600.5 - Information Technology Systems Security

600.5 - Information Technology Systems Security - General Requirements

11/14/07

OPR: Geospatial Information Office

Instructions: This replaces Survey Manual (SM) Chapter SM 600.5 - Automated Information Systems Security - General Requirements, dated June 11, 1993, and Chapter SM 600.2 - Control of the Registration and Deletion of Computer User Identifications (User ID's), dated October 28, 1988.

1. Purpose. This chapter establishes policies, assigns responsibilities, and prescribes standards and procedures for the management of the U.S. Geological Survey’s (USGS) information technology (IT) system security program.

A. This chapter applies to all USGS employees who operate or have programmatic oversight or control of IT systems or develop requirements documents or agreements that involve access to USGS information technology and information resources by contractors, volunteers and other affiliates.

(2) Information in any form when used as input to, output from, or documentation of an IT system.

(3) IT system installations and facilities used in the collection, processing, storage, communication, and retrieval of information.

(4) All software (operating systems, utilities, application programs, etc.) used by an IT system.

B. Federal Information Security Management Act, Title III of the E- Government Act of 2002 (Public Law 107-347).

C. 375 DM 19 - Information Resources Management Information Resources Security Program.

A. All USGS IT facilities and equipment shall be protected against loss, damage, theft, and misuse; and all data processed by USGS IT systems shall be protected against unauthorized disclosure, modification, or destruction. The level of protection shall be commensurate with the criticality of the system to the mission of the organization considering sensitivity of the information created, processed, stored, or transmitted by the IT system.

B. Compliance with Federal, Departmental, and Bureau regulations and policies pertaining to IT systems is required. Violations of said regulations and policies shall result in appropriate administrative, disciplinary, or legal action against the violators.

C. The USGS IT security handbook and/or Web site maintained by the Bureau IT security office is the authoritative guidance source for USGS standards, procedures, and other related IT security requirements.

B. Application. Computer programs and routines that run on one or more computers that are designed to accomplish automated tasks in support of administrative or mission oriented functions.

C. Computer/ADP Designated Position. Any position where the duties involve participation in designing, developing, operating, or maintaining computer installations or applications as well as those positions requiring administrative access to such systems.

D. IT System. The combination of computer equipment, operating system software, applications, and established methods and procedures designed to collect, process, store, and/or communicate information for the purpose of supporting specific administrative or program related requirements.

E. IT Security. The management, operational, and technical controls designed to protect IT resources from loss, damage, or misuse.

F. Keystroke Monitoring. A methodology of capturing a computer user’s keystrokes in an effort to obtain sensitive information such as passwords or encryption keys.

G. Media Sanitization. A process to remove information from media such that data recovery is not possible; data erasure.

H. National Institute of Standards and Technology (NIST) guidance. OMB Circular A-130 requires that NIST guidance be followed to “achieve adequate security commensurate with the level of risk and magnitude of harm.” An explanation must be provided for “any planned or actual variance from National Institute of Standards and Technology (NIST) security guidance” in a system security plan.

I. Personnel Security. The safeguards established to ensure that all personnel who have access to IT systems have the required authorities and the appropriate levels of training, Computer/ADP position designations, and security clearances.

J. Physical Security. The use of locks, guards, badges, and similar safeguards to control access to a computer installation and the safeguards required for protecting the facility and the IT system resources from the threat of fire, water, electrical, and other environmental hazards.

K. Public Trust Positions. Positions that meet the high and moderate risk levels of the Suitability and Computer/ADP position criteria as defined in 441 DM 1, “Personnel Security and Suitability Requirements” and appropriate Bureau directives.

L. Risk Analysis. An analysis (assessment) used to minimize risk by effectively applying security safeguards commensurate with the relative threats, vulnerabilities, and values of the resources to be protected. A risk analysis provides management with information on which to base decisions, for example, whether it is best to prevent the occurrence of a situation, to mitigate the effect it may have, or simply to recognize that a potential for loss exists.

M. Security Specifications. A detailed description of the safeguards required to protect a system/application.

N. Sensitive Data. Data that require protection due to the risk and magnitude of the loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data. Sensitive data include proprietary data, records about individuals requiring protection under the Privacy Act, data such as payroll, financial, or management information, or data that is critical to the mission of the USGS. Passwords, pass phrases, Personal Identification Numbers (PINs), and Social Security Numbers (whole or partial) are among items that are considered sensitive data.

