Overview
The primary objectives of the Department of Labor (DOL) information
security effort are:
- Ensuring the confidentiality of sensitive information processed by,
stored in, and moved through information systems and applications belonging to
the Department of Labor (DOL). Examples of sensitive information processed by
DOL include: personally identifiable information and other Privacy Act
protected records; pre-release economic statistics; information provided by
companies and citizens under the assumption of confidentiality; and pre-award
contract financial information.
- Ensuring the integrity of the DOL information such that decisions and
actions taken based upon the data processed by, stored in, and moved through
DOL information systems can be made with the assurance that the information has
not been manipulated, that it is not subject to repudiation, and that the source
of any changes to the information can be determined as well as possible.
- Ensuring the availability of the DOL information systems and
applications during routine operations and in crisis situations to support the
DOL Mission.
The Department of Labor (DOL), Office of the Chief Information Officer
(OCIO), maintains a team of security professionals responsible for the
oversight of information security practices at the department. Their
responsibility is to develop and maintain the programs that help the department
meet its information security objectives.
Security Initiatives - The OCIO
Security Officer is responsible for a wide variety of initiatives that
continuously improve the information security stance of the department.
Guiding Policies - Listed here are many
of the laws, regulations, and guidance that the OCIO Security Officer uses to
generate internal guidance and perform oversight review and reporting.
Contact Us - For more information about the DOL OCIO Security programs, or for
contact information for specific DOL component agencies.
Security Initiatives
Regulatory Compliance and Oversight
The Department of Labor (DOL) OCIO is responsible
for providing regulatory oversight for information technology (IT) security.
This oversight includes the development of department-wide policy, procedures,
and guidance for compliance with Federal laws, regulations, and guidelines, and
sound security and privacy practices. Additionally, OCIO Security is
responsible for reviewing security program documentation developed to ensure
compliance and further enhance security practices across all component
agencies. Documents reviewed include, but are not limited to:
- Security Program Plans
- Risk Assessments
- System Security Plans
- Contingency Plans
- Certification and Accreditation Documents
Government Information Security Reform Act (GISRA) Implementation and Reporting
The OCIO Security team is responsible for compiling
the Department's quarterly and annual reporting of information security under
GISRA. This includes the collection, review, and aggregation of reports on the
plans of action and milestones to mitigate security weaknesses, as well as the
annual review of departmental security programs. DOL uses the National
Institute of Standards and Technology (NIST) Special Publication 800-26,
Security Self-Assessment Guide for Information Technology Systems, to conduct
this annual review.
Computer Security Awareness and Training
DOL OCIO Security is responsible for developing the
department-wide minimum training requirements for all employees, computer
security professionals, and executive management. This includes hosting the
annual computer security awareness week and other activities throughout the
year to bolster the IT security knowledge of DOL employees. DOL component
agencies are required to add depth to the department-wide training requirement
to bring system users up to speed on security requirements particular to the
systems and applications they operate.
Computer Security Incident Response
The OCIO maintains a computer security incident
response capability to address incidents across the department. The DOL
Computer Security Incident Response Capability (CSIRC) functions in two modes,
proactive and reactive. The team proactively monitors federal and commercial
computer incident response and homeland security groups (FedCIRC, CERT, etc.)
to determine potential threats to DOL systems and newly discovered
vulnerabilities in DOL systems and applications. The team then notifies the
security officers at each component agency, and, as required, collects feedback
on the mitigation of new vulnerabilities and threats.
Furthermore, the OCIO CSIRC is responsible for
response to anomalies and incidents related to computer security in DOL systems
and applications. The OCIO coordinates anomaly reporting to determine if
potential threat activity is directed against one component agency or across
all of DOL. Additionally, the OCIO is responsible for coordinating incident
reporting to outside organizations, including law enforcement and
government-wide incident response.
OCIO Process Synchronization
Capital Planning
The OCIO Security team routinely interacts with the
OCIO Capital Planning team to ensure that the fiscal decisions related to IT
across the department maintain and enhance our already strong information
security posture. The Security team participates in the quarterly capital
planning control reviews to follow the progress of projects and initiatives in
progress and ensures continued compliance with security requirements and best
practices.
The OCIO Security team also ensures that the System
Development Lifecycle Management (SDLCM) methodology is synchronized with the
security requirements of sound systems development. Research indicates that
there is a tenfold cost saving when security is designed into a system or
application from the outset, as opposed to re-engineering it after it is
already operational.
Enterprise Architecture
The OCIO Security team is actively involved in the
efforts of DOL to establish and manage an enterprise architecture. The team
routinely reviews enterprise architecture guidance documents to ensure that
they are in compliance with current security laws, regulations, guidelines, and
best practices. Part of this effort is directed at maintaining a common and
uniform architecture for security protection at DOL to maximize
interoperability of component agency information systems. Furthermore, this
commonality is extended to maximize government-wide information sharing and
interoperability under the EGovernment initiative and the President's
Management Agenda.
