DEPARTMENT OF DEFENSE DeCA DIRECTIVE 35-30 HEADQUARTERS DEFENSE COMMISSARY AGENCY Fort Lee VA 28301-6300 August 1, 1995. Information Management




DEPARTMENT OF DEFENSE
HEADQUARTERS DEFENSE COMMISSARY AGENCY
Fort Lee VA 28301-6300

DeCA DIRECTIVE 35-30
August 1, 1995
Information Management

INFORMATION SYSTEMS SECURITY (INFOSEC) AWARENESS TRAINING DIRECTIVE

BY ORDER OF THE DIRECTOR

RALPH R. TATE
Chief, Safety, Security and Administration

RONALD P. McCOY
Colonel, USAF
Chief of Staff

AUTHORITY: Defense Commissary Agency Directives Management Program is established in compliance with DoD Directive 5105.55, Defense Commissary Agency (DeCA), November 1990.

MANAGEMENT CONTROLS: This directive contains Management Control provisions that are subject to evaluation and testing as required by DeCAD 70-2 and as scheduled in DeCAD 70-3. The OPR is responsible for conducting the evaluation, testing controls, and documenting the evaluation. The Assessable Unit Manager for testing the controls addressed in this directive is the OPR.

APPLICABILITY: This directive applies to the Defense Commissary Agency (DeCA) activities.

HOW TO SUPPLEMENT: Regions may not supplement this directive.

HOW TO ORDER COPIES: Stores needing additional copies will submit requirements on DeCA Form 30-21 to Region/IM. Regions will consolidate requirements and order per published schedule.

SUMMARY: This directive sets forth the policies and procedures that will be used for the operation of the DeCA Computer Security Awareness Training Program.

SUPERSEDES: DeCAD 30-19, Information Systems Security (INFOSEC) Awareness Training Directive, dated September 1, 1994

OFFICE OF PRIMARY RESPONSIBILITY (OPR): HQ DeCA/IMP

COORDINATORS: DeCA/DP

DISTRIBUTION: E

DeCAD 35-30 August 1, 1995

TABLE OF CONTENTS (Para / Page)

Chapter 1 - Introduction
  PURPOSE ... 1-1 / 1-1
  SCOPE ... 1-2 / 1-1
  BACKGROUND ... 1-3 / 1-1
  REFERENCES ... 1-4 / 1-2
  DEFINITIONS ... 1-5 / 1-2
  TRAINING OBJECTIVES ... 1-6 / 1-2

Chapter 2 - Training Audiences
  TRAINING AUDIENCES ... 2-1 / 2-1
  SENIOR EXECUTIVES ... 2-2 / 2-1
  FUNCTIONAL MANAGERS ... 2-3 / 2-1
  IM AND SYSTEMS DEVELOPMENT PERSONNEL ... 2-4 / 2-1
  COMPUTER SECURITY PERSONNEL ... 2-5 / 2-1
  END USERS ... 2-6 / 2-1

Chapter 3 - Training levels and subjects
  TRAINING LEVELS AND SUBJECTS ... 3-1 / 3-1
  TRAINING LEVELS ... 3-2 / 3-1
  TRAINING SUBJECT AREAS ... 3-3 / 3-1
  TRAINING AUDIENCE/SUBJECT RELATIONSHIPS ... 3-4 / 3-5

Chapter 4 - Training methods
  TRAINING METHODS ... 4-1 / 4-1

Chapter 5 - Responsibilities
  DIRECTORATE OF INFORMATION RESOURCES MANAGEMENT (IM) ... 5-1 / 5-1
  DIRECTORATE OF PERSONNEL & MANPOWER (DP) ... 5-2 / 5-1
  SERVICING CIVILIAN PERSONNEL OFFICES ... 5-3 / 5-1
  MANAGEMENT PERSONNEL ... 5-4 / 5-1
  COMPUTER SECURITY PERSONNEL ... 5-5 / 5-1
  DeCA EMPLOYEES ... 5-6 / 5-1
  REGIONAL DIRECTORS ... 5-7 / 5-1
  DISTRICT DIRECTORS ... 5-8 / 5-2
  COMMISSARY OFFICERS ... 5-9 / 5-2
  FUNCTIONAL PROPONENT ORGANIZATIONS ... 5-10 / 5-2

