DEPARTMENT OF DEFENSE DeCA DIRECTIVE 35-30 HEADQUARTERS DEFENSE COMMISSARY AGENCY Fort Lee VA 28301-6300 August 1, 1995. Information Management

DEPARTMENT OF DEFENSE
DeCA DIRECTIVE 35-30
HEADQUARTERS DEFENSE COMMISSARY AGENCY, Fort Lee VA
August 1, 1995

Information Management
INFORMATION SYSTEMS SECURITY (INFOSEC) AWARENESS TRAINING DIRECTIVE

BY ORDER OF THE DIRECTOR
RALPH R. TATE, Chief, Safety, Security and Administration
RONALD P. McCOY, Colonel, USAF, Chief of Staff

AUTHORITY: The Defense Commissary Agency Directives Management Program is established in compliance with DoD Directive , Defense Commissary Agency (DeCA), November .

MANAGEMENT CONTROLS: This directive contains Management Control provisions that are subject to evaluation and testing as required by DeCAD 70-2 and as scheduled in DeCAD . The OPR is responsible for conducting the evaluation, testing controls, and documenting the evaluation. The Assessable Unit Manager for testing the controls addressed in this directive is the OPR.

APPLICABILITY: This directive applies to Defense Commissary Agency (DeCA) activities.

HOW TO SUPPLEMENT: Regions may not supplement this directive.

HOW TO ORDER COPIES: Stores needing additional copies will submit requirements on DeCA Form to Region/IM. Regions will consolidate requirements and order per the published schedule.

SUMMARY: This directive sets forth the policies and procedures that will be used for the operation of the DeCA Computer Security Awareness Training Program.

SUPERSEDES: DeCAD 30-19, Information Systems Security (INFOSEC) Awareness Training Directive, dated September 1, 1994.

OFFICE OF PRIMARY RESPONSIBILITY (OPR): HQ DeCA/IMP
COORDINATORS: DeCA/DP
DISTRIBUTION: E

TABLE OF CONTENTS

Chapter 1 - Introduction
    PURPOSE
    SCOPE
    BACKGROUND
    REFERENCES
    DEFINITIONS
    TRAINING OBJECTIVES

Chapter 2 - Training Audiences
    TRAINING AUDIENCES
    SENIOR EXECUTIVES
    FUNCTIONAL MANAGERS
    IM AND SYSTEMS DEVELOPMENT PERSONNEL
    COMPUTER SECURITY PERSONNEL
    END USERS

Chapter 3 - Training Levels and Subjects
    TRAINING LEVELS AND SUBJECTS
    TRAINING LEVELS
    TRAINING SUBJECT AREAS
    TRAINING AUDIENCE/SUBJECT RELATIONSHIPS

Chapter 4 - Training Methods
    TRAINING METHODS

Chapter 5 - Responsibilities
    DIRECTORATE OF INFORMATION RESOURCES MANAGEMENT (IM)
    DIRECTORATE OF PERSONNEL & MANPOWER (DP)
    SERVICING CIVILIAN PERSONNEL OFFICES
    MANAGEMENT PERSONNEL
    COMPUTER SECURITY PERSONNEL
    DeCA EMPLOYEES
    REGIONAL DIRECTORS
    DISTRICT DIRECTORS
    COMMISSARY OFFICERS
    FUNCTIONAL PROPONENT ORGANIZATIONS

APPENDIXES
    A. REFERENCES
    B. DEFINITIONS AND ACRONYMS
    C. RELATIONSHIPS BETWEEN TRAINING AUDIENCES AND TRAINING SUBJECTS

Chapter 1
INTRODUCTION

1-1. PURPOSE. This directive provides the fundamental concepts, audience categories, and training subjects required to implement a Defense Commissary Agency (DeCA) Computer Security Awareness Training Program (CSATP). The program is intended for all DeCA and contractor personnel who use DeCA computer resources. The goal is to raise the level of automated information system (AIS) security within DeCA and to ensure that computer resources are used properly, securely, and in accordance with Federal and DeCA policies.

SCOPE. The computer security awareness training guideline applies to all DeCA organizations. This directive ensures that DeCA satisfies the requirements of the Computer Security Act of 1987 (PL ); Office of Management and Budget (OMB) Circular A-130, Appendix III, "Security of Federal Automated Information Systems"; DOD Directive , "Security Requirements for Automated Information Systems (AISs)"; and DeCA Directive 30-10, "INFOSEC Program Guideline", 9 September 1994 (Draft).

