For Security Professionals


Post on 11-Jan-2016








INFORMATION SYSTEM SECURITY

This presentation, highlighting the changes to Chapter 8 which went into effect on 1 May 2001, was developed by the North East Region Information System Security Managers Association (NERISSMA). It has been modified only slightly to cover any unique information.

Objectives

- Discuss the principles of Computer Security
- Identify required IS security documentation
- Identify the purpose of a System Security Plan (SSP)

A. Tie In: This section provides an overview of what needs to be included in the System Security Plan.

B. Objectives: Using NISPOM, Chapter 8, Section 6, paragraph 610:

- Define the security documentation that is needed for accredited ISs
- Define the purpose of the SSP
- Identify what information must be included in an SSP

Foundations of Computer Security: Confidentiality, Integrity, Availability



INTEGRITY: Protection of data and software used or processed on classified systems FROM: MANIPULATION, DELETION

AVAILABILITY: Protecting the computer from malicious logic or natural disasters

Protection Levels (NISPOM 8-402)

- PL-3: Compartmented
- PL-2: System High
- PL-1: Dedicated

Protection Level (PL) 1: Dedicated Security Mode

Clearance, N-T-K and, if applicable, all formal access approvals for all information

It equates to having the combination to a container. Before you are given that combination, it is verified that you have the appropriate clearance and need-to-know for all information in that container.

Most systems accredited out there are in this mode.

No technical IS security is required. Access is determined by physical and administrative controls. Just keep unauthorized persons out of the area.

Protection Level (PL) 2: System High Security Mode

Clearance and access approvals for all information but with different N-T-K

There are systems out there accredited at this level, but far fewer than in dedicated mode.

It is more complicated; there are more stringent protection requirements: need-to-know protection or discretionary access controls (the owner of a file has control over who gains access to it) through logical partitions, including user IDs and passwords. Object reuse issues are addressed here.

Includes physical partitions: printers/monitors segregated to protect NTK.

Protection Level (PL) 3: Compartmented Security Mode

Clearance for most restrictive information, but different formal access approvals


It's the sensitivity level of the information that's the concern.

Confidentiality Matrix

TABLE 5 - Protection Profile Table for Confidentiality

Levels of Concern (8-403): Confidentiality

Level of Concern: Qualifiers

- High: TOP SECRET and SECRET Restricted Data (SIGMAs 1, 2, 14, 15)
- Medium: SECRET; SECRET Restricted Data
- Basic: CONFIDENTIAL

Integrity Matrix

Must be contractually imposed.

Levels of Concern (8-403): Integrity

Must be contractually imposed.

Availability Matrix

Must be contractually imposed.

Levels of Concern (8-403): Availability

Must be contractually imposed.

Cognizant Security Agency

Agencies of the Executive Branch authorized to establish an Industrial Security program. The agencies are: DoD, DoE, CIA, and NRC. (8-101a, NISPOM)

Provide oversight for information systems that process classified information. This includes the review of your security program to get to a point where DSS can certify and accredit information systems to process classified information.

Establish a line of authority for training. We'll talk later about some recommended methods and resources you can use.

Segue: Remember from this morning, who administers the program for DoD, the CSA? DSS, who is the CSO.

Cognizant Security Office

The entity designated by the Head of a CSA to administer industrial security on behalf of the CSA.

Performs oversight, program review, training, and certification and accreditation of ISs used by its contractors. (8-101a, NISPOM)

Contractor Role

- Publish and promulgate an IS Security Policy
- Appoint and train an Information Systems Security Manager (ISSM)

(8-101b, NISPOM)

Contractor management will publish and promulgate an IS Security Policy addressing the classified processing environment. Appoint ISSM (old ISSR). An IS Security Manager will be appointed with oversight responsibility for the development, implementation and evaluation of the facility's IS security program.

Train ISSM. Contractor management will assure that the ISSM is trained to a level commensurate with the complexity of the facility's IS. This course meets that requirement. You can also take any nationally known or government agency information system security training which includes testing or certification.

IS Security Manager (ISSM)

- Not necessarily the Facility Security Officer (FSO)
- Designated by Management
- The CSA's point of contact for IS security
- Generally a very nice guy

ISSM: The ISSM can be the FSO or it can be delegated to someone else. In any case, the ISSM should have a background in computers.

The ISSM is appointed by management.

If the FSO and ISSM are different people, the ISSM reports security issues and problems to the FSO.

The FSO has overall security responsibility but relies on the ISSM for technical issues, just as the ISRep relies on their ISSP for technical issues.

The ISSM will be the point of contact for the CSA regarding information systems that process classified information.

IS Security Officer (ISSO)

- Appointed by ISSM in facilities with multiple accredited IS
- Assists in day-to-day IS security operations
- Has PCL, NTK, and formal access approvals for all information processed on accredited IS
- Not so nice

The ISSO:

- Is appointed by the ISSM in facilities with multiple accredited ISs
- Assists in day-to-day IS security operations
- Has PCL, NTK, formal access approvals

Have students turn to paragraph 8-104.

Examples of responsibilities the ISSM can assign:

- Prepare, maintain, implement the SSP for the assigned IS.
- Implement security measures in accordance with facility procedures: CM program, unauthorized personnel not granted access to IS, proper marking, handling, controlling of accredited IS, proper media and equipment destruction.
- Notify the ISSM when an IS no longer processes classified information or when changes occur that might affect accreditation.

Security Documentation (8-610 NISPOM)

- System Security Plan
- Profile Configuration Plan
- Risk Acceptance Letter
- Memorandum of Understanding
- Protected Distribution System

Lesson Title: Certification and Accreditation
Date Prepared: March 2001

Time Required for Lesson: 25 min (.5 hr)
Method(s) of Instruction: Lecture
Instructor(s): One
Classroom(s) Requirements: One
Instructional Aids: PowerPoint slides
Equipment: Computer/projector/screen
Handout Materials: Copy of slides

Basis for Accreditation

System Security Plan

- Defines Security Policy
- Includes Configuration Management Plan
- Covers the life-cycle of system
- Target audience includes users, system administrative, government, and security staff
- Best single security tool

8-610: The NISPOM identifies specific security documentation for ISs processing classified information.

Before any processing of classified information on an IS, these documents must be written: Management's information systems security policy.

A Configuration Management Plan which includes a list of the hardware and software.

System Security Plan. The SSP

Certification and Accreditation documentation

These documents can be rolled up into the SSP

Self-Certification Master/Profile Concept

Master/Profile System Security Plan

What is the purpose of the SSP?

The SSP is the basic system protection document and evidence that the proposed system, or update to an existing system, meets the protection profile requirements.

It provides the Users with their instructions on how to process classified information; it is their guide.

The SSP also serves as the basis for inspections of the system.

Additionally, if you use the DSS-provided template, it allows for uniformity and consistency. DSS has over 11,500 facilities. It would be very difficult to review this required documentation if there wasn't some uniformity.

Practical Exercise will be required, writing an SSP.

Self-Certification Concept

Profile Requirements

- Same classification
- Same PL level
- Same Level of Concern
- Same Environment
- Approved O/S
- Same system type

- Approved TD
- Approved Periods Processing
- Approved Mobile Sys

