Upload
robert-vale
View
224
Download
0
Embed Size (px)
Citation preview
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
1/68
NCSC-TG-027VERSION-1N A T I O N A L S ECORITY f .CENTER NATIONAL COMPUTER SECURITYCENTER
A GUIDETO UNDERSTANDING INFORMAT ION SYSTEM SECURITY OFFICERRESPONSIBILITIESFOR
AUTOMATED INFORMAT ION SYSTEMS
1 9 9 8 0 3 0 9 2 5 6 MAY1992 HOSE TURK f l f c B M D T E C H N I C A L I N F O R M A T I O N ttNTfB A L L I S T I C M I S S I L E O E F E N S E O R G A N I Z A T I O
W A S H I N G T O N )Approvedfo rPublicRelease:DistributionUnlimited
U37^0
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
2/68
Access ionNumber :3720PublicationDate:May 01 ,1992 Title:Guideto Unders tandingInformationSystem SecurityOfficer Responsibilitiesfo rAutomated InformationSystemsCorporate Author OrPublisher:NationalSecurity Agency,9800Savage Road,FortMeade,MD 20755-6000 ReportNumber:NCSC-TG-027Repor t111-91 ReportNumberAssigned byContract Monitor:Library No.S-238,461 CommentsonDocument :FinalReportDescriptors,Keywords:ModeOperation PhysicalSecurity Administrative Configuration ManagementAccessControlRisk AuditPages:00071 Cataloged Date:Aug20 ,1992 Document Type:HC Numberof CopiesIn Library:000001 Record ID :24623
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
3/68
NCSC-TG-027LibraryNo.S-238,461
Version-1FOREWORD
Theationalomputerecurityentersssuing uideonderstandingInformationystemecurityfficeresponsibilitiesorutomatednformationSystemssartfheRainbowSeries"focumentsurTechnicalGuidelinesProgramproduces.ntheRainbowSeries,w ediscussnetailtheeaturesftheDepartment ofDefenseTrustedComputerSystemEvaluationCriteria(DOD5200.28-STD)androvideguidanceormeetingachequirement.heNationalComputerSecurityenter,hroughtsrustedroductvaluationrogram,valuateshesecurityeaturesfommercially-producedomputerystems.ogether,heseprogramsnsurehatrganizationsreapablefrotectingheirmportantata withtrustedcomputersystems.
AGuideoUnderstandingnformationystemSecurityOfficerResponsibilitiesforutomatednformationystemselpsnformationystemecurityfficers(ISSOs)understandtheirresponsibilitiesforimplementingandmaintainingsecurityinaystem.heystemm aye emoteiteinkedo etwork, tand-aloneautomatednformationystem,rorkstationsnterconnectedia ocalreanetwork.hisuidelinels oiscussesheolesndesponsibilitiesftherindividualswhoreesponsibleorecurityndheirelationshipoheSSO,sdefinedinvariouscomponentregulationsandstandards.
Inviteouruggestionsorevisinghisocument.ela noeviewhis documentastheneedarises.
PatrickR.Gadgher,Z S ay1992DirectorNationalComputerSecurityCenter
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
4/68
ACKNOWLEDGMENTS Theationalomputerecurityenterxtendspecialecognitionorheir
contributionsohisocumentonnabelleeesrincipaluthor,ollen.FlahavinndCarol.anesontributinguthorsndrojectmanagers,ndoMonicaL.Collinsasprojectmanager.
W ealsothankthemanyrepresentativesfromth eomputersecuritycommunitywhogaveoftheirt imeandexpertisetoeviewth eguidelinendrovideommentsandsuggestions.pecialthanksreextendedto irstieutenant amelaD.Miller,UnitedStatesAirForce,fo rherthoughtprovokingsuggestionsandcomments.
in
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
5/68
TABLEOFCONTENTS FOREWORDACKNOWLEDGMENTS iLISTOFTABLES ii
1.NTRODUCTION1.1ecurityRegulations,Policies,andStandards
1.1.1ederalRegulations1.1.2DepartmentofDefenseSecurityPolicy1.1.3ecurityStandards
1.2urpose 1.3Structureof theDocument
2.OPERATIONALENVIRONMENT2.1yp e of InformationProcessed
2.1.1nclassified2.1.2ensitiveUnclassified2.1.3Confidential2.1.4ecret2.1.5TopSecret2.2ecurityModeof Operation2.2.1edicatedSecurityMode2.2.2ystemHighSecurityMode2.2.3PartitionedSecurityMode 02.2.4CompartmentedSecurityMode 02.2.5MultilevelSecurityMode 0
3.SSOAREASOFRESPONSIBILITY 1 3.1SSOTechnicalQualifications 1 3.2OverviewofISSOResponsibilities 23.3SSOSecurityResponsibilities 33.4SecurityRegulationsandPolicies 33.5MissionNeeds 43.6hysicalSecurityRequirements 4
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
6/68
ISSORESPONSIBILITIESGUIDE
3.6.1ontingencyPlans 43.6.2DeclassificationandDowngradingofDataandEquipment.5
3.7AdministrativeSecurityProcedures 63.7.1ersonnelSecurity 63.7.2ecurityIncidentsReporting 63.7.3TerminationProcedures 8
3.8Security Training 83.9Security ConfigurationManagement 93.10ccessControl 1
3.10.1acility Access 23.10.2dentificationandAuthentication(l&A) 23.10.3DataAccess 3
3.11iskManagement 43.12Audits 53.12.1uditTrails 53.12.2AuditingResponsibilities 6
3.13CertificationandAccreditation 74.ECURITYPERSONNELROLES 9
4. 1esignatedApprovingAuthority(DAA) 24.2ComponentInformationSystemSecurityManager(CISSM) 24.3nformationSystem SecurityManager(ISSM) 34.4NetworkSecurityManager(NSM) 44.5nformationSystem Security Officer(ISSO) 64.6Network SecurityOfficer(NSO) 64.7TerminalAreaSecurity Officer(TASO) 84.8SecurityResponsibilities of OtherSitePersonnel 84.9Assignmentof SecurityResponsibilities 9
BIBLIOGRAPHY 1REFERENCES 7AC RON YMS 9GLOSSARY 3
VI
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
7/68
LISTOFTABLES TABLENUMBER AGE 1.erviceandAgencySecurityPersonnelTitles 30 2.UniformSecurityPersonnelTitles 13.FunctionMatrix 40
VII
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
8/68
1. INTRODUCTION Thisuidelinedentifiesystemecurityesponsibilitiesornformationystem
SecurityOfficersISSOs).tppliesoomputerecurityspectsfutomatedinformationystemsAISs)ithinheepartmentfefenseDOD)ndtscontractoracilitiesha trocesslassifiedndensitivenclassifiednformation.Computersecurity(COMPUSEC)includescontrolsthatprotectanAI SagainstdenialofervicendrotectsheIS sndataromnauthorizedinadvertentrintentional)isclosure,odification,ndestruction.OMPUSECncludeshe totalityofsecuritysafeguardseededtoprovideancceptablerotectioneveloranAISan dfordatahandledbyanAIS.[1 ]ODDirective(DODD)5200.28definesanAISas"a nassemblyofcomputerhardware,software,and/orfirmwareconfiguredtoollect,reate,ommunicate,ompute,isseminate,rocess,tore,nd/orcontroldataorinformation."2]hisuidelinesonsistentwithstablishedDO Dregulationsndtandards,siscussednheollowingections.lthoughhisguidelinemphasizesomputerecurity,tsmportantonsureha thetheraspectsfnformationystemsecurity,sescribedelow,renlacend operational:
Physicalsecurityincludescontrollingaccesstofacilitiesthatcontainclassifiedan densitivenclassifiednformation.hysicalecuritylsoddressestheprotectionofthestructuresthatcontainthecomputerequipment.
Personnelecurityncludesheroceduresonsurehatccessoclassifiedndensitivenclassifiednformationsrantednlyfterdeterminationasbeenmadeaboutaperson'strustworthinessan dnlyifavalidneed-to-knowexists.Need-to-knowisthenecessityforaccessto,nowledgeof,rpossessionofspecificnformationequiredoerformfficialasksrervices.hecustodian,otherospectiveecipient(s),fhelassifiedrensitiveunclassifiedinformationdeterminestheneed-to-know.
Administrativeecurityddressesheanagementonstraintsndsupplementalcontrolsneededtoprovideanacceptablelevelofprotectionfor
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
9/68
ISSORESPONSIBILITIESGUIDE
data.heseconstraintsndproceduresupplementth eecurityproceduresimplementedinthecomputerandnetworksystems.Communicationssecurity(COMSEC)definesmeasuresthataretakentodenyunauthorizedersonsnformationerivedro melecommunicationsfheU.S.Governmentoncerningationalecurityndonsureheuthenticityofsuchtelecommunications.1]
missionssecurityistheprotectionesultingfromal lmeasurestakentodenyunauthorizedersonsnformationfaluehichighteerivedrominterceptndnalysisfompromisingmanationsro mrypto-equipment,AISs,andtelecommunicationssystems.
Allheseecurityreasreitaloheperationf ecureystem.his guidelineocusesnomputerecurity,ithiscussionsfhetherecuritytopics,asapplicable.1.1 SECURITY REGULAT IONS ,POL IC IES ,AND STANDARDS
Thisectionrovidesnverviewfegulations,olicies,ndriteriahataddresssecurityrequirements.1.1.1 FEDERALREGULATIONS
Nationalandatesequireherotectionfensitivenformation,sistedbelow:Title8,U.S.Code905,m akestunlawfuloranyofficeremployeefth e
U.S.overnmentoisclosenformationfnfficialaturexceptsprovidedbylaw,ncludingdataprocessedbycomputersystems.
OfficefanagementndudgetO M B )ircularo.-130stablishesrequirementsfo rFederalagenciestoprotectsensitivedata.
ublicaw00-235,heComputerSecurityActof1987,createsam eansfo restablishinginimumcceptableecurityracticesorystemsrocessingsensitiveinformation.
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
10/68
IN T R O DUC T IO N
Executiverder2356rescribesniformystemorlassifying,declassifying,andsafeguardingnationalsecurityinformation.
1 . 1 . 2 DEPARTMENT OF DEFENSE SECURITY POLICYDODD200.28,ecurityequirementsorutomatednformationystems(AISs),sheverallomputerecurityolicyocumentorheOD.hedocumentdentifiesandatoryndinimumISecurityequirements.ach
agencym ayssuetswnupplementarynstructions.orODgencies,heseinstructionsallwithinhecopefheDO Duidelinesndddmorepecificity.Additionalequirementsayeecessaryorelectedystems,asedniskassessments.
Additionalsecuritydocumentsare:Departmentfefense220.22-M,ndustrialecurityanualor
SafeguardingClassifiedInformation. DefenseIntelligenceAgencyManual(DIAM)50-4,SecurityofCompartmentedComputerOperations(U).
DirectorfentralntelligenceirectiveDCID)/16,ecurityolicyorUniformrotectionfntelligencerocessednutomatednformationSystemsandNetworks(U).
heupplementoCID/16,ecurityanualorniformrotectionfIntelligenceProcessedinAutomatedInformationSystemsandNetworks(U).
NationalecurityAgency/Central ecurityerviceNSA/CSS)anual30-1,TheNSA/CSSOperationalComputerSecurityManual.
AirForceRegulation(AFR)205-16,ComputerSecurityPolicy.ArmyRegulation(AR)380-19,Security:InformationSystemsSecurity.ChiefofNavalOperationsnstructionOPNAVINST)239.1 A,AutomaticDataProcessingSecurityProgram.