BACKGROUND. In December 1985, OMB issued Circular A-130, "Management of Federal Information Resources." Appendix III to Circular A-130 contains specific INFOSEC requirements for Federal systems that process sensitive but unclassified information. One of those requirements calls for Federal agencies to establish a security awareness and training program. In 1987 Congress passed the Computer Security Act, PL , which requires computer security awareness training. PL applies only to systems that process sensitive but unclassified information. It requires "mandatory periodic training for all persons involved in management, operation, or use of Federal computer systems that contain sensitive information." In March 1988, DOD Directive was published, requiring DOD components to "establish and maintain an AIS security training and awareness program for all DOD military, civilian, and contractor personnel requiring access to AISs."

a. To help government agencies develop and implement a computer security awareness training program, the National Institute of Standards and Technology (NIST) prepared Special Publication , Computer Security Training Guidelines, in . That publication placed employees to receive training into five categories:
    Executives.
    Program/Functional Managers.
    Information Resources Management (IM), Security, and Audit Personnel.
    ADP Management, Operations, and Programming Staff.
    End Users.

b. The audience categories were based on the concept that employees within a given category generally need to know or be able to perform the same or similar types of tasks. The publication also divided the training content or subject matter into five areas:
    Computer Security Basics.
    Security Planning and Management.
    Computer Security Policy and Procedures.
    Contingency Planning.
    Systems Life Cycle Management.

c. However, since the different audience categories do not all need the same depth of knowledge of the training subject areas, the NIST publication created levels of training (see Appendix C):
    Awareness.
    Implementation.
    Performance.
    None.

d. The combination of audience categories, training subject areas, and levels of training was illustrated graphically in the NIST publication as a matrix. The final section of the NIST publication outlines training subjects for each audience class. By using these outlines, a government agency can develop a general awareness training program.

e. Computer security awareness training is vital to DeCA's computer security program. It addresses three general areas of concern: protecting computer resources from abuse and misuse; protecting sensitive information from unauthorized access, disclosure, alteration, destruction, and improper use; and ensuring that applications performing mission critical functions are not subject to processing delays. Employees who understand their responsibilities, the need for security, and how their actions contribute to security can reduce risks to DeCA information and systems. This directive is intended to bring about that awareness and knowledge.

REFERENCES. References used in this document are listed in Appendix A.

DEFINITIONS. Definitions and acronyms used in this document are found in Appendix B.

TRAINING OBJECTIVES. The following training objectives are established for the DeCA computer security awareness training program:

a. Upon completing the training, all attendees will be able to:
(1) Identify general automated information systems security threats and vulnerabilities.
(2) Discuss the basic DeCA INFOSEC requirements.
(3) Demonstrate effective computer security techniques for DeCA systems.
(4) Identify their ISSO and their TASO, as applicable.

b. Upon completing the training, DeCA senior executives and functional management personnel will be able to:
(1) Discuss management computer security responsibilities.
(2) Explain the security life cycle process for systems development.
(3) Identify the certification and accreditation requirements for a DeCA AIS.
(4) Discuss the roles and responsibilities of the DeCA CISSM, ISSMs, an ISSO, an NSO, and a TASO.
(5) Discuss the contents of the DeCA AIS security policy guideline.

c. Upon completing the training, the DeCA CISSM, ISSMs, ISSOs, NSOs, and TASOs will be able to:
(1) Discuss in detail the roles and responsibilities of DeCA security officers.
(2) Identify the certification and accreditation requirements for a DeCA AIS.
(3) Explain the purpose and conduct of a risk analysis.
(4) Explain the various types of contingency plans and their purpose.

d. Upon completing the training, DeCA computer operations and development personnel will be able to:
(1) Explain the security life cycle process for systems development.
(2) Identify the certification and accreditation requirements for a DeCA AIS.

e. Upon completing the training, DeCA end users will be able to:
(1) Demonstrate proper log-on procedures.
(2) Discuss password security requirements.
(3) Discuss good personal computer security practices.

Chapter 2
TRAINING AUDIENCES

2-1. TRAINING AUDIENCES. All users of DeCA computer systems, regardless of rank or position, require a basic level of knowledge of computer security techniques. Beyond that basic knowledge, the specialized security knowledge required of a DeCA employee varies with his or her rank or position. For example, a data entry clerk at a commissary store does not need any knowledge of the security life cycle development process, whereas a management employee does, and a software development employee should know the subject in detail. All recommended training, to ensure implementation of computer security, must be supported by management personnel. The following paragraphs describe the DeCA audience categories.