APPENDIXES
  A. REFERENCES ... A-1
  B. DEFINITIONS AND ACRONYMS ... B-1
  C. RELATIONSHIPS BETWEEN TRAINING AUDIENCES AND TRAINING SUBJECTS ... C-1

Chapter 1
INTRODUCTION

1-1. PURPOSE. This directive provides the fundamental concepts, audience categories, and training subjects required to implement a Defense Commissary Agency (DeCA) Computer Security Awareness Training Program (CSATP). The program is intended for all DeCA and contractor personnel who use DeCA computer resources. The goal is to increase the level of automated information system (AIS) security within DeCA and to ensure that the computer resources are used properly, securely, and in accordance with various Federal and DeCA policies.

1-2. SCOPE. The computer security awareness training guideline is applicable for all DeCA organizations. This directive will ensure that DeCA satisfies the requirements of the Computer Security Act of 1987 (PL 100-235); the Office of Management and Budget (OMB) Circular A-130, Appendix III, "Security of Federal Automated Information Systems"; DOD Directive 5200.28, "Security Requirements for Automated Information Systems (AISs)"; and DeCA Directive 30-10, "INFOSEC Program Guideline", 9 September 1994 (Draft).

1-3. BACKGROUND. In December 1985, OMB issued Circular A-130, "Management of Federal Information Resources." Appendix III to Circular A-130 contains specific INFOSEC requirements for Federal systems that process sensitive but unclassified information. One of those requirements calls for Federal agencies to establish a security awareness and training program. In 1987 Congress passed the Computer Security Act, PL 100-235, which requires computer security awareness training. PL 100-235 applies only to systems that process sensitive but unclassified information. It requires "mandatory periodic training for all persons involved in management, operation, or use of Federal computer systems that contain sensitive information." In March 1988, DOD Directive 5200.28 was published requiring DOD components to "establish and maintain an AIS security training and awareness program for all DOD military, civilian, and contractor personnel requiring access to AISs."

  a. To help government agencies develop and implement a computer security awareness training program, the National Institute of Standards and Technology (NIST) prepared Special Publication 500-172, Computer Security Training Guidelines, in 1989. That publication placed employees who are to receive training into five categories:
    Executives.
    Program/Functional Managers.
    Information Resources Management (IM), Security, and Audit Personnel.
    ADP Management, Operations, and Programming Staff.
    End Users.

  b. The audience categories were based on the concept that employees within a given category generally need to know or be able to perform the same or similar types of tasks. The publication also divided the training content or subject matter into five areas:
    Computer Security Basics.
    Security Planning and Management.
    Computer Security Policy and Procedures.
    Contingency Planning.
    Systems Life Cycle Management.

  c. However, since the different audience categories do not all need the same level of knowledge of the training subject areas, the NIST publication created levels of training (see Appendix C):
    Awareness.
    Implementation.
    Performance.
    None.

  d. The combination of audience categories, subject training areas, and levels of training was illustrated graphically in the NIST publication in a matrix. The final section of the NIST publication outlines training subjects for each audience class. By using these outlines, a government agency could develop a general awareness training program.

  e. Computer security awareness training is vital to DeCA's computer security program. It addresses three general areas of concern: protecting computer resources from abuse and misuse; protecting sensitive information from unauthorized access, disclosure, alteration or destruction, and improper use; and ensuring that applications performing mission critical functions are not subject to processing delays. Employees who understand their responsibilities, the need for security, and how their actions contribute to security can reduce risks to DeCA information and systems. This plan intends to bring about that awareness and knowledge.

1-4. REFERENCES. References used in this document are listed in Appendix A.

1-5. DEFINITIONS. Definitions and acronyms used in this document are found in Appendix B.