O. Significant IT Security Responsibilities. Positions that may impact the mission of the agency through a loss of confidentiality, integrity and/or availability of the IT system are to be designated as having significant IT security responsibilities. Some of the determining factors are: requiring advanced rights to a system beyond that of a regular user to include database, network, mail and IT system administrators, programmers, IT security managers, IT system owners, information owners, and IT system program managers. In addition, positions that have programmatic and/or management control over IT system resources are also included. Note: Users granted administrative access only to their own desktops and/or laptops are not considered to have significant IT security responsibility.

6. Responsibilities. All personnel who manage, operate, or use USGS information technology share the responsibility for protecting USGS IT-related resources. Specific responsibilities for IT system security are listed below.

A. Bureau IT Security Manager (BITSM). The BITSM is the Chief Information Security Officer for the Bureau. The BITSM responsibilities include the following:

(1) Managing, implementing, and enforcing an effective and sound Information Technology Security Program for the USGS in accordance with USGS, DOI, and Federal laws, policies, directives, standards, and guidelines.

(2) Establishing policies, standards and guidelines for controlling access to USGS networks and systems and developing bureau-wide guidance for addressing IT security requirements for USGS IT systems or resources.

(3) Coordinating periodic computer security reviews of USGS workstation and network environments, reporting control weaknesses, and recommending additional security measures.

(4) Ensuring that an effective security awareness training program is in place to educate all managers, users, and IT officials on the importance of maintaining and safeguarding all USGS systems and information.

(5) Communicating all computer security incidents in writing to appropriate officials with recommendations for immediate and future corrective actions.

(6) Ensuring that all Federal Information Security Management Act (FISMA) reporting requirements are met for the Bureau.

(7) Ensuring that the IT portion of annual Management Control Review reporting requirements is met.

(8) Ensuring that IT security control weaknesses are documented and managed in a Departmental Plan of Action and Milestone (POA&M) process.

B. Information Technology Security Steering Committee (ITSSC). This committee is responsible for the development of policy, standards, and guidance for the Bureau’s IT security network infrastructure including: wide and local area networks, federally-owned desktops, laptops, server computer systems, host and network based security controls, and other elements of the Bureau’s IT network infrastructure.

C. Regional Information Technology Security Operations Officers (RITSOOs). Regional IT Security Operations Officers work as members of the IT Security Operations Team and serve as liaisons with the security points of contact at the distributed science centers.

D. Information Technology Security Operations Team (ITSOT). The IT Security Operations Team is responsible for implementation of IT security standards and guidelines throughout the Bureau. The ITSOT is responsible for deployment and day-to-day operations of the Bureau's security systems, including administering firewalls, monitoring intrusion detection systems, routinely reviewing security logs, and conducting vulnerability scans to detect weaknesses in system security.

E. Bureau Security Manager. The USGS Security Manager provides policy formulation, security management, and oversight for the bureau’s national security classification, personnel security, physical security, law enforcement, and counter terrorism programs. This includes the management of foreign intelligence materials and sites; the employment and retention of persons in sensitive positions; establishment of the Homeland Security Advisory System nationwide; and the protection of the bureau’s facilities/sites, property assets to include mission-essential infrastructures, and approximately 12,000 personnel. The Bureau Security Manager is designated as the Facility Security Officer for the National Center, Reston, Virginia, responsible for all National Center physical security and law enforcement to include the contract management of National Center guard and physical security contracts. The USGS Security Manager provides technical assistance to all levels of management as well as to employees and full-time and collateral-duty professional security personnel.

F. Bureau Human Resources Officer. The USGS Human Resources Officer will ensure that all positions are assigned a Computer/ADP designation commensurate with the documented duties and responsibilities. The Human Resources officer is responsible for initiating requests for appropriate background investigations for all employees assigned to public trust positions.

G. Chief, Office of Acquisition and Grants. The Chief, Office of Acquisition and Grants, is responsible for ensuring that award documents involving IT systems or services address IT security requirements.

H. IT System Owner. IT system owners are the Bureau officials who are responsible for the proper use of the system and for adequately protecting the system's information resources. IT system owners are accountable for the confidentiality, integrity, and availability of the system and/or data.

(1) IT system owners are responsible for ensuring that a risk management program is implemented for each IT system installation and/or IT system application under their control and that the program includes conducting initial and periodic risk analyses and management control reviews to ensure that (a) adequate security requirements are incorporated into system or contract specifications prior to the design or acquisition of the system, (b) an adequate level of protection is maintained throughout the system's life cycle, and (c) compliance with Federal, Departmental, and Bureau regulations and standards are maintained. In addition, IT system owners are responsible for properly certifying the system as meeting all Federal regulations for management of IT systems. For systems involving access by non-employees, this includes (a) identifying any appropriate nondisclosure agreement required for nonfederal users and retaining those signed agreements and (b) maintaining a listing of all individuals who have been granted user IDs to access the system.

