Section Seven: Information Systems Security

Note: All classified markings contained within this presentation are for training purposes only.

Information Systems Security: Why do we need IT security procedures?

• Protect {Company}, U.S. Government Sponsor, industry, and partner information from unauthorized disclosure

• Protect computer systems and networks from unauthorized access/compromise

• Maintain confidentiality, integrity and availability of information and systems

• Provide clear and concise direction to personnel regarding proper methods of protecting information and information systems

• Culpability for cyber security incidents is now a key component of security clearance determinations

Information Systems Security: Common IT Security Incidents

• Malware/Spyware incidents

‒ Most entry points are users unknowingly browsing compromised web sites

• Improper use of IT systems

‒ Connecting personal media (e.g., thumb drives, cameras, cell phones)

‒ Viewing/creating pornography

‒ Visiting inappropriate web sites

‒ Downloading/installing prohibited software

Information Systems Security: Acceptable Use of Information Systems

• {Company} systems are for official use in support of its mission

‒ “Occasional and limited” personal use is acceptable

‒ All electronic information and communications are subject to monitoring

‒ “No expectation of privacy”

• Personnel must

‒ Access “authorized” systems only

‒ Process {Company} data on {Company} systems only

‒ Connect {Company} devices/media to {Company} systems only

• No connecting personal iPods, media players, cameras, disk drives or USB drives

• Data preservation

‒ Intentional alteration or destruction of data, systems, or media is prohibited

‒ System maintenance or upgrades are acceptable

‒ Anti-forensics software is not authorized

‒ Encryption keys must be made available

• Ethical and professional conduct

‒ Prohibited: offensive, harassing, obscene, or threatening communications

‒ Prohibited: violation of copyright laws

‒ Prohibited: visiting inappropriate web sites

‒ Prohibited: commercial or promotional activities

‒ All software must be professional in nature and support {Company} business needs

• Violations will result in management review and possible disciplinary action, up to and including termination


Information Systems Security: Protecting Networks and Information Systems

• Access to {Company} networks and systems requires a background investigation

• Direct dial-in to networked systems is not authorized (e.g., connecting a modem to your desktop)

• All users must lock or log out of a system before leaving it unattended

• Keep antivirus software current

• All external communications must go through the {Company} firewall

• Network bridging is prohibited

‒ Network bridging occurs when a single computer is connected to the {Company} network and to another network at the same time, for example:

‒ Two network cards in use on a single machine (e.g., connections to the Local Area Network (LAN) and an external network simultaneously)

‒ Connecting to a wireless network while connected to the LAN via a wired connection

‒ Using software products that enable remote access to/from {Company} computer systems and the Internet
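As an added example (not part of this training deck), the following Python check parses the text printed by the Linux `ip -o -4 addr show` and `ip -4 route show` commands and flags the bridging conditions listed above: a wired and a wireless interface both holding addresses, and more than one interface carrying a default route. The wireless interface-name prefixes and the sample command output are constructed assumptions.

```python
"""Network-bridging check for a Linux host (added example, not from the training deck).

Flags the bridging conditions the policy describes: a wireless and a wired
interface both carrying addresses, and more than one interface holding a
default route. Wireless name prefixes and sample outputs are assumptions.
"""
import re
import subprocess

# Assumption: typical Linux wireless interface naming.
WIRELESS_PREFIXES = ("wlan", "wlp", "wlx", "wifi")

# Constructed sample: wired eth0 on the LAN plus wlan0 on a home/guest network.
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.40/24 brd 10.20.30.255 scope global dynamic eth0\\       valid_lft 85000sec preferred_lft 85000sec
3: wlan0    inet 192.168.1.57/24 brd 192.168.1.255 scope global dynamic wlan0\\       valid_lft 3500sec preferred_lft 3500sec
"""
SAMPLE_ROUTE = """\
default via 10.20.30.1 dev eth0 proto dhcp metric 100
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.30.0/24 dev eth0 proto kernel scope link src 10.20.30.40 metric 100
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57 metric 600
"""

# Constructed sample: the same host with only the wired LAN connection.
SAMPLE_ADDR_CLEAN = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.20.30.40/24 brd 10.20.30.255 scope global dynamic eth0\\       valid_lft 85000sec preferred_lft 85000sec
"""
SAMPLE_ROUTE_CLEAN = """\
default via 10.20.30.1 dev eth0 proto dhcp metric 100
10.20.30.0/24 dev eth0 proto kernel scope link src 10.20.30.40 metric 100
"""

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")
ROUTE_RE = re.compile(r"^default\s+via\s+\S+\s+dev\s+(\S+)")


def active_interfaces(addr_output):
    """Map interface name -> IPv4 address/prefix for every non-loopback interface with an address."""
    ifaces = {}
    for line in addr_output.splitlines():
        m = ADDR_RE.match(line)
        if m and m.group(1) != "lo":
            ifaces[m.group(1)] = m.group(2)
    return ifaces


def default_route_devs(route_output):
    """List the interfaces that carry a default route, in the order printed."""
    devs = []
    for line in route_output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            devs.append(m.group(1))
    return devs


def check_bridging(addr_output, route_output):
    """Return a list of findings; an empty list means no bridging condition was seen."""
    ifaces = active_interfaces(addr_output)
    defaults = default_route_devs(route_output)
    wireless = sorted(i for i in ifaces if i.startswith(WIRELESS_PREFIXES))
    wired = sorted(i for i in ifaces if i not in wireless)
    findings = []
    if len(defaults) > 1:
        findings.append("multiple default routes via " + ", ".join(defaults))
    if wired and wireless:
        findings.append("wired (%s) and wireless (%s) up together"
                        % (", ".join(wired), ", ".join(wireless)))
    elif len(ifaces) > 1:
        # Two addressed NICs with no wireless: still review (could be LAN + external link).
        findings.append("more than one addressed interface: " + ", ".join(sorted(ifaces)))
    return findings


def check_local_host():
    """Run the check against the live host; needs iproute2 (Linux)."""
    addr = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout
    route = subprocess.run(["ip", "-4", "route", "show"],
                           capture_output=True, text=True, check=True).stdout
    return check_bridging(addr, route)


if __name__ == "__main__":
    for finding in check_bridging(SAMPLE_ADDR, SAMPLE_ROUTE):
        print("BRIDGING:", finding)
```

An approved VPN tunnel interface (for example `tun0`) or a container bridge also shows up as a second addressed interface, so the "more than one addressed interface" finding is a prompt for review rather than proof of a violation; the wired-plus-wireless and double-default-route findings are the ones that match the prohibited configurations directly.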

Information Systems Security: Classified Information Systems

• Classified information systems (IS) must be certified and accredited through the Security Department before use

‒ Systems must be labeled with the highest classification level that can be processed on them

• All users of a classified IS must know:

‒ The programs (contracts) authorized for processing

‒ The highest level of classified information which can be processed

‒ That passwords for a system must be protected at the same level as the system they are used for

‒ Hard copy and media handling and marking procedures

‒ The required notifications to be made prior to any hardware, software, location, or security-relevant configuration changes

• No classified processing on unclassified systems

• Timing is a critical factor if suspected or actual classified contamination occurs

‒ Immediate reporting limits further distribution and the resulting costs

Information Systems Security: Remote Access to Networks and Information Systems

• Remote access to classified systems is prohibited unless documented and approved

• Remote access to unclassified systems requires (tailor to your facility policy):

‒ Department of Defense (DoD) security clearance

‒ {Company}-owned equipment only

‒ Two-factor authentication

‒ One-time passwords

‒ Virtual Private Network (VPN)

‒ Personal firewall solution

Information Systems Security: Disposition of Computers

• Decommissioned or unused equipment must be returned to the Security Department to

‒ Ensure system hard drives are overwritten, degaussed, or destroyed

‒ Ensure no media is left in the systems

Information Systems Security: Wireless Technology

• Wireless devices are prohibited in all areas processing classified data and must be disabled during classified discussions, briefings and presentations

• No wireless device usage within 10 ft (3 m) of Secure Areas

• Any wireless device accessing {Company} networks or processing its information must be {Company}-owned

• Bluetooth may not be used at any time while at the facility

‒ Exceptions: mice or pointers used to advance slides

• Personal cell phones are permitted in the unclassified areas of the facility with specified restrictions

• The introduction of wireless devices by external personnel and visitors is restricted

• Users should exercise professional behavior when using authorized wireless devices

Information Systems Security: Camera Uses and Restrictions

• Embedded cameras

‒ Can be carried by employees and “cleared” visitors

‒ Prohibited for foreign nationals

‒ Camera functionality cannot be used on {Company} property

• Standalone cameras

‒ {Company}-owned only

‒ DoD clearance required

• Personally owned cameras

‒ Prohibited from {Company} facilities

• Camera use within {Company} is audited periodically by the Security Department