INFORMATION SYSTEM SECURITY - For Security Professionals

Upload: hal

Post on 11-Jan-2016


TRANSCRIPT

Page 1: For Security Professionals

INFORMATION SYSTEM SECURITY

For Security Professionals

Page 2: For Security Professionals

Objectives

o Discuss the principles of Computer Security
o Identify required IS security documentation
o Identify the purpose of a System Security Plan (SSP)

Page 3: For Security Professionals

Foundations of Computer Security

Confidentiality

Integrity

Availability

C I A

Paragraph 8-401 NISPOM

Page 4: For Security Professionals

CONFIDENTIALITY

PROTECTION OF DATA IN OR PROCESSED BY THE COMPUTER SYSTEM FROM DISCLOSURE

Page 5: For Security Professionals

INTEGRITY

Protection of data and software used or processed on classified systems.

FROM: MANIPULATION, DELETION

Page 6: For Security Professionals

AVAILABILITY

Protecting the computer from malicious logic or natural disasters

Page 7: For Security Professionals

Protection Levels

NISPOM 8-402

PL-3 Compartmented

PL-2 System High

PL-1 Dedicated

Page 8: For Security Professionals

Protection Level (PL) 1: Dedicated Security Mode

Clearance, N-T-K and, if applicable, all formal access approvals for all information

[Figure label: TS]

Page 9: For Security Professionals

Protection Level (PL) 2: System High Security Mode

Clearance and access approvals for all information but with different N-T-K

[Figure labels: TS, TS, a, b]

Page 10: For Security Professionals

Protection Level (PL) 3: Compartmented Security Mode

Clearance for most restrictive information, but different formal access approvals

[Figure labels: TOP SECRET, TS-NATO, SAP, CRYPTO, NATO, CNWDI]

Page 11: For Security Professionals

Confidentiality Matrix

Requirements (Paragraph) PL 1 PL 2 PL 3

Audit Capability (8-602) Audit 1, Audit 2, Audit 3 Audit 4

Data Transmission (8-605) Trans 1, ISL62 Trans 1 Trans 1

Access Controls (8-606) Access 1, Access 2 Access 3

Identification & Authentication (8-607) I&A 1, I&A 2,3,4 I&A 2,4,5

Resource Control (8-608) ResrcCtrl 1, ResrcCtrl 1

Session Controls (8-609) SessCtrl 1, SessCtrl 2 SessCtrl 2

Security Documentation (8-610) Doc 1, Doc 1 Doc 1

Separation of Functions (8-611) Separation

System Recovery (8-612) SR 1 SR 1 SR 1

System Assurance (8-613) SysAssur 1, SysAssur 1 SysAssur 2

Security Testing (8-614) Test 1, Test 2 Test 3

TABLE 5 - Protection Profile Table for Confidentiality

Page 12: For Security Professionals

Levels of Concern 8-403: Confidentiality

Level of Concern: Qualifiers

High: TOP SECRET and SECRET Restricted Data (SIGMAs 1,2,14,15)

Medium: SECRET; SECRET Restricted Data

Basic: CONFIDENTIAL

Page 13: For Security Professionals

Integrity Matrix

Must be contractually imposed.

Page 14: For Security Professionals

Levels of Concern 8-403: Integrity

Level of Concern: Qualifiers

High: Absolute accuracy required for mission accomplishment; or loss of life might result from loss of integrity; or loss of integrity will have an adverse effect on national-level interests; or loss of integrity will have an adverse effect on confidentiality.

Medium: High degree of accuracy required for mission accomplishment, but not absolute; or bodily injury might result from loss of integrity; or loss of integrity will have an adverse effect on organizational-level interests.

Basic: Reasonable degree of accuracy required for mission accomplishment.

Must be contractually imposed.

Page 15: For Security Professionals

Availability Matrix

Must be contractually imposed.

Page 16: For Security Professionals

Levels of Concern 8-403: Availability

Level of Concern: Qualifiers

High: Information must always be available upon request, with no tolerance for delay; or loss of life might result from loss of availability; or loss of availability will have an adverse effect on national-level interests; or loss of availability will have an adverse effect on confidentiality.

Medium: Information must be readily available with minimum tolerance for delay; or bodily injury might result from loss of availability; or loss of availability will have an adverse effect on organizational-level interests.

Basic: Information must be available with flexible tolerance for delay.

Must be contractually imposed.

Page 17: For Security Professionals

Cognizant Security Agency

Agencies of the Executive Branch authorized to establish an Industrial Security program. The agencies are: DoD, DoE, CIA, and NRC.

8-101a, NISPOM

Page 18: For Security Professionals

Cognizant Security Office

The entity designated by the Head of a CSA to administer industrial security on behalf of the CSA.

8-101a, NISPOM

Performs oversight, program review, training, and certification and accreditation of ISs used by its contractors

Page 19: For Security Professionals

Contractor Role

o Publish and promulgate an IS Security Policy
o Appoint and train an Information Systems Security Manager (ISSM)

8-101b, NISPOM

Page 20: For Security Professionals

IS Security Manager (ISSM)

o Not necessarily the Facility Security Officer (FSO)
o Designated by Management
o The CSA's point of contact for IS security
o Generally a very nice guy

Page 21: For Security Professionals

IS Security Officer (ISSO)

o Appointed by ISSM in facilities with multiple accredited IS
o Assists in day-to-day IS security operations
o Has PCL, NTK, and formal access approvals for all information processed on accredited IS
o Not so nice

Page 22: For Security Professionals

Security Documentation

8-610 NISPOM

o System Security Plan
o Profile
o Configuration Plan
o Risk Acceptance Letter
o Memorandum of Understanding
o Protected Distribution System

Page 23: For Security Professionals

Basis for Accreditation

o Safeguards
o Documentation (SSP)
o Policy
o Evaluation of security risks

Page 24: For Security Professionals

System Security Plan

o Defines Security Policy
o Includes Configuration Management Plan
o Covers the life-cycle of system
o Target audience includes users, system administrative, government, and security staff
o Best single security tool

8-610

Page 25: For Security Professionals

Self-Certification Master/Profile Concept

Master/Profile System Security Plan

[Diagram labels: MSSP with PP, PP, PP; SSP with PP]

Page 26: For Security Professionals

Self-Certification Concept: Profile Requirements

o Same classification
o Same PL level
o Same Level of Concern
o Same Environment
o Approved O/S
o Same system type
o Approved TD
o Approved Periods Processing
o Approved Mobile Systems
o Approved Test Equipment

Page 27: For Security Professionals

Self-Certification Concept: Not Authorized

o SIPRNET
o WAN self-certs
o Systems requiring variances
o Audit variances
o Alternate TD procedures
o Legacy O/S

Page 28: For Security Professionals

SSP INCLUDES

o System Identification
o Purpose
o Security personnel
o System description
o Mission or purpose
o Architecture
o Classification Level
o Formal Access Approvals
o System requirements
o Personnel Clearance Level of Users
o Need to Know of Users
o Protection Level
o Physical controls
o Marking requirements

8-610a.(1)(a)

Page 29: For Security Professionals

SSP-Protection Measures

o Audit Capabilities
o Access Controls
o Resource Controls
o System Recovery
o Security Testing
o Data Transmission
o I & A
o Session Controls
o System Assurance
o Physical Security

Page 30: For Security Professionals

SSP-Protection Measures

o Trusted Downloading
o Software controls
o Media controls
o Maintenance
o Clearing and sanitization
o Self Inspections

Page 31: For Security Professionals

SSP-Variances and RAL letters

o Description of approved variances from protection measures
  o Attach documentation
o Documentation of any unique threat or vulnerabilities to system
  o Document if none exists

Page 32: For Security Professionals

SSP-May Also Include

o MOU for connections to separately accredited networks & systems
o Special purpose type systems
  o embedded systems
o Other contractual issues

Page 33: For Security Professionals

Audit Records

o Who fills out what?
  o ISSOs & Users
o What logs are required? - Manual
  o Maintenance
  o Hardware & Software
  o Upgrade/Downgrade
  o Sanitization
  o Weekly Audit Log
  o Seal Log (If Applicable)
  o Receipt/Dispatch (If Applicable)

Page 34: For Security Professionals

Audit Records - cont'd

o What logs are required - Automated
  o if technically capable
o Successful and unsuccessful logons and logoffs
o Unsuccessful accesses to security-relevant objects and directories, including:
  o creation
  o open
  o modification and deletion

Page 35: For Security Professionals

Audit Records - cont'd

o Changes in user authenticators, i.e., passwords
o Denial of system access resulting from an excessive number of unsuccessful logon attempts.
o If not technically capable, the Authorized Users list will be retained as an audit record

Page 36: For Security Professionals

Re-Accreditation & Protection Measures

o Re-Accreditation
  o Every Three Years
  o Major Changes
  o If no changes updated
  o SSP may not be required.

Page 37: For Security Professionals

Passwords

o Minimum 8* Characters
o Classified to the highest level of the system
o Changed at least every 365* days
o Changed when compromised
o Automated generation when possible

Page 38: For Security Professionals

DoD Warning Banner

o Required
o Positive User Action
o Prominently displayed

DoD Warning Banner

Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.

This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.

Page 39: For Security Professionals

Login Attempts

o Maximum of 5* attempts
o Lockout for 15* minutes
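One way to enforce the two limits on this slide while writing the automated audit records listed on the Audit Records slides (logons, failed logons, lockout denials). This is an added example, not part of the original presentation; `LogonGate`, `replay`, the event names and the sample attempts are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                     # slide value, marked "*" on the slide
LOCKOUT = timedelta(minutes=15)      # slide value, marked "*" on the slide


@dataclass
class LogonGate:
    """Hypothetical helper: applies the lockout rule and keeps audit records."""
    audit: list = field(default_factory=list)        # (time, user, event)
    failures: dict = field(default_factory=dict)     # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)

    def _record(self, when, user, event):
        self.audit.append((when.isoformat(), user, event))

    def logon(self, user, password_ok, when):
        until = self.locked_until.get(user)
        if until and when < until:
            # Still locked: refuse even a correct password and audit the denial.
            self._record(when, user, "ACCESS_DENIED_LOCKED")
            return False
        if until:                                    # lockout period has elapsed
            del self.locked_until[user]
            self.failures[user] = 0
        if password_ok:
            self.failures[user] = 0
            self._record(when, user, "LOGON_SUCCESS")
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        self._record(when, user, "LOGON_FAILURE")
        if self.failures[user] >= MAX_ATTEMPTS:
            self.locked_until[user] = when + LOCKOUT
            self._record(when, user, "ACCOUNT_LOCKED_EXCESSIVE_FAILURES")
        return False

    def logoff(self, user, when):
        self._record(when, user, "LOGOFF")


def replay(attempts):
    """Replay (minute_offset, user, password_ok) tuples; return gate and results."""
    start = datetime(2016, 1, 11, 9, 0)              # constructed timestamp
    gate = LogonGate()
    results = [gate.logon(user, ok, start + timedelta(minutes=m))
               for m, user, ok in attempts]
    return gate, results


# Constructed sample: five bad passwords, a correct one during the lockout,
# then a correct one once the 15 minutes have elapsed.
SAMPLE = [(0, "jdoe", False), (1, "jdoe", False), (2, "jdoe", False),
          (3, "jdoe", False), (4, "jdoe", False),
          (10, "jdoe", True), (19, "jdoe", True)]

if __name__ == "__main__":
    gate, _ = replay(SAMPLE)
    for row in gate.audit:
        print(*row)
```

The correct password at minute 10 is refused and audited as a denial, which is the record an ISSO reviewing the weekly audit log would look for.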

Page 40: For Security Professionals

Special Categories

Section 5, Chapter 8

May not meet all NISPOM Requirements

o Single-user Stand-alones
  o Only one user accesses system
o Pure Servers
  o No user code on system
o Tactical, Embedded Special-Purpose Systems
  o Configured as directed by customer

Customer can require additional requirements above NISPOM

Page 42: For Security Professionals

Clearing

Removal of data from an IS, its storage devices and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using normal system capabilities (i.e., keyboard strokes).

DCID 6/3

Page 43: For Security Professionals

Sanitization

The process of removing information from media or equipment such that data recovery using any known technique or analysis is prevented, as well as the removal of all classified labels and markings.

DCID 6/3

Page 44: For Security Professionals

Clearing and Sanitization Matrix

www.dss.mil

o Hard drives
  o May be degaussed or destroyed at end of life cycle
o CPUs
  o Remove power for one minute
o Printers
  o Print one page (font test) then power down

Page 45: For Security Professionals

Configuration Management Plan

o Formal change control procedures for security-relevant hardware and software
o Management of all documentation
o Implement, test and verify CM plan

Page 46: For Security Professionals

CM Plan Documents:

o Procedures to identify and document type, model and brand of IS hardware
o Procedures to identify and document product names and version or release numbers and location of security relevant software
o System connectivity

8-311

Page 47: For Security Professionals

Periods Processing

o Separate Sessions
o Different Classification Levels
o Different Need-To-Know
o Removable Media for each processing session

Page 48: For Security Professionals

Summary

o Principles of Computing Security
o System Security Plan
  o Purpose
  o Contents
o NISPOM = What
o SSP = How