1-6. TRAINING OBJECTIVES. The following training objectives are established for the DeCA computer security and awareness training program:

  a. Upon completing the training, all attendees will be able to:
    (1) Identify general automated information systems security threats and vulnerabilities.
    (2) Discuss the basic DeCA INFOSEC requirements.
    (3) Demonstrate effective computer security techniques for DeCA systems.
    (4) Identify their ISSO and their TASO as applicable.

  b. Upon completing the training, DeCA senior executives and functional management personnel will be able to:
    (1) Discuss management computer security responsibilities.
    (2) Explain the security life cycle process for systems development.
    (3) Identify the certification and accreditation requirements for a DeCA AIS.
    (4) Discuss the roles and responsibilities of the DeCA CISSM, ISSMs, an ISSO, an NSO, and a TASO.
    (5) Discuss the contents of the DeCA AIS security policy guideline.

  c. Upon completing the training, the DeCA CISSM, ISSMs, ISSOs, NSOs, and TASOs will be able to:
    (1) Discuss in detail the roles and responsibilities of DeCA security officers.
    (2) Identify the certification and accreditation requirements for a DeCA AIS.
    (3) Explain the purpose and conduct of a risk analysis.
    (4) Explain the various types of contingency plans and their purpose.

  d. Upon completing the training, DeCA computer operations and development personnel will be able to:
    (1) Explain the security life cycle process for systems development.
    (2) Identify the certification and accreditation requirements for a DeCA AIS.

  e. Upon completing the training, DeCA end users will be able to:
    (1) Demonstrate proper log-on procedures.
    (2) Discuss password security requirements.
    (3) Discuss good personal computer security practices.

Chapter 2
TRAINING AUDIENCES

2-1. TRAINING AUDIENCES. All users of DeCA computer systems, regardless of their rank or position, require a basic level of knowledge of computer security techniques. However, once users have this basic knowledge, the specialized security knowledge required by a DeCA employee varies based on his/her rank or position. For example, a data entry clerk at the commissary store does not need any knowledge about the security life cycle development process, whereas a management employee does. A software development employee should know the subject in detail. All recommended training, to ensure implementation of computer security, must be supported by management personnel. The following sections provide information on the DeCA audience categories.

2-2. SENIOR EXECUTIVES. Senior executives are responsible for setting DeCA policies, assigning responsibilities for meeting those policies, determining acceptable levels of risk, and providing resources and support for the DeCA computer security program. Their training should focus on creating an awareness and knowledge of Federal law and policies related to INFOSEC. They must also understand the certification and accreditation process for AISs.

2-3. HEADQUARTERS FUNCTIONAL MANAGERS. These individuals have a program or functional responsibility, excluding the functional area of computer security, within DeCA, i.e., commissary officers or headquarters, regional staff, and section or branch heads. The functional managers are involved primarily in DeCA policy and administration functions. Accordingly, their training should be broad, focusing on how their functional responsibilities interact with the objectives of the DeCA computer security program. Functional managers usually own the data and are responsible for designating the sensitivity and criticality of the information in their systems. They are also responsible for implementing contingency plans to ensure continued availability of their data. Their training should demonstrate how computer security is important in the day-to-day operations of their organizations and in contingency planning.

2-4. IM AND SYSTEMS DEVELOPMENT PERSONNEL. Individuals within this category are involved with managing DeCA's automated information resources daily or with testing and developing new or improved systems. These individuals are expected to be the most familiar with the DeCA systems. The IM personnel are responsible for providing integrated IM services and support to DeCA. They prepare and issue procedures, guidelines and standards, develop systems throughout the agency, and coordinate administrative and logistical support of DeCA ISs. Individuals within this category provide secure, timely automated data processing (ADP) support to all DeCA users.

2-5. COMPUTER SECURITY PERSONNEL. This category includes the DeCA CISSM, ISSM, ISSOs, NSOs, TASOs and CSATP monitors. These individuals are responsible for overseeing the day-to-day secure operation of the DeCA automated systems. Their training should be in-depth because they perform tasks requiring the implementation of computer security. They provide technical security assistance to users, enforce the DeCA security policy guidelines, perform or supervise risk analyses, and develop or coordinate the development of contingency plans. They oversee the certification and accreditation effort of those systems under their direct supervision and control. They are also responsible for the expeditious and secure handling of automated information security incidents.

2-6. END USERS. End users are all DeCA employees who have access to any DeCA computer system, including standalone personal computers. End users use the computer full- or part-time to perform their job-related tasks. Everyone in the previously identified training audiences would normally receive instruction in the audience category related to his or her primary job. The knowledge required for end users is also required for all DeCA users. This knowledge might be considered the core knowledge of this program.