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
11/68
ISSORESPONSIBILITIESGUIDE
1.1.3 SECURITYSTANDARDSTheNationalComputerSecurityCenterNCSC)sesponsibleorstablishing
andaintainingechnicaltandardsndriteriaorhevaluationfrustedcomputerystems.sartfhisesponsibility,heCSCasevelopedheTrustedComputerSystemEvaluationCriteriaTCSEC), lsonownsheOrangeBook"fterheolorftsover,hichefinesechnicalecurityriteriaorevaluatinggeneralpurposeAISs.3]n985,heCSECbecame DO Dtandard(DOD5200.28-STD)andismandatoryforusebyallDODcomponents.heCSECratesomputerystemsasednnvaluationfheirecurityeaturesndassurances.herustedNetworknterpretationTNI)nterpretsheCSECornetworksandprovidesguidancefo rselectingndpecifyingthersecurityservices(e.g.,communicationsintegrity,denialofservice,andtransmissionsecurity).4]1.2 PURPOSE
TheprimarypurposeofthisguidelinestoprovideguidancetoSSOs,whore responsibleforimplementingandmaintainingsecurityinasystem.hesystemm aybe emoteiteinkedo etwork,tand-aloneIS ,rorkstationsinterconnectedia ocalre aetwork.hroughoutthisuideline,hetermsite"willesedoefertohe ISonfigurationhatsheesponsibilityfheSSO.TheISSOm aybeoneormorendividualswhohaveth eresponsibilitytoensureth esecurityofn ISxcluding,orxample,uards,hysicalecurityersonnel,awenforcementofficials,nddisasterecoveryofficials.hisguidelinels odiscussestheolesndesponsibilitiesftherndividualswhoreesponsibleorecurityandtheirrelationshiptoth eISSO,asdefinednvariousDODcomponentregulationsandstandards.
Thisuidelinerovideseneralnformationndoesotncludeequirementsforspecificagencies,ranches,rcommands.herefore,henformationncludedinhisocumenthouldeonsidereds aselinewithmoreetailedecurityguidelinesprovidedbyeachagency,ranch,orcommand.
Finally,tsssumedhatndividualshoillesinghisocumentavesomebackgroundinsecurity.hisguidelinepresentssometermsanddefinitionstoprovide ommonrameworkorthenformationtresents;owever,tdoesotprovideacompletetutorialonsecurity.
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
12/68
INTRODUCTION
1.3 STRUCTUREOFTHEDOCUMENTSection fhisocumentdentifiesheperationalnvironment.ection
presentstherolean dresponsibilitiesoftheISSOan dtheenvironmentinwhichtheISSOerformsheseasks.ection iscussesheolendesponsibilitiesfsecurityersonnelithinnrganizationndheositionfheSSO.bibliographynd eferenceistfecurityegulations,tandards,nduidelinesthatprovideadditionalinformationonsystemsecurityareincludedfollowingection4.ncronymistan d glossaryofomputerecuritytermsrencludedttheen dofthisdocument.
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
13/68
2. OPERATIONAL ENVIRONMENT TheSS Oerformsecurityasksor itehatm ayupporteveralifferent
userommunities.herefore,heSSOustnderstandheperationalcharacteristicsfheite.ocumentationnheiteonfigurationhouldeavailableandshould,ataminimum,containth efollowing:
Overallmissionofth esite.Overallfloorlayout.Hardwareonfigurationtheite,dentifyingllheevicesndhe
connectionsetweenevicesndocation,umber,ndonnectionsfremoteterminalsandperipherals.
Softwaretheite,ncludingperatingystems,atabaseanagementsystems,andmajorsubsystemsandapplications.
Typefnformationrocessedtheitee.g.,lassified,ensitiveunclassified,andintelligence).
Userorganizationandsecurityclearances.Operatingodefheitee.g.,ystemigh,edicated,ndultilevelsecure).nterconnectionsotherystems/networksfsers,.g.,heutomatic
DigitalNetwork(AUTODIN).Securitypersonnelandassociatedresponsibilities.Thisdocumentationm aybepreparedjointlybyth eoperationsmanagementand
th eSSO.heollowingubsectionsrovidedditionalnformationnheypefinformationprocessedandtheoperatingmodeofthesite.
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
14/68
ISSORESPONSIBILITIESGUIDE
2.1 TYPEOFINFORMATIONPROCESSEDThenformationhatstored,rocessed,ristributedtheiteille
includedinneofthefollowingclassificationevelsthatdesignatesthesensitivityofthedata.2.1 .1NCLASSIFIEDUnclassifiedinformationisanyinformationthatneednotbesafeguardedagainstdisclosure,utmusteafeguardedgainsttampering,estruction,rossueorecordvalue,tility,eplacementcostorsusceptibilitytofraud,waste,rbuse.2] Life-criticalandothertypesofcriticalprocesscontrolatathatareunclassifiedls omustbeprotected.2.1 .2ENSITIVEUNCLASSIFIEDTheoss,misuse,runauthorizedaccessto ,rmodificationfthisnformationmightadverselyaffectU.S.ationalnterest,heonductfDODrograms,rtheprivacyofDODpersonnel.2]xamplesncludefinancial,roprietary,ndmission-sensit ivedata.2.1 .3ONFIDENTIAL
Thenauthorizeddisclosureofthisnformationrmaterialouldeasonablyeexpectedtocausedamagetoth enationalsecurity.[5 ]2.1 .4ECRET
Thenauthorizeddisclosurefthisnformationormaterialouldeasonablyeexpectedtocauseseriousdamagetothenationalsecurity.5] 2.1 .5OP SECRET
Thenauthorizeddisclosurefthisnformationormaterialouldeasonablyeexpectedtocauseexceptionallygravedamagetothenationalsecurity.[5 ]
8
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
15/68
OPERATIONALENVIRONMENT
2.2 SECURITYMODEOFOPERATION TheesignatedpprovinguthorityDAA)ccreditsnISoperaten
specificsecuritym ode.hesecuritymodeselectedreflectswhetherornotallusershaveheecessarylearance,ormalccesspproval,ndeed-to-knoworllinformationcontainedinth eAIS.
Formalccessapprovalsth edocumentedpprovaly atawnerollow accesso articularategoryfnformation.2]hemodesreefinedelowwithheistinctionsotedntalicsormphasis.heefinitionsreasednDODD5200.28,xceptfo rompartmentedecuritymode,whichsasednDCID 1/16.otehatom eermshatppearnomputerecurityequirements-GuidanceorpplyingheepartmentfefenserustedomputerystemEvaluationCriteriainSpecificEnvironments,CSC-STD-003-85,renolongerdefinedinDODD200.28.Limitedaccessmodendompartmentedmodeal lnderth eheadingfartitionedode.ontrolledodeomesnderheeadingfmultilevelecuritym ode.nODD200.28,artitionedmodessednlacefcompartmentedmode.)nddition,thermodesofoperationm aybetipulatedyth eorganizationoragencythatincludesth esite.2.2.1EDICATEDSECURITYMODE
AnISperatesnedicatedecuritymodehenachserithirectrindirectndividualccessohe IS ,tseripherals,emoteerminals,remotehostsashelearanceruthorization,ocumentedormalccesspproval,frequired,ndeed-to-knoworllnformationandledyheIS .2]nIS operatingndedicatedmodedoesotequirenyadditionalechnicalapabilitytocontrolaccesstonformation.hennth ededicatedecuritym ode,heystemsspecificallyndxclusivelyedicatedondontrolledorherocessingfneparticularyperlassificationfnformation,itherorull-timeperationrorspecifiedperiodoft ime.6]2.2 .2YSTEMHIGHSECURITYMODE Systemighecuritymodes odefperationhereinllsersavingaccessoheISossess ecuritylearanceruthorizationsellsdocumentedormalccesspproval,utnotnecessarily eed-to-know,orlldataandledyth e IS .2] An ISperatingnystemighecuritymodemust
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
16/68
ISSORESPONSIBILITIESGUIDE
haveheechnicalapabilityoontrolccessonformationasedn ser'sneed-to-know.eed-to-knowm aybepecifiedsingaccesscontrolistsACLs)rnon-hierarchicalSchemasforcategorizinginformation.2 .2 .3ARTITIONEDSECURITYMODE
Inartitionedecuritym ode,llsersavehelearanceutotecessarilyformalccesspprovalndeed-to-knoworllnformationontainednhesystem.hiseanshatomesersmayotaveeed-to-knowndormalaccessapprovalfo ralldataprocessedbytheAIS.[2 ]
AnISperatingnartitionedodeustaveheechnicalapabilityocontrolaccesstoinformationasedonneed-to-knowandtheensitivitylevelfthedatainth esystem.2.2 .4OMPARTMENTEDSECURITYMODE DCID/1 6definescompartmentedsecuritymodewhereineachuserhasavalidclearanceorhemostestrictedntelligencenformationrocessednheIS .Eachserls oasormalccesspproval, alideed-to-know,nd ignednondisclosuregreementorhatntelligencenformationowhichhesersohaveaccess.[7 ]
2.2 .5ULTILEVELSECURITYMODE MultilevelecurityMLS)modes modefperationhereinotallusers
have learancerormalccessapprovalorllataandledyhe IS .his modeofoperationanaccommodatetheoncurrentprocessingndtoragefa) twoormorelevelsofclassifieddata,or(b )oneormorelevelsofclassifieddatawithunclassifieddatadependinguponth econstraintsplacednth esystemytheDAA.[2 ]nAISoperatinginmultilevelmodem u sthaveth etechnicalcapabilitytocontrolaccessonformationasedneed-to-know,ormalccesspproval,ndsensitivitylevelfth eatanth eystem.Note:ControlledmodesotseparatelydefinedinDODD5200.28. Itisincludedinmultilevelmode.)
10
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
17/68
3. ISSOAREASOFRESPONSIBILITY Withinnrganization,heSS Om aybeneormorendividualswhoavethe
responsibilitytoensureth esecurityofanAIS.ISSO"doesnotnecessarilyrefertothepecificfunctionsfasinglendividual.lso,dditionalesponsibilitiesm ayedefinedytheSSO'specificrganization.hedministrationfystemecuritycanecentralizedrdecentralizeddependingponheeedsfth erganization.Wheremultipleataenterocationsrenvolved,hedecentralizedpproachm aybemoreppropriate.owever,neocalointhouldoordinatellnformationsecurityolicy.lso,heesponsibilityornformationecurityestsithllmembersofth eorganizationandnotjustthesecuritypersonnel.
TheSSOupportsw oifferentrganizations:heserrganizationndhetechnicalrganization.heserrganizationsrimarilyoncernedwithrovidingoperationsndheechnicalrganizationocusesnrotectingata.tsrecommendedthattheISSOnotreporttooperationalelementsofth eAISthatm u stabideytheecurityequirementsfhepplicableirectives,olicies,tc .heobjectivesorovide egreefndependenceorheSSO.heSS Ohallreporttoahighlevelauthoritywhoisnottheoperationalmanager.lso,therankorgradeoftheISSOshallbecommensuratewiththeassignedresponsibilities.3.1 ISSO TECHN ICAL QUAL IF ICAT IONS
TheAA,r esignee,nsuresnSSOsam edorachIS .his individualndheSSO'sanagementhouldnsurehatheSSOeceivesapplicablerainingoarryutheuties.heSS Oositionequires olidtechnicalackground,oodanagementkills,ndhebilityoealellithpeopletllevelsro mopmanagementondividualsers.t minimum,heISSOshouldhavethefollowingqualifications:
Twoyearsofexperienceinacomputerrelatedfield.O neearfxperiencenomputerecurity,rmandatoryttendancet
computersecuritytrainingcourse.amiliarizationwithth eoperatingsystemoftheAIS.
1 1
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
18/68
ISSORESPONSIBILITIESGUIDE
Atechnicalegreesdesirablenomputercience,mathematics,lectricalengineering,orarelatedfield.
3.2 OVERVIEW OFISSORESPONSIBILITIES TheSS Octsorheomponentnformationystemecurityanager(CISSM)toensureompliancewith ISecurityproceduresttheassignediter
installation. DODD5200.28summarizesth edutiesoftheISSOasfollows:nsurehatheISsperated,sed,aintained,ndisposedfn
accordancewithinternalsecuritypoliciesandpractices.nsureth eAISisaccreditedifitprocessesclassifiedinformation. nforceecurityoliciesndafeguardsnllersonnelavingccessoth eAISforwhichth eISSOha sresponsibility. nsurehatsersndystemupportersonnelaveheequiredecurity
clearances,uthorizationandneed-to-know;avebeenindoctrinated;ndare familiarwithinternalsecuritypracticesbeforeaccesstotheAISisgranted.
nsurethataudittrailsarereviewedperiodically,e.g.,weeklyordaily).lso,thatauditrecordsarearchivedforfuturereference,frequired.
nitiateprotectiveorcorrectivemeasuresifasecurityproblemisdiscovered.ReportecurityncidentsnccordancewithDOD200.1-RndoheD AA
whenanAISiscompromised.Reportth esecuritystatusofth eAIS,asrequiredbyth eDAA. valuatenownulnerabilitiesoscertainfdditionalafeguardsre
needed.Maintainaplanorsiteecuritymprovementsndprogresstowardsmeetingth eaccreditation.
