                                 CHAPTER XII

            SECURITY REQUIREMENTS FOR STANDALONE SINGLE-USER AIS

1.  SINGLE-USER CLASSIFIED AIS.  A single-user Classified AIS is a
    Classified AIS in which only one user controls all system resources at
    any specific time.  For a single-user Classified AIS that is not
    connected to another classified AIS, administrative controls such as
    accountability, personnel controls, and physical controls appropriate to
    the classification level of the data being processed are sufficient
    protection.

    NOTE:  "Personal workstation" is defined as a general purpose classified
    AIS used by a single user.  This includes personal computers,
    microcomputers, and minicomputers.  It does not include special purpose
    computers such as numerical control or process control machines.

2.  SECURITY REQUIREMENTS.  Personal workstations shall comply with the
    requirements for the Protection Index zero.  These requirements include:
    a Classified AIS Security Plan; testing, certification and accreditation
    of the security procedures; physical security protections appropriate to
    the classification level of the data processed, stored, transferred, or
    accessed on the classified AIS; personnel security protections; and
    administrative protections.

3.  ADMINISTRATIVE PROCEDURES.  The administrative procedures required for
    personal workstations are addressed below:

    a.   Waste, Fraud, and Abuse Review.  Each personal workstation and the
         information therein shall be reviewed annually to determine that
         the workstation and the data are not being used to defraud the
         Government and are not being used in an inappropriate manner that
         could constitute waste or abuse of the equipment or data (see page
         I-10, paragraph 15, and page IX-8, paragraph 15).  Where large
         numbers of AIS are involved, at least one-third of the classified
         AISs shall be reviewed annually.  As an alternative, a statistical
         sampling method of reviewing may be approved by the DAA.

    b.   Marking.

         (1)  All personal workstations shall be clearly marked to indicate
              the classification level and most restrictive classification
              category of information that can be processed, stored,
              transferred, or accessed on the classified AIS.

         (2)  Media containing classified information shall be visibly
              marked with the accreditation level authorized for processing
              on the AIS unless an appropriate review has been conducted or
              it is output by a tested program or methodology verified to
              produce consistent results and approved by the DAA.

         (3)  All printed matter from the personal workstation shall be
              marked at the accreditation level of the classified AIS unless
              an appropriate review has been conducted or it is output from
              a tested program verified to produce consistent results and
              approved by the DAA.

    c.   Protection of Media Containing Software.  All media containing
         software, including operating systems, security systems, utilities,
         vendor-supplied diagnostics, and application programs that have
         been used on the classified AIS, shall be protected at the
         accreditation level of the classified AIS.

    d.   Protection of Media Containing Data.  All media containing data
         used on a single-user Classified AIS shall be protected at the
         accreditation level of the AIS.

    e.   Media Clearing, Sanitization, and Destruction.  Clearing,
         sanitization, and destruction procedures are detailed in Chapter
         IX.  Users of personal workstations shall follow these procedures.

    f.   Removal of Classified AIS Equipment.  No user of a personal
         workstation shall move any of the components of the classified AIS
         from the location specified in the Classified AIS Security Plan
         without approval of the CSSO.

4.  SPECIAL EMPHASIS.  Requirements needing special emphasis for personal
    workstations are as follows:

    a.   User Responsibility.  Each user of a personal workstation is
         responsible for assuring that it is used in accordance with the
         procedures specified in the Classified AIS Security Plan.

    b.   Removable Media Handling.  Removable media shall be properly
         labeled and stored.

    c.   Release of Removable Media.  Before removable media is released, it
         shall be properly sanitized.

    d.   Viruses and Intruders.  All users of personal workstations shall be
         advised by the CSSO of procedures for preventing viruses and
         reporting suspected viruses or intruders (e.g., hackers).

    e.   Physical Access.  The CSSO is responsible for informing users of
         personal workstations about their responsibilities concerning
         access to the workstation by unauthorized users (including visual
         access).

    f.   Backup Procedures.  Each user is responsible for assuring that the
         information on his/her personal workstation is backed up in
         accordance with procedures in the Classified AIS Security Plan.