Chapter 3
TRAINING LEVELS AND SUBJECTS

3-1. TRAINING LEVELS AND SUBJECTS. DeCA employees require different levels of knowledge about a particular subject. Not every training level is needed for a given audience on a given content area. This section identifies three training levels for the subjects. It also identifies and discusses the general training subjects to be included in the DeCA computer security awareness training program.

3-2. TRAINING LEVELS. The three training levels for the DeCA program are:

  a. Awareness. The awareness level creates a sensitivity to the subject matter. The employee recognizes the need to protect data and information.

  b. Implementation. Provides employees with the ability to recognize and assess threats and vulnerabilities to automated information resources so that they can set security requirements which implement agency security policies. The end-user audience category is the only audience category not involved with implementing subject matters.

  c. Performance. At the performance level of understanding, an employee is expected to have the skill to execute computer security practices and procedures. The employee understands the subject in detail, and can properly demonstrate the required skills and knowledge of a particular subject matter. It may require education in basic principles and training in state-of-the-art applications.

  d. None. Not required for a specific combination of training audience and training subjects.

3-3. TRAINING SUBJECT AREAS. The following list of training subject areas shall be incorporated into the DeCA computer security awareness training program. The subject areas are listed in the order in which they should be covered, but the order of presentation is not mandatory.

  a. Reasons for Security. This subject area makes employees sensitive and aware of the need for computer security. It relates how computer security affects DeCA organizations, systems, and individuals if it is not adequately maintained. Illustrative examples of problems on Federal systems may be used to reinforce the need for security.

  b. Federal Laws and Policies. Pertinent laws and policies should be identified in this subject area, with emphasis on those that directly relate to the DeCA automated systems. The amount of detail presented for this subject area will vary significantly by the target audience. Information within this training area may include the following:
    (1) Privacy Act of 1974 (PL 93-579).
    (2) Federal Manager's Financial Integrity Act of 1982 (PL 97-255).
    (3) Computer Fraud and Abuse Act of 1986 (PL 99-474).
    (4) Computer Security Act of 1987 (PL 100-235).
    (5) Computer Matching and Privacy Protection Act (PL 100-503).
    (6) OMB Circular A-127, "Financial Management Systems."
    (7) OMB Circular A-130, "Management of Federal Information Resources."

  c. DOD and DeCA Policies. The DOD and DeCA policies directly related to information security should be covered. The amount of detail presented for this subject area will vary by the target audience. Information within this subject area may include (but is not limited to) the following:
    (1) DODD 5200.28, "Security Requirements for Automated Information Systems."
    (2) DODD 8120.1, "Life-Cycle Management (LCM) of Automated Information Systems (AISs)."
    (3) DeCAD 30-8, "Automated Information Systems (AIS) Testing Procedures."
    (4) DeCAD 30-9, "Configuration Management for Automated Information Systems (AIS)."
    (5) DeCAD 30-10, "INFOSEC Security Program Guideline", 9 Sep 1994 (Draft).

  d. Guidelines and Standards. Other Federal guidelines and standards related to INFOSEC fall within this subject area. The amount of detail presented for this subject area will also vary by the target audience. Information within this subject area may include (but is not limited to) the following:
    (1) NIST standards and guidelines.
    (2) National Computer Security Center (NCSC) reports.
    (3) Office of Personnel Management (OPM) guidelines.
    (4) Government Accounting Office (GAO) reports on IS deficiencies and remedies.
    (5) General Services Administration (GSA) standards, guidelines, and training reports.

  e. Security Personnel. The DeCA computer security administration hierarchy should be described in this subject area. The duties of the Designated Approving Authority (DAA), CISSM, ISSMs, NSO and TASO would be covered, and, for a given target audience, the individuals filling those positions would be identified.

  f. Security Life-Cycle Development. The DeCA security life cycle for AIS development should be discussed in this subject area and related to the system life cycle model. End users would not receive information on this subject area. Information within this subject area may include (but is not limited to) the following:
    (1) Selecting and implementing a Configuration Management (CM) policy.
    (2) Designing systems to include security features.
    (3) Auditing documents and procedures to support certification and accreditation.
    (4) Planning security tests.
    (5) Planning risk assessments.