12
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
19/68
ISSOAREASOF RESPONSIBILITY
3.3SSO SECURITYRESPONSIBILITIES Command-specificutiesfheSSOaveeenell-definednany
regulations,irectives,ndocuments,.g.,F R05-16,R80-19,ndOPNAVINST239.1 A.hisuidelinerovides moreeneraliscussionfSSO responsibilities,whichm aybetailoredtoaparticularenvironment.heremainderofsection3detailsISSOresponsibilities.om eoftheseresponsibilitiesarenecessarytosupportth esecuritydutiessummarizedbove.hematerialsotpresentedinaspecificorder.3.4ECURITYREGULATIONSANDPOLICIES
TheSS Ohallewarefthedirectives,egulations,olicies,nduidelinesthataddressth eprotectionofclassifiedinformation,swellssensitiveunclassifiedinformation.heoverallsecuritydocumentsarediscussednection.lso,achcommandandagencym ayhaveadditionalequirementsthatprovidemoredetailedguidancenrotectingensitivenformation.tm ayeecessaryorth eSS Otoprepare,orhaveprepared, listofth eapplicabledirectives,egulations,tc.,foneisnotavailable.
Securityocumentation.heSS Oarticipatesnheevelopmentrrevisionfsite-specificsecuritysafeguardsndocalperatingroceduresthatre basednheboveegulations.hebjectivesoncludeheSS Ouringhedevelopmentandwritingatherthannlyatth emplementationhase.heverallsiteecurityocumentsheecuritylan.tontainsheecurityrocedures,instructions,operatingplans,andguidanceforeachAI Satth esite.
TheISSOalsoprovidesinputtoothersecuritydocuments,forexample,ecurityincidenteports,quipment/softwarenventories,peratingnstructions,echnicalvulnerabilitiesreports,andcontingencyplans.
Tw odocumentsthatth eSS Oshouldefamiliarwith,equiredforproductswithsecurityfeaturesatth eC1evelorabove,arediscussedbelow:
TheTrustedFacilityManualTFM )etailsecurityfunctionsandrivileges.tisesignedoupportISdministratorse.g.,heSSO,heatabaseadministrator,ndomputerperationsersonnel).tddressesheconfiguration,administration,ndperationfth eAIS. Itprovidesguidelines
13
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
20/68
ISSORESPONSIBILITIESGUIDE
fortheonsistentndffectivesefth erotectioneaturesftheystem.(Additionalinformationisprovidedinth eCSEC.)
heSecurityeaturesUser'sGuideSFU G )ssistshesersfth e IS .tdescribesowoseherotectioneaturesfhe ISorrectlyorotectthenformationtorednheystem.heFU Giscussesheeaturesnthe ISthatarevailabletosers,swellsheesponsibilitiesorystemsecuritythatapplytousers.
3.5ISSIONNEEDS TheSS Ohallnderstandherganization'smissioneeds,hats,heoals
andbjectivesfth erganizationndheesourcesequiredoccomplishhesegoals.equirementsrepecifiedynalyzingherganization'surrentcapabilities,vailableesources,acilities,unds,ndechnologyase,ndydetermininghetherheyreufficientoulfillheission.fot,heissionneedshouldevaluatedndrioritizednd la nevelopedoddressheseneeds.ecausesecurityrequirementsshouldbeincludedinthemissionneedsandcurrentassetsssessment,tsmportantorheSS Ooecomenvolvednhemissiondefinitionprocess.3.6HYS ICAL SECURITY REQU IREMENTS
Ingeneral,hysicalecurityaddressesfacilityaccessndtheprotectionfthestructuresndomponentshatontainhe ISndetworkquipment.hysicalsecurityalsoaddressesontingencylansndth emaintenancenddestructionfstoragemediaandequipment.hesehysicalafeguardsmustmeettheminimumrequirementsstablishedorheighestlassificationfatatoredtheite.TheISSOincoordinationwithsitesecuritypersonnelisresponsiblefo rensuringthatphysicalafeguardsrenlace.acilityccessndaintenancereurtherdiscussedinsection3.10.ontingencyplanninganddeclassificationarediscussedinsections3.6.1nd3.6.2.3.6.1 CONTINGENCYPLANS
ThenformationystemecurityanagerISSM)sesponsibleorheformulation,esting,ndevisionfiteontingencylansecausefhemanager'sccountabilityornsuringontinuityfperations. Theontingency
14
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
21/68
ISSOAREASOF RESPONSIBILITY
plansocumentmergencyesponse,ackupperations,ndost-disasterrecoveryrocedures.hileheSSMasverallesponsibilityorhelans,heISSOprovidestechnicalcontributionsconcerningth eoverallsecurityplanstoensureth evailabilityfriticalesourcesndoacilitateystemvailabilitynnemergencyituation.tsls omportantthatllesponsibilitiesnderthela nre adequatelydocumented,communicated,andtested.3.6.2 DECLASSIFICATIONAND DOWNGRADINGOFDATA A NDEQUIPMENT
Declassifications rocedurendndministrativectionoemovehesecuritylassificationfheubjectmedia.owngradings rocedurendnadministrativectionoowerheecuritylassificationfheubjectmedia.heproceduralaspectofdeclassificationstheactualurgingfth emediaandemovalofnyabelsenotinglassification,ossiblyeplacinghemwithabelsenotingthatthestoragemediaisunclassified.heproceduralaspectofdowngradingisth eactualurgingfheediandem ovalfnyabelsenotinghereviousclassification,eplacinghemithabelsenotingheewlassification.headministrativeaspectisealizedthroughth eubmissiontotheappropriateuthorityofadecisionmemorandumtodeclassifyordowngradethestoragemedia.
TheISSOm u stensurethat:urging,eclassification,ndowngradingroceduresreevelopedndimplemented.Procedures areollowed for purging, declassifying, downgrading, and
destroyingstoragemedia.Procedures are followed for marking, handling, and disposing of the
computer,itsperipherals,andremovableandnonremovablestoragemedia.Anypecialoftwareeededoverwriteheite-uniquetorageedias
developedoracquired.Anyspecialhardware,suchasdegaussers,isavailable.
15
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
22/68
ISSORESPONSIBILITIESGUIDE
3.7 ADMINISTRATIVE SECURITY PROCEDURES Administrativesecurityincludesth epreparation,distribution,ndmaintenanceof
plans,nstructions,uidelines,ndoperatingproceduresegardingecurityofAISs.ItsheesponsibilityfheSS Oossistnheevelopmentfdministrativeprocedures,frequired,andtoconductperiodicreviewstoensurecompliance.3.7.1ERSONNELSECURITY
O necomponentofadministrativesecurityispersonnelsecurity.ngeneral,tisth eresponsibilityofth eISSOto :
Ensurehatllersonnelnd,henequired,pecifiedaintenancepersonnelwhonstall,perate,maintain,rseheystem,oldheropersecurityclearancesandaccessauthorizations.
nsurethatal lystemsers,ncludingmaintenanceersonnel,reeducatedbyheirespectiveecurityfficernpplicableecurityequirementsndresponsibilities.
Maintainarecordfvalidecurityclearances,hysicalaccessauthorizations, andAISaccessauthorizationsfo rpersonnelusingthecomputerfacility.
nsurethatmaintenancecontractorswhoworkonth eystemreupervisedbyanauthorizedknowledgeableperson.3.7.2ECURITYINCIDENTSREPORT ING
Asecurityincidentoccurswheneverinformationsompromised,whentheresariskofcompromiseofinformation,whenrecurringorsuccessfulattemptstoobtainunauthorizedccesso ystemreetected,rwheremisusefheystemssuspected.
TheSS Oreates eportingechanism,sartfheecurityncidentreportingprocedure,fo ruserstokeepth eSS Oinformedofsecurity-relevantactivitythattheyobserveonthesystem.hisreportingmechanismshallnotuseth eAISto reportsecurity-relevantactivityabouttheAIS.
16
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
23/68
ISSOA R E A SOFRESPONSIBILITY
Themechanism,ataminimum,ncludesthefollowing:Descriptionofincident. dentificationofth eindividualreportingth esecurityincident.dentificationoftheloss,otentialloss,accessattempt,ormisuse.dentificationoftheperpetrator(ifpossible).Notificationfppropriateecurityndanagementersonnelndivil
authorities,ifrequired.Reestablishmentofprotection,ifneeded.Restartfperations,fheystemadeenakenownoacilitateheinvestigation.
TheISSOperformsthefollowinginsupportofthistask:Preparesroceduresormonitoringndeactingoystemecuritywarning
messagesandreports.Develops,eviews,evises,ndubmitsorpprovaloheAAnd
technicalupervisor,roceduresoreporting,nvestigating,ndesolvingsecurityincidentsatthesite.
mmediatelyeportsecurityncidentshroughheppropriateecurityndmanagementhannelse.g.,SS Mndrogramanager).heSSO submitsnnalysisfheecurityncidentoheppropriateuthorityorcorrectiveanddisciplinaryactions.
Performsnnitialvaluationfecurityroblems,nd,fecessary,temporarilyeniesccessoffectedystems.heSS OnsureshatTerminalreaecurityfficersTASOs)valuate,eport,ndocumentsecurityproblemsandvulnerabilitiesattheirrespectiveremoteterminalareas.
artiallyrompletelyuspendsperationsfnyncidentsetectedhataffectsecurityofoperations.hiswouldncludenyystemailure.Note:thism ayenrealisticfheystemerforms riticalperationalmission.
17
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
24/68
ISSORESPONSIBILITIESGUIDE
Alternativeroceduresayeequirednhisituation.heAAustweighheis kf ecurityncidentagainstheotentialamagenhuttingdownth esystem.)
nsureshatllasesfctualruspectedompromiseflassifiedpasswordsareinvestigated.
nsureshatoccurrenceswithinheystemhatm ayaffectthentegrityndsecurityfheataeingrocessedrenvestigated.fheystemmalfunctions,itisimportanttoaccountforth edata.
Assistshenvestigatingfficialsnnalyzingctualruspectedcompromisesofclassifiedinformation.
3.7.3 TERMINATIONPROCEDURESTheSS Oisesponsiblefo rperformingthefollowingtaskswheneveranyuser's
accessserminated.romptctionsequired,articularlyfheerminationrknowledgeofth ependingterminationmightprovokeausertoretaliate.
Removesth euserfromallaccesslists,othmanualandautomated.Removeshendividual'sccountro mllystems,ncludingheser's
password.nsuresthatth endividualasurnednlleys,okens,rcardsthatllow
accesstoth eAIS. nsuresthatcombinationsfanycombinationocks,ssociatedwithhe IS
anditsphysicalspace,thatth eindividualaccessedarechanged. nsuresthatallremainingpersonnelusingsystemsprocessingclassifieddata
changetheirpasswordstopreventunauthorizedaccess.3.8 SECURITYTRAINING
Becau sepersonnelareanintegralartofth esecurityprotectionsurroundingan AIS,heym u stnderstandheulnerabilities,hreats,ndisksnherentwithIS usage.herefore,omputerecurityhallencludednriefingsivenollew personnel. Toeinforcethisnitialrainingndontroduceewconcepts,eriodic
18
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
25/68
ISSOA R E A SOF RESPONSIBILITY
trainingndecuritywarenessrogramshouldeonducted.heSSOhallcontinuetrainingtokeepurrentnecurityproductsndprocedures.heSSOsresponsibleforensuringthat:
llersonnelincludinganagement)aveomputerecuritywarenesstrainingndaveeadpplicableectionsfheISecuritylan.his includestraininginsecurityproceduresandtheuseofsecurityproducts.
llsersreducatedegardingasswordanagemente.g.,eneratinguniqueasswords,eepingasswordsdequatelyrotected,otharingpasswords,hangingasswordsn egularasis,ndeneratingifferentpasswordsforeachsystemaccessed).