SENIOR EXECUTIVES. Senior executives are responsible for setting DeCA policies, assigning responsibilities for meeting those policies, determining acceptable levels of risk, and providing resources and support for the DeCA computer security program. Their training should focus on creating awareness and knowledge of Federal law and policies related to INFOSEC. They must also understand the certification and accreditation process for AISs.

HEADQUARTERS FUNCTIONAL MANAGERS. These individuals have a program or functional responsibility within DeCA other than computer security, i.e., commissary officers, headquarters and regional staff, and section or branch heads. Functional managers are involved primarily in DeCA policy and administration functions. Accordingly, their training should be broad, focusing on how their functional responsibilities interact with the objectives of the DeCA computer security program. Functional managers usually own the data and are responsible for designating the sensitivity and criticality of the information in their systems. They are also responsible for implementing contingency plans to ensure continued availability of their data. Their training should demonstrate how computer security and contingency planning figure in the day-to-day operations of their organizations.

IM AND SYSTEMS DEVELOPMENT PERSONNEL. Individuals within this category are involved daily with managing DeCA's automated information resources or with testing and developing new or improved systems. These individuals are expected to be the most familiar with the DeCA systems. IM personnel are responsible for providing integrated IM services and support to DeCA. They prepare and issue procedures, guidelines, and standards, develop systems throughout the agency, and coordinate administrative and logistical support of DeCA ISs. Individuals within this category provide secure, timely automated data processing (ADP) support to all DeCA users.

COMPUTER SECURITY PERSONNEL. This category includes the DeCA CISSM, ISSMs, ISSOs, NSOs, TASOs, and CSATP monitors. These individuals are responsible for overseeing the day-to-day secure operation of DeCA automated systems. Their training should be in depth because they perform tasks requiring the implementation of computer security. They provide technical security assistance to users, enforce the DeCA security policy guidelines, perform or supervise risk analyses, and develop or coordinate the development of contingency plans. They oversee the certification and accreditation effort for those systems under their direct supervision and control. They are also responsible for the expeditious and secure handling of automated information security incidents.

END USERS. End users are all DeCA employees who have access to any DeCA computer system, including standalone personal computers. End users use the computer full- or part-time to perform their job-related tasks. Everyone in the previously identified training audiences would normally receive instruction in the audience category related to his or her primary job. The knowledge required of end users is also required of all DeCA users; it might be considered the core knowledge of this program.

Chapter 3
TRAINING LEVELS AND SUBJECTS

3-1. TRAINING LEVELS AND SUBJECTS. DeCA employees require different levels of knowledge about a particular subject. Not every training level is needed for a given audience on a given content area. This chapter identifies three training levels for the subjects. It also identifies and discusses the general training subjects to be included in the DeCA computer security awareness training program.

TRAINING LEVELS. The three training levels for the DeCA program are:

a. Awareness. The awareness level creates a sensitivity to the subject matter. The employee recognizes the need to protect data and information.

b. Implementation. Provides the ability to recognize and assess threats and vulnerabilities to automated information resources so that employees can set security requirements which implement agency security policies. The end-user audience category is the only audience category not involved in implementing subject matter.

c. Performance. At the performance level of understanding, an employee is expected to have the skill to execute computer security practices and procedures. The employee understands the subject in detail and can properly demonstrate the required skills and knowledge of a particular subject matter. It may require education in basic principles and training in state-of-the-art applications.

d. None. Not required for a specific combination of training audience and training subject.

TRAINING SUBJECT AREAS. The following training subject areas shall be incorporated into the DeCA computer security awareness training program. The subject areas are listed in the order in which they should be covered, but the order of presentation is not mandatory.

a. Reasons for Security. This subject area makes employees sensitive to and aware of the need for computer security. It relates how DeCA organizations, systems, and individuals are affected if computer security is not adequately maintained. Illustrative examples of problems on Federal systems may be used to reinforce the need for security.

b. Federal Laws and Policies. Pertinent laws and policies should be identified in this subject area, with emphasis on those that directly relate to DeCA automated systems. The amount of detail presented for this subject area will vary significantly by target audience. Information within this training area may include the following:
(1) Privacy Act of 1974 (PL ).
(2) Federal Managers' Financial Integrity Act of 1982 (PL ).
(3) Computer Fraud and Abuse Act of 1986 (PL ).
(4) Computer Security Act of 1987 (PL ).
(5) Computer Matching and Privacy Protection Act (PL ).