  g. Threats and Vulnerabilities. All employees should be made aware of potential threats and vulnerabilities which may affect the DeCA systems. Although much of this information affects all DeCA systems, the threats and vulnerabilities affecting the systems used by the attendees should be stressed during training. Procedures for reporting technical vulnerabilities under the DOD Computer Security Technical Vulnerability Reporting Program (CSTVRP) may be discussed.

  h. Automated Information Systems. This topic includes the responsibilities of reporting INFOSEC violations or incidents of AIS fraud, waste, and abuse. Areas to specifically address include (but are not limited to) the following:
    (1) Types of violations and method for reporting.
    (2) Types of incidents and method for reporting.
    (3) DeCA policy for the identification of violations of DeCA regulations.
    (4) DeCA policy for determining the severity of disciplinary actions to be applied.

  i. Sensitive Information (Data Security). This will expand on the introductory reasons for security, with emphasis on sensitive information. Identification, marking, accountability, transmission, destruction, and disclosure of sensitive information will be covered in the DeCA context, i.e., minimize concerns for classified information, but maximize concerns for personal and financial information.

  j. Computer Security Practices. Effective computer security practices should be covered in this area. End-user practices in this subject area include:
    (1) Log in/log out procedures.
    (2) Password security techniques.
    (3) Protecting sensitive printouts.
    (4) Effective backup techniques.
    (5) Controlling visitors.
    (6) Protecting magnetic media.

  k. Malicious Code. This section covers computer viruses and worms. Training areas will include prevention and defense techniques, identification of effects, requirements for notification, and countermeasures.

  l. Software Security. This section discusses purchasing and licensing software. Training will also include procedures to ensure all DeCA software is developed, managed, and stored in a manner which assures that it is free of errors, bugs, and malicious code.

  m. Security Planning. Security plans are required by a number of laws, regulations, and directives. This section will discuss security plans, plan writing, and the approval process.

  n. Risk Assessment. This area will discuss the role of risk assessment within a total risk management plan. Topics discussed will include requirements for conducting risk assessments, techniques for conducting them, and procedures for reporting their results. The amount of required information will vary considerably among the target audiences.

  o. Contingency Planning and Disaster Recovery. The types of required contingency plans, their contents, and testing requirements will be addressed as they relate to individual target audiences. Disaster recovery procedures will be emphasized.

  p. Security Test and Evaluation. This section will discuss the need for security test and evaluation (ST&E), the techniques to perform an ST&E, and the procedures to report the test results.

  q. Certification and Accreditation. For certification and accreditation, the amount of information presented will vary considerably by target audience. Accreditation is the formal approval to operate an AIS and is based on certifying that the IS provides an appropriate degree of security for the information it handles. The processes and techniques involved in the certification of an IS will be identified and discussed. These include (but are not limited to) the following:
    (1) Categories of data.
    (2) Accreditation authority.
    (3) Support documentation.
    (4) Certification team requirements.

  r. Hardware Security. This section may include discussions on hardware, firmware, and encryption devices as appropriate for the IS audience.

  s. Physical Security. Topics for discussion in this section may include (but are not limited to) the following:
    (1) Access to the computer facility.
    (2) Physical layout inside the facility.
    (3) Fire protection.
    (4) Environmental control support systems.
    (5) Building construction.
    (6) Housekeeping procedures.

  t. Personnel Security. Topics for discussion in this section may include (but are not limited to) the following:
    (1) Selection and hiring procedures.
    (2) Personnel controls.
    (3) Security awareness training program.
    (4) Access and clearances.
    (5) Screening techniques.
    (6) Security briefings.
    (7) Disciplinary actions.
    (8) Substance abuse.

  u. Communications and Network Security. This section discusses communications and network security requirements and processes as used in DeCA. Topics will include (but are not limited to) the following:
    (1) Communications lines and links.
    (2) Terminal identification.
    (3) Authentication procedures.
    (4) Telephone devices.
    (5) Level of access and data base hierarchy.

  v. Security and Contractor Interface. Senior executives and the computer security staff should be aware of agency requirements and laws regarding contractor involvement in an IS. Contractors must comply with security awareness and training provisions whenever they develop, acquire, manage, or use government information. This topic will address the requirements that contractors must meet when using DeCA ISs.

  w. Office Automation Security. Office automation security will encompass the procedures and techniques for using the equipment, networks, and information in DeCA offices.

  x. Software Piracy. This section discusses software piracy and other legal aspects of computing. The DeCA employees will be made aware of their legal responsibilities and those of the agency.

