Monday, December 8, 2008
Information systems allow businesses to increase work productivity at blinding speeds. Documents, images, and media can be duplicated, printed, emailed and faxed much quicker than technology allowed just a few years ago. The lightening fast capabilities enable enterprise to perform on contracts more efficiently and in less time. However, because of fast distribution and processing speeds, measures must be in place to prevent unauthorized disclosure, spillage and compromise of classified information. Once a spillage occurs, the errant person cannot take the action back. Information systems identified to process classified information is marked according to the highest classification.
As with protecting physical classified properties, information systems and their products must also be safeguarded at the appropriate level. Computers used for uploading, storing, processing, disseminating, printing and other functions are protected at the level of the information being worked. These protection levels include creating an environment where users of IS understand the policies, threat, and that they operate in such a way that security plays a primary role in the development, procurement, operating, processing, and storage of classified information.
As with the entire spectrum of a security program, the safeguarding of the information systems reflects the compliance with agency regulations as well as the results of thorough risk management. The security manager’s responsibility is not to look at the effectiveness of protection measures as they relate only to the computer or system, but as it affects the entire organization mission and perhaps even our national security. The FSO or security manager invites and involves senior organization officers to take part in the risk management to ensure the vision incorporates the protection of classified information. This allows industrial security specialists and others in a security discipline to provide proactive security measures and not play catch-up with expenses and security policy.
Key control custodians maintain accountability of combinations, locks and keys used in the storage of classified material. In the same way, an administrator controls the authentication and identification and ensures measures are in place for the proper access of the classified information stored or processed on the IS. The authentication, user identification and logon information acts as “keys” controlling when the classified information is available on the system. Without the strict control, there is no way to prevent unauthorized persons from getting to the data stored in computers or components.
To protect the data, all information regarding authentication is restricted to only those with the proper clearance and need to know. Each user has the ability to access only the data authorized. The segregation of access and need to know per user can be affected on either individual systems or components dedicated to only one access requirement or one entire system or component capable of allowing many user level accesses. The custodian, ISSM or ISSO can protect the authentication data by making it unreadable or file access controls. This system is the same theory as controlling access to security combinations and storing them in a security container affording the proper level of protection.
Just as combinations and keys are rotated and changed during certain events, user identification, removal and revalidation are also in place. These similar measured are used to ensure the proper users have access and those who have moved, lost their clearance or need to know, changed jobs or otherwise no longer require access are no longer given the capability to access the IS. This control is in place through removing the user identification. Additionally, each user identification is revalidated at least yearly for those who still require access. Authenticators such as the keys, passwords, smartcards, etc as discussed earlier are to be protected at the highest level of classified information accessed. The users are not authorized to share, loan out or otherwise give to others. They are personal and access to individual logons are audited.
Passwords are to be protected at the level of classification of the data stored or processed by the IS. If, as in our earlier example, XYZ Contractor’s IS is configured to process data classified at the SECRET level, then the password is classified at SECRET. It cannot be stored in a phone, personal data assistant, or otherwise written down unless stored in a security container. The pass words are at least eight characters long and are generated by an approved method. This approval is based on length of password, structure and size of password space as described in the SSP designed by the ISSM. The passwords are changed annually. Passwords already installed in software and operating systems are always replaced prior to giving users access to the IS.
Physical access to IS is controlled to prevent unauthorized personnel from obtaining and or otherwise compromising classified material. This also applies to the maintenance of IS. Information systems do often require repair, upgrades and other maintenance that is not normally performed by the ISSM or ISSO. When necessary and available, maintenance should be performed by cleared personnel with need to know or at least with an ability to control the need to know. This is the least risky of all options as a technically knowledgeable employee can escort and monitor the repairs and ensure security processes are in place.
However in many cases maintenance personnel without security clearances or if they do have clearances are not cleared to the level of IS classification. They are not employees of the company and do not have the need to know. These maintenance professionals must be U.S. citizens and require constant escort. The escort or other employee will conduct all login and logoff procedures as well as have a keystroke monitoring system in place. All classified data and media should be cleared and removed to deny access to the unauthorized repair persons. These controls prevent the un-cleared persons from gaining access to passwords, authentications and classified data. They are only allowed to work on the system after system access is granted. The system is similar to opening a combination and removing contents of a security container prior to granting authorization for a locksmith to make repairs.