(6) OMB Circular A-127, "Financial Management Systems."
(7) OMB Circular A-130, "Management of Federal Information Resources."

c. DOD and DeCA Policies. The DOD and DeCA policies directly related to information security should be covered. The amount of detail presented for this subject area will vary by target audience. Information within this subject area may include (but is not limited to) the following:
(1) DODD , "Security Requirements for Automated Information Systems."
(2) DODD , "Life-Cycle Management (LCM) of Automated Information Systems (AISs)."
(3) DeCAD 30-8, "Automated Information Systems (AIS) Testing Procedures."
(4) DeCAD 30-9, "Configuration Management for Automated Information Systems (AIS)."
(5) DeCAD 30-10, "INFOSEC Program Guideline", 9 Sep 1994 (Draft).

d. Guidelines and Standards. Other Federal guidelines and standards related to INFOSEC fall within this subject area. The amount of detail presented for this subject area will also vary by target audience. Information within this subject area may include (but is not limited to) the following:
(1) NIST standards and guidelines.
(2) National Computer Security Center (NCSC) reports.
(3) Office of Personnel Management (OPM) guidelines.
(4) General Accounting Office (GAO) reports on IS deficiencies and remedies.
(5) General Services Administration (GSA) standards, guidelines, and training reports.

e. Security Personnel. The DeCA computer security administration hierarchy should be described in this subject area. The duties of the Designated Approving Authority (DAA), CISSM, ISSMs, NSO, and TASO would be covered and, for a given target audience, the individuals filling those positions would be identified.

f. Security Life-Cycle Development. The DeCA security life cycle for AIS development should be discussed in this subject area and related to the system life cycle model. End users would not receive information on this subject area. Information within this subject area may include (but is not limited to) the following:
(1) Selecting and implementing a Configuration Management (CM) policy.
(2) Designing systems to include security features.
(3) Auditing documents and procedures to support certification and accreditation.
(4) Planning security tests.

(5) Planning risk assessments.

g. Threats and Vulnerabilities. All employees should be made aware of potential threats and vulnerabilities which may affect DeCA systems. Although much of this information applies to all DeCA systems, the threats and vulnerabilities affecting the systems used by the attendees should be stressed during training. Procedures for reporting technical vulnerabilities under the DOD Computer Security Technical Vulnerability Reporting Program (CSTVRP) may be discussed.

h. Automated Information Systems. This topic covers the responsibilities for reporting INFOSEC violations and incidents of AIS fraud, waste, and abuse. Areas to specifically address include (but are not limited to) the following:
(1) Types of violations and the method for reporting them.
(2) Types of incidents and the method for reporting them.
(3) DeCA policy for the identification of violations of DeCA regulations.
(4) DeCA policy for determining the severity of disciplinary actions to be applied.

i. Sensitive Information (Data Security). This area expands on the introductory Reasons for Security subject area, with emphasis on sensitive information. Identification, marking, accountability, transmission, destruction, and disclosure of sensitive information will be covered in the DeCA context, i.e., minimal concern for classified information but maximum concern for personal and financial information.

j. Computer Security Practices. Effective computer security practices should be covered in this area. End-user practices in this subject area include:
(1) Log in/log out procedures.
(2) Password security techniques.
(3) Protecting sensitive printouts.
(4) Effective backup techniques.
(5) Controlling visitors.
(6) Protecting magnetic media.

k. Malicious Code. This section covers computer viruses and worms. Training areas will include prevention and defense techniques, identification of effects, requirements for notification, and countermeasures.

l. Software Security. This section discusses purchasing and licensing software. Training will also include procedures to ensure that all DeCA software is developed, managed, and stored in a manner which assures that it is free of errors, bugs, and malicious code.

m. Security Planning. Security plans are required by a number of laws, regulations, and directives. This section will discuss security plans, plan writing, and the approval process.

n. Risk Assessment. This area will discuss the role of risk assessment within a total risk management plan. Topics discussed will include requirements for conducting risk assessments, techniques for conducting them, and procedures for reporting their results. The amount of required information will vary considerably among the target audiences.

o. Contingency Planning and Disaster Recovery. The types of required contingency plans, their contents, and testing requirements will be addressed as they relate to individual target audiences. Disaster recovery procedures will be emphasized.

p. Security Test and Evaluation. This section will discuss the need for security test and evaluation (ST&E), the techniques to perform an ST&E, and the procedures to report the test results.

q. Certification and Accreditation. For certification and accreditation, the amount of information presented will vary considerably by target audience. Accreditation is the formal approval to operate an AIS and is based on certifying that the IS provides an appropriate degree of security for the information it handles. The processes and techniques involved in the certification of an IS will be identified and discussed. These include (but are not limited to) the following:
(1) Categories of data.
(2) Accreditation authority.
(3) Support documentation.
(4) Certification team requirements.

