APAN Group Owner Training

APAN Groups Overview FOUO PII Other types Information Categories Aggregate data impacts OPSEC Group Owner Responsibilities Business Rules Wrap up Conclusion

APAN Group Owner Training APAN Groups Overview What is APAN –  The All Partners Access Network (APAN) is an internet based network that facilitates a multinational communication & collaboration environment that allows selective sharing of knowledge and information among military, other government and non-government agencies in support of conferences, Humanitarian Assistance/Disaster Relief and Peace Keeping Operations. APAN Groups –  In order to logically separate data, Groups have been instituted for dedicated information sharing and access control. Each group will have a dedicated group owner in charge of the information posted to their respected portal.

APAN Group Owner Training FOUO PII Other types Information Categories Information Categories –  Data can fall under a variety of classifications, handling guidelines and protection mechanisms. Under the Unclassified data category, there are several well known handling categories such as For Official Use Only (FOUO), Personally Identifiable Information (PII), Health Insurance Portability and Accountability Act (HIPAA) & Sensitive But Unclassified (SBU).  Although all these categories are unclassified, each of these data types have their own unique criteria for ing, posting to web servers and dissemination. As a group owner, it is important to understand the proper DoD and USG guidelines and policy for handling this data.

APAN Group Owner Training FOUO Information Categories For Official Use Only (FOUO) –  FOUO is a document designation and not a classification. This is used by DoD and other federal agencies to identify information that is not appropriate for public release.  Posting of FOUO to web sites is restricted to web servers that have access controls restricted to user based PKI certificates. APAN servers are not certified for this.  ing of FOUO documents outside of DoD networks require encrypted communications, such as digitally signed and encrypted.  FOUO data must be encrypted at all times to protect the information and restrict its access.

APAN Group Owner Training PII Information Categories Personally Identifiable Information (PII) –  Information that can be used to distinguish or trace someone’s identity. Information such as SSN, age, home phone numbers, passport numbers, birthday or spouses name.  Mandates to protect come from Federal law (as defined in Privacy Act of 1974) and DoD guidance (OMB Circular A-130).  PII data must be encrypted at all times (when placed on a file or web server) and in transit (when ing).  PII data lost or stolen is considered a security breach. It is everyone’s responsibility to properly store, protect and safeguard PII data.

APAN Group Owner Training Aggregate data OPSEC Operational Security (OPSEC) -  While some unclassified data in and of itself does not pose an issue, the aggregate of several pieces of data can cause an OPSEC issue.  OPSEC denies the adversary the information needed to correctly assess friendly capabilities and intentions.  OPSEC is concerned with identifying, controlling, and protecting unclassified evidence that is associated with General military operations and activities. OPSEC and security programs must be closely coordinated to ensure appropriate aspects of military operations are protected.  OPSEC can be viewed like a puzzle: one piece of data on a document, in combination with another piece of data from another document can be combined to create an OPSEC picture by revealing the whole puzzle.

APAN Group Owner Training Aggregate data OPSEC (cont) Operational Security (OPSEC) – Examples of OPSEC critical information Politico-Military Crisis Management Military Intervention Mobilization Peacetime Weapons and Other Military Movements Command Post, Computer-Aided, and Field Training Exercises Participating units OPLANs, CONPLANs, or other contingencies that are being exercised Command relationships Communication systems connections and weaknesses Noncombatant Evacuation Operations (Permissive/Nonpermissive) Targets Forces Logistic constraints Safe havens Battlespace Awareness Counterdrug Operations Counterterrorism Open Hostilities Diplomatic Negotiations

APAN Group Owner Training Group Owner Responsibilities Business Rules APAN Groups business rules –  Each group owner is responsible for the authorization for access to their respective site and the data posted to the site.  Validate need-to-know prior to granting access  Limit the number of members who can post information  Ensure postings are appropriate  Review activity of users periodically  The APAN networks are certified and accredited up to Unclassified. APAN is not authorized to host, disseminate or handle FOUO, PII, SBU, HIPAA or any other types of special handling unclassified data.  Review content weekly  Limit the amount of personal information available via portal  Remove content that is FOUO/PII/inappropriate

APAN Group Owner Training Parting thoughts Conclusion APAN is a UNCLASSIFIED system, all data contained on the group sites should be publically releasable without violating Federal laws or DoD policies. It is everyone’s responsibility to ensure all the data residing on the APAN sites are cleared for public release. Group owners must be vigilant in identifying potential OPSEC violations. Groups that are found to repeatedly violate standards will be suspended, and group owner rights revoked pending refresher training and site “policing.”