(2) IT system owners must ensure that regular backups are made of all critical data stored on their computing system components and ensuring that sensitive data is erased from all related media (disk drives, tapes, etc.) prior to disposal.

I. Employees who draft specifications and statements of work, other requirements documents, volunteer agreements, or other business arrangements that involve access to USGS IT systems by nonfederal employees must ensure that all nonfederal users to be given access are evaluated against criteria for equivalent Computer/ADP positions and have appropriate public trust or low risk position designations assigned (see 441 DM and subsequent Survey Manual guidance), and that the requirements of this chapter as they apply to nonfederal users are included or referenced in such documents.

(1) Appropriate IT security policies and procedures are adhered to and that management controls and security safeguards are implemented for acquiring, accessing, using, maintaining, disseminating, or otherwise disposing of information and technology resources under their control.

(2) Appropriate security goals, functional security requirements, and security specifications for IT system resources are included in procurement specifications and statements of work as appropriate.

(3) Appropriate individuals have been assigned responsibilities for IT asset ownership, management, and IT security. This includes roles of Asset Owner, Security Point of Contact, and IT Lead/ System Administrator.

(4) USGS program planning addresses, as part of the annual budget process, the requirements necessary to ensure that all IT system resources supported by the program are adequately protected.

(1) Ensuring employees observe computer security policy within their areas of responsibility; and that employee performance standards and position descriptions contain appropriate references to their IT system security responsibilities.

(2) Ensuring employees complete annual computer security awareness training and are knowledgeable of their responsibilities associated with the use of USGS computing resources and the consequences for misuse.

(3) Ensuring computer security requirements are included in requirements documents involving acquisition or operation of computer facilities, equipment, software packages, or related computer services.

(4) Ensuring that all breaches of computer security, events that may indicate a computer security incident or violation, or attempts to gain unauthorized access to computers, information systems, or data resident on USGS information resources are reported.

(5) Ensuring that IT system access for employees or contractors who are terminated is removed and files assigned to those accounts are reassigned to another authorized user in the organization.

(6) In cooperation with the Human Resources Officer, all IT-related positions under their management control are properly designated as Computer/ADP positions and have appropriate public trust or low risk position designations assigned in accordance with 441 DM and subsequent Survey Manual guidance.

(7) Employees receive background investigations commensurate with their IT-related duties and responsibilities.

L. Security Point of Contact (SPOC). The SPOC is the primary contact for IT security issues with the Information Technology Security Operations Team (ITSOT). The minimum requirements for each appointed SPOC are as follows:

(1) Complete general annual security awareness training and specialized computer incident response training in the identification, correction, and reporting of IT security events.

(2) Serve as the primary point-of-contact to the USGS Computer Security Incident Response Team (CSIRT) incident manager in the classification, correction, and reporting of security incidents. CSIRT incident manager duties are assigned on an incident-by-incident basis.

(3) Work with local employees on behalf of the USGS and the Bureau security operation and incident response teams, when requested, in the implementation of USGS, Department, and Federal security requirements and standards.

(6) Ensure system information, such as log files, are maintained and reviewed as required per DOI directives.

(7) Work with USGS IT security and incident response teams, local management, and local end-users in the identification and correction of known security weakness or potentially vulnerable computers, servers, or local-area-network IT systems.

(8) Distribute information technology security related material, alert notifications, and information to asset owners, operators, administrators, and staff in the local organization.

(1) Following and adhering to USGS computer and information systems security policies, standards, procedures, and guidelines to safeguard and protect all USGS data and applications, including the utilization of file protection mechanisms to maintain appropriate file access control.

(4) Selecting hard-to-guess passwords, per Departmental and Bureau guidance, and ensuring that passwords are held in strict confidence and properly safeguarded from unauthorized access and unauthorized use.

(5) Ensuring that regular backups are made of all critical data stored on their own workstation(s) and ensuring that sensitive data is erased from the hard drive(s) prior to disposal of the machine. Accordingly, any sensitive data on other storage media (such as compact discs and diskettes) must also be erased when the media is no longer needed.

(6) Obtaining IT approval prior to introducing any nongovernment purchased software, including freeware, into USGS computing environments.

(7) Ensuring that all software and documents are scanned for viruses prior to loading to USGS workstations or network devices.

(9) Reporting any observed or suspected computer security incident or violation to your immediate supervisor, Security Point of Contact (often a local IT Specialist), or the BITSM.

(10) Ensuring that workstations are rendered inaccessible to unauthorized users by suspending, closing, or password protecting the session prior to leaving the device.

