EXECUTIVE SUMMARY
The Systems Security Policy (SSP) identifies security objectives, defines roles and responsibilities, prescribes network security measures, identifies contingency and emergency plans, specifies training requirements, and establishes incident and vulnerability reporting.
When a facility has appropriate security measures implemented, it has enhanced protection from unauthorized personnel, destruction by malicious users, and ensures incidents caused by technical vulnerabilities are held to a minimum, thus reducing risks and vulnerabilities.
This security policy requires certain security measures to ensure data confidentiality, integrity, non-repudiation, and information assurance. It provides minimum-security measures for computer systems, and for systems interfacing with Coast Guard networks.
This security policy describes ideal requirements and realistic guidelines for security management. All areas of non-compliance must be documented as weaknesses in the organizational risk assessment and noted in any certification presented to the Approval Authority (AO) for accreditation. Non-compliance does not automatically preclude accreditation, but all reasonable measures must be implemented.
Failure to comply may constitute grounds for the termination of Authority to Operate (ATO) granted by the Approval Authority (AO) and this termination could remain in effect until corrective actions have been taken and approved by the AO Office.
This SSP is based on Coast Guard, Department of Homeland Security and Department of Defense directives and publications.
System Identification
The Systems Security Policy (SSP) provides an overview of security requirements for United States Coast Guard (USCG) Command, Control and Computers Engineering Center (C3CEN) located on USCG Base Portsmouth, Portsmouth, VA and identifies information security objectives, defines roles and responsibilities, prescribes network security measures, identifies contingency and emergency plans, specifies training requirements, and establishes incident and vulnerability reporting.
When a network has appropriate security measures implemented, it has enhanced protection from unauthorized personnel, destruction by malicious users, and ensures incidents caused by technical vulnerabilities are held to a minimum, thus reducing risks and vulnerabilities.
1.1 Purpose
This policy provides procedures, standards, and guidance for implementing the security program for C3CEN.
1.2 Network Security
All systems shall meet the Department of Homeland Security (DHS) Management Directive MD 140-01, Information Technology Systems Security, July 31, 2007, shall be maintained with tight configuration control, and shall be supported by the current Coast Guard support structure augmented with contractor and uniformed personnel.
The safeguarding of this infrastructure against sabotage, tampering, denial of service, espionage, fraud, misappropriation, misuse, or release to unauthorized persons shall be accomplished through the continuous employment of safeguards consisting of administrative, procedural, physical and/or environmental, personnel, communications security, emanations security, and computer security (i.e., hardware, firmware, and software), as required. The mix of safeguards selected shall achieve the requisite level of security or protection and shall be approved by the Approval Authority (AO). This policy establishes responsibilities for acquiring, operating, managing, and protecting the Local and Wide Area Networks.
This System Security Policy (SSP) requires certain security measures to ensure data confidentiality, integrity, non-repudiation, and information assurance.
1.3 Scope
This policy applies to all systems within C3CEN, and to all persons authorized access to Coast Guard information systems and electronic information; this includes employees, contractors, consultants, auxiliaries, and other service personnel.
1.4 Information Classification
The Coast Guard One network (CGOne) and all peripheral systems and hardware are sensitive but unclassified systems and shall not be used to process any information higher than the unclassified classification.
SYSTEM ATTRIBUTES
1.5 Confidentiality, Integrity, Availability and Accountability
The primary objective of the SSP is to address requirements, provide data integrity, and ensure continuity of service for the CGOne network at C3CEN.
1.5.1 Confidentiality
All users of the CGOne have the responsibility to protect data from disclosure to unauthorized individuals or entities, regardless of the form of data, e.g., electronic, magnetic, hard copy, etc. Assurances must be in place that data processed within the CGOne network is available only to individuals having the need to know.
1.5.2 Integrity
All users of the CGOne network require system integrity (the ability to function unimpaired, free from deliberate or inadvertent unauthorized manipulation) and data integrity (i.e., data represents correct information).