3-4. TRAINING AUDIENCE/SUBJECT RELATIONSHIPS. The training levels will vary between subjects based on the subject matter area. Appendix C contains a matrix that identifies the level of training for each audience and subject matter pair.

Chapter 4
TRAINING METHODS

4-1. TRAINING METHODS. Effective computer security awareness training will require a variety of training methods. Each employee will attend, at a minimum, annual computer security awareness training. The methods that will be used within DeCA to foster an awareness of computer security for all employees should include, but are not limited to, the following:

  a. Computer Security Courses. A number of computer security courses are taught throughout the government and in the private sector. This type of training is only appropriate for individuals assigned duties as a DeCA CISSM, ISSM, ISSO, NSO, TASO, or CSATP monitor.

  b. Formal Presentations. The DeCA computer security awareness training will be conducted for all employees through periodic formal presentations. This directive provides the basis for developing the course materials for these presentations. The presentations shall be delivered by experienced and knowledgeable instructors. This training may be performed by contractors.

  c. New Employee Orientations. Computer security awareness shall be made a part of the new employee orientation program. All new employees shall be required to receive this awareness training before they are authorized to access a DeCA system.

  d. Training Films and Videos. A number of training films and videos may be used to supplement the awareness training efforts. These films can be obtained from government and private sector sources and shall be used whenever possible to enhance the training.

  e. Newsletters. Computer security shall be a frequent topic in existing newsletters within DeCA. Newsletters are another way to regularly stress computer security to all employees.

  f. Posters. Computer security awareness posters shall be displayed throughout DeCA offices. As with the use of security information in newsletters, posters will help to achieve the necessary awareness level through continued emphasis of computer security.

Chapter 5 RESPONSIBILITIES

5-1. DIRECTORATE OF INFORMATION RESOURCES MANAGEMENT (IM). The IM chief is assigned responsibility to develop policy for the DeCA INFOSEC program. The DeCA CISSM is located in IM. As part of the CSATP effort, the DeCA CISSM will assist IM in establishing policy and maintaining the DeCA CSATP in accordance with this guideline. This effort is also supported by the Directorate of Personnel and Manpower (DP).

5-2. DIRECTORATE OF PERSONNEL AND MANPOWER (DP). DP is responsible for establishing training policy and providing overall guidance and oversight in support of the DeCA CSATP. DP responsibilities include developing or obtaining training materials for the CSATP and providing staff supervision over the scheduling and conducting of the CSATP training sessions. All AIS Security Awareness training shall be documented. As requested, DP will brief management on INFOSEC awareness training status.

5-3. SERVICING CIVILIAN PERSONNEL OFFICES. Servicing Civilian Personnel Offices are responsible for programming individuals to attend CSATP training sessions, scheduling and providing training sessions as required, funding costs of training (other than travel and per diem for attendees), and maintaining individual training records.

5-4. MANAGEMENT PERSONNEL. Although SA establishes policy for the computer security awareness training program, all DeCA managers are to support the training program and ensure that all their subordinates attend the training. Those individuals who meet a specialized training category for an audience other than end users should attend that training and are not required to attend the end user training.

5-5. COMPUTER SECURITY PERSONNEL. The DeCA CISSM and all ISSMs, ISSOs, NSOs, and TASOs shall attend appropriate security training. They shall ensure that all automated information systems users within their organization attend the training. They should also ensure that all new employees have received automated information security awareness training before they are allowed to use a DeCA system. The computer security personnel may also be required to present computer security awareness classes.

5-6. DeCA EMPLOYEES. All DeCA employees are responsible for safe and secure operation of their assigned computer and for the security of their data. All DeCA employees must attend awareness training when scheduled. Each employee will attend, at a minimum, annual computer security awareness training.