Usersnderstandhemportancefonitoringheiruccessfulndunsuccessfulogins,fossible.fheseootorrespondoheser'sactualsage,heserhouldnowtheroperroceduresoreportinghediscrepancy.
TheSS Oaneepsersnformedboutecuritynanyifferentays.Someapproachesfollow:
PeriodicallyisplayessagesnheIShenheserogsnohesystem.
Developanddistributesecurityawarenessposterstofosterinterest.Disseminateewecuritynformationboutheystemndssueeminder
noticesaboutprotectionprocedures.ssuememostonotifyusersofchanges. rovidehands-on"demonstrationsofAI Ssecurityfeaturesandprocedures.
3.9 SECURITY CONF IGURAT IONMANAGEMENT Configurationanagementontrolshangesoystemoftware,irmware,
hardware,ndocumentationhroughoutheifefheIS .hisncludeshedesign,evelopment,esting,istribution,ndperationfodificationsndenhancementsohexistingystem. TheSS Ortheresignatedndividual
19
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
26/68
ISSORESPONSIBILITIESGUIDE
awarefheecurityssueshallencludednheonfigurationanagementprocessonsurehatmplementedhangesootompromiseecurity.tsparticularlymportantortheSS OoeviewndmonitorroposedhangesohetrustedomputingaseTCB)sefinednheecurityarchitecture.ppropriatetestshouldeonductedohowhatheCBunctionsroperlyfterhangesarem adeot.onfigurationmanagementaskshatreheesponsibilityfheISSOareasfollows:
Maintainnnventoryfecurity-relevantardwarendecurity-relevantsoftwareandtheirlocations.
Maintainocumentationetailinghe ISardware,i rmware,ndoftwareconfigurationandallsecurityfeaturesthatprotectit.
Evaluateheffectnecurityfroposedentrallyevelopednddistributedandsite-uniquemodificationstosoftwareandapplications.ubmitcommentstoappropriatepersonnel.
dentifyandanalyzesystemmalfunction. Preparesecurityincidentreports.Assistnheevelopmentfystemevelopmentotificationsndystem
changeproposals.MonitorDAA-approvediteproceduresorontrollinghangesoheurrentsystem. nsurehatnyystemonnectivitysnesponseo alidperational
requirement. nsurethatontinuingestsfheiteecurityeaturesreerformed,nd
maintaindocumentationofth eresults.CoordinateAISecuritychangeswithheSSM.eviewal liteonfiguration
changesandystemomponentchangesrmodificationstoensurethatsitesecurityisnotcompromised.Reviewphysicalinventoryreportsofsecurity-relevantAISequipment.
20
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
27/68
ISSOAREASOF RESPONSIBILITY
HardwareandSoftwarenstallationndaintenance.heSS Onsuresthatheesignndevelopmentfewystemsrheaintenancerreplacementfxistingystemsncludesecurityeatureshatillupportcertificationndccreditationreaccreditation.nupportfhisffort,nformalreviewswithheiteertifiersanelpdentifyotentialroblems,husnablingpotentialecurityisksoedentifiedarly.eforenstallingnyewystem release,th esiteshallcompletesufficienttestingtoverifythattheystemmeetsth edocumentedndpprovedecuritypecificationsndoesotiolatexisting securitypolicy.heSS Oshall,taminimum,observeth etestingfnewreleases.SpecificISSOtasksare:
nsurehatllecurity-relevantevelopmentndlanningctivitiesre reviewedandapproved.
articipatenhecquisitionlanningrocessorroposedcquisitionsoensurethatthesitesecuritypolicyhasbeenconsidered.hisappliestobothth eacquisitionofnewsystemsortheupgradeofexistingsystems.
nsurethatecurityfeaturesrenlacebytesting)opreventapplicationsprogramsfrombypassingecurityfeaturesrfromaccessingensitivereasofth esystem.
Developprocedurestoreventth enstallationfoftwareromnauthorizedorquestionablesources.
nsurehatystemupportersonnelnowowonstallndaintainsecurityfeatures.
3.10 ACCESS CONTROL Accessisconsideredfromdifferentperspectives:hysicalaccesstoth eacility
andystemfacilityccess),ogicalccessoheystemidentificationndauthentication),ndogicalccessoheystem'silesndtherbjectsdataaccess). Eachoftheseisdiscussedseparatelybelow.
21
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
28/68
ISSORESPONSIBILITIESGUIDE
3.10.1 FACILITYACCESSProcedureshalledevelopedorontrollingaccessoheitendheite's
resources.nccordancewithpplicableecurityolicy,ystemccesshalledeniedonyser,ustomer,risitorhoasoteenrantedpecificauthorization. Generalguidancefo rtheISSOfollows:
stablishprocedurestoensurethatonlypersonnelwhohaveaneed-to-knowhaveaccesstoclassifiedorsensitivebutunclassifiedinformation.
stablishroceduresonsurehatnlyersonnelhoaveheroperclearancesndormalccesspprovalrellowedhysicalccessonysystemontaininglassifiednformation.llndividualshoaveoutineaccesstoth esystemshouldbeproperlyclearedandaveavalidoperationalrequirementforaccess.
Denyccessonyser,ustomer,risitorhosnauthorizedrsuspectedofviolatingsecurityprocedures.
nsureallvisitorsaresigned-inndescorted,fnecessary.isitorshalleundervisualobservationbyanauthorizedperson.
eeprecordsofmaintenanceperformedatth esite. stablishndmplementroceduresoontrolISquipmentomingnto andoingutfheite,ncluding,orxample,estevices,able,nd
systemdisks.Developandmaintainafacilitysecurityplanthatcontainsatleastarchitectural
drawingsandbuildingplans,floorplans,andinventories.nsurethatmaintenancecontractorsw howorkonthesystemreupervised
byanauthorizedknowledgeableperson.3.10.2 IDENTIFICATIONANDAUTHENTICATION( l&A)
Thedentificationomponentofan&Asystemonsistsfaetofniqueseridentifiers. Authenticationnvolveserifyinghedentityf ser. If ser's
22
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
29/68
ISSOAREASOF RESPONSIBILITY
identifierdoesotremainnique, subsequentuserm aygaintheaccessightsfaprevioususeronthesystem.eneralguidancetotheISSOfollows:
nsurethatth edatabasesrequiredtosupportthe&AfunctionareaccessibleonlybytheISSO.
Obtainalistofalldentifications(IDs)presetatthefactory.hangeordeleteal lserDsndasswordshatomeithendoroftwareoreventunauthorizedaccess.efaultasswordshalleheckedndhanged,snecessary,tystemnstallationndodification,henheSSOirstassumesesponsibilityfheystem,ndfternyaintenanceohesystem.
Developnddminister asswordmanagementystemhatncludeshegenerationfystemasswordsndevelopmentfroceduresoraddressingpasswordlossorcompromise.
nsurehatnlyuthorizedersonsxecuteystemtilityrogramsndroutinesthatbypasssecuritychecksorcontrols.
Maintain iteseris thatontainsheame,serD,ccessevel,ndwhetherth euseristohaveoperatororadministrativeprivileges.
3.10.3 DATA ACCESS Thefocusfdataaccessproceduresstoreventdisclosurefnformationo
unauthorizedindividuals.eneralguidancefortheISSOfollows: nsurehatheite-specificiscretionaryccessontrolDAC)olicys
definedndmplemented.heolicyhouldefinehetandardsndregulationshatheSS Omustmplementonsurehatatasisclosedonlytoauthorizedindividuals.
Controlaccesstollunctionshatanffectheecurityrntegrityfhesystem.ccessofthistypeshallbekepttoth eabsoluteminimumnumberofpersonnel.
23
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
30/68
ISSORESPONSIBILITIESGUIDE
nsurehatnyequiredccessontroloftwareubsystemsrthersecuritysubsystemsarenstalledndoperatedn mannerthatsupportsth esecuritypolicyofth eAIS.
3.11 RISK MANAGEMENT Riskmanagementdentifies,easures,ndinimizesheffectfncertain
eventsnystemesources.is kmanagementdetermineshealuefheata,whatrotectionlreadyxists,ndowm u chmorerotectionheystemeeds.Therocessncludesis knalysis,ostenefitnalysis,afeguardelectionndimplementation,ppropriateecuritytests,ndystemseview.iskmanagementisnongoingrocessthatwilleaffirmhealidityfreviousnalysis.heSSO supportstheriskmanagementprocessbyperformingth efollowingtasks:
Assistinth edevelopmentofth eriskmanagementplan. erform is kassessmentndnalysisynalyzinghreatsoheitend
vulnerabilitiesftheitenelationshiptoth eensitivityofth enformationnth esystem.ocumenttheresultsandprepareappropriatecountermeasures.(Thisisexpandedbelow.)
nsure ontingencyla nsnlaceorontinuityfperationsnnemergencysituationandthatthedevelopedplansareexercised.
nsurethatapprovedcountermeasuresareimplemented.Periodicallyeviewheis kssessmentorewhreatsueo hanged
configurationrhangesnheperationalnvironmentndeviewcontingencyplanstoensurethattheyarestillapplicable.
Ensurehatecurityests,isknalysis,EMPESTests,ndtherinspectionsreonductedsequired.aintain ileforkingapersconcerningecurityests,is knalysis,ndtheracetsfheiskmanagementprogram.
Maintainafileofal lsitesecurity-relatedwaivers.
24
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
31/68
ISSOAREASOF RESPONSIBILITY
TheSS Oocumentsndeportsomputerecurityechnicalulnerabilitiesdetectedn ISs,nccordancewithDODnstruction215.2.heeportncludesinformationegardingechnicalolutionsradministrativeroceduresmplementedtoeduceheisk.achSS Odministersheechnicalulnerabilityeportingprogramand:
Reportsdentifiedechnicalulnerabilities.s urtherayfharinginformationboutvulnerabilities,maintainsontactwiththerystemecurityofficersandwithotherusersofthesametypeofsystem.
Assumesesponsibilityorecommendingnynecessaryndeasiblectiontoreduceriskspresentedbyth evulnerabilities.
Developsocalroceduresoreportingndocumentingechnicalvulnerabilities,ndnsureshatllsersndperatorseceiverainingorcarrying-outth eprocedures.
nsuresthatvulnerabilityinformationisproperlyclassifiedandprotected.3.12 AUD ITS
TheSSOasherimaryesponsibilityoonductecurityuditsoroperationalystemssellsorystemsnderevelopment.onitoringfvariancesnecurityroceduressls omportantndsestontrolledyheISSO.spartofvariancemonitoring,th eSS Oreviewsnyrelevantaudittrailata fromth esystem.inally,th eSS Oprovidesseniormanagementwitheportsontheeffectivenessfecurityolicy,ithdentificationfeaknessesndrecommendationsforimprovements.3.12.1 AUDITTRAILS
Theuditrailrovides ecordfystemecurity-relatedctivityndl lowsth eSS Oomonitoractivitiesnheystem.oenffectiveecurityool,heauditrailhouldebleoonitor,orxample,uccessfulndnsuccessfulaccessttempts,ileccesses,ypefransaction,ndasswordhanges.fmanualuditsreecessary,heSS Ohallocumentandomhecksadeoverifythatsersreecordingystemsage.udittraililesm u sterotectedopreventunauthorizedchangesordestruction.
25
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
32/68
ISSORESPONSIBILITIESGUIDE
3.12.2 AUDITINGRESPONSIBILITIESAppropriateaudittrailatashalleeviewedyth eSSO.esidesth eystem
audittrail,etworkuditeportsanrovideetailednformationnetworktrafficandrovidesummaryaccountingnformationnachserD,ccount,rprocess.TheresponsibilitiesoftheISSOfollow:
Reviewspecificationsfornclusionfaudittraileductionoolsthatwillassistinaudittrailanalysis.
Selectecurityventsoeudited.nsurehatheuditrailseviewedandavethecapabilitytouditeveryaccesstoontrolledystemesources(e.g.,verysensitivefiles).rchiveauditdata.
Developndmplementuditndeviewroceduresonsurehatll IS functionsremplementednccordanceithpplicableoliciesndprograms.xistingoliciesndrogramssuallystablishheinimumamountofmaterialthatshallbeaudited.
