INFORMATION SYSTEM SECURITY - jsac-dfw.org Users Briefing.pdf
Date posted: 20-Jun-2018

UNCLASSIFIED

1

INFORMATION SYSTEM SECURITY
For Users of Classified Information Systems (IS)

Disclaimer

This briefing is generic in nature and should be used as a guideline for briefing System Users.

Overview

Acronyms
General Users
Responsibilities - All
Information System Security Policies
System Hardware and Software
System Maintenance
Passwords
Auditing

Acronyms/Definitions

FSO - Facility Security Officer
ISSM - Information System Security Manager
ISSO - Information System Security Officer
Closed Area - Allows unattended classified processing
Restricted Area - Allows attended classified processing

Acronyms/Definitions - cont’d

DSS - Defense Security Service
CSA - Cognizant Security Authority (i.e., DSS)
C & A - Certification and Accreditation
IATO - Interim Approval to Operate
IS - Information System
SSP - System Security Plan
DAA - Designated Approving Authority

Acronyms/Definitions - cont’d

NISPOM - National Industrial Security Program Operating Manual
CM - Configuration Management
PL1 - Protection Level 1
ISSP - Information System Security Professional

General Users

That’s YOU!!!
Individuals who can input, modify, or receive information from an IS
Individuals who have appropriate clearance, need-to-know and formal access approvals
Individuals who have been authorized system access by the ISSM/ISSO

Responsibilities - All

Ensure that you are:
Aware of your IS responsibilities
Accountable for your actions
Protecting your password to the highest classification level of the system and not sharing it!
Acknowledging in writing that you will protect the IS and all classified information

IS Policy and Procedures

Policy: DOD 5220.22-M, National Industrial Security Program Operating Manual (February 2006)
Procedures: Information System Security Plan

ISSM

Designated by management
Responsible for all IS Security Education
Establishes, implements, monitors IS program and ensures compliance
Identifies threats (internal/external)
Ensures periodic self-inspections

ISSM - (cont’d)

Acknowledgement statements
Security features
Implementation of SSP
Maintenance procedures
De-certification

ISSO

May be appointed by ISSM
May perform functions delegated by the ISSM
Ensure SSP accurately depicts operational requirements
Ensure unauthorized personnel are not granted access to an IS
Ensure system recovery processes restore security features
Ensure active user IDs are re-validated annually

Privileged Users

System Administrators
Users having “superuser” or “root”
Users having the ability to change other users’ access

System Hardware & Software

Authorization is required from ISSM/ISSO prior to installation

System Hardware

IS hardware must be examined prior to use for classified processing
Must maintain strict Configuration Management
ISSM must approve ALL configuration changes on classified systems
ISSO will verify all new hardware or software is accounted for in the SSP

System Hardware - cont’d: Labels

Highest, more restrictive Category
Unclassified hardware must be marked UNCLASSIFIED
(Sample hardware labels shown on the slide: UNCLASSIFIED; SECRET/FGI)

System Hardware - cont’d

Hardware going in/out of controlled area: Must be approved!
Co-Located Systems:
Systems must be clearly marked
Users must be briefed and cautioned about LAN contamination risks

Hardware Modifications

Approved by ISSM
Prior to installation or execution
Recorded in Maintenance Log

System Software

All software must be licensed and acquired from reputable and authorized sources only
Approved vendors, GFE, In-House developed
Personally-owned software is prohibited
Restriction on shareware, freeware, public bulletin board software and software from foreign sources
Must receive prior approval from ISSM/ISSO before loading on system
Does not apply to routine software upgrades already stipulated in approved SSPs (e.g., Anti-virus signature updates, etc.)

System Software - cont’d

Software cannot be brought into the lab without being virus checked first
Anti-Virus signature files need to be kept current
Notify ISSM/ISSO immediately should an infection occur
DSS requirements:
Isolation and damage assessment prior to corrective actions
Contamination of classified systems requires notification to DSS

System Software - cont’d: Trusted Downloading (Copying Unclassified/Lower Level Files to Magnetic Media)

This MUST be approved by DSS/ISSM first!
Check your Security Plan
Be aware of what is classified
Review files before and after copying
Be aware of the embedded data issue
Use a Government-approved utility

System Software - cont’d: Labels

DSS Marking Supplement: http://people.lmaero.lmco.com/itrain/manage/dloads/markingguide.pdf
Media Controls & Marking
All Media in a Controlled Area Must be Marked
Open Shelf Storage – Case by Case; Must be approved by DSS (NISPOM 5-306a)

Sample media labels shown on the slide:
SECRET / CLASSIFIED BY: DD254, 3 JUNE 1999 / CONTRACT NO: XXXXXX / DECLASSIFY ON: X3 / PROJECT: XYZ
CONFIDENTIAL / CLASSIFIED BY: DD254, 3 JUNE 1999 / CONTRACT NO: XXXXXX / DECLASSIFY ON: X3 / PROJECT: XYZ

System Software - cont’d: Foreign Coded or Foreign-Owned Software

Research Origin of Software
Foreign software will only be considered if there is no comparable American made package
Prior concurrence from DSS required on foreign coded packages
Provide ample time to allow DSS to research package

System Maintenance

All system maintenance must be pre-coordinated through ISSO or ISSM prior to occurring
Must use a cleared technician when at all possible
Briefed company technician
Briefed outside vendor technician

System Maintenance - cont’d: Uncleared Technicians

Use only as a last resort
Uncleared maintenance personnel must be US Citizens
Requires a technically knowledgeable “shoulder-to-shoulder” escort while in secure area
Prior sanitization of work areas as well as the systems in question
Use of dedicated, unclassified media for maintenance
If system has fixed internal drive, restrict access to all input and output devices

System Maintenance - cont’d

Diagnostic equipment may not be connected to system

Periods Processing

Separate Sessions
Different Classification Levels
Different Need-To-Know
Removable Media for each processing session

Who Should Be Notified When?

Any equipment changes from the security profile: ISSM
Software upgrades: ISSM
Changes to the access list: ISSO
Discrepancies with procedures: ISSM
Abnormal events: ISSM & ISSO
Detect viruses: ISSM & ISSO

Who Should Be Notified When? - cont’d

Equipment not functioning: ISSO & ISSM
Equipment requiring sanitizing: ISSO & ISSM
Suspicious use of the systems (usually associated with Need-To-Know): ISSO & ISSM
Visitors not being escorted: ISSO & ISSM
When someone no longer needs access to the system: ISSO

Audit Records

All audit records should include enough information to allow the ISSM/ISSO to determine:
date and time of action
system locale of the action
system entity that initiated or completed the action
resources involved
action involved
Protect the contents of audit trails against unauthorized access, modification or deletion
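The five audit-record elements above, as a worked example added here (it is not code from the briefing, from DSS or from any NISPOM tool): a small hash-chained audit log in Python in which every record must carry a timestamp, locale, entity, resource and action, and each record's SHA-256 hash covers the previous record's hash. Any unauthorized modification or deletion of a record then breaks the chain and is reported by the verifier. The field names, the chaining scheme and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json

# The five items the slide says an auditor must be able to determine from a record.
REQUIRED_FIELDS = ("timestamp", "locale", "entity", "resource", "action")

# Chain anchor for the first record (assumption: a fixed all-zero sentinel).
GENESIS = "0" * 64


def _digest(prev_hash: str, fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical content always hashes identically.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_record(chain: list, **fields) -> dict:
    """Validate the required fields and append a record whose hash covers the previous hash."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit record missing required field(s): {missing}")
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = dict(fields)
    record["prev_hash"] = prev_hash
    record["hash"] = _digest(prev_hash, fields)
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Return (True, -1) if every link holds, else (False, index_of_first_bad_record).

    A modified record changes its own hash; a deleted record leaves the next
    record pointing at a prev_hash that no longer matches its predecessor.
    """
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        fields = {k: v for k, v in rec.items() if k not in ("prev_hash", "hash")}
        if rec.get("prev_hash") != prev_hash or rec.get("hash") != _digest(prev_hash, fields):
            return False, i
        prev_hash = rec["hash"]
    return True, -1


def build_sample_chain() -> list:
    """Constructed sample events (not from any real system) exercising all five fields."""
    chain = []
    append_record(chain, timestamp="2006-02-01T09:00:00Z", locale="lab-ws-01",
                  entity="jdoe", resource="/projects/xyz/report.doc", action="open")
    append_record(chain, timestamp="2006-02-01T09:05:12Z", locale="lab-ws-01",
                  entity="jdoe", resource="/projects/xyz/report.doc", action="print")
    append_record(chain, timestamp="2006-02-01T09:07:40Z", locale="lab-ws-01",
                  entity="jdoe", resource="session", action="logoff")
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    print("intact chain verifies:", verify_chain(log))
    tampered = [dict(r) for r in log]
    tampered[1]["action"] = "copy"          # simulate an after-the-fact edit
    print("edited record detected at:", verify_chain(tampered))
    print("deleted record detected at:", verify_chain(log[:1] + log[2:]))
```

Hash chaining alone only makes tampering detectable, not impossible: the chain head (the latest hash) still has to be protected, for example by forwarding it to a separate system the ISSM/ISSO controls, which is the access-control half of the slide's last bullet.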

Passwords

Minimum 14 Characters
Classified to the highest level of the system
Changed every 90 Days
Changed when compromised
Automated generation when possible

Passwords - cont’d

If User Generated:
no dictionary words
mix upper and lower case
no blanks
Examples:
fly2high
Bigb&sRHip
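The password rules from the two slides above, as a worked example added here (it is not code from the briefing or from DSS): a Python checker that reports every rule a candidate violates (length under 14, missing upper/lower-case mix, blanks, dictionary words) and a generator that uses the OS CSPRNG to produce a password that passes the same checker, which is the "automated generation when possible" item. The tiny word list, the three-letter minimum for a dictionary match and the sample passwords are assumptions constructed for illustration; a real deployment would load a full wordlist. Run against the checker, the deck's own two examples are shorter than 14 characters and are rejected on length.

```python
import secrets
import string

# Constructed mini word list standing in for a real dictionary file
# (assumption: a site would load a full wordlist such as /usr/share/dict/words).
DICTIONARY = {"fly", "high", "big", "hip", "password", "secret", "system", "admin"}

MIN_LENGTH = 14          # "Minimum 14 Characters"
MIN_DICT_WORD_LEN = 3    # assumption: ignore very short matches such as "a" or "is"


def check_password(pw: str, dictionary=DICTIONARY) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("must mix upper and lower case")
    if any(c.isspace() for c in pw):
        problems.append("contains blanks")
    # Case-insensitive substring match, so "FLY2high" is still caught.
    lowered = pw.lower()
    hits = sorted(w for w in dictionary if len(w) >= MIN_DICT_WORD_LEN and w in lowered)
    if hits:
        problems.append("contains dictionary words: " + ", ".join(hits))
    return problems


def generate_password(length: int = MIN_LENGTH, dictionary=DICTIONARY) -> str:
    """Generate a random password that satisfies check_password, using the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # Letters, digits and punctuation; string.punctuation contains no whitespace.
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: retry on the rare draw that lacks a case mix or
        # happens to spell a dictionary word.
        if not check_password(candidate, dictionary):
            return candidate


if __name__ == "__main__":
    for sample in ("fly2high", "Bigb&sRHip", "Correct-Horse7Battery"):
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
    print("generated:", generate_password())
```

Because the checker returns every violation rather than stopping at the first, a user sees all the reasons at once; the generator reuses it so the two can never disagree about what "passes" means.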

Clearing and Sanitization

Printers: Print one page (font test) then power down

Computer Incidents

Don’t touch or delete anything!
Notify ISSO/ISSM as soon as possible
ISSO/ISSM will perform a preliminary investigation of the incident

Computer Incidents - cont’d

FSO will notify DSS
ISSM will provide a solution to DSS on how to best resolve the situation

Public Disclosures

Classified information appearing in the public media, publications or other sources remains classified. Individuals are not relieved of their obligation to maintain the secrecy of such information and are bound by the Non-Disclosure Agreement signed during their indoctrination.

When responding to questions about the Company or other Company sites, including those released through: Radio or TV, Newspapers, Magazines or Trade Journals

(Mock newspaper clipping on the slide: “Technology Today”, “DAILY BLAB”, “TODAY - In The News”, “Contractor is reported to announce.. continued on page 6”)

You should neither confirm nor deny information found in public sources. Questions should be referred to your local Security Office or to the appropriate Public Relations Office.

Conclusion

Security is everyone’s responsibility!
You are in the trenches and can help us by being our eyes and ears to what is going on in the facilities
Let’s work together!

Questions?

