
Department of the Interior

Departmental Manual

Effective Date: 7/22/97

Series: Information Resources Management

Part 375: IRM Program Management

Chapter 19: Information Technology Security

Originating Office: Office of Information Resources Management

375 DM 19

19.1 Purpose. This chapter establishes responsibilities, policies, procedures, and minimum requirements for the development, implementation, and maintenance of an information technology (IT) security program for the Department of the Interior.

19.2 Authority.

A. This chapter implements guidance published in: OMB Circular No. A-130, Management of Federal Information Resources; the National Institute of Standards and Technology's (NIST) Federal Information Processing Standards Publications (FIPS PUBS) addressing IT security; NIST Special Publication 800-12, "An Introduction to Computer Security: The NIST Handbook"; the National Archives and Records Administration's regulations on records management; and the Office of Personnel Management's (OPM) guidance on personnel security as they relate to IT resources.

B. The above Federal guidance implements numerous laws addressing IT-security-related issues. These laws include the Federal Records Act of 1950 as amended, the Privacy Act of 1974, the Freedom of Information Act, as amended (5 U.S.C. 552), the Paperwork Reduction Act (44 U.S.C. Chapter 35), the Computer Fraud and Abuse Act of 1986, the Computer Security Act of 1987, and the Information Technology Management Reform Act of 1996.

19.3 Scope.

A. This chapter applies to all Department of the Interior bureaus and offices and their employees. It also applies to the personnel and facilities of contractors and other organizations providing IT resources support to the Department.

B. The provisions of this chapter apply to the protection of:

(1) All IT resources and supporting IT facilities and equipment of the Department whether sensitive or not;

(2) IT general support systems and major applications used in the collection, processing, storage, communication, and retrieval of sensitive information and sensitive electronic records;

(3) Other technical systems, such as supervisory process control systems (except those identified in the Department of Defense Authorization Act of 1982);

(4) The processes, procedures, software, and automated systems involved in activities numbered 19.3B(1) through (3) above; and

(5) Personnel involved in any phase of the life cycle (i.e., planning, creating, implementing, and maintaining) of an IT system or who come in contact with automated information, as described in 19.3B(1) above.

C. This chapter does not apply to national security information.

19.4 Policy. It is the policy of the Department of the Interior that bureaus implement and maintain a program to assure that adequate security is provided for all Departmental information collected, processed, transmitted, stored, or disseminated in general support systems and major applications. Each bureau's program shall implement policies, standards and procedures which are consistent with government-wide policies, standards, and procedures issued by the Office of Management and Budget, the Department of Commerce, the General Services Administration, and the Office of Personnel Management. Violations of Federal and Departmental regulations pertaining to IT resources security will result in appropriate administrative, disciplinary, or legal action against the violators. At a minimum, bureau programs shall include the following controls in their general support systems and major applications:

A. Assigning Responsibility. OMB Circular A-130, Appendix III requires that a single individual be assigned operational responsibility for IT security. The individual must be knowledgeable about the IT resources used and how to secure them. For major applications, the assigned individual must be able to give special management attention to the security of the application.

B. Security Planning. In accordance with the requirements of the Computer Security Act of 1987, security plans must be developed for all Federal computer systems containing sensitive information. Good security planning is essential, but it must be more than simply the generation of a review paper. OMB Circular A-130, Appendix III prescribes a series of specific planning activities rather than a theoretical framework. The activities include the development of rules, security training, and the implementation of operational, management, and technical controls. Plans for major applications should be reviewed by the manager of the primary support system which the application uses. Plans for general support systems and major applications should have independent reviews before the plans are implemented. Computer security plans for sensitive systems are sensitive and should be handled appropriately.

C. Review of Controls. The security of a system or application degrades over time, as the technology evolves and as staffing and procedures change. Bureaus should use security reviews to assure that management, operational, and technical controls are appropriate and functioning effectively. These review requirements are much broader than the certification review required under previous policies. The security plan should be the basis for the review. For major applications, reviews must include an independent review or audit. (Independent audits can be internal or external but should be performed by someone free from personal and external constraints which could impair their independence.)

D. Authorization. The authorization of a system to process information, granted by a management official, provides an important quality control. By authorizing processing of a system or application, a manager accepts the associated risk. The authorization, often referred to as an accreditation, should be based on guidance in FIPS PUB 102, "Guideline for Computer Security Certification and Accreditation" and on the review of controls. The authorization of a major application will generally occur at a very high managerial level.