r. Hardware Security. This section may include discussions on hardware, firmware, and encryption devices as appropriate for the IS audience.

s. Physical Security. Topics for discussion in this section may include (but are not limited to) the following:
(1) Access to the computer facility.
(2) Physical layout inside the facility.
(3) Fire protection.
(4) Environmental control support systems.
(5) Building construction.
(6) Housekeeping procedures.

t. Personnel Security. Topics for discussion in this section may include (but are not limited to) the following:
(1) Selection and hiring procedures.
(2) Personnel controls.
(3) Security awareness training program.

(4) Access and clearances.
(5) Screening techniques.
(6) Security briefings.
(7) Disciplinary actions.
(8) Substance abuse.

u. Communications and Network Security. This section discusses communications and network security requirements and processes as used in DeCA. Topics will include (but are not limited to) the following:
(1) Communications lines and links.
(2) Terminal identification.
(3) Authentication procedures.
(4) Telephone devices.
(5) Level of access and data base hierarchy.

v. Security and Contractor Interface. Senior executives and the computer security staff should be aware of agency requirements and laws regarding contractor involvement in an IS. Contractors must comply with security awareness and training provisions whenever they develop, acquire, manage, or use government information. This topic will address the requirements that contractors must meet when using DeCA ISs.

w. Office Automation Security. Office automation security will encompass the procedures and techniques for using the equipment, networks, and information in DeCA offices.

x. Software Piracy. This section discusses software piracy and other legal aspects of computing. DeCA employees will be made aware of their legal responsibilities and those of the agency.

TRAINING AUDIENCE/SUBJECT RELATIONSHIPS. The training level required varies from subject to subject and from audience to audience. Appendix C contains a matrix that identifies the level of training for each audience and subject matter pair.

Chapter 4
TRAINING METHODS

4-1. TRAINING METHODS. Effective computer security awareness training requires a variety of training methods. Each employee will attend, at a minimum, annual computer security awareness training. The methods that will be used within DeCA to foster an awareness of computer security among all employees include (but are not limited to) the following:

a. Computer Security Courses. A number of computer security courses are taught throughout the government and in the private sector. This type of training is appropriate only for individuals assigned duties as a DeCA CISSM, ISSM, ISSO, NSO, TASO, or CSATP monitor.

b. Formal Presentations. DeCA computer security awareness training will be conducted for all employees through periodic formal presentations. This directive provides the basis for developing the course materials for these presentations. The presentations shall be delivered by experienced and knowledgeable instructors. This training may be performed by contractors.

c. New Employee Orientations. Computer security awareness shall be made a part of the new employee orientation program. All new employees shall be required to receive this awareness training before they are authorized to access a DeCA system.

d. Training Films and Videos. A number of training films and videos may be used to supplement the awareness training efforts. These films can be obtained from government and private sector sources and shall be used whenever possible to enhance the training.

e. Newsletters. Computer security shall be a frequent topic in existing newsletters within DeCA. Newsletters are another way to regularly stress computer security to all employees.

f. Posters. Computer security awareness posters shall be displayed throughout DeCA offices. As with security information in newsletters, posters help achieve the necessary awareness level through continued emphasis on computer security.

Chapter 5
RESPONSIBILITIES

5-1. DIRECTORATE OF INFORMATION RESOURCES MANAGEMENT (IM). The IM chief is responsible for developing policy for the DeCA INFOSEC program. The DeCA CISSM is assigned to IM. As part of the CSATP effort, the DeCA CISSM will assist IM in establishing policy and maintaining the DeCA CSATP in accordance with this guideline. This effort is also supported by the Directorate of Personnel and Manpower (DP).

DIRECTORATE OF PERSONNEL AND MANPOWER (DP). DP is responsible for establishing training policy and providing overall guidance and oversight in support of the DeCA CSATP. DP responsibilities include developing or obtaining training materials for the CSATP and providing staff supervision over the scheduling and conduct of CSATP training sessions. All AIS security awareness training shall be documented. As requested, DP will brief management on INFOSEC awareness training status.

SERVICING CIVILIAN PERSONNEL OFFICES. Servicing Civilian Personnel Offices are responsible for programming individuals to attend CSATP training sessions, scheduling and providing training sessions as required, funding the costs of training (other than travel and per diem for attendees), and maintaining individual training records.