5-7. REGIONAL DIRECTORS. Regions are responsible for monitoring and coordinating CSATP training sessions to ensure that personnel are being trained as required. Each regional director will appoint in writing a monitor to manage the computer security awareness training program (CSATP) at the region. When it is practical to do so, the CSATP monitor may be a security specialist already assigned to the region. A copy of the letter of appointment will be forwarded to HQ DeCA/SAS, Fort Lee, VA 23801-6300. Additional responsibilities are:
a. Appoint TASO(s) as required for the regional offices.
b. Ensure all individuals who operate or use the AIS attend security awareness training.

5-8. DISTRICT DIRECTORS/COMMANDERS. Each district director will appoint in writing a monitor to manage the computer security awareness training program (CSATP) for their district. Where it is practical to do so, the monitor may be a security specialist already assigned to the District. A copy of the letter of appointment will be provided to the appropriate region CSATP monitor. Additional responsibilities are:
a. Appoint TASO(s) as required for their respective work centers.
b. Ensure all individuals who operate or use the AIS attend security awareness training.

5-9. COMMISSARY OFFICER. Each commissary officer will appoint in writing a monitor to manage the computer security awareness training program (CSATP) for their store. Where it is practical to do so, the CSATP duties may be absorbed by personnel currently performing TASO duties in order to take advantage of the existing security knowledge base and to build and maintain a cohesive DeCA security infrastructure. A copy of the letter of appointment will be provided to the appropriate region/district CSATP monitor. Additional responsibilities are:
a. Appoint TASO(s) as required for their respective stores.
b. Ensure all individuals who operate or use the AIS attend security awareness training.

5-10. FUNCTIONAL PROPONENT AT HEADQUARTERS ORGANIZATIONS. General requirements which are to be met by the head of the DeCA functional proponents are:
a. Ensure the security awareness and security requirements are identified early in the requirements definition effort for systems or software development projects for which their organization is the functional proponent.
b. Designate in writing an Information Systems Security Manager (ISSM) for all systems under the direct ownership or sponsorship of the functional proponent.
c. Ensure that each AIS under his/her direct control has an ISSO appointed, and that TASOs and NCOs are appointed as necessary. All appointments shall be in writing.
d. Identify training needs for incumbents of these positions, ensuring that training requests are submitted to DP so that individuals can receive their necessary training.

Appendix A REFERENCES

a. Privacy Act of 1974 (PL 93-579).
b. Federal Manager's Financial Integrity Act of 1982 (PL 97-255).
c. Computer Fraud and Abuse Act of 1986 (PL 99-474).
d. Computer Security Act of 1987 (PL 100-235).
e. Computer Matching and Privacy Protection Act (PL 100-503).
f. Office of Management and Budget (OMB) Circular A-127, "Financial Management Systems."
g. OMB Circular A-130, "Management of Federal Information Resources," December 12, 1985.
h. DODD 5200.28, "Security Requirements for Automated Information Systems (AISs)," March 21, 1988.
i. DODD 8120.1, "Life-Cycle Management (LCM) of Automated Information Systems (AISs)," January 14, 1993.
j. DeCAD 30-8, "Automated Information Systems (AIS) Testing Procedures."
k. DeCAD 30-9, "Configuration Management for Automated Information Systems (AIS)."
l. DeCAD 30-10, "INFOSEC Program Guideline," 9 September 1994 (Draft).
m. National Computer Security Center (NCSC), "A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems," NCSC-TG-027, Version-1, May 1992.
n. National Institute of Standards and Technology (NIST), Special Publication 500-172, "Computer Security Training Guidelines," 1989.
o. National Security Telecommunications and Information Systems Security (NSTISS) Publication 4009, "National Information Systems Security (INFOSEC) Glossary," June 5, 1992.

Appendix B DEFINITIONS AND ACRONYMS

1. DEFINITIONS. The definitions in this glossary were taken from the National Security Telecommunications and Information System Security (NSTISS) Publication 4009 [ref o] unless otherwise noted.

access - A specific type of interaction between a subject (person, process, or input device) and an object (record, file, program, or output device) that results in the flow of information from one to the other; the ability and opportunity to obtain knowledge of information in a system.

access control - Process of limiting access to the resources of an AIS only to authorized users, programs, processes, or other systems.

accountability - Property that allows auditing of activities on an AIS to be traced to persons who may then be held responsible for their actions.

accreditation - Formal declaration by a designated approving authority that an AIS is approved to operate in a particular security mode using a prescribed set of safeguards.