Conductauditsandmaintaindocumentationonth eresults.Superviseeviewfecurityuditarameters.evelop,eview,evise,
submitforapproval,andmplementproceduresfo rmonitoringndeactingtosecuritywarningmessagesandreports.
Conductandomhecksoerifyomplianceithheecurityroceduresandrequirementsofth esite.
Gathernformationromuditrailsoreaterofilesfystemsers.Observeseratternsuchsheerminalsuallysed,ilesccessed,normaloursfccess,ndermissionssuallyequested,oeterminewhichactionsareunusualandshallbeinvestigated.
Reviewseraccesseportseneratedyheuditrail,nompliancewithpoliciesandpractices.
26
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
33/68
ISSOAREASOF RESPONSIBILITY
Reviewaudittrailreportsfo ranomalies:-ookorultiplensuccessfulogonttempts.hisoulden
indicationfnnexperiencedser, serwhoasecentlyhangedpasswordsandforgottenth enewone,oranattemptedintrusion.
-ookforanattemptbyauser,whosalreadyoggednt terminal,olo gngainotheameystemro m econderminal.hisouldecausedynnadvertentailureoogut,nntentionalogonooth terminals,oranattemptedintrusion.
-elerttondividualsoggingnfterormalours.hism aymeanheuserhasadeadlinetomeetandsworkingovertimeorthatanntruderisattemptingaccess.
-ookorighumbersfnsuccessfulileccesses.hisouldepromptedyheser'sailureoememberileamesrynattemptedintrusion.
-ookforunexplainedchangesinsystemactivity.-ookfo rcovertchannelactivity.
3.13 CERTIF ICATION ANDACCRED ITAT IONCertificationsheechnicalvaluationfnAIS'securityeatures,ncluding
non-AISecurityfeaturese.g.,dministrativeproceduresndhysicalafeguards),againstaspecifiedetofecurityequirements.heobjectivestodetermineowwellheISesignndmplementationeethisre-definedetfecurityrequirements.ertificationserformedsartfheccreditationrocess.Accreditationisth eformalmanagementdecisionm adebyth eD AAtomplementan AISretworkn pecificperationalnvironmenttncceptableevelfisk.Thecertificationpackagespecifiesth efollowinginsupportofaccreditation:
Securitym ode.Setofadministrative,environmental,andtechnicalsecuritysafeguards.Operationalenvironment.
27
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
34/68
ISSORESPONSIBILITIES GUIDE
nterconnectionstootherAISornetworks.Vulnerabilitiesaswellasproceduralandphysicalsafeguards.TheSS Osrequentlyesponsibleorth eollowingis tftasksnreparation
fo raccreditationofaparticularAIS:Assistinpreparingtheaccreditationmaterialrequiredbyth eDAA.Assistintheevaluationoftheaccreditationpackage.Assistinthesitesurveys. repare tatementoheAAboutheertificationeport.heeport
shouldnclude descriptionfheystemndtsmission;heesultsro m th etesting,documentreviews,ndhardwareandsoftwarereviews;emainingsystemulnerabilities;ndnydditionalontrolsrnvironmentalrequirementsthatm aybenecessary.
nsurethatthesitemaintainsth esystemsecuritybaselinethroughaudits.Notifyth eD AArtheDAA'sepresentativefllonfigurationhangeshat
m aychangeth esite'ssecuritybaseline.
28
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
35/68
4. SECURITYPERSONNELROLESAlthoughthisuidelineocusesnheolendesponsibilityfth eSSO,ts
importanttonderstandowth eSSOositionelatesotherositionshatave somesecurityresponsibilitywithinanorganization.hissectionoutlinestheseotherpositionswithsecurityresponsibilities.
DO Degulationsefineecurityolesndesponsibilitiesorersonnelresponsibleor ISecurity.verallolesndesponsibilitiesreimilarcrossDOD,utareassigneddifferenttitlesnachervice/agency.able ummarizesth etitlesandpositionsacrossth eDODcomponents.
O neoftherolesnotaddressednTable r2sthatofthe rogramManager(PM).hilethisisnotspecificallyasecurityfunction,theMm u stbeawareoftheAISecurityequirements.heMhouldstablish omputerecurityworkinggroup(CSWG )consistingfindividualsfromtheprogramoffice,sers,rocurementspecialists,onsultants,ocalomputerecurityrganizations,ndheevelopers.Duringtheacquisitionprocess,hisgrouphalleviewandvaluateecurity-relateddocumentsndssuesuchspecifications,ecurityestlansndrocedures,andiskanagementlansndrocedures.heollowingectionsistresponsibilitiesorachfhedentifiedecurityoles.ependingnheize,geographicalistribution,ndomplexityfheite,heolefheSSM (Informationystemecurityanager)/NSMNetworkecurityanager)ayefilledbythesameindividual(s)astheISSO/NSO(NetworkSecurityOfficer).
29
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
36/68
ISSORESPONSIBILITIESGUIDE
TableServiceandAgencySecurityPersonnelTitles
Level AirForce1 Army1 Navy 1 DIA SystemWide MAJCOM
2'3
MCSSM M A C O M2
ISSPM COM NAVCOM TE L.COM2 MDICorSI O2
AISSite BCSSM CFM4CSSO TASO
ISSMISSO TASO
ADPSOADPSSO/ISSO MSO TASO ISSO
NetworkSite1 M^tono,
NM NSM NSO NSO NSO NSO
2.3. 4. OperationalPlan-ExtremelySensitiveInformation)DAATheremanybemultipleMAJCOMsatabase,eachwithon eormoreAIS sitesThereisonlyoneB CS S OperbasetowhichallCFMsprovideinformation
ADPSOADPSSOB CS S M B CS S OC FM COMNAVCOMTELCOMCSSM CSSO D AA ISSM ISSO ISSPM M A C O M MAJCOMM CS S M M D I C M SO NM NSM NSO SIO SSM TASO
AD PSecurityOfficerAD PSystemSecurityOfficerBaseCommunications-ComputerSystemsSecurityManagerBaseCommunications-ComputerSystemsSecurityOfficerComputerFacilityManagerCommander,NavalComputerandTelecommunicationsCommandCommunications-ComputerSystemSecurityManagerComputerSystemSecurityOfficerDesignatedApprovingAuthority/DesignatedAccreditationAuthorityInformationSystemSecurityManagerInformationSystemSecurityOfficerInformationSystemSecurityProgramManagerMajorArmyCommandMajorCommand(AirForce)MAJCOMCSSM MilitaryDepartmentIntelligenceOfficerMediaSanitationOfficerNetworkManagerNetworkSecurityManagerNetworkSecurityOfficerSeniorIntelligenceOfficerSystemSecurityManagerTerminalAreaSecurityOfficer
30
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
37/68
SECURITY PERSONNELROLES
Table resents niformetfecurityolesnditlesha twillese dthroughoutthisguideline.
Table2Uniform SecurityPersonnelTitlesLEVEL STAFFPOSITIONSystemWide (NotSCI,SIOP-ESI) D AACISSM AISSite ISSM ISSO TASO NetworkSite NSM NSO
CISSMomponentInformationSystem SecurityManagerDAAesignatedApprovingAuthority ISSMnformationSystemSecurityManagerISSOnformationSystemSecurityOfficerNSMetworkSecurityManagerNSOetworkSecurityOfficerSC IensitiveCompartmentedInformation SIOP-ESIingleIntegratedOperationalPlan-ExtremelySensitiveInformation TASOerminalAreaSecurityOfficer
31
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
38/68
ISSORESPONSIBILITIESGUIDE
4.1ESIGNATED APPROVINGAUTHORITY (DAA)TheAArantsinalpprovaloperatenISretworkn pecified
securitym ode.2]eforeccrediting ite,heAAeviewsheccreditationdocumentationndonfirmshatheesidualis kswithincceptableimits.heDAAlsoerifieshatachISomplieswithheISecurityequirements,sreportedbytheISSOs.pecificsecurityresponsibilitiesareasfollows:
stablish,dminister,ndoordinateecurityorystemshatgency,service,rommandersonnelrontractorsperate.ssistheMndefiningsystemsecurityrequirementsfo racquisitions.
Appointtheindividualswhowilldirectlyreporttoth eDAA.Approvehelassificationevelhatsequiredorpplicationshatre implementedn etworknvironment.lso,pprovedditionalecurityserviceshatreecessarye.g.,ncryptionndon-repudiation)o
interconnecttoexternalsystems.Reviewheccreditationla nndignheccreditationtatementorhe
networkandach ISndefineheriticalityndensitivityevelsfachAIS.
ReviewheocumentationonsurehatachISupportsheecurityrequirementsasdefinedintheAISandnetworksecurityprograms.4.2OMPONENTNFORMATIONSYSTEMSECURITYMANAGER(CISSM)
TheISSMsheocalointorolicynduidancenISndetworksecuritymattersandreportstoandsupportsth eDAA.heCISSMadministersoth theAISandetworksecurityprogramswithinheomponentdefinedsheOfficeofth eSecretaryofDefense,th emilitarydepartmentsandth emilitaryserviceswithinthosedepartments,theJointChiefsofStaff,th eJointStaff,heUnifiedndSpecifiedCommands,theDefenseagencies,heDODieldctivities,ndotheruchffices,agencies,activities,andcommandsasm aybeestablishedbylaw,ythePresident,oryheSecretaryfDefensehatrocessatanISs).2]dditionally,heCISSM is responsibleorubcomponentsuch ashe M A J C O M , M A C O M , or
32
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
39/68
SECURITY PE R S O N N E LROLES
C O M N A V C O M T E L C O M ,whichredentifiednTable. TheISSM,herefore,m ayberesponsiblefo rmultipleAISs. Securityresponsibilitiesshouldinclude:
Developnddminister jSndetworkecurityrogramshatmplementpolicyndegulationsndreonsistentwithheccreditationlan.henetworkprogramshalldefineintrasystemandintersystemconnectivity.
stablish is kanagementrogramorhentireISifeycle.his includesddressingetwork-wideecurityndroblemsssociatedithinterconnectingtoexternalsystems.
dentifyth eDAAforeachunclassifiedsystemandeachclassifiedsystem.dentifyachystemnheertificationndccreditationla nrnhe
systemsecurityplan.Adviseth eDAAaboutth euseofspecificsecuritymechanisms. rovideperiodicbriefingstoth ecomponentmanagementandtotheDAA.Reportecurityvulnerabilities,maintain ecordfecurity-relatedncidents,
andreportseriousandunresolvedviolationstotheDAA.Administerasecurityandtrainingawarenessprogram.Overseemaintenanceofaccreditationdocumentation. rovidefo roverallkeydistributionandencryptionmanagement.nforce,hrougholicy,omplianceithomponentomputerecurity
program.4.3 I NFORMAT IONSYSTEM SECURITY MANAGER( ISSM)
TheSSMeportsoheCISSMndmplementsheverallecurityrogramapprovedyth eDAA.heSS Mocusesn ISecurity.herem ayemultipleISSMs.heISSMshouldnotparticipateinth eday-to-dayoperationoftheAIS.
33
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
40/68
ISSORESPONSIBILITIESGUIDE
Specificsecurityresponsibilitiesare:nsurethatth eAISsecurityprogramrequirementsaremet,ncludingefining
th eecuritym ode,pecificecurityequirements,rotocols,ndtandards.DevelopapplicableAISsecurityprocedures.
mplementtheis kmanagementrogramefinedyheCISSM.erifyhattheiskssessmentserformedndhathreatsndulnerabilitiesre reviewedtoevaluaterisksproperly.
Verifyhatppropriateecurityestsreonductedndhatheesultsre documented.
Reviewheccreditationla nndheeaccreditationctivities,evelopscheduleorheeaccreditationasks,ndnitiateecertificationndreaccreditationtasksunderthedirectionoftheDAA.
Assistniteonfigurationanagementyeviewingroposedystemchangesndeviewingmplementedystemodificationsordversesecurityimpact.
nsurethatAISsecurityisincludedinallth econtingencyplans. rovideth eDAAwithheertificationackagetohowthatth e ISatisfiestheecuritypecificationsorheatatrocesses,tores,rransmits.Documentandmaintaintheevidencecontainedinthecertificationpackage.MonitorISersonnelecurityroceduresonsurehatheyreeing
followed;oordinatendmonitornitialndollow-upecurityrainingor IS personnel.