E. Rules. Bureaus are required to develop security rules. Rules are the same as system-specific policy. They are the decisions made about security-related options and required trade-offs, since all desired security objectives will probably not be achievable. The system-specific policy, stated as operational rules, will have technical and operational implications. The requirement for rules is designed to ensure IT managers address and document security-related decisions. The rules should become an integral part of computer security training.

F. Risk Management. A formal risk assessment is not required; however, a risk-based approach should be used to define adequate security. This risk-based approach should include a consideration of the major factors in risk management: the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards. Bureaus may still choose to perform a traditional risk assessment, which remains a valuable tool. Risk assessments are most effective in areas where risk and safeguards can be quantified or otherwise discretely measured or described.

G. Personnel Controls. Since the greatest threat to most computer systems comes from authorized users, bureaus should institute personnel controls such as least privilege, separation of duties, and individual accountability. An initial background investigation and periodic reinvestigation is required in accordance with Departmental Manual Chapter 441 DM 1-6, "Personnel Suitability and Security Investigation Requirements" before authorizing personnel (such as system administrators, security managers and officers, emergency personnel, etc.) to bypass technical and operational controls in sensitive systems.

H. Incident Handling. Bureaus need to establish an incident handling capability, which is the ability to detect and react quickly and efficiently to disruptions in normal processing caused by malicious technical threats. Since information technology is so complex and widely distributed and users are often unfamiliar with the technology, an incident handling capability is imperative to provide security support. The development of an incident handling capability does not have to involve a separate staff; it could be a service of a Help Desk (with appropriate training). Bureaus are directed to share information about common vulnerabilities so that the Department can improve its overall ability to respond to security threats.

I. Training. The Computer Security Act requires Federal agencies to provide mandatory periodic training in computer security awareness and accepted computer security practice of all employees who manage, use, or operate a Federal computer system. This includes contractors as well as employees of the Department. The training should take place before allowing the IT user access to the IT system. IT users should be trained about the specific general support systems or applications they use, based on the system of rules, specifically including how to handle incidents. The training should use media appropriate for the audience and the risk. Hence, the training need not be formal classroom instruction; it could use interactive computer sessions or well-written and understandable brochures. Specialized training is required for users of major applications. The training shall assure that IT users are versed in the rules of the system, be consistent with guidance issued by NIST and OPM, and apprise them about available assistance and technical security products and techniques. Behavior consistent with the rules of the system and periodic refresher training is required for continued access to the system.

J. Network Interconnectivity. Very few Departmental general support systems will exist as closed systems. Most are networked to other Departmental systems and to external public and private networks. The gateways where networks meet serve an important security role. System rules in the "other" network may be very different or enforced differently. These system interconnections should be explicitly approved by appropriate managers.

K. Contingency Planning. Contingency planning is a vital element of a computer security program. Not only must contingency plans be developed, but they must also be tested. Bureaus should expand the scope of their contingency plans to include more than just large data centers. The emphasis should be on assuring that all the IT resources needed for mission and business critical functions will be available. This includes people, communications, support equipment, services, and many other resources in addition to computing power. A contingency plan (CP) will be developed for each general support system and major application to ensure that interruptions of service are kept to a minimum. The CP will be evaluated periodically to determine the continued appropriateness of established procedures and will be revised when required by changes in software, equipment, or other related factors. At a minimum, the CP will address the following:

(1) Procedures for backup storage and recovery of data and software;

(2) Establishment of alternate processing capabilities and procedures for transferring operations to an alternate site;

(3) The CP may be included in, or be consistent with the general support system CP; and

(4) Annual testing of the CP at large mainframe installations and other installations that support sensitive systems.

L. Public Access. Bureaus are encouraged to provide public access to information. Bureaus should reduce their risks by separating public access systems or records from agency internal systems.

M. Protection. Specific safeguards should be employed to provide a reasonable means of detecting actual or potential security violations and for counteracting each threat described in the risk assessment. The following procedures should be considered:

(1) Physical Security. Appropriate practices and safeguards must be utilized to minimize the following threats to those places where IT resources are located: theft, unauthorized or illegal access, accidental or intentional damage or destruction, improper use, and unauthorized disclosure of information.

(2) Personnel Security. In accordance with Departmental Manual Part 441, Personnel Suitability, certifications of favorable determination for sensitive IT positions are required for Federal and contractor employees commensurate with the sensitivity of the IT resources or installations these employees manage or use.