MANAGEMENT PERSONNEL. Although SA establishes policy for the computer security awareness training program, all DeCA managers are to support the training program and ensure that all their subordinates attend the training. Individuals who fall into a specialized training category for an audience other than end users should attend that training and are not required to attend the end user training.

COMPUTER SECURITY PERSONNEL. The DeCA CISSM and all ISSMs, ISSOs, NSOs, and TASOs shall attend appropriate security training. They shall ensure that all automated information systems users within their organization attend the training. They should also ensure that all new employees have received automated information security awareness training before they are allowed to use a DeCA system. Computer security personnel may also be required to present computer security awareness classes.

DeCA EMPLOYEES. All DeCA employees are responsible for the safe and secure operation of their assigned computer and for the security of their data. All DeCA employees must attend awareness training when scheduled. Each employee will attend, at a minimum, annual computer security awareness training.

REGIONAL DIRECTORS. Regions are responsible for monitoring and coordinating CSATP training sessions to ensure that personnel are being trained as required. Each regional director will appoint in writing a monitor to manage the computer security awareness training program (CSATP) at the region. When it is practical to do so, the CSATP monitor may be a security specialist already assigned to the region. A copy of the letter of appointment will be forwarded to HQ DeCA/SAS, Fort Lee, VA. Additional responsibilities are:
a. Appoint TASO(s) as required for the regional offices.
b. Ensure all individuals who operate or use the AIS attend security awareness training.

DISTRICT DIRECTORS/COMMANDERS. Each district director will appoint in writing a monitor to manage the computer security awareness training program (CSATP) for the district. Where it is practical to do so, the monitor may be a security specialist already assigned to the district. A copy of the letter of appointment will be provided to the appropriate region CSATP monitor. Additional responsibilities are:
a. Appoint TASO(s) as required for their respective work centers.
b. Ensure all individuals who operate or use the AIS attend security awareness training.

COMMISSARY OFFICER. Each commissary officer will appoint in writing a monitor to manage the computer security awareness training program (CSATP) for the store. Where it is practical to do so, the CSATP duties may be absorbed by personnel currently performing TASO duties in order to take advantage of the existing security knowledge base and to build and maintain a cohesive DeCA security infrastructure. A copy of the letter of appointment will be provided to the appropriate region/district CSATP monitor. Additional responsibilities are:
a. Appoint TASO(s) as required for their respective stores.
b. Ensure all individuals who operate or use the AIS attend security awareness training.

FUNCTIONAL PROPONENT AT HEADQUARTERS ORGANIZATIONS. General requirements to be met by the head of each DeCA functional proponent are:
a. Ensure that security awareness and security requirements are identified early in the requirements definition effort for systems or software development projects for which the organization is the functional proponent.
b. Designate in writing an Information Systems Security Manager (ISSM) for all systems under the direct ownership or sponsorship of the functional proponent.
c. Ensure that each AIS under his/her direct control has an ISSO appointed, and that TASOs and NSOs are appointed as necessary. All appointments shall be in writing.
d. Identify training needs for incumbents of these positions, ensuring that training requests are submitted to DP so that individuals can receive their necessary training.

Appendix A
REFERENCES

a. Privacy Act of 1974 (PL ).
b. Federal Managers' Financial Integrity Act of 1982 (PL ).
c. Computer Fraud and Abuse Act of 1986 (PL ).
d. Computer Security Act of 1987 (PL ).
e. Computer Matching and Privacy Protection Act (PL ).
f. Office of Management and Budget (OMB) Circular A-127, "Financial Management Systems."
g. OMB Circular A-130, "Management of Federal Information Resources," December 12, .
h. DODD , "Security Requirements for Automated Information Systems (AISs)," March 21, .
i. DODD , "Life-Cycle Management (LCM) of Automated Information Systems (AISs)," January 14, .
j. DeCAD 30-8, "Automated Information Systems (AIS) Testing Procedures."
k. DeCAD 30-9, "Configuration Management for Automated Information Systems (AIS)."
l. DeCAD 30-10, "INFOSEC Program Guideline", 9 September 1994 (Draft).
m. National Computer Security Center (NCSC), "A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems," NCSC-TG-027, Version-1, May .
n. National Institute of Standards and Technology (NIST), Special Publication , Computer Security Training Guidelines, .
o. National Security Telecommunications and Information Systems Security (NSTISS) Publication 4009, "National Information Systems Security (INFOSEC) Glossary," June 5, .

