Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY."— Presentation transcript:

1 1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY

2 Objectives  Discuss the principles of Computer Security  Identify required IS security documentation  Identify the purpose of a System Security Plan (SSP)  Discuss the principles of Computer Security  Identify required IS security documentation  Identify the purpose of a System Security Plan (SSP)

3 Foundations of Computer Security  Confidentiality  Integrity  Availability C I A

4 4 CONFIDENTIALITY PROTECTION OF DATA IN OR PROCESSED BY THE COMPUTER SYSTEM FROM DISCLOSURE

5 5 INTEGRITY PROTECTION OF ALL COMPONENTS OF HARDWARE AND SOFTWARE USED DURING CLASSIFIED PROCESSING FROM:  MANIPULATION  DELETION PROTECTION OF ALL COMPONENTS OF HARDWARE AND SOFTWARE USED DURING CLASSIFIED PROCESSING FROM:  MANIPULATION  DELETION

6 AVAILABILITY Protecting the computer from malicious logic or natural disasters Protecting the computer from malicious logic or natural disasters

7 Protection Levels NISPOM 8-402 PL-1 Dedicated PL-2 System High PL-4 Multilevel PL-3 Compartmented

8 Protection Level (PL) 1 Dedicated Security Mode  Clearance, N-T-K and, if applicable, all formal access approvals for all information TS

9 Protection Level (PL) 2 System High Security Mode  Clearance and access approvals for all information but with different N-T-K TS a b

10 Protection Level (PL) 3 Compartmented Security Mode  Clearance for most restrictive information, but different formal access approvals TOP SECRET TS- NATO SAP CRYPTO NATO CNWDI

11 Protection Level (PL) 4 Multilevel Security Mode  All users are cleared, but may not have a clearance for all levels of classified information on the IS TS S S S

12 Security Documentation NISPOM 8-610 ISSM SSPSecurityPolicy CM Plan

13 13 Confidentiality Matrix

14 14 Required Security Documentation  Information System Security Policy  Configuration Management Plan  System Security Plan (SSP)  Certification and Accreditation Documentation  Information System Security Policy  Configuration Management Plan  System Security Plan (SSP)  Certification and Accreditation Documentation 8-610

15 Basis for Accreditation  Documentation (SSP)  Analysis and evaluation of security risks  Safeguards associated with operation of the AIS  Documentation (SSP)  Analysis and evaluation of security risks  Safeguards associated with operation of the AIS

16 What is the purpose of an SSP?  Implements security policy  User’s How-To guide  “Inspection” guide  Implements security policy  User’s How-To guide  “Inspection” guide 8-610a(1) SSP

17 17 SSP INCLUDES  System Identification  Security personnel  System description  Mission or purpose  System architecture  block diagram  security support structure  System Identification  Security personnel  System description  Mission or purpose  System architecture  block diagram  security support structure 8-610a.(1)(a)

18 18 SSP Includes, cont  System Requirements  Classification Level (C-S-TS)  Personnel Clearance Level of Users  Need to Know of Users  Formal Access Approvals involved  Protection Level (PL1, 2, 3, or 4)  System Requirements  Classification Level (C-S-TS)  Personnel Clearance Level of Users  Need to Know of Users  Formal Access Approvals involved  Protection Level (PL1, 2, 3, or 4)

19 19 SSP-Protection Measures  Audit Capabilities  Access Controls  Resource Controls  System Recovery  Security Testing  Audit Capabilities  Access Controls  Resource Controls  System Recovery  Security Testing  Data Transmission  I & A  Session Controls  System Assurance  Physical Security

20 20 SSP-Protection Measures  Trusted Downloading  Software controls  Media controls  Maintenance  Clearing and sanitization  Self Inspections  Trusted Downloading  Software controls  Media controls  Maintenance  Clearing and sanitization  Self Inspections SSP B 4 U Can, Put It In The Plan!

21 21 SSP-Variances and Vulnerabilities  Description of approved variances from protection measures  Attach documentation  Documentation of any unique threat or vulnerabilities to system  Document if none exists  Description of approved variances from protection measures  Attach documentation  Documentation of any unique threat or vulnerabilities to system  Document if none exists

22 22 SSP-Might Also Include  MOU for connections to separately accredited networks & systems  Special purpose type systems  embedded systems  Other contractual issues  MOU for connections to separately accredited networks & systems  Special purpose type systems  embedded systems  Other contractual issues

23 23 Audit Records  Who fills out what?  ISSOs & Users  What logs are required? - Manual  Maintenance  Hardware & Software  Upgrade/Downgrade  Sanitization  Weekly Audit Log  Custodian  Seal Log (If Applicable)  Receipt/Dispatch (If Applicable)  Who fills out what?  ISSOs & Users  What logs are required? - Manual  Maintenance  Hardware & Software  Upgrade/Downgrade  Sanitization  Weekly Audit Log  Custodian  Seal Log (If Applicable)  Receipt/Dispatch (If Applicable)