(3) Technical Security. Appropriate safeguards (such as passwords, call back devices, encryption, data authentication, security software) will be used to prevent unauthorized access to or use of information, data, and software resident on computers, peripheral devices, storage media, or transmitted over communication lines or networks.

(4) Administrative Security. Detailed procedural guidelines will be established and distributed to ensure that all IT resources are properly protected and used only by authorized personnel.

N. Information Technology Safeguards. Specific procedures must be followed to ensure that appropriate safeguards are incorporated into IT systems. These procedures include:

(1) Determining appropriate security safeguards prior to system development or acquisition;

(2) Conducting design reviews and system tests prior to system implementation to ensure that the system satisfies the approved security requirements;

(3) Certifying prior to implementation that a new system, substantially modified system, or reconfigured system satisfies applicable IT security policies, regulations, and standards, and that its security safeguards are adequate; and

(4) Evaluating the sufficiency of security safeguards and controls for sensitive systems at least every 3 years or whenever significant modifications are made to the system.

O. Acquisition Planning. Appropriate safeguards must be determined before acquiring information technology resources not only to ensure the wise expenditure of funds but also to ensure that the resources may be protected from the time of installation or implementation. To accomplish this, all contract specifications for the acquisition of hardware, software, software development, equipment maintenance, facility management, and related services will contain requirements for safeguards that encompass technical, administrative, personnel, and physical security.

19.5 Definitions. The following definitions apply for the purpose of this chapter.

A. Adequate Security. Security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the Department operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost effective management, personnel, operational, and technical controls.

B. Bureau. Includes all independent offices within the Office of the Secretary as well as all organizations under the jurisdiction of the Assistant Secretaries even though the organization is titled other than "bureau".

C. General Support System. An interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. A system can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO).

D. Information Technology Facility. An organized grouping of personnel, hardware, software, and physical facilities, a primary function of which is the operation of information technology.

E. Information Technology Installation. One or more computer or office automation systems including related telecommunications, peripheral or storage units, central processing units, and operating and support system software. Information technology installations may range from information technology facilities, such as large centralized computer centers, to individual stand-alone microcomputers such as personal computers, or workstations.

F. Information Technology Resources. Any equipment or interconnected system or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the Department. The term "information technology resources" includes computers, telecommunications equipment, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

G. Information Technology System. An organized combination of ADP equipment, software, and established methods and procedures designed to collect, process, and/or communicate data or information for the purposes of supporting specific administrative, mission, or program requirements. This includes the areas of application systems, data bases, and management information systems.

H. Information Technology Security. The management controls and safeguards designed to protect IT resources and safeguard governmental assets and individual privacy.

I. Major Application. An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All Federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.

J. Risk Assessment. An evaluation of IT assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events. A risk assessment identifies potential threats and their probability of occurrence and proposes safeguards to combat these threats and provides management with information on which to base decisions, e.g., whether it is best to prevent the occurrence of a situation, to contain the effect it may have, or simply to recognize that a potential for loss exists.

K. Security Specifications. A detailed description of the safeguards required to protect a sensitive system/application.

L. Sensitive System. A system containing information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes information whose improper use or disclosure could adversely affect the ability of the Department of the Interior to accomplish its mission, e.g., proprietary information, information about individuals requiring protection under the Privacy Act, and information not releasable under the Freedom of Information Act. (For more information, refer to 383 DM 1-15.)

19.6 Responsibilities. All personnel responsible for, or associated with, the collection, creation, storage, use, transmission, handling, and dissemination of automated data or information share responsibility for its protection. The specific responsibilities assigned to Departmental organizations and employees are listed below.

A. The Chief Information Officer (CIO) is responsible for overall management of IT resources and IT security programs of the Department of the Interior.

B. The Office of Information Resources Management (PIR), in the Office of the Assistant Secretary - Policy, Management and Budget, is responsible for development, coordination, and interpretation of IT security policy. PIR also oversees bureau compliance with Federal and Departmental policies, guidelines, and regulations governing IT security. The Departmental IT Security Manager (DITSM), in the IRM Program Planning, Review, and Standards Division, has specific responsibility for the performance of these functions.

C. The Office of Managing Risk and Public Safety in the Office of the Assistant Secretary - Policy, Management and Budget is responsible for the development, coordination, direction, interpretation, and inspection of the physical, personnel, and document security programs.

