Group Contract
This contract is a legal and binding document that governs this group until the assignment deadline.
Members
DoD-specific policies, standards, and controls in the User, Workstation, LAN, LAN-to-WAN, Remote Access, and System/Application domains
Servers
Policies
The intent of this policy is to ensure that all servers are maintained regularly at an appropriate level of security and are constantly monitored for unusual activity. All servers containing anything sensitive will have methods installed and enabled to protect data. Data that is stored on any portion of the servers must be kept up to date and backed up on a daily basis.
Standards
Server maintenance is managed by the IT workers who are assigned to servers. It is important to maintain confidentiality, integrity, and availability of the protected information. Credential strength is used to prevent forgery and fraudulent use. Incorporation of additional authentication factors is necessary for the confidentiality and integrity of information assurance.
Controls
IT staff (Information Technology staff assigned to server maintenance) follow our Backup Recovery Plan (BRP) to keep the availability of data. To maintain information assurance, data will be separated into different classification levels depending on the sensitivity of the data (Top Secret, Secret, Confidential, Sensitive but Unclassified, and Unclassified). Information systems, with administrative roles or not, that handle classified data are required to use a minimum of Credential Strength H to mitigate known or unanticipated vulnerabilities.
Users
Policies
This policy states that it is mandatory for all staff that have access to our organization's systems to keep the information confidential. Confidentiality is the assurance that the data is not disclosed to unauthorized individuals, processes or devices. Failure to do so will result in termination from our organization and possibly fines.
Employees must complete our organization's computer awareness training program and agree to uphold the acceptable use policies (AUP).
All employees that will be users of the system are subject to background investigations at any time during employment.
Users must be in compliance with Department of Defense Instruction 8500.2, subject Information Assurance Implementation.
Acceptable Use Policy
Email Limitations
a. Use of systems that could be expected to cause, directly or indirectly, congestion, delay, or disruption of services to any computing facilities or cause interference with others' use of communications.
b. Unauthorized uses include:
   i. Distributing copyrighted materials by electronic messaging without consent from the owner
   ii. Sending or receiving electronic messages for commercial or personal financial gain
   iii. Intentionally or unlawfully misrepresenting your identity or affiliation
   iv. Sending harassing, intimidating, abusive, or offensive material to, or about, others
   v. Causing congestion on the network by such things as chain letters, junk emails, and broadcasting inappropriate messages to groups and individuals
Standards
It is mandatory that confidentiality agreements be signed and secured from users accessing data which needs to be protected from unauthorized access. Credential strength is used to prevent forgery and fraudulent use. Incorporation of additional authentication factors is necessary for the confidentiality and integrity of information assurance.
Controls
The sensitivity of data within the firm makes password strength important. Information systems, with administrative roles or not, that handle classified data are required to use a minimum of Credential Strength H to mitigate known or unanticipated vulnerabilities.
Workstations
Policies
The intent of this document is to describe the policy under which only authorized end users can have permission to use the organization's workstations.
Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information.
All desktops and company laptops containing sensitive or confidential data must be password protected and have built-in security to protect data.
If an employee loses or damages a workstation, he/she should notify their manager(s), so that it can be reported to law enforcement or be dismantled. This is done so the organization's private information is not left vulnerable to others.
Standards
LAN
Policies
This policy ensures that all resources traveling over a LAN are to be encrypted.
LAN connections are not to be tampered with and are solely used for business purposes within the organization.
The company must be in compliance with DoD Information Assurance Certification and Accreditation.
Standards
When the LAN is being implemented, encryption measures must be established to secure the data in the network. Things like firewalls will be used to filter Web, email, and Telnet traffic.
Controls
Firewalls will block inbound traffic that shows suspicious activity, that is coming from unknown sources, or that comes from the same source as the destination. Router security controls will be in place as a form of security for routers and switches. Wifi security will define the use of wifi on the firm's network. Security assessments will be done every 90 days to determine if security controls are working as configured. Audit events will describe important events that must be audited and reported.
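An added example (not part of the original policy document) that turns the LAN controls above into a screen over constructed inbound-connection records: it blocks traffic whose source equals its destination, traffic from sources outside an assumed known-source list, and Telnet, and it produces the blocked-record list as the audit events the controls call for. The record format, the address ranges and the allowed-port set are assumptions; the check that rejects outside packets claiming an internal source generalizes the same-source rule.

```python
"""Inbound-traffic screen for the LAN controls (added example, constructed data)."""
import ipaddress

# Assumed: the firm's own LAN range and the external networks it has approved.
# Any other external source is treated as an "unknown source".
LAN_NET = ipaddress.ip_network("10.20.0.0/16")
KNOWN_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Standards say Web, email and Telnet are filtered: admit Web and SMTP,
# refuse Telnet (port 23) from outside regardless of source.
ALLOWED_PORTS = {80, 443, 25}
REFUSED_PORTS = {23}


def classify(record: str) -> str:
    """Return 'allow' or 'block: <reason>' for one record '<src_ip> <dst_ip> <dst_port>'."""
    src_s, dst_s, port_s = record.split()
    src = ipaddress.ip_address(src_s)
    dst = ipaddress.ip_address(dst_s)
    port = int(port_s)
    if src == dst:
        return "block: source equals destination (spoofed)"
    if src in LAN_NET:  # generalization: an outside packet must not carry a LAN source
        return "block: inbound packet claims an internal source address"
    if port in REFUSED_PORTS:
        return "block: Telnet not permitted"
    if not any(src in net for net in KNOWN_SOURCES):
        return "block: unknown source"
    if port not in ALLOWED_PORTS:
        return "block: port not permitted"
    return "allow"


def audit(records):
    """Audit events required by the controls: every blocked record with its reason."""
    return [(r, v) for r in records if (v := classify(r)) != "allow"]


# Constructed sample records, one per case the screen handles.
SAMPLE_LOG = [
    "203.0.113.5 10.20.1.10 443",    # known source, Web: allowed
    "10.20.1.10 10.20.1.10 80",      # source equals destination
    "10.20.5.5 10.20.1.10 443",      # internal source arriving from outside
    "203.0.113.5 10.20.1.10 23",     # Telnet from a known source
    "198.51.100.7 10.20.1.10 443",   # unknown source
    "203.0.113.9 10.20.1.10 3389",   # known source, port not permitted
]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_LOG):
        print(f"{record:32} {verdict}")
```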
LAN to WAN
WAN
Policies
This policy is to ensure that data traveling over a wide area network is protected at all times.
Procedures
Unclassified DoD information that has not been cleared for public release may be disseminated by the contractor, grantee, or awardee to the extent required to further the contract, provided that the information is disseminated within the scope of assigned duties and with the clear expectation that confidentiality will be preserved. Examples are: nonpublic information provided to the contractor, information developed during the course of a contract, and privileged information contained in transactions.
Adequate security will vary depending on the nature and sensitivity of the information on any given non-DoD information system. However, all unclassified DoD information in the possession or control of non-DoD entities on non-DoD information systems shall minimally be safeguarded as follows:
a. Do not process unclassified DoD information on publicly available computers (e.g., those available for use by the general public in kiosks or hotel business centers).
b. Protect unclassified DoD information by at least one physical or electronic barrier (e.g., locked container or room, logical authentication or logon procedure) when not under direct individual control of an authorized user.
c. At a minimum, overwrite media that have been used to process unclassified DoD information before external release or disposal.
d. Encrypt all information that has been identified as controlled unclassified information (CUI) when it is stored on mobile computing devices such as laptops and personal digital assistants, compact disks, or authorized removable storage media such as thumb drives and compact disks, using the best encryption technology available to the contractor or teaming partner.
e. Limit transfer of unclassified DoD information to subcontractors or teaming partners with a need to know, and obtain a commitment from them to protect the information they receive to at least the same level of protection as that specified in the contract or other written agreement.
f. Transmit email, text messages, and similar communications containing unclassified DoD information using technology and processes that provide the best level of privacy available, given facilities, conditions, and environment. Examples of recommended technologies or processes include closed networks, virtual private networks, public-key-enabled encryption, and transport layer security (TLS).
g. Encrypt organizational wireless connections and use encrypted wireless connections where available when traveling. If encrypted wireless is not available, encrypt document files (e.g., spreadsheet and word processing files) using at least application-provided password-protected level encryption.
h. Transmit voice and fax transmissions only when there is a reasonable assurance that access is limited to authorized recipients.
i. Do not post unclassified DoD information to web pages that are publicly available or have access limited only by domain or Internet protocol restriction. Such information may be posted to website pages that control access by user identification and password, user certificates, or other technical means and provide protection via use of TLS or other equivalent technologies during transmission. Access control may be provided by the intranet (vice the website itself or the application it hosts).
j. Provide protection against computer network intrusions and data exfiltration, minimally including:
   i. Current and regularly updated malware protection services, e.g., anti-virus, anti-spyware.
   ii. Monitoring and control of both inbound and outbound network traffic (e.g., at the external boundary, sub-networks, individual hosts), including blocking unauthorized ingress, egress, and exfiltration through technologies such as firewalls and router policies, intrusion prevention or detection services, and host-based security services.
   iii. Prompt application of security-relevant software patches, service packs, and hotfixes.
k. Comply with other current Federal and DoD information protection and reporting requirements for specified categories of information (e.g., medical, proprietary, critical program information (CPI), personally identifiable information).
l. Report loss or unauthorized disclosure of unclassified DoD information in accordance with contract, grant, or other legal agreement requirements and mechanisms.
m. Do not use external IT services (e.g., email, content hosting, database, document processing) unless they provide at least the same level of protection as that specified in the contract or other written agreement.
Standards
Incoming and outgoing network traffic are monitored and filtered to limit them to company-related business only. Security tunnels will be set up in all office locations.
Controls
Firewalls are configured to filter everything that is outside of the business network.
Remote Access
Policies
The intent of this policy is to ensure that only authorized users are accessing the company's server remotely. All remote access activity is subject to monitoring to ensure that only company-related business is taking place through an authorized employee account. It is mandatory that the remote access address be kept confidential by employees.
Standards
Monitoring will be mandatory every time a user accesses the system remotely. AUP policies apply to remote access.
Controls
Monitoring software is put in place to prevent human mistakes. This is for reinforcement and for extra protection in case the security department misses an intrusion. VPN tunnels will be initiated for all remote access and will require additional credentials for access to office resources. Employees will be issued a PIN via company email and company phone to be certain of the identity of the employee accessing the network through the tunnel.
System/Applications
DoD 8570 Requirements and Training
The Department of Defense has put together a requirements list for anyone who works in Information