For Security Professionals 1 INFORMATION SYSTEM SECURITY SECURITY.


1 For Security Professionals 1 INFORMATION SYSTEM SECURITY SECURITY

2 Objectives o Discuss the principles of Computer Security o Identify required IS security documentation o Identify the purpose of a System Security Plan (SSP)

3 Foundations of Computer Security Confidentiality Integrity Availability C I A Paragraph NISPOM

4 CONFIDENTIALITY PROTECTION OF DATA IN OR PROCESSED BY THE COMPUTER SYSTEM FROM DISCLOSURE

5 INTEGRITY Protection of data and software used or processed on classified systems. FROM: MANIPULATION DELETION

6 AVAILABILITY Protecting the computer from malicious logic or natural disasters

7 Protection Levels NISPOM PL-3 Compartmented PL-2 System High PL-1 Dedicated

8 Protection Level (PL) 1 Dedicated Security Mode Clearance, N-T-K and, if applicable, all formal access approvals for all information TS

9 Protection Level (PL) 2 System High Security Mode Clearance and access approvals for all information but with different N-T-K TS a b

10 Protection Level (PL) 3 Compartmented Security Mode Clearance for most restrictive information, but different formal access approvals TOP SECRET TS- NATO SAP CRYPTO NATO CNWDI

11 Confidentiality Matrix TABLE 5 - Protection Profile Table for Confidentiality

12 Levels of Concern Confidentiality
Level of Concern: Qualifiers
High: TOP SECRET and SECRET Restricted Data (SIGMAs 1,2,14,15)
Medium: SECRET; SECRET Restricted Data
Basic: CONFIDENTIAL

13 Integrity Matrix Must be contractually imposed.

14 Levels of Concern Integrity Must be contractually imposed.

15 Availability Matrix Must be contractually imposed.

16 Levels of Concern Availability Must be contractually imposed.

17 Cognizant Security Agency Agencies of the Executive Branch authorized to establish an Industrial Security program. The agencies are: DoD, DoE, CIA, and NRC. a, NISPOM

18 Cognizant Security Office The entity designated by the Head of a CSA to administer industrial security on behalf of the CSA. a, NISPOM Performs oversight, program review, training, and certification and accreditation of ISs used by its contractors

19 Contractor Role Publish and promulgate an IS Security Policy Appoint and train an Information Systems Security Manager (ISSM) 8-101b, NISPOM

20 IS Security Manager (ISSM) o Not necessarily the Facility Security Officer (FSO) o Designated by Management o The CSA's point of contact for IS security o Generally a very nice guy

21 IS Security Officer (ISSO) Appointed by ISSM in facilities with multiple accredited IS Assists in day-to-day IS security operations Has PCL, NTK, and formal access approvals for all information processed on accredited IS Not so nice

22 Security Documentation NISPOM System Security Plan Profile Configuration Plan Risk Acceptance Letter Memorandum of Understanding Protected Distribution System

23 Basis for Accreditation Safeguards Documentation (SSP) Policy Evaluation of security risks

24 System Security Plan Defines Security Policy Includes Configuration Management Plan Covers the life-cycle of system Target audience includes users, system administrative, government, and security staff Best single security tool

25 Self-Certification Master/Profile Concept [Diagram labels: System Security Plan, MSSP, PP, SSP, PP]

26 Self-Certification Concept Profile Requirements o Same classification o Same PL level o Same Level of Concern o Same Environment o Approved O/S o Same system type o Approved TD o Approved Periods Processing o Approved Mobile Systems o Approved Test Equipment

27 Self-Certification Concept Not Authorized o SIPRNET o WAN self-certs o Systems requiring variances o Audit variances o Alternate TD procedures o Legacy O/S

28 SSP INCLUDES System Identification Purpose Security personnel System description Mission or purpose Architecture Classification Level Formal Access Approvals System requirements Personnel Clearance Level of Users Need to Know of Users Protection Level Physical controls Marking requirements a.(1)(a)

29 SSP-Protection Measures Audit Capabilities Access Controls Resource Controls System Recovery Security Testing Data Transmission I & A Session Controls System Assurance Physical Security

30 SSP-Protection Measures Trusted Downloading Software controls Media controls Maintenance Clearing and sanitization Self Inspections

31 SSP-Variances and RAL letters o Description of approved variances from protection measures o Attach documentation o Documentation of any unique threat or vulnerabilities to system o Document if none exists

32 SSP-May Also Include o MOU for connections to separately accredited networks & systems o Special purpose type systems o embedded systems o Other contractual issues

33 Audit Records o Who fills out what? o ISSOs & Users o What logs are required? - Manual o Maintenance o Hardware & Software o Upgrade/Downgrade o Sanitization o Weekly Audit Log o Seal Log (If Applicable) o Receipt/Dispatch (If Applicable)

34 Audit Records - contd o What logs are required - Automated o if technically capable o Successful and unsuccessful logons and logoffs o Unsuccessful accesses to security-relevant objects and directories, including: o creation o open o modification and deletion

35 Audit Records - contd o Changes in user authenticators, i.e., passwords o Denial of system access resulting from an excessive number of unsuccessful logon attempts. o If not technically capable, the Authorized Users list will be retained as an audit record

36 Re-Accreditation & Protection Measures o Re-Accreditation o Every Three Years o Major Changes o If no changes updated o SSP may not be required.

37 Passwords o Minimum 8* Characters o Classified to the highest level of the system o Changed at least every 365* days o Changed when compromised o Automated generation when possible

38 DoD Warning Banner o Required o Positive User Action o Prominently displayed

39 Login Attempts o Maximum of 5* attempts o Lockout for 15* minutes
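
Added example (not part of the original presentation): a sketch of how the lockout values on slide 39 and the automated audit records listed on slides 34 and 35 fit together. The event tuple format, the record names, the user names and the choice to lock on the fifth consecutive failure are assumptions made for illustration; the sample events are constructed.

```python
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                 # slide 39: maximum logon attempts
LOCKOUT = timedelta(minutes=15)  # slide 39: lockout duration

_T0 = datetime(2024, 1, 1, 9, 0)  # constructed start time
# Constructed sample input: (minutes after _T0, user, password accepted?)
SAMPLE_EVENTS = [(_T0 + timedelta(minutes=m), user, ok) for m, user, ok in [
    (0, "jdoe", False), (1, "jdoe", False), (2, "jdoe", False),
    (3, "jdoe", False), (4, "jdoe", False),     # fifth failure -> lockout
    (5, "asmith", False), (6, "asmith", True),  # one failure, then success
    (10, "jdoe", True),   # correct password, but still inside the lockout
    (20, "jdoe", True),   # lockout (09:04 + 15 min) has expired
]]

def audit_logons(events, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT):
    """Return audit records (time, user, event) for a time-ordered logon stream."""
    failures = {}      # user -> consecutive unsuccessful logons
    locked_until = {}  # user -> time at which the lockout expires
    records = []
    for ts, user, ok in events:
        # Denial of access caused by excessive unsuccessful logons (slide 35).
        if ts < locked_until.get(user, datetime.min):
            records.append((ts, user, "ACCESS_DENIED_LOCKED"))
            continue
        if ok:
            failures[user] = 0  # assumption: a success resets the counter
            records.append((ts, user, "LOGON_SUCCESS"))
            continue
        # Unsuccessful logons are audited as well as successful ones (slide 34).
        failures[user] = failures.get(user, 0) + 1
        records.append((ts, user, "LOGON_FAILURE"))
        if failures[user] >= max_attempts:
            locked_until[user] = ts + lockout
            failures[user] = 0
            records.append((ts, user, "ACCOUNT_LOCKED"))
    return records

if __name__ == "__main__":
    for ts, user, event in audit_logons(SAMPLE_EVENTS):
        print(ts.isoformat(" "), user, event)
```
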

40 Special Categories Section 5, Chapter 8 May not meet all NISPOM Requirements o Single-user Stand-alones o Only one user accesses system o Pure Servers o No user code on system o Tactical, Embedded Special-Purpose Systems o Configured as directed by customer Customer can require additional requirements above NISPOM

41 Clearing and Sanitization

42 Clearing Removal of data from an IS, its storage devices and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e., keyboard strokes). DCID 6/3

43 Sanitization The process of removing information from media or equipment such that data recovery using any known technique or analysis is prevented, as well as the removal of all classified labels and markings. DCID 6/3

44 Clearing and Sanitization Matrix o Hard drives o May be degaussed or destroyed at end of life cycle o CPUs o Remove power for one minute o Printers o Print one page (font test) then power down

45 Configuration Management Plan o Formal change control procedures for security-relevant hardware and software o Management of all documentation o Implement, test and verify CM plan

46 CM Plan Documents: o Procedures to identify and document type, model and brand of IS hardware o Procedures to identify and document product names and version or release numbers and location of security relevant software o System connectivity

47 Periods Processing o Separate Sessions o Different Classification Levels o Different Need-To-Know o Removable Media for each processing session

48 Summary o Principles of Computing Security o System Security Plan o Purpose o Contents o NISPOM = What o SSP = How