(11) Reading and acknowledging a Bureau-approved logon warning as part of the logon process.

7. IT System Security Program Components. For an IT system security program to be effective, it must be sufficiently comprehensive to enable the identification of potential risks and vulnerabilities and the institution of safeguards to minimize them. The basic requirements for ensuring adequate protection are outlined below.

A. Program Planning. Adequate planning is the first component of any effective IT security program. Since all USGS IT activities support USGS programs, planning for IT security must be made an integral part of the program planning process. USGS program planning must address, as part of the annual budget process, the requirements necessary to ensure that all IT system resources supported by the program are adequately protected.

B. Information Resources Protection. Specific safeguards must be implemented by IT system owners to provide reasonable assurance that USGS information resources are adequately protected from the threats and vulnerabilities determined during the risk analysis. The following safeguard categories must be considered:

(1) Physical Security. Appropriate practices and procedures must be utilized to minimize the following threats to places where IT resources are located: theft, accidental, or intentional damage, unauthorized or illegal access, or unauthorized disclosure of information.

(2) Technical Security. Appropriate safeguards (for example, passwords, personal identification devices, anti-virus software, access control lists, user activity monitoring software, encryption, or dial-back modems) will be used to protect against unauthorized access to or use of IT system software or data.

C. Certification and Accreditation of IT Systems. All IT systems shall be formally certified and accredited in accordance with NIST, Departmental, and Bureau directives prior to being placed into operational status.

D. Computer Security Awareness and Training Activities. The USGS will provide mandatory periodic computer security awareness training for all users of Bureau computing resources.

(1) All new employees who are to use or manage any USGS IT system shall review IT security awareness training materials as part of the enter-on-duty process.

(2) All users of USGS computing resources shall annually complete the mandatory IT security awareness training.

(3) All users of USGS computing resources with significant IT security responsibilities shall also complete specialized role-based IT security training.

E. Requirements Development. Having appropriate safeguards included in specifications and statements of work for acquisitions of IT system resources will help ensure that USGS information resources are protected at the time of implementation and that the cost of security over the system's life cycle is minimized. To guarantee this is accomplished, managers of IT systems shall assure that appropriate security goals, functional security requirements, and security specifications for IT system resources are included in procurement specifications and/or statements of work.

F. Reporting Security Incidents. It is the responsibility of all users to report any incident resulting in the loss of IT system technology, data, or services, fraud, or unauthorized disclosure of sensitive information.

(1) Incidents involving the theft of or malicious damage to IT equipment, fraud, national security violations, or other misuse of IT system resources shall be reported immediately to the Bureau Security Officer and /or other local law enforcement officials depending on the circumstances and location.

(2) Incidents involving attempts to gain unauthorized access to any USGS IT resource, malicious code occurrences, or unauthorized disclosure of sensitive information shall be reported immediately to the local Security Point of Contact (SPOC).

A. Confidentiality of log records. Access to IT system log and other sensitive network security information is restricted to authorized personnel and is not to be posted to bulletin boards, telephone directories, or other publicly viewable systems or services. System, web, and other IT log information is a potential source of valuable IT security information detailing architecture and topology information along with a potential for identifying server vulnerability and potential exploits. The logs may also identify directories, files, and other elements of data and information that are unavailable to the general public; including employees of the Geological Survey. Generally these logs are maintained by the designated local Science Center IT Lead or assembled into a central logging facility and access controlled by the system’s owner, manager, or administrator.

B. Keystroke Monitoring. Keystroke monitoring, per the Department Manual, is to be done only with consent of the BITSM and the DOI Office of the Solicitor.

10. Network Protection Authorization. To ensure continued connection of USGS networks to the Internet, the Geospatial Information Office (GIO) is authorized to:

A. Centralize management and maintenance of the network security equipment and routers installed on all USGS networks.

C. Place controls at the ingress/egress points on USGS networks for the purpose of selectively allowing/denying traffic.

D. Replace or remove any network security equipment that does not fit into the design approved by the USGS Chief Information Officer and the DOI Chief Information Officer.

E. Place access controls, analysis software and/or hardware on any computer system or network, at any point in the network stream, in order to detect unauthorized activity or to selectively monitor and/or deny traffic.

F. Block network access to any host or device that poses a risk to USGS information assets.

11. Use of Network Analysis Tools. Use of network analysis software or hardware shall be restricted to system, network, or security administrators, as authorized by the manager of a given network. Authorized use shall also include employees or contractors working at the Bureau or Departmental enterprise network management level.

(signed) Karen D. Baker                                                                   11/14/07
_____________________________________________                  _______________
Karen D. Baker                                                                                    Date
Associate Director, Administrative Policy and Services