D. The Office of Inspector General conducts periodic reviews of bureau IT security programs in conjunction with its ongoing audits of Departmental operations; and evaluates reported security incidents for determination of investigative merit.

E. Heads of Bureaus are responsible for:

(1) Developing, maintaining, and implementing a bureau management plan that provides for the mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of the bureau.

(2) Ensuring the implementation of computer security plans required by the Computer Security Act of 1987 for general support systems and major application systems containing sensitive information. The plan must also include a description of:

(a) the involvement of bureau management in the overall computer security planning process in the bureau;

(b) the integration of computer security plans into bureau information resources management plans; and

(c) the process for ensuring that computer security funds, personnel, and equipment are planned for and budgeted.

(3) Promoting an attitude of concern for security among bureau employees. Ensuring that bureau IT security programs comply with Federal laws and regulations and Departmental regulations, and have adequate resources to function properly.

(4) Designating a Bureau Information Technology Security Manager (BITSM) and an alternate who are knowledgeable in IT security matters. Both security managers must be Departmental employees unless an exception is granted by the DITSM.

F. The Bureau IT Security Manager is responsible for: managing the bureau IT security program, coordinating all bureau activities designed to protect IT resources, coordinating bureau IT security training programs, and reporting on the effectiveness of these activities to bureau and Departmental management.

(1) In fulfilling these responsibilities, the BITSM will consult with all bureau officials having IT security responsibilities to ensure that IT resources are adequately safeguarded throughout the bureau.

(2) The responsibilities of the BITSM do not supersede or replace the physical and personnel security responsibilities assigned to other bureau officials. The BITSM should coordinate all pertinent IT security matters pertaining to physical and personnel security with these bureau officials.

(3) The BITSM must be at an organizational level commensurate with the responsibilities assigned and must be delegated sufficient authority to exercise these responsibilities.

(4) The BITSM will maintain a current inventory of sensitive general support systems and sensitive major application systems, including sensitive system certification and accreditation status, and a schedule for testing sensitive system contingency plans.

(5) The BITSM will report to or work closely with the Bureau IRM Coordinator to ensure the proper coordination of bureau IT security activities.

G. Installation IT Security Manager (IITSM). An IITSM and an alternate will be designated for each information technology installation. Both individuals must be knowledgeable in information technology and IT security matters and be Departmental employees, unless an exception is granted by the DITSM. These officials shall not be, or report to, any individual who is directly responsible for systems analysis, programming, equipment operation, or equipment maintenance. Small IT installations with limited staff may request an exception from the BITSM as to the location in the organization of these employees. The IITSM is responsible for:

(1) coordinating all activities designed to protect an IT installation or any other technical system, such as supervisory process control systems, designated by management;

(2) providing technical assistance to installation management on IT security requirements; and

(3) approving the IT security safeguards included in contract specifications for the acquisition or operation of hardware, software development, or equipment maintenance services for the installation.

H. Bureau IRM Coordinators are responsible for performing all IRM program coordination functions for their respective bureau. The Bureau IRM Coordinator also serves as the primary liaison with PIR.

I. Bureau Security Officers are responsible for implementing Departmental policies regarding physical, personnel, and national security information/document security for their respective bureau. This includes ensuring the appropriate background investigation is conducted on each employee based on the position sensitivity designation level of the position, conducting periodic reviews of sites to ensure the adequacy of their physical security, safeguarding national security information, and investigating security incidents involving their area of jurisdiction.

J. Program Managers are responsible for:

(1) properly identifying all IT systems containing sensitive information;

(2) implementing appropriate operational procedures and safeguards for acquiring, accessing, using, maintaining, or disposing of information and technological resources under their control;

(3) ensuring that IT security policies and procedures are adhered to for those resources they control;

(4) developing employee performance standards which contain appropriate references to their IT security responsibilities;

(5) ensuring that employees receive security clearances and ADP access certifications appropriate to the job they will perform if necessary; and

(6) ensuring that employees receive computer security training as required by the Computer Security Act of 1987 and the prevailing OMB Circular A-130, Appendix III.

K. System Owners are responsible for the overall security and proper use of the IT system, ensuring that all information and data is labeled according to sensitivity, and ensuring that adequate security requirements are incorporated into system or contract specifications prior to the acquisition or design of these systems. They are also responsible for identifying sensitive major application systems, preparing general support system and sensitive major application system security plans, and providing for the continuity of operations for sensitive applications and the systems which process them.

