AUTOMATED DATA PROCESSING (ADP) SECURITY PLAN
MULTINATIONAL INDUSTRIAL SECURITY WORKING GROUP
25 June 1993 MISWG DOCUMENT Number 13
This document describes the responsibilities and procedures for the protection of classified information that is processed on Automated Data Processing Systems and/or networks and contains the following sections:
Section A Purpose
Section B Applicability
Section C Responsibilities
Section D System Identification
Section E Physical Security
Section F Personnel Security
Section G Document Security
Section H Hardware and Software Security
Section I Communication Security
Section J Emergency Procedures
Section K Security Education
Section L Security Operational Procedures (SECOPS)
Each section below describes the elements of information that should be included in the corresponding section of the plan. Where specific elements of information are given in this document, they are provided only as examples. Detailed information must be obtained and tailored for each programme.
A. PURPOSE
The purpose of this plan is to describe the responsibilities and procedures for the protection of (name of programme/project) classified information that is processed using ADP.
B. APPLICABILITY
This plan will be incorporated in the Programme/Project Security Instruction (PSI) and will apply to all persons and facilities involved in the programme/project.
C. RESPONSIBILITIES
1. The Facility Security Officer (FSO). The FSO has overall responsibility for ADP security.
2. Automated Data Processing (ADP) Security Officer. An ADP Security Officer (ADPSO) shall be appointed at each location that uses ADP in the programme/project. Examples of the ADPSO responsibilities are listed below.
a. Prepare and maintain Security Operating Procedures (SECOPS) (see section XII), based on the System Specific Requirement Statement (SSRS) for the ADP system, and circulate the SECOPS on a regular basis;
b. Provide system security advice to the Facility Security Officer and system users;
c. Brief system users on system security responsibilities;
d. Ensure that all personnel authorized to use any part of the ADP system are aware of the extent of their authorization (access control);
e. Maintain a record of all persons authorized to use any part of the ADP system;
f. Define the boundaries of the ADP system and designate secure areas;
g. Issue and control passwords or other access control devices;
h. Monitor the implementation of hardware, firmware, and software modifications and enhancements to the ADP system to ensure that the security is not breached;
i. Ensure that records of hardware, firmware, and software changes and defects are kept and regularly examined as a whole for unusual trends;
j. Liaise with contractors to ensure that maintenance is carried out without endangering security;
k. Ensure the proper custody of classified media and other ADP documents;
l. Carry out periodic checks, at specified and random intervals, on the presence of classified magnetic media and on the accuracy of their markings, and maintain records of the checks;
m. Before the release of media that have undergone an approved declassification procedure, ensure that they do not contain classified data and that external signs are removed that might permit deductions to be drawn about previous usage;
n. Maintain journals or logs that record sufficient details about the activities of the system to enable a history of events to be reconstructed and to facilitate audits. The journal or log should include records, against times and dates, of activities which could jeopardize the security of the system, including:
- abnormal termination of a job or abnormal system shutdown;
- failure of system security mechanisms; and
- unauthorized attempts to gain access to classified data or to make use of system facilities in an unauthorized way.
o. Monitor the configuration management aspects of changes to security-related hardware, firmware, or software and associated documentation;
p. Report to the Facility Security Officer any system security loopholes, infringements, and vulnerabilities that may come to light; and
q. Initiate security investigations into possible system security breaches.
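Item n asks for a journal from which a history of events can be reconstructed, and item i asks that records be examined for unusual trends. The following is an added example, not part of the MISWG document, of how such a journal can be reviewed: the line format, event codes, user names and sample entries are all constructed for illustration. It sorts the entries into chronological order, isolates the three classes of security-relevant activity the plan names, and flags users with repeated unauthorized-access events.

```python
"""Audit-journal reconstruction for the event classes named in item n.

Added example.  The journal format ("timestamp|event|user|detail") and the
event codes below are constructed for illustration; the MISWG document does
not prescribe a format.
"""
from datetime import datetime

# Constructed event codes mapped to the three classes of activity the plan
# requires the journal to record.
SECURITY_RELEVANT = {
    "JOB_ABEND": "abnormal termination",
    "SYS_CRASH": "abnormal termination",
    "SECMECH_FAIL": "security mechanism failure",
    "AUTH_FAIL": "unauthorized access attempt",
    "ACCESS_DENIED": "unauthorized access attempt",
    "PRIV_MISUSE": "unauthorized access attempt",
}

# Constructed sample journal, deliberately out of order to show that a
# reconstruction must sort by timestamp rather than by position in the file.
SAMPLE_JOURNAL = """\
1993-06-25 09:14:02|LOGIN_OK|smith|terminal T3
1993-06-25 09:20:45|AUTH_FAIL|jones|terminal T5, bad password (3rd attempt)
1993-06-25 08:59:10|SYS_START|operator|cold start
1993-06-25 09:21:10|ACCESS_DENIED|jones|file PROJ/CLASSIFIED.DAT
1993-06-25 10:02:33|JOB_ABEND|smith|job PAYCALC, abnormal termination code 0C4
1993-06-25 10:05:00|SECMECH_FAIL|system|label check bypassed on printer P1
1993-06-25 10:06:12|LOGOUT|smith|terminal T3
"""


def parse_journal(text):
    """Parse journal lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed entry; a real review would report these too
        ts, event, user, detail = parts
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event": event,
            "user": user,
            "detail": detail,
            "class": SECURITY_RELEVANT.get(event),  # None for routine events
        })
    return events


def reconstruct_history(events):
    """Return all events in chronological order so the sequence can be audited."""
    return sorted(events, key=lambda e: e["time"])


def security_incidents(events):
    """Only the events the plan requires to be journaled, grouped by class."""
    grouped = {}
    for e in reconstruct_history(events):
        if e["class"] is not None:
            grouped.setdefault(e["class"], []).append(e)
    return grouped


def repeated_failures(events, threshold=2):
    """Users with at least `threshold` unauthorized-access events: the kind of
    trend item i asks the ADPSO to look for."""
    counts = {}
    for e in events:
        if e["class"] == "unauthorized access attempt":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_journal(SAMPLE_JOURNAL)
    for cls, items in security_incidents(evs).items():
        print(cls)
        for e in items:
            print(f"  {e['time']:%Y-%m-%d %H:%M:%S}  {e['user']:<9} {e['detail']}")
    print("repeated unauthorized attempts:", repeated_failures(evs))
```

Routine events (log-on, log-off, system start) are kept in the reconstructed history because they give the security-relevant entries their context, but only the three classes the plan names are reported as incidents.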
D. SYSTEM IDENTIFICATION
This section should describe the equipment, to include the manufacturer, model of each component, configuration, description, disconnect or disabling methods, and size and type of memories and media. The type of media should be defined based on whether information is retained on the media once the power is removed (either volatile or non-volatile); whether the media is fixed or removable; whether the software has a feature that will not allow information to be stored on fixed media; whether it can be declassified through overwrite or maintained at a constant secure level. A description of each item of equipment should show links to other equipment, whether connected or not. A separate description should explain any networking, to include level of classified information to be processed.
E. PHYSICAL SECURITY
1. Access control. This item should describe the controls to be used to prevent the entry of unauthorized personnel and the introduction of unauthorized equipment to the area:
a. access control for personnel and equipment should be described, including procedures and records maintained for the control of visitors and measures applied to prevent unauthorized and inadvertent access to classified output;
b. types of access control in use and responsibility for authorization, procedures, and records;
c. procedures in place to control the introduction, storage, operation, and removal of miscellaneous equipment;
d. procedures to control maintenance, moving, and cleaning personnel; and,
e. procedures for security checks.
2. Security Reviews. This section should describe security review requirements that will be met by the ADPSO, the FSO, and the user on a daily basis. Suggested topics for these items are:
a. Physical Security
b. Personnel Security
c. Document Security
d. Standby/Contingency Plans
e. Communication Security
f. Configuration Management
g. Hardware Maintenance
h. Remote Devices
i. Security Incidents
j. Report Distribution
F. PERSONNEL SECURITY
1. Clearances. This section should describe the level of security clearance required for access to the ADP system and how clearances will be verified for users and/or for maintenance personnel and other visitors.
2. Passwords and user ID. Explain the use of and special handling procedures for passwords and user IDs.
3. Other relevant topics
a. A list of personnel who require routine daily entry to the area (e.g., programme personnel);
b. A list of personnel who require periodic entry to the area (e.g., maintenance); and,
c. Security education/training requirements and requirements for periodically briefing and re-briefing personnel, including the need for formal acknowledgement of the appropriate security briefings.
G. DOCUMENT SECURITY
1. This section should make clear that "document" covers all forms of media holding classified information; for example, paper documents, all machine-readable media, microfilm and fiche, printer ribbons, etc.
2. Include details of, where appropriate, the following:
a. A description of types of documents in use;
b. The prescribed types of register sheets, marking conventions, and storage requirements;
c. Responsibilities and procedures for making back-ups;
d. Responsibilities and procedures for record inspection including frequency of inspection;
e. Procedures for the acquisition, storage, and control of and accounting for documents;
f. Procedures for receipt, exchange and dissemination of documents;
g. Procedures for the appropriate classification marking of documents;
h. Responsibilities and procedures for the de-classification of documents; and,
i. Instructions relating to the de-classification and destruction of documents.
H. HARDWARE AND SOFTWARE SECURITY
1. Hardware Security. Hardware security refers to the protective security features provided by the physical components of an ADP system or network. This paragraph should provide details of, or make reference to, the following aspects of hardware security, where appropriate:
a. Security-related equipment disconnect/connect instructions and procedures;
b. Procedures for the institution of regular checks for signs of tampering with equipment and to ensure that hardware cabinets are kept locked in normal circumstances;
c. The computer configuration to be employed for processing under various conditions; for example, which terminals should be disconnected and/or peripherals disabled when specific processing is to be carried out;
d. Procedures for securing the computer in preparation for engineer maintenance and repair; for example:
(1) A description of the level of authorization required for equipment modification, introduction of new hardware and software, or removal of any item(s) of hardware, including processor boards, that may process, store, or transmit classified data;
(2) A description of any restrictions imposed and when scheduled maintenance may or may not be carried out;
(3) Details of any diagnostic routines to be installed either on a routine basis or following scheduled maintenance or modifications to hardware. In the exceptional circumstances that remote diagnostics/maintenance techniques have been considered and deemed acceptable by the National Security Authority/Designated Security Authority (NSA/DSA), details of these together with the relevant security procedures should be specified;
(4) Specification of any scheduled maintenance programs, including instructions for the identification of any diagnostic printout that might contain classified material; and,
(5) Procedures for the identification, storage, and control of security-related spare parts.
e. Procedures to be followed in the event of hardware failure describing actions to be carried out, and by whom, for securing the computer at breakdown and the records of the failure that should be kept; and,
f. TEMPEST protection should be described when it is provided for the system.
2. Software Security. This paragraph should describe the protective security features that are to be provided by the programme-related software, such as:
a. Operating system software;
b. Microcode (or firmware) - software instructions (usually written by the hardware supplier) that simulate hardware and are conceptually replaceable by actual hardware implementation;
c. Utility programs - providing common and frequently used facilities such as program compilation, the sorting or merging of data files, and word processing; and,
d. The measures to guard against and detect inappropriate or undesirable changes to the software.
I. COMMUNICATION SECURITY
COMSEC measures, approved by the nations' COMSEC authorities, must be in place before classified information may be transmitted. (MISWG Document Number 3, "Use of Cryptographic Systems", should be included in this ADP security plan, as applicable.)
J. EMERGENCY PROCEDURES
This section should describe actions to be taken in case of emergency. Important names and phone numbers should be included.
K. SECURITY EDUCATION
The ADPSO will brief all persons before they are granted access to an ADP system for processing classified information. The briefing should include a review of the details of the security plan, in addition to a review of the sections of the general security procedures which may apply. Persons who commit violations must be rebriefed on their ADP responsibilities and on the possibility of losing their access privileges. This briefing should be based on this ADP Security Plan in connection with MISWG Document Number 9, "Security Education and Awareness".
L. SECURITY OPERATIONAL PROCEDURES (SECOPS)
This section should describe the security procedures to be followed during processing. At a minimum, it should cover:
a. Arrangements for liaison with the National Security Authority/Designated Security Authority;
b. Details of the security mode(s) of operation;
c. Periodic accountability control, inventories, and audit of all classified holdings within an ADP or remote terminal/workstation area;
d. Computer configuration to be used for processing under various conditions, including any terminals/workstations to be denied access and any peripheral equipment which is to be disabled;
e. How to report problems, malfunctions, and suspected or known security breaches;
f. System start-up and close-down procedures;
g. Identification (user ID) concept - procedure for allocation and delegation;
h. Authentication concept - including password control and change procedures; and,
i. Access control mechanisms - the procedures for implementing discretionary or mandatory control of access to data/devices.