accreditation authority - Synonymous with designated approving authority.

audit - Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

authentication - Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's eligibility to receive specific categories of information.

automated information systems (AIS) - Any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data and includes computer software, firmware, and hardware.
NOTE: Included are standalone systems, personal computers, networks, word processing systems, networks, or other electronic information handling systems and associated equipment.

automated information systems security - Synonymous with computer security.

availability - The property that ensures the information system data, services, and resources are available to authorized users reliably, consistently, and in a timely manner.
NOTE: Definition derived from various sources.

availability of data - Data that is in the place, at the time, and in the form needed by the user.

certification - The comprehensive evaluation of the technical and nontechnical security features of an AIS and other safeguards, made in support of the accreditation process, that establishes the extent to which a particular design and implementation meet a specified set of security requirements.

classified information - National security information that has been classified pursuant to Executive Order 12356.

component information system security manager (CISSM) - Person who is the focal point for policy and guidance in AIS and network security matters and who reports to and supports the DAA.
NOTE: Definition extracted from NCSC-TG-027 [ref m].

computer security (COMPUSEC) - Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer.

computer security incident - Any event in which a computer system is attacked, intruded, or threatened with an attack or intrusion.

Computer Security Technical Vulnerability Reporting Program (CSTVRP) - A program that focuses on technical vulnerabilities in commercially available hardware, firmware, and software products acquired by DOD. CSTVRP provides for the reporting, cataloging, and discreet dissemination of technical vulnerability and corrective measure information to DOD components on a need-to-know basis.

configuration management (CM) - The management of security features and assurances by controlling changes made to a system's hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the development and operational life of the system.

contingency plan - Plan maintained for emergency response, backup operations, and post-disaster recovery for an AIS, as a part of its security program, that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.

countermeasure - Any action, device, procedure, technique, or other measure that reduces the vulnerability of or threat to a system.

Designated Approving Authority (DAA) - The official who has the authority to decide on accepting the security safeguards prescribed for an AIS or that official who may be responsible for issuing an accreditation statement that records the decision to accept those safeguards.

environment - Procedures, conditions, and objects that affect the development, operation, and maintenance of an AIS.

identification - Process that enables recognition of an entity by an AIS.
NOTE: This is generally accomplished by the use of unique machine-readable user names.

information system - Any telecommunications or computer related equipment or interconnected system or subsystems of equipment that is used in acquiring, storing, manipulating, managing, moving, controlling, displaying, switching, interchanging, transmitting, or receiving voice or data, and includes software, firmware, and hardware.

information systems security (INFOSEC) - The protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.

information system security manager (ISSM) - Person who reports to the CISSM and who is responsible for implementing the overall security program approved by the DAA.
NOTE: Definition extracted from NCSC-TG-027 [ref m].

information system security officer (ISSO) - Person responsible to the designated approving authority who ensures that security of an information system is implemented through its design, development, operation, maintenance, and secure disposal stages.

network security - Protection of networks and their services from unauthorized modifications, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects.

network security officer (NSO) - Individual formally appointed by a designated approving authority to ensure that the provisions of all applicable directives are implemented throughout the life cycle of an automated information system network. (See information system security officer.)

password - Protected and private character string used to authenticate an identity or to authorize access to data.

resource - Any material, time, device, memory, media, process, or data used or consumed by users or services of an information system.
NOTE: Definition derived from various resources.

risk analysis - Synonymous with risk assessment.

risk assessment - Process of analyzing threats to and vulnerabilities of an information system, and the potential impact that the loss of information or capabilities of a system would have on national security, and using the analysis as a basis for identifying appropriate and cost-effective measures.

risk management - Process concerned with the identification, measurement, control, and minimization of security risks in information systems.

security requirements - Types and levels of protection necessary for equipment, data, information, applications and facilities to meet security policy.

security test and evaluation (ST&E) - Examination and analysis of the safeguards required to protect an AIS, as they have been applied in an operational environment, to determine the security posture of that system.

sensitive information - Information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.
NOTE: Systems that are not national security systems, but contain sensitive information, are to be protected in accordance with the requirements of the Computer Security Act of 1987 (P.L. 100-235).

system security evaluation - Determination of the risk associated with the use of a given system, considering its vulnerabilities and perceived security threat.