Information systems allow businesses to increase work productivity at blinding speeds. Documents, images, and media can be duplicated, printed, emailed and faxed much quicker than technology allowed just a few years ago. The lightening fast capabilities enable enterprises to perform on contracts more efficiently and in less time. However, because of fast distribution and processing speeds, measures must be in place to prevent unauthorized disclosure, spillage and compromise of classified information.
As with protecting physical classified properties, information systems and their products must also be safeguarded at the appropriate level. Primarily classified processing is conducted in controlled areas. Computers used for uploading, storing, processing, disseminating, printing and other functions are protected at the level of the information being worked. These protection levels include creating an environment where users of Information Systems (IS) understand the policies, threat, and their role in enforcing security measures.
Know your NISPOM
The safeguarding of the IS should reflect compliance with the National Industrial Security Operating Manual (NISPOM) as well as the results of thorough risk management. The security manager’s responsibility is not only to look at the effectiveness of protection measures as they relate to the computer or system, but as it affects the mission and national security. As the senior security professional, the Facility Security Officer (FSO) should involve senior officers to take part in the strategic risk management. This management cooperation ensures the enterprise’s vision incorporates the protection of classified information. In such an environment FSOs, industrial security specialists and others in a security discipline provide proactive measures.
The NISPOM describes roles of key control custodians as they maintain accountability of combinations, locks and keys used in the storage of classified material. In the same way, an IS administrator controls the authentication and identification and ensures measures are in place for the proper access of the classified information stored or processed on the computer system or network. The authentication, user identification and logon information acts as “keys” controlling access to classified information on the system. Without the strict control, there is no way to prevent unauthorized persons from getting to the data stored in computers or components.
Proper Clearance and Need to Know
All information regarding authentication must be restricted to only those with the proper clearance and need to know. Each user should have the ability to access only the data authorized. The segregation of access and need to know can be affected on either individual systems or components or an entire system capable of allowing access to many user levels. The Information System Security Manager (ISSM) or Information Security Officer (ISSO) can protect the authentication data by making it unreadable or simply controlling the file access. This system is the same theory as controlling access to security combinations and storing them in a security container affording the proper level of protection.
Just as combinations and keys are rotated and changed during certain events, user identification, removal and revalidation must also be in place. These similar measured are used to ensure the proper users have access and deny access to those who have lost their clearance or need to know, changed jobs or otherwise no longer require access to the IS. Each authorized user identification procedure is revalidated at least yearly for those who still require access. Authenticators such as the keys, passwords and smartcards, must be protected at the highest classification level needed.
Protect Passwords and Physical Access
Passwords must be protected at the level of classification of the data stored or processed by the IS. If an information system is configured to process SECRET information, then the password is also classified SECRET. It cannot be stored in a phone, personal data assistant, or otherwise written down unless stored in a security container. According to the NISPOM the password must be at least eight characters long and generated by an approved method. This approval is based on length of password, structure and size of password space as described in the System Security Plan designed by the ISSM. The passwords are changed annually and those passwords pre-installed in software and operating systems must be replaced before users can access the IS.
Physical access is controlled to prevent unauthorized personnel from obtaining and or compromising classified material. This also applies during maintenance operations. Information systems may require repair, upgrades and other maintenance that may not be performed by the ISSM or ISSO. When necessary and available, maintenance should be performed by cleared personnel with need to know or at least with an ability to control the need to know. This is the least risky of all options as a technically knowledgeable employee can escort and monitor the repairs and ensure security processes are in place.
In many cases maintenance personnel without security clearances or if they do have clearances, are not cleared to the level of IS classification. They are not employees of the company and do not have the need to know. These maintenance professionals must be U.S. citizens and be escorted. The escort conducts all login and logoff and remove all classified data and media to deny access to the unauthorized repair persons. These controls prevent the un-cleared persons from gaining access to passwords, authentications and classified data. They are only allowed to work on the system after system access is granted. The system is similar to opening a combination and removing contents of a security container prior to granting authorization for a locksmith to make repairs.