INFORMATION SYSTEM SECURITY
For Information Systems Security Officers and System Administrators
Disclaimer
This briefing is generic in nature and should be used as a guideline for briefing System Administrators and ISSOs; it should reflect the conditions, waivers and specific requirements of your program.
People to Know
• Facility Security Points of Contact (POCs)
• Facility Security Officer (FSO)
• Information Systems Security Manager (ISSM)
• Information Systems Security Officer (ISSO)
• Defense Security Service (DSS) Representatives
• Industrial Security Representative (ISR)
• Information System Security Professional (ISSP), previously known as the AIS Specialist
What is an Information System (IS)?
• Whatever is used to process classified information
Teamwork
• It is important that you, Security and DSS work together
• Security may have options for you that meet the requirements of DSS (NISPOM)
• Some of these options may be time/cost savers
• DSS is willing to hear other ways of doing things
• DSS lead time for approvals can be up to 180 days, counted from the time DSS receives the plan
Things You Need To Know
• What is in the Security Plan/Profile
• Movement of Equipment and Media
• What actions require you to notify your ISSM
• Downloading unclassified files from secure systems
• Audit records
• If you are not sure - ASK YOUR ISSM!
What's in the Security Plan
• The Plan is generic and covers the security at the facility
• Personnel Responsibilities
• Plant Physical Security
• General Operational Procedures
• System Configuration Management Plan
• Audit Features and Controls
• Clearing and Sanitization
It's Not Magic!
What's in the Security Profile
• The Profile is specific to your system
• System Identification & Requirements Specification (SIRS); this is the same as the old Concept of Operations
• Hardware and Software Baseline
• Configuration Drawing
• IS Access Authorization and Briefing Form
• Upgrade/Downgrade Procedures
• Maintenance Log
• Weekly Audit Log
What's in the Security Profile - cont'd
• The Profile is specific to your system
• ISSO/System Administrator Delegation Record
• Seal Log (if applicable)
• Information System Network Security Program (if applicable)
• Certification Test Guides - tests to ensure all safeguards are in place and operational
Movement of Equipment and Media
• Hardware going in/out of a controlled area must be approved!
• Co-Located Systems:
  • Systems must be clearly marked
  • Users must be briefed and cautioned about LAN contamination
• Files must be scanned for malicious code before being introduced to a classified computer system
• Downloading & marking lower level data (Trusted Downloads)
Who Should Be Notified When?
• Any equipment changes from the security profile: ISSO, in some cases ISSM
• Software upgrades: ISSO, in some cases ISSM
• Changes to the access list: ISSO
• Discrepancies with procedures: ISSM
• Abnormal events: ISSO & ISSM
• Detected viruses: ISSO & ISSM
Who Should Be Notified When? - cont'd
• Equipment not functioning: ISSO & ISSM
• Equipment requiring sanitizing: ISSO & ISSM
• Suspicious use of the systems (usually associated with Need-To-Know): ISSM & ISSO
• Visitors not being escorted: ISSO & ISSM
• When someone no longer needs access to the system: ISSO
Trusted Downloading: Copying Unclassified/Lower Level Files to Magnetic Media
• This MUST be approved by DSS/ISSM first!
• Check your Security Plan
• Be aware of what is classified
• Review files before and after copying
• Be aware of the embedded data issue
• Use a Government-approved utility
Audit Records
• Who fills out what? ISSOs & Users
• What logs are required? - Manual:
  • Maintenance
  • Hardware & Software
  • Upgrade/Downgrade
  • Sanitization
  • Weekly Audit Log – on-line record (Custodian, AISSO, ISSO)
  • Seal Log (if applicable)
Audit Records - cont'd
• What logs are required? - Automated, if technically capable:
  • Successful and unsuccessful logons and logoffs
  • Unsuccessful accesses to security-relevant objects and directories, including creation, open, modification and deletion
  • Changes in user authenticators, i.e., passwords
  • Denial of system access resulting from an excessive number of unsuccessful logon attempts
• If not technically capable, the Authorized Users list will be retained as an audit record
Re-Accreditation & Protection Measures
• Re-Accreditation
  • Every three years
  • After major changes
• Protection Measures
  • Unique identifier
  • Individual user IDs and authentication
  • Passwords
Passwords
• Minimum 14 characters
• Classified to the highest level of the system
• Changed every 6 months
• Changed when compromised
• Automated generation when possible
Passwords - cont'd
• If user generated:
  • No dictionary words
  • Mix upper and lower case
  • No blanks
• Examples: fly2high, Bigb&sRHip
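As an added example (not part of the briefing), a small Python checker for the password rules on these two slides, plus a generator for the "automated generation when possible" case; the word list is a constructed stand-in for a real dictionary file. Run against the slide's own two examples, it reports that both fall short of the 14-character minimum stated on the previous slide.

```python
import re
import secrets
import string

# Rules from the briefing: at least 14 characters, mixed upper and lower case,
# no blanks, no dictionary words, and automated generation when possible.
MIN_LENGTH = 14

# Constructed stand-in for a real dictionary / cracking word list.
DICTIONARY = {"password", "secret", "welcome", "admin", "fly", "high", "big", "hip"}


def policy_violations(password, dictionary=DICTIONARY):
    """Return the briefing rules the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("does not mix upper and lower case")
    if any(c.isspace() for c in password):
        problems.append("contains a blank")
    # Check each alphabetic run, so digits used as separators ("fly2high") cannot hide words.
    for token in re.findall(r"[A-Za-z]+", password):
        if token.lower() in dictionary:
            problems.append(f"contains dictionary word {token!r}")
    return problems


def generate_password(length=MIN_LENGTH):
    """Draw from the OS CSPRNG (secrets, not random) until a candidate passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation  # contains no blanks
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("fly2high", "Bigb&sRHip", generate_password()):
        print(f"{pw!r}: {policy_violations(pw) or 'compliant'}")
```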
Group Accounts
• Disable accounts not needed (guest, field, nobody)
• Change vendor pre-installed passwords
• A single person has responsibility
• Access kept to a minimum
DoD Warning Banner
• Required
• Positive user action
• Prominently displayed
Login Attempts
• Maximum of 5 attempts
• Lockout after X minutes (SSP specific - DSS recommends 30 minutes)
• System Administrator resets the account, or the account is disabled for X minutes (SSP specific - DSS recommends 30 minutes)
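As an added example (not from the briefing), a Python review of a constructed audit trail that flags the items the "Audit Records - Automated" slide lists and checks the 5-attempt lockout rule on this slide: a sixth failed logon for the same account inside the 30-minute window means the lockout control did not fire. The key=value log format, account names and object path are constructed for the example and are not any real system's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                         # briefing: maximum of 5 logon attempts
LOCKOUT_WINDOW = timedelta(minutes=30)   # DSS-recommended lockout period

# Constructed sample audit trail in a simple key=value line format (not any real
# system's log format); the event types mirror the automated-log list on the slide.
SAMPLE_LOG = """\
2024-05-06T08:01:10 user=jdoe event=logon result=success
2024-05-06T08:20:05 user=jdoe event=access object=/etc/shadow result=failure
2024-05-06T09:00:00 user=asmith event=logon result=failure
2024-05-06T09:00:08 user=asmith event=logon result=failure
2024-05-06T09:00:15 user=asmith event=logon result=failure
2024-05-06T09:00:23 user=asmith event=logon result=failure
2024-05-06T09:00:30 user=asmith event=logon result=failure
2024-05-06T09:00:38 user=asmith event=logon result=failure
2024-05-06T10:15:00 user=jdoe event=password_change result=success
2024-05-06T11:00:00 user=root event=logoff result=success
"""


def parse_line(line):
    """Split '<iso-timestamp> key=value ...' into a dict with a datetime under 'time'."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["time"] = datetime.fromisoformat(timestamp)
    return record


def review_audit_log(text):
    """Return the findings a weekly audit review should raise, per the briefing's list."""
    findings = []
    failed_logons = defaultdict(list)    # user -> timestamps of recent failed logons
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        user, event, result = rec["user"], rec["event"], rec["result"]
        if event == "logon" and result == "failure":
            # Keep only failures inside the lockout window, then apply the threshold.
            recent = [t for t in failed_logons[user] if rec["time"] - t <= LOCKOUT_WINDOW]
            recent.append(rec["time"])
            failed_logons[user] = recent
            if len(recent) > MAX_ATTEMPTS:   # a 6th attempt means no lockout occurred
                findings.append(f"{user}: {len(recent)} failed logons within "
                                f"{LOCKOUT_WINDOW}; lockout did not trigger")
        elif event == "access" and result == "failure":
            findings.append(f"{user}: denied access to {rec['object']}")
        elif event == "password_change":
            findings.append(f"{user}: authenticator changed")
    return findings
```

Calling `review_audit_log(SAMPLE_LOG)` returns three findings: the denied access to the authentication file, the sixth failed logon for asmith, and jdoe's authenticator change.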
Access Controls
• When technically feasible, General Users should be restricted from security-relevant applications, e.g., by file permissions
File Protection
• Authentication data (encrypted passwords)
• System and network configuration data
• System startup and shutdown
• Commands that change the configuration
• Commands that change user access
• Files containing audit information
• Commands that can change audit information
Virus Protection
• Required on all ISs (excluding some legacy systems – see the ISSM for details)
• Should be updated every 30 days
• ALL media needs to be checked
• Report viruses to the ISSM
Clearing and Sanitization
• Printers: print one page (font test), then power down
Terminations
• User IDs:
  • Validate annually
  • Disable immediately or remove the account
  • Remove from the Authorized User List
Make a maintenance log entry regarding these actions!
Physical Security
• Above-ceiling and below-floor checks
  • With Security In Depth: every 6 months for transmission lines
  • Without Security In Depth: monthly with lines
Uncleared or Lower Cleared Maintenance Personnel Requirements
• Maintenance software must be marked: UNCLASSIFIED - FOR MAINTENANCE USE ONLY
• Write protected when possible; if it cannot be write protected, it becomes classified to the highest level on the IS
• Uncleared maintenance personnel must be US Citizens
Periods Processing
• Separate sessions
• Different classification levels
• Different Need-To-Know
• Removable media for each processing session
Hardware Labels (example labels shown on the slide: SECRET/FGI, UNCLASSIFIED)
• Highest, more restrictive category
• Unclassified hardware must be marked UNCLASSIFIED
Software Labels
Example labels shown on the slide: SECRET / CLASSIFIED BY: DD254 3 JUNE 1999 / CONTRACT NO: XXXXXX / DECLASSIFY ON: X3 / PROJECT: XYZ; CONFIDENTIAL (same fields); UNCLASSIFIED
• DSS Marking Guide: http://people.lmaero.lmco.com/itrain/manage/dloads/DoD5200_1ph.pdf
Media Controls & Marking
• All media in a Controlled Area must be marked
• Open shelf storage – case by case; must be approved by DSS (NISPOM 5-306a)
Hardware Modifications
• Approved by the ISSM prior to installation or execution
• Recorded in the Maintenance Log
• Sanitization Record for removal
Public Disclosures
(Slide graphic: mock newspaper "DAILY BLAB - Technology Today")
• Disclosures of classified information appearing in the public media, publications or other sources remain classified.
• Individuals are not relieved of their obligation to maintain the secrecy of such information and are bound by the Non-Disclosure Agreement signed during their indoctrination.
When responding to questions about the Company or other Company sites, including those released through radio or TV, newspapers, magazines or trade journals, you should neither confirm nor deny information found in public sources. Questions should be referred to your local Security Office or to the appropriate Public Relations Office.