Information Collection
The OCIO Security team actively participates in the
information collection efforts at DOL. Initiatives undertaken in support of the
Paperwork Reduction Act (PRA) and the Government Paperwork Elimination Act
(GPEA) strive to improve information sharing within and across federal
departments and agencies and increase the use of electronic collection
processes. The systems at DOL contain a wide variety of sensitive, but
unclassified, information - personally identifiable information, corporate
sensitive data, or leading economic indicators. Any efforts to increase
information sharing or change information collection practices should carefully
review the security impact of the effort and find ways to eliminate, as much as
possible, the risk to compromise of this information.
Government-Wide Outreach
The OCIO Security team participates in several
government-wide initiatives to share lessons learned and ensure compliance with
the objectives of EGovernment on the President's Management Agenda. These
activities include, but are not limited to:
- Risk Grading - the government seeks to establish
a universal risk grading methodology to allow (?)
- Policy and Guidance Review - the OCIO security
team routinely reviews policies and guidance from the Office of Management and
Budget (OMB) and NIST to provide (?)
- EGovernment Initiative Oversight - DOL is
designated as the lead agency for GovBenefits. In this capacity, the OCIO
Security team reviews the GovBenefits security practices to maximize the
security posture of this critical government-wide initiative.
- CIO Council
- Committee on National Security Systems
Guiding Policies
The Office of the Chief Information Officer uses
the following Laws, Regulations, and Guidance when setting the department's
policies, procedures, and practices:
- Public Law (PL) 93-579, the Privacy Act of 1974 (5 U.S.C. 552a)
- PL 100-235, "Computer Security Act of 1987"
- PL 100-503, the Computer Matching and Privacy
Protection Act
- PL 104-106, Division E, the Information
Technology Management Reform Act (Clinger-Cohen Act) of 1996
- PL 106-398, Title X, Subtitle G, the Government
Information Security Reform Act (GISRA)
- 5 CFR Part 930, Subpart C OPM Regulations
Implementing Training Requirements of Computer Security Act of 1987
- 29 CFR Part 71, DOL Regulations Implementing the
Privacy Act
- Office of Management and Budget (OMB) Circular
No. A-130, Revised (Transmittal Memorandum No. 4), "Management of Federal
Information Resources," November 30, 2000.
- OMB Circular No. A-123, "Management
Accountability and Control," June 21, 1995.
- OMB Memorandum M-00-07, "Incorporating and
Funding Security in Information Systems Investments", February 28, 2000.
- OMB Memorandum M-01-08, "Guidance on Implementing
the Government Information Security Reform Act", January 16, 2001.
- OMB Memorandum M-01-24, "Reporting Instructions
for the Government Information Security Reform Act", June 22, 2001.
- OMB Memorandum M-02-01, "Guidance for Preparing
and Submitting Security Plans of Action and Milestones", October 17, 2001.
- National Security Telecommunications and
Information Systems Security Instruction (NSTISSI) No. 1000, "National
Information Assurance Certification and Accreditation Process (NIACAP)," April
2000.
- NSTISSI 4009, "National Information Systems
Security (INFOSEC) Glossary," January 1999.
- National Institute of Standards and Technology
(NIST) Special Publication (SP) 500-165, "Software Verification and Validation:
Its Role in Computer Assurance and Its Relationship with Software Project
Management Standards," September 1989.
- NIST SP 800-4, "Computer Security Considerations
in Federal Procurements: A Guide for Procurement Initiators, Contracting
Officers, and Computer Security Officials," March 1992.
- NIST SP 800-6, "Automated Tools for Testing
Computer System Vulnerability," December 1992.
- NIST SP 800-12, "An Introduction to Computer
Security: The NIST Handbook," October 1995.
- NIST SP 800-14, "Generally Accepted Principles
and Practices for Securing Information Technology Systems," September 1996.
- NIST SP 800-16, "Information Technology Security
Training Requirements: A Role- and Performance-based Model," April 1998.
- NIST SP 800-18, "Guide for Development of
Security Plans for Information Technology Systems," December 1998.
- NIST SP 800-27, "Engineering Principles for
Information Technology Security (A Baseline for Achieving Security)," June 2001.
- FIPS Publication 31, "Guidelines for Automatic
Data Processing Physical and Risk Management," June 1974.
- FIPS Publication 65, "Guideline for Automatic
Data Processing Risk Analysis," August 1, 1993.
- FIPS Publication 87, "Guidelines for ADP
Contingency Planning," March 27, 1981.
- FIPS Publication 101, "Guideline for Life Cycle
Validation, Verification, and Testing of Computer Software," June 6, 1983.
- FIPS Publication 112, "Password Usage," May 30,
1985.
- FIPS Publication 113, "Computer Data
Authentication," May 30, 1985.
- Department of Labor Systems Development and Life
Cycle Management Manual, Version 2.0, July 2000.
- U.S. Department of Labor Information Technology
Architecture, January 2000.
- U.S. Department of Labor Computer Security
Handbook
- U.S. Department of Labor Manual Series-9 (DLMS-9,
Information Technology, Security - 400)