Appendix B - DEFINITIONS AND ACRONYMS

1. DEFINITIONS. The definitions in this glossary were taken from the National Security Telecommunications and Information System Security (NSTISS) Publication 4009 [ref o] unless otherwise noted.

access - A specific type of interaction between a subject (person, process, or input device) and an object (record, file, program, or output device) that results in the flow of information from one to the other; the ability and opportunity to obtain knowledge of information in a system.

access control - Process of limiting access to the resources of an AIS only to authorized users, programs, processes, or other systems.

accountability - Property that allows auditing of activities on an AIS to be traced to persons who may then be held responsible for their actions.

accreditation - Formal declaration by a designated approving authority that an AIS is approved to operate in a particular security mode using a prescribed set of safeguards.

accreditation authority - Synonymous with designated approving authority.

audit - Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

authentication - Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's eligibility to receive specific categories of information.

automated information systems (AIS) - Any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data and includes computer software, firmware, and hardware. NOTE: Included are standalone systems, personal computers, networks, word processing systems, or other electronic information handling systems and associated equipment.

automated information systems security - Synonymous with computer security.

availability - The property that ensures the information system data, services, and resources are available to authorized users reliably, consistently, and in a timely manner. NOTE: Definition derived from various sources.

availability of data - Data that is in the place, at the time, and in the form needed by the user.

certification - The comprehensive evaluation of the technical and nontechnical security features of an AIS and other safeguards, made in support of the accreditation process, that establishes the extent to which a particular design and implementation meet a specified set of security requirements.

classified information - National security information that has been classified pursuant to Executive Order

component information system security manager (CISSM) - Person who is the focal point for policy and guidance in AIS and network security matters and who reports to and supports the DAA. NOTE: Definition extracted from NCSC-TG-027 [ref m].

computer security (COMPUSEC) - Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer.

computer security incident - Any event in which a computer system is attacked, intruded, or threatened with an attack or intrusion.

Computer Security Technical Vulnerability Reporting Program (CSTVRP) - A program that focuses on technical vulnerabilities in commercially available hardware, firmware, and software products acquired by DOD. CSTVRP provides for the reporting, cataloging, and discreet dissemination of technical vulnerability and corrective measure information to DOD components on a need-to-know basis.

configuration management (CM) - The management of security features and assurances by controlling changes made to a system's hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the development and operational life of the system.

contingency plan - Plan maintained for emergency response, backup operations, and post-disaster recovery for an AIS, as a part of its security program, that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

countermeasure - Any action, device, procedure, technique, or other measure that reduces the vulnerability of or threat to a system.

Designated Approving Authority (DAA) - The official who has the authority to decide on accepting the security safeguards prescribed for an AIS, or that official who may be responsible for issuing an accreditation statement that records the decision to accept those safeguards.

environment - Procedures, conditions, and objects that affect the development, operation, and maintenance of an AIS.

identification - Process that enables recognition of an entity by an AIS. NOTE: This is generally accomplished by the use of unique machine-readable user names.

information system - Any telecommunications or computer related equipment or interconnected system or subsystems of equipment that is used in acquiring, storing, manipulating, managing, moving, controlling, displaying, switching, interchanging, transmitting, or receiving voice or data, and includes software, firmware, and hardware.

information systems security (INFOSEC) - The protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.

information system security manager (ISSM) - Person who reports to the CISSM and who is responsible for implementing the overall security program approved by the DAA. NOTE: Definition extracted from NCSC-TG-027 [ref m].

information system security officer (ISSO) - Person responsible to the designated approving authority who ensures that security of an information system is implemented through its design, development, operation, maintenance, and secure disposal stages.

network security - Protection of networks and their services from unauthorized modifications, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects.

network security officer (NSO) - Individual formally appointed by a designated approving authority to ensure that the provisions of all applicable directives are implemented throughout the life cycle of an automated information system network. (See information system security officer.)

password - Protected and private character string used to authenticate an identity or to authorize access to data.

resource - Any material, time, device, memory, media, process, or data used or consumed by users or services of an information system. NOTE: Definition derived from various sources.

risk analysis - Synonymous with risk assessment.

risk assessment - Process of analyzing threats to and vulnerabilities of an information system, and the potential impact that the loss of information or capabilities of a system would have on national security, and using the analysis as a basis for identifying appropriate and cost-effective measures.

risk management - Process concerned with the identification, measurement, control, and minimization of security risks in information systems.

security requirements - Types and levels of protection necessary for equipment, data, information, applications, and facilities to meet security policy.

security test and evaluation (ST&E) - Examination and analysis of the safeguards required to protect an AIS, as they have been applied in an operational environment, to determine the security posture of that system.

sensitive information - Information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. NOTE: Systems that are not national security systems, but contain sensitive information, are to be protected in accordance with the requirements of the Computer Security Act of 1987 (P.L ).

system security evaluation - Determination of the risk associated with the use of a given system, considering its vulnerabilities and perceived security threat.