MaintainacurrentAISsecurityplan.4.4 NETWORK SECURITY MANAGER (NSM)
TheNSMsesponsiblefo rth everallecurityoperationfth eetworkndsth eocalointfo rolicy,uidance,ndssistancenetworkecuritymatters.naddition,heSMnsureshatheetworkompliesithheequirementsorinterconnectingoxternalystems. TheNSMeportsoheCISSMndhallot
34
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
41/68
SECURITY PERSONNELROLES
participatenheay-to-dayperationfheetwork.heasksfheNS Mre comparableohosefheSSM.heecurityesponsibilitiesreistednhesamerdershoseorheSSM,orasefomparison,ithifferencesindicatedbyitalics:
nsurethatanNSOisappointedfo reachnetwork. nsurethatth eAISsecurityprogramequirementsaremet,ncludingefining
theecuritym ode,pecificecurityequirements,rotocols,ndtandards.Developapplicablenetworksecurityprocedures.
mplementtheis kmanagementprogramefinedyth eCISSM.erifythatth eis kssessmentserformedndhathreatsndulnerabilitiesre reviewedtoevaluaterisksproperly.
Verifythatppropriateecurityestsreonductedndhatheesultsre documented.
Reviewheccreditationla nndheeaccreditationctivities,evelopscheduleorheeaccreditationasks,ndnitiateecertificationndreaccreditationtasksunderthedirectionoftheDAA.
Assistniteonfigurationanagementyeviewingroposedystemchangesandreviewingimplementedsystemmodificationsforadversesystemimpact.
nsurethatnetworksecurityisincludedinallth econtingencyplans. rovideheAAithheertificationackageohowhatheetwork
satisfiesheecuritypecificationsorheatatrocesses,tores,rtransmits.ocumentandmaintainheevidenceontainedntheertificationpackage.
rovideheAAithrittenertificationhatheatisfiesheecurityspecificationsforth eataitprocesses,tores,rtransmits.nsurethatthedocumentationtosupportthecertificationisdevelopedandmaintained.
35
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
42/68
ISSORESPONSIBILITIESGUIDE
Monitormplementationf ISersonnelecurityroceduresonsurehattheyreeingollowed;oordinatendmonitornitialndollow-upecuritytrainingfo rAISpersonnel.
MaintainacurrentAISsecurityplan.Manageoutingontrolorecurityithinheetworkspecifyinksrsubnetworksthatareconsideredtobetrustedbasedonspecificcriteria).
4.5NFORMATIONSYSTEMSECURITYOFFICERISSO)TheSSOctsorheISSMonsureomplianceithISecurity
procedurestheperationaliternstallation.ependingnheiz endcomplexityfhe IS ,heSSOls oayunctionsheSS MndSO .hedutiesofth eISSOaredetailedinsection3. 4.6ETWORKSECURITYOFFICERNSO)TheSOmplementsheetworkecurityrogramndctssheointfcontactfo ral letworkecuritymatters.heesponsibilitiesfth eNSOreimilartothoseoftheSSO,withtheNSOconcentratingnetworksecurityandth eSS OconcentratingonAISsecurity. Thesecurityresponsibilitiesofth eNSOare:
Obtainrittenpprovalro mheAAorocesslassifiedrensitiveunclassifiedinformationonth enetwork.
Maintainthesecurityprocessingspecificationsfo rth enetwork. nsurehattandardecurityroceduresndeasureshatupporthe
securityfhentireetworkreevelopedndmplemented.onductperiodicreviewstoensurecompliancewithnetworksecurityprocedures.
nsurethatnetworkecuritysncludednllheontingencylansndhatth econtingencyplansaretested.
Maintainthesite-specificportionoftheaccreditationdocumentation.nsurehathysicaleasuresorotectheacilityrenffectndhat
measurestoprotectmission-essential,ensitivedataprocessingactivitiesare implemented. Maintainiaisonithrganizationshatreesponsibleor
36
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
43/68
SECURITY PERSONNELROLES
physicalecurity,.g.,militaryolice,ireontrolfficials,aseowerlantofficials,andemergencyservices.
Reviewetworkonfigurationhangesndetworkomputerhangesrmodificationsonsurehatetworkecuritysotegradedincludinginterfacesoeparatelyccredited ISs).nsurehatetworkomponents(i.e.,ardware,oftware,ndirmware)rencludednheonfigurationmanagementprogram.
Selectecurityeventsthatreoeauditedremotelyollected;stablishproceduresfo rcollectingtheauditinformation;andreviewauditreports.
Verifyecuritylearancesndccesspprovalorersonnelsinghenetwork.
Coordinatendonitornitialnderiodicecurityrainingoretworkpersonnel.erifythatallusersreceivenetworksecuritytrainingbeforeeinggrantedaccesstothenetwork.
rovidesersithlans,nstructions,uidance,ndtandardperatingproceduresegardingetworkperations.onducteriodiceviewsoensurecompliance.
Verifyhatersonnelecurityrocedurespplicableoheperationfhecomputerfacilityarefollowed.Reporthysical,ersonnel,nd ISecurityiolationsoheNSM.eport
systemfailuresthatcouldleadtounauthorizeddisclosure.Reviewreportedsecurityproblemsandnformth eNS Mfsecuritydifficulties.
EnsurehatASOsvaluate,ocument,ndeportecurityroblemsndvulnerabilitiesattheirrespectivesites.
Recommendartialrompleteuspensionfperationsfnyncidentsdetectedthatm ayaffectsecurityofth eoperation.Monitorheystemecoveryrocessesossurehatecurityeaturesre
correctlyrestored.
37
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
44/68
ISSORESPONSIBILITIESGUIDE
Maintainuidelineshatnsurehathehysical,dministrative,ndpersonnelsecurityproceduresarefollowed.
4.7ERMINALAREA SECURITY OFFICER(TASO)TheTASOreportstotheSS Ondsesponsibleforsecurityproceduresinnassignedemoteterminalrea.ystemccessro mheTASO'sssignedemote
terminalswillnotbeallowedwithoutauthorizationfromthecognizantsecurityofficer.TheTASOhasth efollowingsecurityresponsibilities:
nsurethattherearewrittennstructionsspecifyingecurityrequirementsandoperationalproceduresforeachterminalarea.
nsureccesso erminalsnlyosersithheeed-to-know,clearance,ndccesspprovaloratahatayeccessedro mhatterminal.
erformnnitialvaluationfecurityroblemsnhessignederminalarea(s)ndotifyheSS Ofllecurityiolationsndnyracticeshatm aycompromisesystemsecurity.
Verifyhathehysicalecurityontrolsrenlacendperational,orexample,physicallyprotectingth enetworkinterfaces(hardwareconnections).
Collectndeviewelectedemoteacilityuditecords,ocumentnyreportedproblems,andforwardthemtoth eISSO. articipateinsecuritytrainingandawareness.Ensurehathequipmentustodianasllheomponenterialumbers
writtendownandstoredinasecureplace.4.8ECURITYRESPONSIBILITIES OFOTHERSITEPERSONNEL
Becau setheverallecurityof itesubjecttoth eooperationfeveryoneinvolvednheystem,heiscussionfolesndesponsibilitieswouldotecompleteithoutentioningheystemdministrator,heomputeracilitypersonnel,heatadministrator,heaintenanceersonnel,ndhesers.Everyonesesponsibleornowingheecurityproceduresndmechanismshat
38
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
45/68
SECURITY PERSONNELROLES
arenffector articularystem,orollowingllrocedurespplicableosecurity,ndoreportingotentialecurityncidents.nddition,pecificresponsibilitiesfo rotherindividualsarelistedbelow.
Thedataadministratorandclassifiershall:CoordinatewithheSSOnnformationecurityequirementsndwithhe
NSO fornetworksecurityrequirements. stablishronfirmheverallecuritylassificationfhepplicable
resourcesndstablishestrictionsrpecialonditionsorhesefhedata.
Periodicallyreviewth eatatoverifythattheecurityclassificationsorrect.Recommenddowngradingdata,fapplicable.
Authorizeindividualorgroupaccesstospecificresources.Participateinth edevelopmentofaformalneed-to-knowpolicy.Theusersshall:U sethesystemnlyfo rauthorizedpurposesandnaccordancewithecurity
proceduresan dguidelines.Maintainindividualaccountability(e.g.,donotsharepasswords). rotectclassifiedandothersensitivematerial.
4.9 ASSIGNMENTOFSECURITY RESPONS IB IL IT IES Table3resents amplehartfo rdentifyingheolesndesponsibilitiesf
th eariousndividualswhoaveecuritytasks.herimaryoalsodentifyllth etasksandensurethatatleastoneindividualisassignedtoperformeachtask.
39
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
46/68
ISSORESPONSIBILITIESGUIDE
Table3FunctionMatrixFunction DAA CISSM ISSM NSM ISSO NSO TASOOverallSecurity PR IM IM IM IM IM IMAccreditationProcess PR IM IM IM IN IN RecertificationandReaccreditation PR IM IM IM IN IN AIS SecurityProgram PR IM IM IM IMNetworkSecurityProgram PR IM IM IMNetworkAccess PR PR VE D O ,VESecurityThreats/Vulnerabilities
PR DO D O D O IN ,D O DO,IN DOSecurityRegulationsandolicies IM IM IM IM IM IM IMSecurityDocumentation VE DO D O D O IN IN IN RiskManagementProgram PR IM IM IM,IN IM,IN SecurityTrainingandAwarenessProgram PR VE VE IM,VE IM,VE IMSecurity Violations DO D O D O D O D O D O SecurityConfigurationManagement VE IM IM IM IMAIS SecurityProcedures PR IM,VE IM,VE IM,VE ContingencyPlans PR ,VE PR,VE IM,IN IM,IN IMNetworkSecurityProcedures PR IM,VEAudit PR PR PR ,D O AccessControl IM IM VEPhysicalSecurity VE VE VEDeclassificationandDowngrading VE
PR :asprimaryresponsibilityIM :mplements/enforcestaskorprogram DO :reparesdocumentationan dsubmitstoappropriateauthority,fapplicableVE :erifiescomplianceorperformanceofactivitiesIN:ssistsinth epreparationofreports,lans,rocedures,tc .
40
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
47/68
BIBL IOGRAPHY Thisbibliographyincludesdocumentsthatm aybeusefultoth eSSO.ncluded
areirectives,egulations,anuals,irculars,tc .itedeferencesrelsoincluded.hisis tisotintendedtoeomprehensive;hats,dditionaleadingsm aypplyto articularorganizationndystem,ndheSS Ohoulddentifyllth erelevantsecuritydocuments.ComputerSecurityActof987,ublicaw00-235,01T AT.724, anuary
1988.Defensentelligencegency,hysicalecuritytandardsoronstructionf
Sensitiveompartmentednformationacilities,efensentelligencegency(DIA)Manual50-3,ebruary1990.
DefensentelligenceAgency,SecurityofCompartmentedComputerOperationsU),DIAManual50-4,CONFIDENTIAL ,980.
DefensentelligenceAgency,SecurityRequirementsforAutomaticDataProcessing(ADP)Systems,DIA Regulation50-23,4March979.
Defensentelligencegency,ensitiveompartmentednformationontractorAdministrativeSecurity,DIAManual0-5,OROFFICIALUSEONLYFOU O),Vol.,0M ay1983.
Departmentfheirorce,omputerecurityolicy,Fegulation05-16,FOUO,28April989.
Departmentfth e rmy,ecurity:nformationSystemsSecurity,ArmyRegulationNo.380-19,4September1990.
DepartmentfDefense,AutomatedDataProcessingSecurityManual-Techniquesandroceduresormplementing,eactivating,esting,ndvaluating, DepartmentofDefenseDOD)200.28-M, anuary973withhangeagesinJune1979(nowunderrevision).
41
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
48/68
ISSORESPONSIBILITIESGUIDE
Departmentfefense,ommunicationsecurityCOMSEC)U),epartmentfDefenseDirective(DODD)C-5200.5,CONFIDENTIAL ,21pril990.
Departmentfefenseomputerecurityenter,omputerecurityRequirementsGuidanceorpplyingheepartmentfefenserustedComputerystemvaluationriterianpecificnvironments,CSC-STD-003-85,25June985.
