LANDWARNET 2011
AMERICA’S ARMY: THE STRENGTH OF THE NATION
UNCLASSIFIED
Meeting and Sustaining the Standard
US Army IA Compliance Inspection
Information Exchange Forum
Sessions: 1 and 3
IEF IA
LTC Rob Turk
U.S. Army Inspector General Agency (USAIGA)
• Purpose
• DAIG Information Assurance Mission
• Information Assurance Actions
• What does DAIG IA Inspect? Army IA Functional Areas
• Information Assurance Take-Aways
• Panel Member Introduction
• Forum Discussion/Question and Answer Period
• Closing
IEF Sessions: 1 and 3, USAIGA, 2011-08-23 // LWN11_IA_DAIG IA Compliance.pptx
To provide insights from the Department of the Army Inspector General Information Assurance Team and organizations that have met the standard the last two years
IA Establishment: 12 May 2005, the CSA directs The Inspector General (TIG) to establish an Information Assurance (IA) Inspection Division to conduct cyclical IA compliance inspections across the Army (Active, Guard and Reserve).
The purpose of IA Inspections:
• Measure level of deviation from established Army IA policies, regulations, doctrine, and procedures (compliance)
• Identify systemic IA problems, determine root causes, develop recommendations, and fix responsibilities for corrective action
Information Assurance Inspections conducted:
• 74 inspections from FY 08 to 1 Aug 11 (57 Active, 12 ARNG, 3 USAR, 2 MWR)
• Fiscal Year Annual Army Information Assurance (IA) Reports published (FY 08, 09 and 10 (Trends and Recommendations))
BLUF: DAIG IA Division is the eyes and ears for Army Senior Leaders in evaluating the Army’s IA posture IAW Army CIO/G-6 IA checklist, regulations, and policy
Information Assurance key insights:
- Establish command/leadership accountability
- Establish the need for continuous oversight (Command Channels)
- Formalize an acceptable level of risk/compliance for existing IA policies and standards
VCSA action Memorandum to Commanders (28 Nov 10)
Subject: Commander and Leader Responsibilities for Information Assurance Capabilities and Standards Enforcement
The VCSA memo directed:
• Army CIO/G-6 & the CDR, ARCYBER to review & improve, where necessary, IA processes/policies
• CDR, ARCYBER to monitor & assist commanders in the enforcement of IA compliance
• Senior Installation Commanders are responsible for their organization’s complying with the Army Information Assurance Program
• Commanders (Brigade equivalent and higher) will assess their organization’s IA program using the Army IA Self-Assessment Tool
• Every organization will incorporate IA into its organizational inspection program at all levels
Army Focus Areas are those that pose a significant risk to the Army LandWarNet
(Army IA Functional Areas and Army Focus Areas are established by Army CIO/G-6)
Inspection Breakout (FY 08-11)
Type    Qty
AC      57
ARNG    12
USAR    3
MWR     2
Total   74
Checklist Functional Areas Army Focus Areas
1. Incident Handling
2. IA Training and Certification
3. IA Vulnerability Management (IAVM)
4. IA Program Management
5. Public Key Infrastructure (PKI)
6. Certification and Accreditation
7. Contingency Planning
8. Wireless Security
9. Portable Electronic Device (PED)
10. Army Web Risk Content Management
11. Personally Identifiable Information (PII)
12. Minimum IA Technical Requirements
13. Classified Systems Management
14. Physical Security
Accountability: Information Assurance requires Command/Leader accountability and oversight in order to protect and defend operational information
Self Assessment: Conduct an honest self assessment – develop realistic goals and empower subordinates
Standard: Be willing to make hard decisions – enforce the standard; otherwise you allow deviations to become the new baseline
Assets: Ensure assets are configured IAW current DISA STIGs (to include manual checks)
PII: Complete your PII assessment (DD Form 2930, Privacy Impact Assessments) and coordinate with your customer organizations
Audits: Conduct full audit scans and review audit logs - Retina/Q-Tip scans – all assets, vulnerabilities (conduct one week prior to inspection)
Document: Document your internal and command-wide procedures
Record: Establish a formal record retention program (hard drive and media destruction, wireless scanning/war driving (5 yrs / 1 yr))
Identify: IT Contingency alternate site and document the results from the last contingency plan exercise
Develop: Build the IT Contingency Plan around supporting mission essential services
Ensure:
- POA&M for all past due IAVAs are entered into NETCROP or VMS
- Waivers are submitted for all deviations from the AGM and/or DISA STIGS
- Incident Response Plans are complete and personnel are trained
- Webmaster, OPSEC & PAO are trained in OPSEC WEB content vulnerability and web risk assessment training
- Marking and labeling of media and peripheral devices are completed
- Wireless security - complete scans (war drive, protocol analysis) are done
- Register and track all IA Workforce personnel in ATCTS
Verify: SF700, SF701 forms are properly filled out (Safes/offices)
A vulnerability allowed by one is a vulnerability assumed by all!
Panel Member Introduction
Forum Discussion/Question and Answer Period
DAIG AKO Portal: https://www.us.army.mil/suite/page/475521
DAIG Office Phone Number
Commercial: (703) 545-4398
DSN: 865-4398