L. System Managers are responsible for ensuring that adequate physical and administrative safeguards are operational within their areas of responsibility and that access to information and data is restricted to authorized personnel on a need-to-know basis. They are also responsible for developing the IT installation contingency plan and assisting system owners with sensitive system security plans.

M. Users of IT resources are responsible for complying with all security requirements pertaining to the IT resources they utilize and are accountable for all activity performed under their User IDs/passwords.

19.7 Other Applicable Regulations. Personnel responsible for IT security must be knowledgeable of, and conform to, the Departmental Manual Parts listed below to ensure proper adherence to security program components.

376 DM Automated Data Processing

377 DM Telecommunications

383 DM Policies and Procedures for Implementing the Privacy Act of 1974

384 DM Records Disposition

436 DM Vital Records

441 DM Clearances and Suitability Investigation Requirements

444 DM Physical Security

19.8 Review.

A. PIR will conduct periodic reviews of bureau IT security programs to ensure compliance with Federal and Department directives.

B. Each bureau will conduct periodic reviews of its IT security program to determine its effectiveness and to recertify the adequacy of the installed security safeguards. These reviews may use existing reports, such as those prepared for risk analyses, IT certifications, Privacy Act inspections, Departmental Management Control Evaluations, and Inspector General audits. The results of these reviews should serve as a basis for the annual bureau IT security plan.

C. Copies of the bureau reviews will be provided upon completion to the Departmental IT Security Manager and the Office of Inspector General. PIR will work with the bureaus to help resolve any identified problems.

19.9 Reporting Requirements.

A. Security Plan. Each BITSM will annually develop a security planning document as an appendix to the Bureau IRM Strategic Plan. The security planning document should describe bureau IT security activities and contain pertinent information required by the Computer Security Act of 1987. This document will be submitted for review to the DITSM by December 31 of each year and will include the following:

(1) An overview of bureau IT security activities as they pertain to security issues, problems, and solutions.

(2) A description of the previous fiscal year's accomplishments in implementing the bureau IT security program.

(3) A list of activities which must be accomplished to improve the IT security program in the bureau.

(4) A milestone schedule of IT security activities planned for the current fiscal year to include such activities as risk assessments, new or modified security procedures, evaluations of existing security procedures, and security awareness activities.

(5) Identification of major application systems that contain sensitive information. Include all major application systems under development within or under the supervision of the Department that contain sensitive information.

(6) Security plans for: all major application systems that contain sensitive information for which an acceptable plan was not previously prepared; new or significantly changed sensitive systems; and sensitive major application systems for which the Department advised the bureau to revise the plan. Plans should be commensurate with the risk and magnitude of the harm resulting from the loss, misuse, unauthorized access to, or modification of the information contained in the system. Plans should be prepared in accordance with the latest Office of Management and Budget computer security planning guidance.

(7) A statement of the bureau's or office's training objectives in complying with the training requirement of the Computer Security Act of 1987. Include the number of people in each category (management, technical, and user) trained in the previous fiscal year and the number of people the bureau/office plans to train in the current fiscal year in those categories.

(8) The bureau management plan for ensuring implementation of security plans for sensitive major application systems and general support systems.

B. Security Incidents. All security incidents must be reported to the appropriate authorities. The type of incident encountered will determine the reporting requirement. It is the responsibility of each employee to report all suspected, actual, or threatened incidents involving automated information systems to the authorities indicated below.

(1) Incidents involving physical, personnel, and national security complaints and violations will be reported to the Bureau Security Officer. This includes incidents involving the destruction, physical abuse, or loss of technological resources.

(2) Incidents involving IT resources resulting in the loss of technology, fraud, compromise, or disclosure of sensitive material should be reported to the BITSM by telephone at the time of discovery, followed by sending a completed "Computer Security Incident Report," form DI-1974 or equivalent bureau form, to the BITSM. The BITSM should immediately report the incident to the Department by telephoning the DITSM, then forward a completed "Computer Security Incident Report," form DI-1974 or equivalent bureau form, to the DITSM. All serious computer hacker and virus incidents, judged by the BITSM to significantly impact on bureau IT systems, must be reported to the OIG. Other types of IT security incidents should be reported to the BITSM.

C. IT Security Managers. Each BITSM should maintain a current listing of names and locations of all bureau employees that have computer security duties within the bureau.

7/22/97 #3165

Replaces 9/27/93 #2987