24 24  What logs are required - Automated  if technically capable  Successful and unsuccessful logons and logoffs  Unsuccessful accesses to security-relevant objects and directories, including:  creation  open  modification and deletion  Changes in user authenticators, i.e., passwords  Denial of system access resulting from an excessive number of unsuccessful logon attempts.  If not technically capable, the Authorized Users list will be retained as an audit record  What logs are required - Automated  if technically capable  Successful and unsuccessful logons and logoffs  Unsuccessful accesses to security-relevant objects and directories, including:  creation  open  modification and deletion  Changes in user authenticators, i.e., passwords  Denial of system access resulting from an excessive number of unsuccessful logon attempts.  If not technically capable, the Authorized Users list will be retained as an audit record Audit Records - cont’d

25 25 Re-Accreditation & Protection Measures  Re-Accreditation  Every Three Years  Major Changes  Protection Measures  unique Identifier  individual User Ids and Authentication  passwords  Re-Accreditation  Every Three Years  Major Changes  Protection Measures  unique Identifier  individual User Ids and Authentication  passwords

26 26 Passwords  Minimum 8 Characters  Classified to the highest level of the system  Changed at least every 180 days  Changed when compromised  Automated generation when possible  Minimum 8 Characters  Classified to the highest level of the system  Changed at least every 180 days  Changed when compromised  Automated generation when possible

27 27 DoD Warning Banner  Required  Positive User Action  Prominently displayed  Required  Positive User Action  Prominently displayed

28 28 Login Attempts  Maximum of 5 attempts  Lockout after X minutes  SSP specific - DSS recommends 30 minutes  System Administrator resets account or account disabled for X minutes  SSP specific - DSS recommends 30 minutes  Maximum of 5 attempts  Lockout after X minutes  SSP specific - DSS recommends 30 minutes  System Administrator resets account or account disabled for X minutes  SSP specific - DSS recommends 30 minutes

29 29 Clearing and Sanitization  Hard drives  May be overwritten or destroyed  CPUs  Remove power for one minute  Printers  Print one page (font test) then power down  Hard drives  May be overwritten or destroyed  CPUs  Remove power for one minute  Printers  Print one page (font test) then power down

30 Clearing Removal of data from an IS, its storage devices and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e., keyboard strokes). DCID 6/3 Removal of data from an IS, its storage devices and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e., keyboard strokes). DCID 6/3

31 Sanitization The process of removing information from media or equipment such that data recovery using any known technique or analysis is prevented, as well as the removal of all classified labels and markings. DCID 6/3

32 32 Configuration Management Plan  Formal change control procedures for security- relevant hardware and software  Management of all documentation  Implement, test and verify CM plan  Formal change control procedures for security- relevant hardware and software  Management of all documentation  Implement, test and verify CM plan

33 33 CM Plan Documents:  Procedures to identify and document type, model and brand of IS hardware  Procedures to identify and document product names and version or release numbers and location of security relevant software  System connectivity  Procedures to identify and document type, model and brand of IS hardware  Procedures to identify and document product names and version or release numbers and location of security relevant software  System connectivity 8-311 ISL Q-45

34 34 Periods Processing  Separate Sessions  Different Classification Levels  Different Need-To-Know  Removable Media for each processing session  Separate Sessions  Different Classification Levels  Different Need-To-Know  Removable Media for each processing session

35 Summary  Principals of Computing Security  System Security Plan  Purpose  Contents  NISPOM = What  SSP = How  Principals of Computing Security  System Security Plan  Purpose  Contents  NISPOM = What  SSP = How SSP

36 36

Download ppt "1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY."

Similar presentations

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
For Security Professionals

For Security Professionals
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CSE331: Introduction to Networks and Security Lecture 34 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 34 Fall 2002.
ODAA Workshop December 2012 Charles Duchesne, DSS Tiffany Snyder, DSS

ODAA Workshop December 2012 Charles Duchesne, DSS Tiffany Snyder, DSS
What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie,

What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie,
ISFO – ODAA Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) Nov 2013 1 Nov 2013.

ISFO – ODAA Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) Nov Nov 2013.
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
Auditing Computer Systems

Auditing Computer Systems
MSIA 711 1 Introduction to Information Systems Security Training and Policy Week 1 Live Session Presentation.

MSIA Introduction to Information Systems Security Training and Policy Week 1 Live Session Presentation.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Information Systems Security Officer

Information Systems Security Officer
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Similar presentations

Ads by Google