1 / 49

For Security Professionals

INFORMATION SYSTEM SECURITY. For Security Professionals. Objectives. Discuss the principles of Computer Security Identify required IS security documentation Identify the purpose of a System Security Plan (SSP). C. I. A. Foundations of Computer Security. Confidentiality

hal
Download Presentation

For Security Professionals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INFORMATION SYSTEM SECURITY ForSecurity Professionals

  2. Objectives • Discuss the principles of Computer Security • Identify required IS security documentation • Identify the purpose of a System Security Plan (SSP)

  3. C I A Foundations of Computer Security Confidentiality Integrity Availability Paragraph 8-401 NISPOM

  4. CONFIDENTIALITY PROTECTION OF DATA IN OR PROCESSED BY THE COMPUTER SYSTEM FROM DISCLOSURE

  5. INTEGRITY Protection of data software used or processed on classified systems. FROM: • MANIPULATION • DELETION

  6. AVAILABILITY Protecting the computer from malicious logic or natural disasters

  7. Protection LevelsNISPOM 8-402 PL-1 Dedicated PL-2 System High PL-3 Compartmented

  8. Protection Level (PL) 1Dedicated Security Mode • Clearance, N-T-K and, if applicable, all formal access approvals for all information TS TS

  9. TS TS Protection Level (PL) 2 System High Security Mode • Clearance and access approvals for all information but with different N-T-K b a

  10. Protection Level (PL) 3Compartmented Security Mode • Clearance for most restrictive information, but different formal access approvals NATO CRYPTO TS-NATO TOP SECRET CNWDI SAP

  11. Confidentiality Matrix TABLE 5 - Protection Profile Table for Confidentiality

  12. Levels of Concern 8-403Confidentality

  13. Integrity Matrix Must be contractually imposed.

  14. Levels of Concern 8-403Integrity Must be contractually imposed.

  15. Availability Matrix Must be contractually imposed.

  16. Levels of Concern 8-403Availability Must be contractually imposed.

  17. Cognizant Security Agency • Agencies of the Executive Branch authorized to establish an Industrial Security program The agencies are: DoD, DoE, CIA, and NRC. 8-101a, NISPOM

  18. Cognizant Security Office The entity designated by the Head of a CSA to administer industrial security on behalf of the CSA. Performs oversight, program review, training, and certification and accreditation of ISs used by its contractors 8-101a, NISPOM

  19. Contractor Role • Publish and promulgate an IS Security Policy • Appoint and train an Information Systems Security Manager (ISSM) 8-101b, NISPOM

  20. IS Security Manager (ISSM) • Not necessarily theFacility Security Officer(FSO) • Designated by Management • The CSA’s point ofcontact for IS security • Generally a very nice guy

  21. IS Security Officer (ISSO) • Appointed by ISSM in facilities with multiple accredited IS • Assists in day-to-day IS security operations • Has PCL, NTK, and formal access approvals for all information processed on accredited IS • Not so nice

  22. Security Documentation8-610 NISPOM • System Security Plan • Profile • Configuration Plan • Risk Acceptance Letter • Memorandum of Understanding • Protected Distribution System

  23. Basis for Accreditation

  24. System Security Plan • Defines Security Policy • Includes Configuration Management Plan • Covers the life-cycle of system • Target audience includes users, system administrative, government, and security staff • Best single security tool 8-610

  25. Self-Certification Master/Profile Concept Master/Profile System Security Plan

  26. Self-Certification ConceptProfile Requirements Approved TD Approved Periods Processing Approved Mobile Systems Approved Test Equipment • Same classification • Same PL level • Same Level of Concern • Same Environment • Approved O/S • Same system type

  27. Self-Certification ConceptNot Authorized • SIPRNET • WAN self-certs • Systems requiring variances • Audit variances • Alternate TD procedures • Legacy O/S

  28. SSP INCLUDES System requirements Personnel Clearance Level of Users Need to Know of Users Protection Level Physical controls Marking requirements • System Identification • Purpose • Security personnel • System description • Mission or purpose • Architecture • Classification Level • Formal Access Approvals 8-610a.(1)(a)

  29. SSP-Protection Measures • Audit Capabilities • Access Controls • Resource Controls • System Recovery • Security Testing • Data Transmission • I & A • Session Controls • System Assurance • Physical Security

  30. SSP-Protection Measures • Trusted Downloading • Software controls • Media controls • Maintenance • Clearing and sanitization • Self Inspections

  31. SSP-Variances and RAL letters • Description of approved variances from protection measures • Attach documentation • Documentation of any unique threat or vulnerabilities to system • Document if none exists

  32. SSP-May Also Include • MOU for connections to separately accredited networks & systems • Special purpose type systems • embedded systems • Other contractual issues

  33. Audit Records • Who fills out what? • ISSOs & Users • What logs are required? - Manual • Maintenance • Hardware & Software • Upgrade/Downgrade • Sanitization • Weekly Audit Log • Seal Log (If Applicable) • Receipt/Dispatch (If Applicable)

  34. Audit Records - cont’d • What logs are required - Automated • if technically capable • Successful and unsuccessful logons and logoffs • Unsuccessful accesses to security-relevant objects and directories, including: • creation • open • modification and deletion

  35. Audit Records - cont’d • Changes in user authenticators, i.e., passwords • Denial of system access resulting from an excessive number of unsuccessful logon attempts. • If not technically capable, the Authorized Users list will be retained as an audit record

  36. Re-Accreditation &Protection Measures • Re-Accreditation • Every Three Years • Major Changes • If no changes updated • SSP may not be required.

  37. Passwords • Minimum 8* Characters • Classified to the highest level of the system • Changed at least every 365* days • Changed when compromised • Automated generation when possible

  38. DoD Warning Banner • Required • Positive User Action • Prominently displayed

  39. Login Attempts • Maximum of 5* attempts • Lockout for 15* minutes

  40. Special CategoriesSection 5, Chapter 8May not meet all NISPOM Requirements • Single-users Stand-alones • Only one users accesses system • Pure Servers • No user code on system • Tactical, Embedded Special-Purpose Systems • Configured as directed by customer Customer can require additional requirements above NISPOM

  41. Clearing and Sanitization

  42. Clearing Removal of data from an IS, its storage devices and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e., keyboard strokes). DCID 6/3

  43. Sanitization The process of removing information from media or equipment such thatdata recovery using any known technique or analysis is prevented, as well as the removal of all classified labels and markings.DCID 6/3

  44. Clearing and Sanitization Matrixwww.dss.mil • Hard drives • May be degaussed or destroyed at end of life cycle • CPUs • Remove power for one minute • Printers • Print one page (font test) then power down

  45. Configuration Management Plan • Formal change control procedures for security-relevant hardware and software • Management of all documentation • Implement, test and verify CM plan

  46. CM Plan Documents: • Procedures to identify and document type, model and brand of IS hardware • Procedures to identify and document product names and version or release numbers and location of security relevant software • System connectivity 8-311

  47. Periods Processing • Separate Sessions • Different Classification • Levels • Different Need-To-Know • Removable Media for each processing session

  48. Summary • Principals of Computing Security • System Security Plan • Purpose • Contents • NISPOM = What • SSP = How

More Related