1.5.3 Accountability
Administrative support personnel must have the ability to identify, verify, and trace system entities and to verify that changes in status are initiated by and traceable to authorized users. Accountability includes authentication and non-repudiation. An identification and authentication procedure is utilized to include auditing that ensures user and systems accountability.
1.5.4 User Training
Provide and require initial Information Assurance (IA) indoctrination prior to the creation of a workstation user account. Upon completion of the new users account, the user is required to complete the mandated Federal Cyber Awareness Challenge and digitally accept the Automated Information Systems (AIS) User Acknowledgement within 96 hours of initial network access. All CGOne users are then required to complete this training annually.
1.5.5 Access
Prior to being granted access to the CGOne network and connected workstations, the following minimum requirements must be met:
- Must have completed the mandated Federal Cyber Awareness Challenge.
- Must possess a Common Access Card (CAC).
- Must have a need to know.
1.5.6 Configuration Management
The Configuration Management (CM) Team provides C3CEN with support in complying with the requirements for CM provided by COMDTINST 4130.6B, Coast Guard Configuration Management Policy and COMDTINST 5230.69, Command, Control, Communications, Computers, and Information Technology (C4&IT) Configuration Management Policy including baseline auditing and control and change management of organizational configuration items.
1.6 Emergency Planning
Plan for contingency and emergency situations. Ensure that written plans and procedures are in place and that these procedures are tested periodically. Procedures and policies must be in place for full and incremental backups, backup storage on-site, and off-site storage of contingency backup tapes.
1.6.1 Vulnerability Reporting
Follow procedures for incident and vulnerability reporting outlined in COMDTINST M5500.13 (series) Automated Information System (AIS) Security Manual. Vulnerabilities shall be reported to the ISSO who will then report to the Coast Guard AO, TISCOM Certification Authority and the CG Computer Incident Response Team (CGCIRT) as appropriate.
AUTHORITY AND RESPONSIBILITY
All personnel associated with C3CEN and, support, or use, are responsible to protect information stored or processed on the system. Safeguarding sensitive, proprietary, and valuable information within these systems is becoming more and more difficult as computer systems evolve and the networks that connect them grow in reach and capability. While networks and systems become more powerful and capable, outside threats have become more sophisticated and malevolent.
1.7 Enterprise Management
C3CEN’s ISSO will maintain risk analysis documentation that will include:
a) Network risks and weaknesses.
b) Security Test and Evaluation results.
c) Configuration Management Plan and drawings.
d) Memoranda of Agreement for network support, use, or other arrangement with another unit or agency.
e) AO accreditation.
f) Network security and operational procedures.
g) Acceptable use policy.
h) Recovery plan.
i) Contingency plan.
j) Backup Plan.
1.8 Security Positions and Responsibilities
The C3CEN accreditation strategy is based on Risk Management Framework and the Research, Development, Test and Evaluation Overlay. These directives specify the process used and the documentation required for the AO to grant approval to operate.
1.8.1 Information Systems Security Assistant
The ISSA is the organizational commanding officers representative for all issues relating to the security of the CGOne network within C3CEN. Their responsibilities are as follows:
a) Act as the focal point for all CGOne access and security matters.
b) Maintain an inventory of systems and components connected to the CGOne network.
c) Assist the ISSO in collecting and maintaining the Command CGOne Accreditation documentation.
d) Promptly report all information system security violations to the Commanding Officer and District ISSO.
