UNCLASSIFIED
Disclaimer
This briefing is generic in nature and should be
used as a guideline for briefing System Users.
Overview
Acronyms
General Users
Responsibilities - All
Information System Security Policies
System Hardware and Software
System Maintenance
Passwords
Auditing
Acronyms/Definitions
FSO - Facility Security Officer
ISSM - Information System Security Manager
ISSO - Information System Security Officer
Closed Area - Allows unattended classified processing
Restricted Area - Allows attended classified processing
Acronyms/Definitions - cont’d
DSS - Defense Security Service
CSA - Cognizant Security Authority (i.e., DSS)
C & A - Certification and Accreditation
IATO - Interim Approval to Operate
IS - Information System
SSP - System Security Plan
DAA - Designated Approving Authority
Acronyms/Definitions - cont’d
NISPOM - National Industrial Security Program Operating Manual
CM - Configuration Management
PL1 - Protection Level 1
ISSP - Information System Security Professional
General Users
That’s YOU!!!
Individuals who can input, modify, or receive information from an IS
Individuals who have appropriate clearance, need-to-know and formal access approvals
Individuals who have been authorized system access by the ISSM/ISSO
Responsibilities - All
Ensure that you are:
Aware of your IS responsibilities
Accountable for your actions
Protecting your password at the highest classification level of the system, and not sharing it!
Acknowledging in writing that you will protect the IS and all classified information
IS Policy and Procedures
Policy: DOD 5220.22-M, National Industrial Security Program Operating Manual, February 2006
Procedures: Information System Security Plan
Policy (NISPOM) -> Procedures (SSP) -> Information System
ISSM
Designated by management
Responsible for all IS Security Education
Establishes, implements, monitors IS program and ensures compliance
Identifies threats (internal/external)
Ensures periodic self-inspections
ISSM - (cont’d)
Acknowledgement statements
Security features
Implementation of SSP
Maintenance procedures
De-certification
ISSO
May be appointed by ISSM
May perform functions delegated by the ISSM
Ensure SSP accurately depicts operational requirements
Ensure unauthorized personnel are not granted access to an IS
Ensure system recovery processes restore security features
Ensure active user IDs are re-validated annually
Privileged Users
System Administrators
Users having “superuser” or “root”
Users having the ability to change other users’ access
System Hardware & Software
Authorization is required from ISSM/ISSO prior to installation
System Hardware
IS hardware must be examined prior to use for classified processing
Must maintain strict Configuration Management
ISSM must approve ALL configuration changes on classified systems
ISSO will verify all new hardware or software is accounted for in the SSP
System Hardware - cont’d: Labels
Label hardware at the highest, most restrictive category it processes
Unclassified hardware must be marked UNCLASSIFIED
Sample labels: UNCLASSIFIED, SECRET/FGI
System Hardware - cont’d
Hardware going in/out of a controlled area must be approved!
Co-Located Systems:
Systems must be clearly marked
Users must be briefed and cautioned about LAN contamination risks
Hardware Modifications
Approved by ISSM
Prior to installation or execution
Recorded in Maintenance Log
System Software
All software must be licensed and acquired from reputable and authorized sources only
Approved vendors, GFE, in-house developed
Personally-owned software is prohibited
Restrictions on shareware, freeware, public bulletin board software and software from foreign sources
Must receive prior approval from ISSM/ISSO before loading on the system
Does not apply to routine software upgrades already stipulated in approved SSPs (e.g., anti-virus signature updates)
System Software - cont’d
Software cannot be brought into the lab without being virus checked first
Anti-virus signature files need to be kept current
Notify ISSM/ISSO immediately should an infection occur
DSS requirements:
Isolation and damage assessment prior to corrective actions
Contamination of classified systems requires notification to DSS
System Software - cont’d: Trusted Downloading
Copying Unclassified/Lower Level Files to Magnetic Media
This MUST be approved by DSS/ISSM first!
Check your Security Plan
Be aware of what is classified
Review files before and after copying
Be aware of the embedded data issue
Use a Government-approved utility
System Software - cont’d: Labels
DSS Marking Supplement: http://people.lmaero.lmco.com/itrain/manage/dloads/markingguide.pdf
Media Controls & Marking
All media in a controlled area must be marked
Open Shelf Storage – case by case; must be approved by DSS (NISPOM 5-306a)
Sample media labels:
UNCLASSIFIED
SECRET / CLASSIFIED BY: DD254, 3 JUNE 1999 / CONTRACT NO: XXXXXX / DECLASSIFY ON: X3 / PROJECT: XYZ
CONFIDENTIAL / CLASSIFIED BY: DD254, 3 JUNE 1999 / CONTRACT NO: XXXXXX / DECLASSIFY ON: X3 / PROJECT: XYZ
System Software - cont’d: Foreign Coded or Foreign-Owned Software
Research the origin of the software
Foreign software will only be considered if there is no comparable American-made package
Prior concurrence from DSS is required on foreign coded packages
Provide ample time to allow DSS to research the package
System Maintenance
All system maintenance must be pre-coordinated through the ISSO or ISSM prior to occurring
Must use a cleared technician whenever possible:
Briefed company technician
Briefed outside vendor technician
System Maintenance - cont’d
Uncleared Technicians
Use only as a last resort
Uncleared maintenance personnel must be US citizens
Requires a technically knowledgeable “shoulder-to-shoulder” escort while in the secure area
Prior sanitization of work areas as well as the systems in question
Use of dedicated, unclassified media for maintenance
If the system has a fixed internal drive, restrict access to all input and output devices
Periods Processing
Separate Sessions
Different Classification Levels
Different Need-To-Know
Removable Media for each processing session
Who Should Be Notified When?
Any equipment changes from the security profile - ISSM
Software upgrades - ISSM
Changes to the access list - ISSO
Discrepancies with procedures - ISSM
Abnormal events - ISSM & ISSO
Detected viruses - ISSM & ISSO
Who Should Be Notified When? - cont’d
Equipment not functioning - ISSO & ISSM
Equipment requiring sanitizing - ISSO & ISSM
Suspicious use of the systems (usually associated with Need-To-Know) - ISSO & ISSM
Visitors not being escorted - ISSO & ISSM
When someone no longer needs access to the system - ISSO
Audit Records
All audit records should include enough information to allow the ISSM/ISSO to determine:
date and time of the action
system locale of the action
system entity that initiated or completed the action
resources involved
action involved
Protect the contents of audit trails against unauthorized access, modification or deletion
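The following is an added example, not part of the briefing and not a DSS-prescribed format: it shows an audit record that carries the five elements listed above, a check that refuses records missing any of them, and a simple SHA-256 hash chain that lets the ISSM/ISSO detect after the fact whether an entry was modified or deleted. The field names, the sample workstation/user/file values, and the hash-chain layout are assumptions made for illustration; controlling who may read the trail (the "unauthorized access" part) is an access-control matter outside this snippet.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

# The five elements the briefing requires in every audit record (names assumed here).
REQUIRED_FIELDS = ("timestamp", "locale", "entity", "resource", "action")

GENESIS = "0" * 64  # assumed "previous digest" for the first entry in a trail


def make_record(locale: str, entity: str, resource: str, action: str,
                when: Optional[datetime] = None) -> dict:
    """Build a record carrying all five required elements."""
    when = when or datetime.now(timezone.utc)
    return {
        "timestamp": when.isoformat(),  # date and time of the action
        "locale": locale,               # system locale (host/terminal) of the action
        "entity": entity,               # user or process that initiated/completed it
        "resource": resource,           # resources involved
        "action": action,               # action involved
    }


def missing_fields(record: dict) -> List[str]:
    """Names of required elements that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _digest(prev: str, record: dict) -> str:
    return hashlib.sha256(prev.encode() + _canonical(record)).hexdigest()


def append_record(chain: List[dict], record: dict) -> dict:
    """Append a record, refusing incomplete ones and linking it to its predecessor."""
    missing = missing_fields(record)
    if missing:
        raise ValueError(f"audit record missing required elements: {missing}")
    prev = chain[-1]["digest"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "digest": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict]) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None if intact.

    A modified record no longer matches its stored digest; a deleted entry breaks
    the link from its successor; either is reported at the first affected index.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["digest"] != _digest(prev, entry["record"]):
            return i
        prev = entry["digest"]
    return None


def build_sample_chain() -> List[dict]:
    """Constructed sample records (not real log data) for demonstration."""
    t0 = datetime(2006, 3, 1, 9, 0, tzinfo=timezone.utc)
    chain: List[dict] = []
    append_record(chain, make_record("WS-07", "jdoe", "/proj/xyz/report.doc", "read", t0))
    append_record(chain, make_record("WS-07", "jdoe", "/proj/xyz/report.doc", "write", t0))
    append_record(chain, make_record("WS-02", "root", "/etc/passwd", "modify", t0))
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))            # None
    chain[1]["record"]["action"] = "delete"          # simulate tampering with entry 1
    print("after tampering:", verify_chain(chain))   # 1
```

The chain only proves integrity from the point of the last digest the ISSM/ISSO has recorded out of band (for example, noted on the maintenance log); anyone who can rewrite the whole file can rebuild the chain, so the stored digests must be protected as tightly as the trail itself.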
Passwords
Minimum 14 Characters
Classified to the highest level of the system
Changed every 90 Days
Changed when compromised
Automated generation when possible
Passwords - cont’d
If user generated:
no dictionary words
mix upper and lower case
no blanks
Examples of mixing letters, digits and symbols (note: both are shorter than the 14-character minimum stated above, and fly2high has no upper case):
fly2high
Bigb&sRHip
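As an added example (not part of the briefing), the following checker applies the rules from these two slides: minimum 14 characters, no blanks, mixed upper and lower case, no dictionary words, a 90-day change interval, and automated generation where possible. Run against the briefing's own examples it shows why they would be rejected. The word list is a constructed stand-in (a real deployment would load a full dictionary), and the generation alphabet is an assumption.

```python
import secrets
import string
from datetime import date
from typing import Iterable, List

MIN_LENGTH = 14      # minimum length from the briefing
MAX_AGE_DAYS = 90    # change interval from the briefing

# Constructed stand-in for a real wordlist; load the full dictionary in practice.
SAMPLE_DICTIONARY = frozenset({"fly", "high", "big", "hip", "password", "secret", "classified"})

# Assumed alphabet for automated generation: letters, digits and symbols, never blanks.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def check_password(candidate: str, dictionary: Iterable[str] = SAMPLE_DICTIONARY) -> List[str]:
    """Return the briefing's rules that the candidate violates (empty list = compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(ch.isspace() for ch in candidate):
        problems.append("contains blanks")
    if not (any(ch.isupper() for ch in candidate) and any(ch.islower() for ch in candidate)):
        problems.append("does not mix upper and lower case")
    # Case-insensitive substring match, so "fly2high" is caught by "fly" and "high".
    lowered = candidate.lower()
    hits = sorted(w for w in dictionary if len(w) >= 3 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the change interval."""
    return (today - last_changed).days > max_age_days


def generate_password(length: int = MIN_LENGTH, dictionary: Iterable[str] = SAMPLE_DICTIONARY) -> str:
    """Automated generation: draw from the CSPRNG until the result passes the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, dictionary):
            return candidate


if __name__ == "__main__":
    for example in ("fly2high", "Bigb&sRHip", generate_password()):
        print(f"{example!r}: {check_password(example) or 'compliant'}")
```

The generator uses the `secrets` module rather than `random` because the latter is not suitable for secrets; the rejection loop simply re-draws on the rare occasion a random string happens to contain a listed word.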
Computer Incidents
Don’t touch or delete anything!
Notify ISSO/ISSM as soon as possible
ISSO/ISSM will perform a preliminary investigation of the incident
Computer Incidents - cont’d
FSO will notify DSS
ISSM will provide a solution to DSS on how to best resolve the situation
Public Disclosures
Classified information that appears in the public media, publications or other sources remains classified. Individuals are not relieved of their obligation to maintain the secrecy of such information and are bound by the Non-Disclosure Agreement signed during their indoctrination.
When responding to questions about the Company or other Company sites, including those released through radio or TV, newspapers, magazines or trade journals:
[Illustration: mock newspaper front page ("Technology Today", "DAILY BLAB") with the headline "Contractor is reported to announce...", continued on page 6]
You should neither confirm nor deny information found in public sources. Questions should be referred to your local Security Office or to the appropriate Public Relations Office.
Conclusion
Security is everyone’s responsibility!
You are in the trenches and can help us by being our eyes and ears to what is going on in the facilities
Let’s work together!