be restricted from security-relevant
applications, i.e., file permissions
23File Protection
- Authentication data (encrypted passwords)
- System and network configuration data
- System startup and shutdown
- Commands that change the configuration
- Commands that change user access
- Files containing audit information
- Commands that can change audit info
24Virus Protection
- Required on all ISs
- Should be updated every 30 days
- ALL media needs to be checked
- Report viruses to the ISSM
25Clearing and Sanitization
- Printers
- Print one page (font test) then power down
26Terminations
- User Ids
- Disabled immediately
- or
- Removed
- Removed from Authorized User List
27Physical Security
- Above ceiling and below floor checks
- With Security In Depth
- 30 days for transmission lines
- 6 months for no transmission lines
- Without Security In Depth
- weekly with lines
- monthly without lines
28Uncleared or Lower Cleared Maintenance Personnel
Requirements
- Maintenance Software must be marked
- UNCLASSIFIED - FOR MAINTENANCE USE ONLY
- Write protected when possible - if it can not be
write protected it becomes classified to the
highest level on the IS - Approved container not required
29Periods Processing
- Separate Sessions
- Different Classification Levels
- Different Need-To-Know
- Removable Media for each processing session
30Hardware Labels
- Highest, more restrictive Category
- Unclassified hardware must be marked UNCLASSIFIED
31Software Labels
- DSS Marking Supplement
- www.dss.mil/isec/marking/index.htm
- Media Controls Marking
- All Media in a Controlled Area must be marked
- Open Shelf Storage
- Must be approved by DSS NISPOM 5-306a
32Hardware Modifications
- Approved by ISSO or ISSM
- Prior to installation or execution
- Recorded in Maintenance Log
- Sanitization Record for Removal
33PUBLIC DISCLOSURES
- Disclosures of classified information appearing
in the public media, publications or other
sources remains classified. - Individuals are not relieved of their obligation
to maintain the secrecy of such information and
are bound by the Non-Disclosure Agreement signed
during their indoctrination.
- When responding to questions about the Company
or other Company sites, including those released
through - Radio or TV, Newspapers, Magazines or Trade
Journals
You should neither confirm nor deny information
found in public sources. Questions should be
referred to your local Security Office or to the
appropriate Public Relations Office.
34EMERGENCY!
- Everyone is reminded to evacuate the area by the
closest exit point immediately upon the sounding
of a fire alarm.
35Questions?
36