1.8.2 System Administrators
Systems Administrators implement network security policies and directives. They provide proactive security functions to deter, isolate, contain and recover from information system incidents. As such, they perform the following duties:
a) Assist the ISSO and CA in collecting accreditation information for the CGOne network.
b) Maintain historical documentation of the CGOne network and connected systems.
c) Identify weak configurations and security holes by auditing and monitoring events occurring on the network.
d) Monitor server audit logs for security violations and misuse.
e) Maintain automated security incident historical transaction logs.
f) Establish permissions on shared programs or files.
g) Not assign domain administration privileges to their regular user account.
h) Ensure that measures are in place to control access to CGOne based on the users access approval and need to know.
i) Maintain all information systems that process classified and critical information according to configuration management guidelines.
j) Develop local procedures to report and respond to computer security and virus incidents. Works with the ISSO and CGCIRT to identify internal actions such as local reporting channels, criteria for determining who is notified, etc.
k) Review CGCIRT advisories. Implements Information Assurance Vulnerability Alerts (IAVAs) when directed and reviews Information Assurance Vulnerability Bulletins (IAVBs).
l) Assist the ISSO, CA and AO with certification and accreditation efforts.
m) Implement currently required INFOCON measures.
1.8.3 Computer/Network Users
A “user” of an information system is anyone who can receive, enter, or manipulate information in the system directly. A user may, for example, read, create, modify, move, or print files using the system. Users are responsible for protecting computer system resources and information.
User responsibilities include the following:
a) Use the system in accordance with applicable operating instructions and security regulations.
b) Use the system only for official and authorized uses.
c) Access only the data, control information, software, hardware, and firmware for which they are authorized access and have a need-to-know, and assume only those roles and privileges for which they are authorized.
d) Report immediately to the unit ISSO and SMO all security incidents and potential threats and vulnerabilities affecting the system.
e) Adhere to established password policies.
f) Ensure that system media and system output are properly classified, marked, controlled, and stored in accordance with COMDTINST 5510.23, “Classified Information Management Program.”
g) Protect workstations and other system devices from unauthorized access or viewing
h) Inform the System Administrator when access to the system is no longer required (e.g., project completion, transfer, retirement, or resignation).
i) The CGOne network is approved for information classified Sensitive But Unclassified. Under no circumstances shall Secret or special access information information be processed. A user who discovers such data on the system is required to report it to the Command Security Officer (CSO), Special Security Officer and ISSO as appropriate.
j) All output products must be properly marked, handled and controlled.
k) Although C3CEN is in a secure building, users should not have a false belief that viruses and malicious code do not exist. Any files that are received from other users or domains should be scanned for viruses before being opened.
SYSTEM SECURITY REQUIREMENTS
The requirements written in this document constitute the minimum set of security practices, procedures, and measures required to create, store, and use sensitive or critical data, information, or equipment. These practices cannot be revised or modified to suit programmatic, environmental or system considerations but should be considered the minimum-security requirements.
1.9 Discretionary Access Control
Discretionary Access Controls (DAC) are those controls not based on the policies of the operating system and are developed locally to ensure that only those individuals and organizations with a “Need-to-know” have access to information contained within the CGOne network. It’s based on the least privileges required to complete tasks assigned.
Discretionary access controls can extend beyond limiting which user's can gain what type of access to which objects. Administrators can limit access to certain times of the day/days of the week. Such a limitation is designed to ensure that access takes place only during the normal duty day and discourages unauthorized use of data. Further, user's’ rights to access might be suspended when they are on vacation or leave of absence. When users leave an organization altogether, their rights must be terminated rather than merely suspended. Discretionary Access Control on a file defines the permissible access to it by its owner, the owner's group, and all others.
Discretionary access controls provide finer access granularity. These permissions should be assigned based on logical groupings of data according to the needs of a set of commands and administrators.
1.10 Procedural Security
Protection of computer systems and information processed by those systems is provided through procedural security that exist both externally and internally.
1.10.1 Reporting Security Incidents and Violations
- A security incidentis any event that results from failure to comply with published security policies and procedures. Security incidents include, but are not limited to abuse and/or misuse (forwarding of chain E-mail such as letters or virus hoaxes, transmission of inappropriate jokes or material, accessing inappropriate web sites, use of government systems for private financial gain), suspected or actual compromise of sensitive information; intentional and unauthorized modification of systems or applications; waste, fraud, loss or damage of property or information, and computer viruses. Incidents of loss, theft or damage to computer equipment, software, and data, or attempts to access sensitive information by persons not properly identified or authorized must be reported to your local ISSO in a timely manner. The ISSO will in turn document the incident(s) and coordinate investigations with the AISSM and/or Security Manager as required.