Departmentfefenseomputerecurityenter,asswordManagementGuideline,CSC-STD-002-85,2April985.
Departmentfefenseomputerecurityenter,echnicalationaleehindCSC-STD-003-85:omputerSecurityRequirementsGuidanceorApplyingth eepartmentofDefenserustedComputerSystemvaluationriterianSpecificEnvironments,CSC-STD-004-85,25June985.
Departmentfefense,omputerecurityechnicalulnerabilityeportingProgram(CSTVRP),DODInstruction5215.2,2September986.
DepartmentofDefense,ControlofCompromisingEmanations(U),DODDS-5200.19,SECRET,23February1990.
Departmentfefense,ODnformationecurityrogram,O D D200.1,7June1982.
Departmentfefense,ODersonnelecurityrogram,ODD200.2,20December1979.
Departmentfefense,ndustrialecurityanualorafeguardinglassifiedInformation,DOD5220.22-M,3January1991.
Departmentfefense,ndustrialecurityrogram,ODD220.22,1November1986.
DepartmentfDefense,ndustrialSecurityRegulation,DO DRegulation220.22-R,December1985.
DepartmentfDefense,nformationSecurityProgramRegulation,ODRegulation5200.1-R,June986.
42
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
49/68
B IB L IO G R A PHY
Departmentfefense,nformationecurityrogramegulation,OD5200.1-R/AFR205-1,April987.
DepartmentofDefense,SecurityRequirementsforAutomatednformationystems(AISs),DODD5200.28,21arch988.
Departmentfefense,rustedomputerystemvaluationriteria,O D 5200.28-STD,December1985.
Departmentfheavy,epartmentfheav yutomaticatarocessingSecurityProgram,ChiefofNavalOperationsInstruction(OPNAVINST)5239.1 Awithchange,3August1982.
DepartmentfheNavy,epartmentofth eNavyAutomatednformationystems(AIS)SecurityProgram,SECNAVINST5239.2,5November1989.
DepartmentfheavyensitiveompartmentednformationSCI)/lntelligence,AutomatednformationystemAIS)ecurityrogram,AVINTCOMINST5239.3,23July1990.
Directorfentralntelligence,ecurityanualorheniformrotectionfIntelligenceProcessedinAutomatednformationSystemsandNetworksU),SupplementoirectorfentralntelligenceirectiveDCID)/1 6U),SE CRE T,9July1988.
DirectorofCentralntelligence,SecurityPolicyforUniformProtectionofIntelligenceProcessednAutomatednformationystemsndNetworksU),irectorfCentralIntelligenceDirective(DCID)/16,SE CRE T,9July1988.
ExecutiveOrder,NationalSecurityInformation,ExecutiveOrder12356,2April982.Ferdman,aurondarriet.oldmanndohn.unter,Proposed
Managementla norComputerSecurityCertificationfAirorceSystems,"MTR-10774,TheM ITRECorporation, edford,MA,November989.
Headquartersepartmentfheirorce,nformationystems:nformationSystemsSecurity,AFR700-10,5March985.
43
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
50/68
ISSORESPONSIBILITIESGUIDE
JointChiefsofStaff,Safeguardingth eSingleIntegratedOperationalPlan(SIOP)(U),MemorandumM JCS75-87,SECRET,20M ay987.
Jointhiefsftaff,ecurityolicyorheWMCCSntercomputeretwork,JCSPub.6-03.7,April988.
NationalomputerecurityenterNCSC),omputeriruses:revention,Detection,andTreatment,C1-TechnicalReport-001,2March990.
NationalComputerSecurityCenterNCSC),GlossaryofComputerSecurityerms,NCSC-TG-004,21October1988.
NationalComputerSecurityCenter, GuideoUnderstandingDataRemanencenAutomatedInformationSystems,NCSC-TG-025,September1991.
Nationalomputerecurityenter, uideonderstandingrustedacilityManagement,NCSC-TG-015,8October989.
Nationalomputerecurityenter,rustedetworknterpretationnvironmentsGuideline,NCSC-TG-011, ugust990.
NationalComputerSecurityCenter,rustedNetworknterpretationfherusted ComputerSystemEvaluationCriteria,NCSC-TG-005,July987.
Nationalnstituteftandardsndechnology,nitedtatesepartmentfCommerce,omputeratauthentication,ederalnformationrocessingSystemPublication(FIPSPU B)13,30M ay985.
Nationalnstituteftandardsndechnology,nitedtatesepartmentfCommerce,lossaryoromputerystemsecurity,IPSU B9,February1976.
Nationalnstituteftandardsndechnology,nitedtatesepartmentfCommerce,uidelineorutomaticatarocessingisknalysis,FIPSPUB 65,August979.
Nationalnstituteftandardsndechnology,nitedtatesepartmentfCommerce,uidelineoromputerecurityertificationndAccreditation,FIPSPUB02,27September983.
44
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
51/68
B IB L IO G R A PHY
Nationalnstituteftandardsndechnology,nitedtatesepartmentfCommerce,uidelinesorDPAutomaticatarocessing)ontingencyPlanning, IP SPUB87,27March981.
Nationalnstituteftandardsndechnology,nitedtatesepartmentfCommerce,uidelinesorSecurityofComputerApplications,IP SUB3,30 June980.
Nationalnstituteftandardsndechnology,nitedtatesepartmentfCommerce,verviewfomputerecurityertificationndccreditation,SpecialPublication(SPECPUB)500-109,April984.
Nationalnstituteftandardsndechnology,nitedtatesepartmentfCommerce,ecurityofPersonalComputerSystems: ManagementGuide,SPECPUB500-120,January1985.
Nationalnstituteftandardsndechnology,nitedtatesepartmentfCommerce,echnologyssessment:MethodsorMeasuringheevelfComputerSecurity,SPECPUB500-133,October1985.
Nationalecuritygency/CentralecurityerviceNSA/CSS),heSA/CSSOperationalomputerecurityanual,SA/CSSanual30-1,O U O ,17 October1990.
Nationalecuritygency/Centralecurityervice,ecurityorutomatedInformationSystemsandNetworks,NSA/CSSDirective0-27,4January1990.Nationalecuritygency,nformationystemecurityroductsndervices
Catalogue,quarterlyupdates. Thecataloguecontainsth efollowing:CryptographicProductsListEndorsedDataEncryptionStandard(DES)ProductsListProtectedServicesListEvaluatedProductsListU.S.GovernmentPreferredProductsListDegausserProductsList
45
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
52/68
ISSORESPONSIBILITIESGUIDE
Nationalelecommunicationsndnformationystemsecurityommittee,AdvisoryMemorandumnfficeutomationecurityuideline,ationalTelecommunicationsndnformationSystemsSecurityAdvisoryMemorandum(NTISSAM)COMPUSEC/1-87,6January1987.
Nationalelecommunicationsndnformationystemsecurityommittee,TEMPESTountermeasuresoracilitiesU),ationalelecommunicationsandnformationystemsecuritynstructionNTISSI)000,ECRET,17October1988.
OfficefManagementndudgetOM B),nternalControlSystems,OM BCircularNo.A-123,983.
OfficefManagementandudget,ManagementofFederalInformationResources,OM BCircularNo .A-130,December1985.
Officefheresident,ationalolicyorheecurityfationalecurityTelecommunicationndnformationystemsU),ationalecurityirective (NSD)42,CONFIDENTIAL , July1990.
Officefheresident,ationalolicynelecommunicationsndutomatedInformationystemsecurity,ationalecurityecisionirectiveNSDD)145,7September1984.
Officefheecretaryfefense,utomatednformationystemecurity,MemorandumorheMembersfheilitaryDepartments,hairmanfheJointChiefsofStaff,UnderSecretariesofDefense,GeneralCounsel,nspectorGeneral,Assistantstoth eSecretaryfDefense,ndDirectorsfth eDefenseAgencies,985.
46
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
53/68
REFERENCES1.ationalomputerecurityenterNCSC),lossaryfomputerecurity
Terms,NCSC-TG-004,Version-1,21October1988.2.epartmentfefenseDOD),ecurityequirementsorutomatedInformationSystems(AISs),DO DDirective5200.28,21March988.3.epartmentfefense,epartmentfDefenserustedomputerystem
EvaluationCriteria,DOD5200.28-STD,5August1983.4.ationalomputerecurityenter,rustedetworknterpretationfhe
TrustedComputerSystemEvaluationCriteria,NCSC-TG-005,July1987.5.epartmentfefense,nformationecurityrogramegulation,DOD5200.1-R,June986.6.epartmentfefenseomputerecurityenter,omputerecurity
Requirements-GuidanceorpplyingheepartmentfefenserustedComputerystemvaluationriterianpecificnvironments,CSC-STD-003-85,25June985.
7.irectorfentralntelligence,ecurityolicyorniformrotectionfIntelligencerocessednutomatednformationystemsndNetworksU),DCID1/16,SE CRE T,- 9 July988.