More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

PBGC Information Security Policy

PBGC Information Security Policy PBGC Information Security Policy 1. Purpose. The Pension Benefit Guaranty Corporation (PBGC) Information Security Policy (ISP) defines the security and protection of PBGC information resources. 2. Reference.

More information

Department of Veterans Affairs VA Handbook 6500. Information Security Program

Department of Veterans Affairs VA Handbook 6500. Information Security Program Department of Veterans Affairs VA Handbook 6500 Washington, DC 20420 Transmittal Sheet September 18, 2007 Information Security Program 1. REASON FOR ISSUE: To provide specific procedures and establish

More information

EPA Classification No.: CIO-2150.3-P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015

EPA Classification No.: CIO-2150.3-P-02.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015 Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY INTERIM AWARENESS AND TRAINING PROCEDURES V3.1 JULY 18, 2012 1. PURPOSE The purpose of this

More information

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview IBM Internet Security Systems The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview Health Insurance Portability and Accountability Act

More information

PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE

PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE U.S. Department of Justice Office of the Inspector General Audit Division Audit Report 05-32 July 2005 PROCESSING CLASSIFIED

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5400.11 October 29, 2014 DCMO SUBJECT: DoD Privacy Program References: See Enclosure 1 1. PURPOSE. This directive: a. Reissues DoD Directive (DoDD) 5400.11 (Reference

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

Guidelines 1 on Information Technology Security

Guidelines 1 on Information Technology Security Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical

More information

Legislative Language

Legislative Language Legislative Language SECTION 1. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY. Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended (a) in section 201(c) by striking

More information

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat Centers for Disease and Prevention National Center for Chronic Disease Prevention and Health

More information

GAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network

GAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network GAO United States Government Accountability Office Report to the Honorable F. James Sensenbrenner Jr., House of Representatives April 2007 INFORMATION SECURITY FBI Needs to Address Weaknesses in Critical

More information

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule NIST Special Publication 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Pauline Bowen, Arnold Johnson, Joan Hash Carla

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS June 2012 A-14-11-11106

More information

OCC 98-3 OCC BULLETIN

OCC 98-3 OCC BULLETIN To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

Audit of Case Activity Tracking System Security Report No. OIG-AMR-33-01-02

Audit of Case Activity Tracking System Security Report No. OIG-AMR-33-01-02 Audit of Case Activity Tracking System Security Report No. OIG-AMR-33-01-02 BACKGROUND OBJECTIVES, SCOPE, AND METHODOLOGY FINDINGS INFORMATION SECURITY PROGRAM AUDIT FOLLOW-UP CATS SECURITY PROGRAM PLANNING

More information

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM

CMS POLICY FOR THE INFORMATION SECURITY PROGRAM Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS POLICY FOR THE INFORMATION SECURITY PROGRAM FINAL Version 4.0 August 31, 2010 Document Number: CMS-CIO-POL-SEC02-04.0

More information

UNCLASSIFIED NATIONAL POLICY ON CERTIFICATION AND ACCREDITATION OF NATIONAL SECURITY SYSTEMS UNCLASSIFIED. CNSS Policy No.

UNCLASSIFIED NATIONAL POLICY ON CERTIFICATION AND ACCREDITATION OF NATIONAL SECURITY SYSTEMS UNCLASSIFIED. CNSS Policy No. October 2005 NATIONAL POLICY ON CERTIFICATION AND ACCREDITATION OF NATIONAL SECURITY SYSTEMS Committee on National Security Systems FOREWORD 1. The national security community, in order to ensure the security

More information

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2014 May 19, 2015 14-01820-355 ACRONYMS CRISP

More information

MCOLES Information and Tracking Network. Security Policy. Version 2.0

MCOLES Information and Tracking Network. Security Policy. Version 2.0 MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on

More information

CYBER SECURITY PROCESS REQUIREMENTS MANUAL

CYBER SECURITY PROCESS REQUIREMENTS MANUAL MANUAL DOE M 205.1-5 Approved: Admin Chg 1: 9-1-09 Admin Chg 2: 12-22-09 CYBER SECURITY PROCESS REQUIREMENTS MANUAL U.S. DEPARTMENT OF ENERGY Office of the Chief Information Officer AVAILABLE ONLINE AT:

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information