- Upon discovery or notification of a security incident (significant misuse/abuse of the system and resources, compromise of classified information, intentional malicious actions, significant or new computer viruses, etc.), the ISSO and AISSM shall be notified. If the incident potentially affects the entire Coast Guard network, guidance from CGCIRT in evaluating the incident and making possible modifications to the Coast Guard-wide system to preclude future incidents shall be sought
- In all cases of misuse/abuse, that individual’s supervisor, Executive Officer, or Commanding Officer/Officer-in-Charge shall be notified. Incidents that seriously violate published rules and regulations may be referred to the Coast Guard Investigative Service (CGIS) for further investigation.
1.11 Physical Security
Physical security and environmental control shall be used to provide an acceptable level of security to this and all information systems. All security violations with regards to physical security must be forwarded to ISSO ensuring that all lines of communication remain fluid. This will provide for increased security awareness and reduce security incidents.
Individuals are the most important part of any security program. Each person can enhance the physical security of these systems by:
a) Challenging unknown personnel in your workplace or computer area.
b) Never leaving an active terminal unattended (lock the workstation when not in the immediate vicinity).
c) Logging out when leaving for the day (this also ensures central files are backed up regularly).
d) Not tampering with or alter hardware.
e) DO NOT eat or drink near computer equipment or media
1.11.1 Physical Protection Measures
The use of physical protection measures such as construction methods and techniques, alarms, and fire suppression systems protect C3CEN and the CGOne network from both human and environmental hazards.
1.11.2 Environmental
Protect hardware, firmware, software, and storage media against environmental threats. Include support utilities.
Electrical Power - For critical system components isolated and conditioned power supplies must be installed. Emergency generator power should be available with automatic transfer. Where appropriate in other locations, uninterruptible power supplies are installed. Surge protectors, not just multi-plug power strips, are installed to protect microcomputers and other sensitive equipment.
Temperature and Humidity - Temperature and humidity are monitored and maintained in accordance with General Services Administration (GSA) maintenance procedures and manufacturer’s specifications.
Hazards - Protect computer centers by filters within the air circulation and cooling systems. Coast Guard personnel are trained to avoid and eliminate hazards from static electricity, magnets, and magnetic fields. Eating and drinking close to critical equipment is prohibited.
Natural Disasters - While little can be done to preclude threats from natural events, plans and procedures required by COMDTINST 3010.15, Continuity of Operations, Policy and Planning could greatly reduce potential damage. The local Continuity of Operations plan must address actions required when earthquakes, floods, fire, electrical storms, and other disasters threaten or affect facilities.
1.11.3 Personnel Security
The personnel security requirements of the Military Personnel Security Program Manual, COMDTINST M5520.12 (series) and for civilian employees DOT Personnel Security Management Program Handbook shall be followed. Personnel security procedures provide effective management oversight, provide supervision of computer system personnel, and ensure employment of authorized, responsible, and trustworthy personnel. Personnel must have the proper need to know before they access classified or sensitive unclassified information. The term “Need to know” refers to an individual’s requirement for access to, knowledge of, or to possess classified information in the performance of their official duties. Actions to take include:
a) Screening, monitoring, and controlling personnel assigned duties that involve access to classified systems and data,
b) The Command Security Officer administers reporting procedures for unfavorable information or personnel actions,
c) Reporting potential, suspected, or actual security incidents that are human oriented,
d) Ensuring assigned personnel meet personal standards of conduct. Specific programs include Privacy Act; Fraud, Waste, and Abuse; and the Coast Guard Standards of Conduct.