47
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
54/68
ACRONYMSADP ADPSO ADPSSO AFR A IS AR
AutomaticDataProcessingADPSecurityOfficerAD PSystemSecurityOfficerAirForceRegulationAutomatedInformationSystem ArmyRegulation
BCSSM BCSSO
BaseCommunications-ComputerSystemsSecurityManagerBaseCommunications-ComputerSystemsSecurityOfficer
CFM CISSM COMNAVCOMTELCOM COMPUSEC COMSEC COTS CSSM CSSO CSTVRP CSWG
ComputerFacilityManagerComponentInformationSystemSecurityManag erCommander,NavalComputerandTelecommunicationsCommandComputerSecurityCommunicationsSecurityCommercial-Off-The-ShelfCommunications-ComputerSystemSecurityManagerComputerSystemSecurityOfficerComputerSecurityTechnicalVulnerabilityReporting Program ComputerSecurityWorkingGroup
DAA DAC DCID
DesignatedApprovingAuthority/DesignatedAccreditationAuthorityDiscretionaryAccessControlDirectorofCentralIntelligenceDirective
49
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
55/68
ISSORESPONSIBILITIESGUIDE
DES DataEncryptionStandard DIA DefenseIntelligenceAgencyDIAM DefenseIntelligenceAgencyManualDO D DepartmentofDefenseDODD DepartmentofDefenseDirective
EO ExecutiveOrderEPL EvaluatedProductsList
FIPSPUB FederalInformationProcessingSystemPublicationFOIA FreedomofInformationAct
l& A IdentificationandAuthenticationISSM InformationSystemSecurityManag erISSO InformationSystemSecurityOfficerISSPM InformationSystemSecurityProgramManager
M AC MandatoryAccessControlM ACOM MajorArmyCommandM AJCOM MajorCommand(AirForce)MCSSM MAJCOMCSSM MDIC MilitaryDepartmentIntelligenceOfficerMLS MultilevelSecurityMSO MediaSanitationOfficer
NNACSINCSCNM
NotClassifiedbutSensitiveNationalCommunicationsSecurityInstructionNationalComputerSecurityCenterNetworkManag er
50
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
56/68
ACRONYMS
NSA NSD NSDD NSM NSO NST ISSAM NSTISSD NSTISSINSTISSP NTCB NT ISSAM NTISSD NTISSINTISSP
NationalSecurityAgencyNationalSecurityDirectiveNationalSecurityDecisionDirective NetworkSecurityManagerNetworkSecurityOfficerNationalSecurityTelecommunicationsandnformationSystemsSecurityAdvisoryMemorandumNationalSecurityTelecommunicationsandInformationSystemsSecurityDirective NationalSecurityTelecommunicationsandInformationSystemsSecurityInstructionNationalSecurityTelecommunicationsandInformationSystemsSecurityPolicyNetworkTrustedComputingBaseNationalTelecommunicationsandInformationSystemsSecurityAdvisoryMemorandumNationalTelecommunicationsandInformationSystemsSecurityDirectiveNationalTelecommunicationsandInformationSystemsSecurityInstructionNationalTelecommunicationsandInformationSystemsSecurityPolicy
OMB OPNAVINST
OfficeofManagementandBudgetChiefofNavalOperationsInstruction
PM ProgramManager
Rl RiskIndex
51
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
57/68
ISSORESPONSIBILITIESGUIDE
SAPI SpecialAccessProgramfo rIntelligenceSC I SensitiveCompartmentedInformationSFUG SecurityFeaturesUser'sGuideSIO SeniorIntelligenceOfficerSIOP-ESI SingleIntegratedOperationalPlan-ExtremelySensitive InformationSPECPUB SpecialPublicationSP M SecurityProgramManag erSS M SystemSecurityManager
TASO TerminalAreaSecurityOfficerTCB TrustedComputingBaseTCSEC TrustedComputerSystemEvaluationCriteriaTEMPEST (Notanacronym)TFM TrustedFacilityManualTN I TrustedNetworkInterpretationTNIEG TrustedNetworkInterpretationEnvironments
Guideline
W W M C C S WorldwideMilitaryCommandandControlSystem
52
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
58/68
GLOSSARY Aftereachdefinition,thesourceislisted.Access .specifictypefnteractionetween ubjecti.e.,erson,rocess,rinputdevice)andanobject(i.e.,nAISresourcesuchasarecord,ile,rogram,routputdevice)thatresultsintheflowofinformationfromonetotheother.lso,theabilityndpportunityobtainnowledgeflassified,ensitivenclassified,runclassifiedinformation.(DODD5200.28)Accountabi l i ty .heropertyhatnablesctivitiesnnISoeracedoindividualswhom ayheneeldesponsibleorheirctions.D O D D200.28;AFR205-16)Accreditation.formaldeclarationbyth eD AAthatth eAISisapprovedtooperateinaparticularsecuritymodesing prescribedetofsafeguards.ccreditationsthefficialmanagementuthorizationorperationfn ISndsasednhecertificationprocessaswellasothermanagementconsiderations. (DODD5200.28) AdministrativeSecur i ty .hemanagementonstraintsndupplementalontrolsestablishedtoprovidenacceptableevelfprotectionfordata.ynonymouswithproceduralsecurity. (NCSC-TG-004-88)AuditTrail.hronologicalecordfystemctivitieshatsufficientonablethereconstruction,eviewing,andexaminationofthesequenceofenvironmentsandactivitiesurroundingreadingonperation, rocedure,rnventntransactionfromitsinceptiontofinalresults. (DODD5200.28;IP SPUB39)Authenticate.ostablishhealidityf laimeddentity.DO D200.28-STD;JCSPUB6-03.7)Authorization.rantingheightfccesso ser, rogram,r rocess.(FIPSPUB39)
53
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
59/68
ISSORESPONSIBILITIESGUIDE
AutomatednformationystemAIS) .nssemblyfomputerardware,f irmware,ndoftwareonfiguredoollect,reate,ommunicate,ompute,disseminate,rocess,tore,nd/orontrolatarnformation.D O D D200.28;DCID/16)Certi fication.heechnicalvaluation,adesartfndnupportfheaccreditationrocess,hatstablisheshextentohich articularomputersystemretworkdesignndmplementationmeet re-specifiedetfecurityrequirements. (A R380-19;DODD5200.28)Classifiednformation.nformationrmaterialhatsa)wnedy,roducedorory,rnderheontrolfhe.S .overnment;ndb)eterminednderExecutiveOrder2356,rriorrder,DOD200.1 -R ,oequirerotectiongainstunauthorizeddisclosure;and(c )sodesignated. (DODD5200.28)Closedecuritynvi ronment .nnvironmenthatncludeshoseystemsnwhichbothofth efollowingconditionsholdtrue:
a.pplicationdevelopers(includingmaintainers)havesufficientclearancesandauthorizationsorovidencceptableresumptionhatheyaveotintroducedmaliciousogic.ufficientlearancesefinedsollows:hereth em axi m u mlassificationfataoerocessedsonfidentialrelow,developersreclearednduthorizedotheameevelshemostensitivedata;wherehem axi m u mlassificationfataoerocessedsSecretrabove,developershaveatleastaSecretclearance.b.onfigurationontrolrovidesufficientssurancehatpplicationsre protectedgainsthentroductionfaliciousogicrioronduringoperationofsystemapplications. (CSC-STD-003-85;CSC-STD-004-85)
CommunicationsSecurity(COMSEC).heprotectionthatnsurestheauthenticityoftelecommunicationsndwhichesultsro mheapplicationfmeasuresakenodenynauthorizedersonsnformationfaluewhichighteerivedro mheacquisitionoftelecommunications. (FIPSPUB39)
54
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
60/68
GLOSSARY
CompartmentedMode .n ISsperatingnompartmentedmodewhenachuserwithirectrndirectaccessohe IS ,tseripherals,emoteerminals,rremotehosts,asallofth efollowing:
a.validpersonnelclearanceforth emostestrictednformationprocessednth eAIS.b.ormalaccesspprovalor,ndasignedondisclosuregreementsorthatinformationtowhichhe/sheistohaveaccess.c.valideed-to-knowfo rthatinformationtowhiche/shestoaveaccess.(NCSC-TG-004-88)
Compromis ingmanations.nintentionalataelatedrntelligence-bearingsignalshich,fnterceptedndnalyzed,isclosehelassifiednformationtransmissioneceived,andledrtherwiserocessedynynformationprocessingequipment. (A R380-19;NCSC-TG-004-88;AFR205-16)ControlledMode .hem odeofoperationthatisatypeofmultilevelecuritymodeinwhich moreimitedm ou ntftrustslacednheardware/softwareasefth eystem,ithesultantestrictionsnhelassificationevelsndlearancelevelsthatm aybesupported. (CSC-STD-003-85)Countermeasure.nyction,evice,rocedure,echniquerothermeasurehatreducesthevulnerabilityoforthreattoasystem. (NCSC-TG-004-88)Coverthannel .ommunicationshannelhatl lows rocessoransferinformationnannerhatiolatesheystem'securityolicy.(DOD5200.28-STD;AFR205-16)Data.epresentationfacts,oncepts,nformation,rnstructionsuitableorcommunication,nterpretationrrocessingyumansrynIS.(DODD5200.28)Datawner.heuthority,ndividual,rrganizationhoasriginalresponsibilityfo rth edatabystatute,executiveorder,ordirective. (DODD5200.28)
55
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
61/68
ISSORESPONSIBILITIESGUIDE
Declassification.nadministrativedecisionrproceduretoemovereduceth esecurityclassificationofthesubjectmedia. (NCSC-TG-004-88)Dedicatedecurityode.odefperationhereinllsersaveheclearanceorauthorization,documentedformalaccessapproval,frequired,ndtheneed-to-knowforal lataandledyth e IS .fth eAISprocessespecialaccessinformation,llsersequireormalccesspproval.nheedicatedm ode,nAISayandle inglelassificationevelnd/orategoryfnformationrrangeofclassificationlevelsand/orcategories.DODD5200.28)Degauss.opply ariable,lternatingurrentAC)ieldorheurposefdemagnetizingagneticecordingedia,suallyapes.herocessnvolves increasingheCieldraduallyro merooomemaximumaluendackozero,hicheaves eryowesiduefagneticnductionnheedia.(FIPSPUB39)Denia lofService.ctionrctionshatesultnhenabilityfn ISrnyessentialartoerformtsesignatedission,itheryossregradationfoperationalcapability. (DODD5200.28)DesignatedpprovinguthorityDAA) .hefficialhoasheuthorityodecidencceptingheecurityafeguardsrescribedornISrhefficialwhoayeesponsibleorssuingnccreditationtatementhatecordshedecisionoaccepthoseafeguards.heDAAm u stetnrganizationalevelsuchthatheorsheha sauthoritytoevaluatetheoverallmissionrequirementsofth eAISndorovideefinitivedirectionso ISdevelopersrownerselativeoheriskinth esecuritypostureoftheAIS. (DODD5200.28)Emissionecur i ty .herotectionesultingro mlleasuresakenoenyunauthorizedersonsnformationfvaluethatmighteerivedro mnterceptndfromananalysisofcompromisingemanationsfromsystems. (NCSC-TG-004)EvaluatedProductsList(EPL) .documentedinventoryofequipments,ardware,software,nd/orirmwarehataveeenvaluatedgainsthevaluationriteriafoundinDOD5200.28-STD. (DODD5200.28)
56
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
62/68
GLOSSARY
Forma!AccessApproval .ocumentedpprovalyadataownertollowaccesstoaparticularcategoryofinformation. (DODD5200.28)Identi fication.heprocessthatenables,enerallyythesefniquemachine-readableames,ecognitionfsersresourcessdenticalohosereviouslydescribedtoanAIS. (DOD5200.28-M)Information System SecurityOfficer( ISSO).personresponsibletotheDAAforensuringhatecuritysrovidedorndmplementedhroughouttheifeyclefan ISro mheeginningfheonceptevelopmenthasehroughtsesign,development,operation,maintenance,andsecuredisposal. (DODD5200.28)InformationystemsecurityINFOSEC).ompositefeansorotecttelecommunicationsystemsndutomatednformationystems,ndheinformationtheyprocess. (A R380-19)Isolation.heontainmentfsersndesourcesnn ISnuch wayhatusersandprocessesreeparatero mneanotheraswellsro mherotectioncontrolsoftheoperatingsystem. (FIPSPUB39)LeastPrivi lege.hisrincipleequireshatachubjectn ystemerantedtheostestrictiveetfrivilegesorowestlearance)eededorheperformanceofauthorizedtasks.heapplicationfthisprincipleimitsthedamagethatcanresultfromaccident,error,orunauthorizeduse. (DOD5200.28-STD)Multi levelecure.lassfystemontainingnformationithifferentsensitivitieshatimultaneouslyermitsccessysersithifferentecurityclearancesndeed-to-know,utreventssersrombtainingccessoinformationfo rwhichtheylackauthorization. (DOD5200.28-STD)Multilevelecureode.odefperationhatllowswororeclassificationevelsfnformationoerocessedimultaneouslywithinheam esystemhenotllsersave learance,uthorization,rormalccessapprovalforal linformationhandledbyth eAIS. (DODD5200.28)Need-To-Know.heecessityorccesso,nowledgef,rossessionfspecificinformationrequiredtocarryoutofficialduties. (NCSC-TG-004-88)
57
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
63/68
ISSORESPONSIBILITIESGUIDE
Network.etworksomposedf ommunicationsediumndllcomponentsttachedohatediumhoseesponsibilitysheransferencefinformation.uchomponentsayncludeISs,acketwitches,telecommunicationsontrollers,eyistributionenters,ndechnicalontroldevices. (DODD5200.28)NetworkTrustedComput ingBase(NTCB) .hetotalityofprotectionmechanismswithinetworkystem includingardware,irmware,ndoftwarethecombinationofwhichisresponsiblefo renforcingasecuritypolicy.heNTCBisth enetworkgeneralizationofth etrustedcomputingbase(TCB). (NCSC-TG-011)OpenSecurityEnvi ronment .nenvironmentthatincludesthosesystemsinwhichoneofth efollowingconditionsholdstrue:
a.pplicationevelopersincludingaintainers)ootaveufficientclearanceorauthorizationtorovideanacceptablepresumptionthattheyavenotntroducedaliciousogic.Seelosedecuritynvironmentornexplanationofsufficientclearance.)b.onfigurationontroldoesotrovideufficientassurancethatapplicationsareprotectedgainstth entroductionfmaliciousogicriortonduringheoperationofsystemapplications. (NCSC-TG-004-88)
Orangeook.ommonam eorepartmentfefenserustedomputerSystemEvaluationCriteria,DOD5200.28-STD. Parti t ionedMode .modefperationnwhichllersonsavehelearance,butotecessarilyheeed-to-knowndormalccesspproval,orllata handledyth eAIS.hismodeencompassesompartmentedmodesefinedyDCID/16. (DODD5200.28)Password.rivateharactertringhatssedouthenticatendentity.(DOD5200.28-STD)
58
7/30/2019 NCSC-TG-027 a Guide to Understanding ISSO Responsibilites for Automated Information Systems
64/68
GLOSSARY
Per iodsProcessing.ecuritymodefperationnd/orm axi m u mlassificationofdatahandledsestablishedforanntervalft ime,thenhangedorth efollowing intervalfime.heeriodxtendsro mheim ewhenheystemsecurelyinitializedtoth etimewhenthesystemspurgedfallensitivedatahandleduringth eprocessi