Protecting Classifi ed Information Systemsby Jeffrey W. Bennett, Industrial Security Professional (ISP), for ClearanceJobs.com

Lightening fast capabilities enable enterprises to

perform on contracts more effi ciently and in less

time. However, because of fast distribution and

processing speeds, measures must be in place

to prevent unauthorized disclosure, spillage and

compromise of classifi ed information.

Classifi ed ProcessingInformation systems allow businesses to increase work productivity at blinding speeds. Documents, images, and media can be duplicated, printed, emailed and faxed much quicker than technology allowed just a few years ago.

As with protecting physical classifi ed properties, information systems and their products must also be safeguarded at the appropriate level. Primarily classifi ed processing is conducted in controlled areas. Computers used for uploading, storing, processing, disseminating, printing and other functions are protected at the level of the information being worked. These protection levels include creating an environment where users of Information Systems (IS) understand the policies, threat, and their role in enforcing security measures.

The safeguarding of the IS should refl ect compliance with the National Industrial Security Operating Manual (NISPOM) as well as the results of thorough risk management. The security managerʼs responsibility is not only to look at the eff ectiveness of protection measures as they relate to the computer or system, but as it aff ects the mission and national security. As the senior security professional, the Facility Security Offi cer (FSO) should

involve senior offi cers to take part in the strategic risk management. This management cooperation ensures the enterpriseʼs vision incorporates the protection of classifi ed information. In such an environment FSOs, industrial security specialists and others in a security discipline provide proactive measures.

AuthenticationThe NISPOM describes roles of key control custodians as they maintain accountability of combinations, locks and keys used in the storage of classifi ed material. In the same way, an IS administrator controls the authentication and identifi cation and ensures measures are in place for the proper access of the classifi ed information stored

FSO SeriesA CLEARANCEJOBS SPECIAL REPORT

4101 NW Urbandale Drive • Urbandale, Iowa 50322 • 1.877.386.3323 • www.clearancejobs.com

or processed on the computer system or network. The authentication, user identifi cation and logon information acts as “keys” controlling access to classifi ed information on the system. Without the strict control, there is no way to prevent unauthorized persons from getting to the data stored in computers or components.

All information regarding authentication must be restricted to only those with the proper clearance and need to know. Each user should have the ability to access only the data authorized. The segregation of access and need to know can be aff ected on either individual systems or components or an entire system capable of allowing access to many user levels. The Information System Security Manager (ISSM) or Information Security Offi cer (ISSO) can protect the authentication data by making it unreadable or simply controlling the fi le access. This system is the same theory as controlling access to security combinations and storing them in a security container aff ording the proper level of protection.

Just as combinations and keys are rotated and changed during certain events, user identifi cation, removal and revalidation must also be in place. These similar measured are used to ensure the proper users have access and deny access to those who have lost their clearance or need to know, changed jobs or otherwise no longer require access to the IS. Each authorized user identifi cation procedure is revalidated at least yearly for those who still require access. Authenticators such as the keys, passwords and smartcards, must be protected at the highest classifi cation level needed.

Passwords must be protected at the level of classifi cation of the data stored or processed by the IS. If an information system is confi gured to process SECRET information, then the password is also classifi ed SECRET. It cannot be stored in a phone, personal data assistant, or otherwise written down unless stored in a security container. According to the NISPOM the password must be at least eight characters long and generated by an approved method. This approval is based on length of password, structure and size of password space as described in the System Security Plan designed by the ISSM. The passwords are changed annually and those passwords pre-installed in software and operating systems must be replaced before users can access the IS.

Physical AccessPhysical access is controlled to prevent unauthorized personnel from obtaining and or compromising classifi ed material. This also applies during maintenance operations. Information systems may require repair, upgrades and other maintenance that may not be performed by the ISSM or ISSO. When necessary and available, maintenance should be performed by cleared personnel with need to know or at least with an ability to control the need to know. This is the least risky of all options as a technically knowledgeable employee can escort and monitor the repairs and ensure security processes are in place.

In many cases maintenance personnel without security clearances or if they do have clearances, are not cleared to the level of IS classifi cation. They are not employees of the company and do not have the need to know. These maintenance professionals must be U.S. citizens and be escorted. The escort conducts all login and logoff and remove all classifi ed data and media to deny access to the unauthorized repair persons. These controls prevent the un-cleared persons from gaining access to passwords, authentications and classifi ed data. They are only allowed to work on the system after system access is granted. The system is similar to opening a combination and removing contents of a security container prior to granting authorization for a locksmith to make repairs. ★ ★ ★

Jeff rey W. Bennett, ISP, is a former Army offi cer, FSO and is

an accomplished writer of security books and periodicals.

His books include ISP Certifi cation-The Industrial Security

Professional Exam Manual. He is the owner of Red Bike

Publishing (www.redbikepublishing.com).