1.11.4 Information Security (INFOSEC)
The INFOSEC requirements of COMDTINST M5500.13 (series) must be followed. It is the user’s responsibility to ensure that no information other than that approved for CGOne is processed on the network. Further, actions used to safeguard sensitive information include:
a) Supervise and audit system use by authorized users and operators,
b) Preserve password confidentiality through effective password management procedures.
c) Report potential, suspected, or actual security vulnerabilities or incidents.
d) Train operators and users in the practices and precautions necessary to establish and maintain a secure operating environment.
1.12 Operations Security (OPSEC)
1.12.1 General
OPSEC is the discipline that denies information to people observing external computer system routines. They can infer from non-routine operations that something special is about to happen. Computer system operators can achieve OPSEC program objectives by identifying, controlling, and protecting indicators associated with processing sensitive information and running critical processes. Users must remain aware of visitors to their office areas especially when discussing or processing classified information. Monitors must not be oriented so that they are not viewable from windows or doorways in un-secure areas. There is no expectation of privacy while
Find Out How UKEssays.com Can Help You!
Our academic experts are ready and waiting to assist with any writing project you may have. From simple essay plans, through to full dissertations, you can guarantee we have a service perfectly matched to your needs.
View our academic writing services
1.12.2 Information System and Information Integrity
All parts of the system (hardware, software, firmware, processes, data, documentation, etc…) are protected in a verifiable manner against tampering, loss, or destruction throughout their lifetime. Security software, (e.g., firewalls, guards, etc…) and security related software patches are not made operational until successful testing by the appropriate organization is conducted. All security related alert recommendations (e.g., from CGCyber) are followed as soon as possible.
1.12.3 Configuration Management
Use rigorous configuration management of all hardware. Configuration Management (CM) is concerned with maintaining an accountable inventory of all media, hardware, and configuration baselines loaded on the system. Proper CM processes provide for documented accountability of installed systems. Current CM also helps track those software segments installed that may be used in determining a current IA posture of the system.
1.13 Software Security
Software security requirements include controls to protect software from compromise, subversion, or unauthorized manipulation.
Software security also includes measures to protect computer systems from malicious logic and other security hazards introduced by unauthorized software. Software license or copyright restrictions must also be observed to protect the Government from legal liability. The following software security measures must also be implemented:
- Strictly observe security procedures.
- Certify all software prior to installation and use on an operational accredited system and ensure AO approval is granted.
- Enforce individual accountability through the establishment, distribution, use, and confidentiality of passwords, login sequences, and other authentication methods.
- Use audit trails to track all events on the network/computer system. An important part of this method is systematically reviewing audit trail records.
- A record of any installed software shall be maintained.
- All software must be scanned for viruses and other malicious logic prior to installation.
- Software must be used within the constraints of the license or copyright agreement.
- Establish an effective program to control the use of computer security features, functions, and techniques.
- Control software at the highest level of information or aggregation of information processed or derived from the software.
- Exercise strict configuration management controls on all software to ensure its trustworthiness.
1.13.1 User-Developed Software
User-developed software is strictly prohibited.
References
- Coast Guard System Security Plan Template
- COMDTINST 3010.15, Continuity of Operations, Policy and Planning
- COMDTINST 4130.6B, Coast Guard Configuration Management Policy
- COMDTINST 5230.69, Command, Control, Communications, Computers, and Information Technology (C4&IT) Configuration Management Policy
- COMDTINST 5510.23, Classified Information Management Program
- COMDTINST M5500.13, Automated Information System (AIS) Security Manual
- COMDTINST M5520.12, Military Personnel Security Program Manual
- Department of Homeland Security (DHS) Management Directive MD 140-01, Information Technology Systems Security, July 31, 2007
- DOT Personnel Security Management Program Handbook
- Risk Management Framework and the Research, Development, Test and Evaluation Overlay
Cite This Work
To export a reference to this article please select a referencing style below: