Cost Benefit Report

7

PREVENTIVE MAINTENANCE - The Preventive Maintenance safeguard refers to having an effective maintenance program in place which should include all computer hardware, generators, air conditioning equipment, grounding systems, lightning arrestors, fire systems and structured components such as vent closures, floor plates, doors, etc.

PROPERTY MANAGEMENT - The Property Management safeguard refers to the organization having a comprehensive and effective program for property inventory control, allocation and accountability.

QUALITY ASSURANCE - The safeguard of Quality Assurance refers to the formal establishment of a program which will regularly monitor (and find ways to improve) programming quality, user error, communication ability, etc.

REDUNDANT POWER - The safeguard of Redundant Power refers to having a secondary independent source of electrical power to back up the primary power source.

REVIEW OF SENSITIVE APPLICATIONS - The safeguard of Review of Sensitive Applications refers to the organization's need to conduct a formal risk assessment of each Sensitive Application program on a regular basis.

RISK ANALYSIS - The safeguard of Risk Analysis refers to the organization having recently conducted a formal risk assessment of each major system and application program.

SECURITY CLASSIFICATION - The Security Classification safeguard requires that each activity have policies in place addressing the proper classification of sensitive materials, including a receipt program, and general handling procedures for all sensitive and classified materials.

SECURITY PLAN - The Security Plan refers to the existence of a document which defines the tasks and charges of the security organization, as well as planning the security procedures necessary for the protection of the organization.

SECURITY POLICY - Security Policy refers to the existence of written, defined guidelines which dictate how the organization manages its resources and protects them from both internal and external threats.

SECURITY STAFF - The Security Staff safeguard refers to the individuals in the organization who maintain or manage security tasks; in addition to full-time security staff, this includes managers who have part-time security responsibilities for the resources they manage.

SYSTEM SECURITY TEST AND EVALUATION (SST&E) - The safeguard of SST&E (System Security Test and Evaluation) refers to the organization having a formal procedure to test each individual safeguard for effectiveness and accuracy.

SYSTEM VALIDATION - The System Validation safeguard refers to the practice of ensuring that the operating system contains only approved code, and that changes to the operating system are accounted for, are verified, and are transmitted in a secure and acknowledged mode.

TECHNICAL SURVEILLANCE - This safeguard is applicable to Classified environments and refers to a (possibly external) organization that can conduct a survey to identify potential security problems.

TEMPEST SURVEY - This safeguard is applicable to Classified environments and refers to the gathering of information, by inspection or survey, about all instrumentation and sites that store or process classified information.

TRAINING - The training safeguard refers to the organization having a written implemented program for security training of new employees, and security awareness programs for current employees.

VISITOR CONTROL - The Visitor Control safeguard refers to ensuring that visitors to a facility are monitored twenty-four hours a day, that an audit trail of visitors exists, and that this official record is maintained for at least two years.

WATER DRAINAGE - The Water Drainage safeguard refers to ensuring that the facility is equipped with a drainage system so that water from broken pipes, water from activated sprinkler systems or water used in fire fighting can be easily and effectively drained from the facility.

Vulnerability Distribution Report

1

VULNERABILITY DISTRIBUTION REPORT

Those individual questions that indicate the largest degree of perceived vulnerability, as tallied from the responses, are shown below.

Following each question is its associated area of vulnerability.

1. Sensitive information is not transmitted electronically over public communication media unless it has been appropriately encrypted or proper authentication of the user is achieved?

Vulnerability Area: Disclosure

2. The requirements for the security organization are reflected in an applicable position description?

Vulnerability Area: Policy

3. The organization has a viable, verifiable system of accountability and control for all equipment and material entrusted to the organization?

Vulnerability Area: Accountability

4. The organization provides protection of staff from hostile clients?

Vulnerability Area: Policy

5. The organization has established a confidentiality policy and has issued directives, guidelines and operating procedures?

Vulnerability Area: Privacy Act

6. Water detectors are located under raised floors?

Vulnerability Area: Reliability

7. Error-checking software is used when performing file transfers using networks?

Vulnerability Area: Data Integrity

8. There is continuous accountability and control for all equipment and materials maintained by the organization?

Vulnerability Area: Accountability

9. The organization has a written computer security policy?

Vulnerability Area: Policy

10. Visitor logs are always used, maintained and retained for a minimum period of two (2) years?

Vulnerability Area: Access Control

11. The facility has a source of quality electrical power so that it does not experience excessive down time as a result of power fluctuations, power reductions, brownouts, power outages and blackouts?

Vulnerability Area: Reliability

12. The placement of the system security officer within the organization has been reviewed and evaluated to ensure an effective and unfiltered reporting structure?

Vulnerability Area: Policy

13. All data files are accounted for on servers or systems?

Vulnerability Area: Accountability

14. Written consent is required and identifies other networks before enabling connection or interconnection?

Vulnerability Area: Administration

15. The organization has a space formulation standard that provides an adequate environment and elevates space concerns to management for review and requested modifications?

Vulnerability Area: Policy

16. Employees have sufficient and appropriate furniture, equipment and supplies to perform their job functions efficiently?

Vulnerability Area: Administration

17. When an employee gives notice of quitting, or is about to be terminated, the supervisor notifies Security as soon as the action becomes known?

Vulnerability Area: Access Control

18. There are at least two independent sources of power available to the computer system and the facility?

Vulnerability Area: Reliability

19. Third-party security software is not used in conjunction with the network?

Vulnerability Area: Data Integrity

20. All communication lines are uniquely identified?

Vulnerability Area: Accountability

21. The organization has implemented policy and guidelines for background checks, investigations and surety programs for new applicants, system users, sensitive operations staff, and for verification of contractor personnel clearances?

Vulnerability Area: Policy

22. Communication support equipment such as controllers and modems is located in secure areas?

Vulnerability Area: Access Control

23. The computer room walls, doors, windows, etc., are designed, constructed and/or installed to specifications that would minimize the possibility of access from adjacent areas or from outside the facility?

Vulnerability Area: Access Control

24. The organization has attempted to increase performance and reduce costs by selectively purchasing advanced hardware and software?

Vulnerability Area: Policy

25. The agency security staff is responsible for ensuring that all personnel who install, operate, maintain, or use the computer systems have access authorization?

Vulnerability Area: Access Control

26. Emergency power-off switches for the computers and other equipment are adequately protected to prevent accidental shutdown?

Vulnerability Area: Reliability

27. The network operating system (NOS) system files are kept in a protected directory or are encrypted by the system (i.e. password files, configuration files, etc.)?

Vulnerability Area: Disclosure

28. There is adequate interior and exterior lighting for the facility during non-daylight hours, and doors and windows have adequate locking devices?

Vulnerability Area: Access Control

29. The organization has a current and effective Life Cycle Management Plan (LCMP) to ensure that the systems meet specified requirements with appropriate internal controls?

Vulnerability Area: Policy

30. Password modification is required by the Network Operating System?

Vulnerability Area: Access Control

31. The facility has adequate electrical power that meets or exceeds local needs and codes?

Vulnerability Area: Reliability

32. All supervisors immediately notify the Security Representative of all transfers and employment terminations?

Vulnerability Area: Access Control

33. Log-on, system command, and on-line transaction documentation manuals are placed in a secure area when not in use?

Vulnerability Area: Documentation

34. Supporting utilities such as electrical power, air conditioning, natural gas, fuel, water and communication systems are provided with appropriate security?

Vulnerability Area: Reliability

35. Users, networks and computer systems accessing any network take all precautions necessary to protect the networks?

Vulnerability Area: Access Control

36. Sufficient waterproof sheets are available for covering computer equipment in an emergency situation?

Vulnerability Area: Reliability

37. The water cooling system is protected from sabotage attempts?

Vulnerability Area: Reliability

38. All network connections via dial-up facilities are managed, controlled and secure?

Vulnerability Area: Access Control

39. Door hinges are installed on the inside of the door, or are pinned/welded when installed on the outside, to prevent door removal?

Vulnerability Area: Access Control

40. Written policy exists which defines adequate backup frequency and retention periods for backup data?

Vulnerability Area: Policy

41. All external user, network or system access to mission-critical AIS resources is performed through a C2-designated resource?

Vulnerability Area: Access Control

42. All work areas (local and remote) are equipped with security systems?

Vulnerability Area: Access Control

43. The program security staff is responsible for investigating and resolving all computer security incidents?

Vulnerability Area: Policy

44. New communication links are approved by the Security Officer?

Vulnerability Area: Evaluation

45. Reproduction facilities and copy machines are secured or locked to prevent abuse?

Vulnerability Area: Accountability

46. A quantitative risk analysis required by current directives has been performed within the past three years?

Vulnerability Area: Evaluation

47. There is documentation that demonstrates that all network systems are approved by management?

Vulnerability Area: Policy

48. The Program Security Officer has prescribed the security measures to be used at each workstation and work area?

Vulnerability Area: Policy

49. The facility has been audited for security within the last twelve months?

Vulnerability Area: Evaluation

50. Management strives to reduce employee turnover by retaining qualified personnel through fair promotion policies?

Vulnerability Area: Policy

The areas of vulnerability associated with the questions above are shown below, ranked according to the number of questions in each.

Following the table is a chart indicating the relative importance of each area of vulnerability, as determined from the question set.

    Vulnerability Areas        Number of Questions

 1. Access Control                     13
 2. Policy                             13
 3. Reliability                         8
 4. Accountability                      5
 5. Evaluation                          3
 6. Administration                      2
 7. Data Integrity                      2
 8. Disclosure                          2
 9. Privacy Act                         1
10. Documentation                       1

Chart (relative importance of each vulnerability area): Access Control (26.0%), Policy (26.0%), Reliability (16.0%), Accountability (10.0%), Evaluation (6.0%), 5 Others (16.0%).
