AIS News

 

Updated 11/13/2002

This page contains sample documents which may prove helpful when clearing Information Systems, adding procedures or when developing a plan for DISN implementation.

Contact the San Diego region's DSS Information Systems Security Professional (ISSP), Jim Sexton, for IS and DISN information.

Mr. Sexton can be reached at (858) 674-4211 or james.sexton@dss.mil


SAMPLE CONTRACTOR DOCUMENTS

Contractors in the IS community have generously provided the following IS documents as samples that have worked for them.

aiguide.doc


SIPRNET DOCUMENTS PROVIDED BY DISA


HELPFUL SIPRNET/DISN DOCUMENTS

The following files may be used when developing a DISN waiver, DISN determination or when a DISN plan must be written:

accctrl.doc is a sample document from a local company's IS Security Plan (ISSP) to describe access controls within the system.  Each company also needs to include in the plan a provision for automated audit trails and a weekly check.

siprxmpl.doc is a sample letter, provided by the Joint Chiefs, that a contractor's customer can submit to the Joint Staff when requesting access to the SIPRNet.

contrltr.doc is a sample letter which DSS sends to contractors once SIPRNET approval is received.


OTHER IS INFORMATION

NSA Destruction Facility Guidelines

NSA Approved Destruction Devices

New Chapter 8 - The new NISPOM Chapter 8, Information System Security

Chapter 8 with ISL - The new Chapter 8 with ISL questions and answers inserted into the appropriate place in Chapter 8

Windows NT Auditing - Procedures for auditing Windows NT systems. Contributed by Lockheed Palmdale via San Diego's Northrop Grumman.

Unix Auditing - Procedures for auditing Unix systems. Contributed by Lockheed Palmdale via San Diego's Northrop Grumman.

Computer Security Vulnerabilities - A PowerPoint presentation by Robert Koepke, Raytheon, Dallas, Texas.

Cyberliability - Presentation by Stan Gatewood, Chief Information Assurance Officer and Privacy Officer for USC, presented at a joint NCMS/CISSO (LA ISAC) INFOSEC Seminar on October 10, 2001 in Los Angeles.

European Privacy - Andrea Hoy's Briefing on European Privacy Directive

Setting Up WIN 2000 Audit - Contributed by Raytheon, San Diego

Assessed Products List - List of overwrite software programs that have been authorized for use, from DSS Information Assurance website

Clearing and Sanitization Matrix - Revised clearing and sanitization matrix from DSS Information Assurance website

Magnetic Tape Degaussing - Guidance on degaussing magnetic tapes, from DSS Information Assurance website

Security Seals - List of security seal vendors, from DSS Information Assurance website

Protective Distribution Systems - NSTISSI 7003 guidance on protection of transmissions

DOD Warning Banner - For installation on classified systems, from DSS Information Assurance website

 

 


RELATED AIS LINKS

Motorola Secure Products

SANS Institute

SANS Institute/Computer Security and Intrusion Detection Glossary

BC Wipe, a Program Sometimes Authorized By The Navy For Overwriting Disks

Data Eraser Version 2.0

Format (Sun Solaris)

FX Utility (Silicon Graphics)

Norton Utilities Version 5.0

Uni-Shred Pro Version 3.2.3

 


ITEMS OF INTEREST

Bluetooth Technology - http://news.cnet.com/news/0-1004-200-6182176.html?tag=dd.ne.dhm.nl-sty.0

Sanitization of Laser Printers (Guidance from our DSS Information Systems Security Specialist) - "Run 1 page (font test acceptable) when print cycle not completed (e.g. paper jam or power failure). Dispose of output as unclassified if visual examination does not reveal any classified information." You may want to start including that in plans you are submitting. It will save paper. The Clearing & Sanitization Matrix with the above new guidance can be found on the DSS Web Site; look under Information Assurance.

If the file you want to download is not in text form or in printed form, you must have the data owner's permission in writing to download it. A sample trusted download procedure can be found in the new draft version of the new Chapter 8 boilerplate on the Central Florida ISAC website at www.cfisac.org. DSS HQ will have some DSS-approved procedures posted soon on the DSS website under Information Assurance.

Examples of things you can continue to download and that we will work the accreditation on are: Word documents, Excel spreadsheets, PowerPoint slides (without graphics or multimedia embedded), and WordPerfect documents. You can open these files and look at them in ASCII with a hex editor.

Examples of things you cannot download without written consent are as follows: embedded graphics, sound, video, pictures and other non-text data.

Sometimes, DSS will receive a request from a contractor to have classified data run through a specialized program which will strip out all classified data and produce an unclassified file on a floppy. Since we cannot adequately review the source code on such programs, we cannot ensure the program is doing its job. Therefore, you must get something in writing, as well, from your government customer that they will accept the risk of using such programs.

Key Ghost - Information on Key Ghost can be found at www.keyghost.com/newproducts.htm.

Key Ghost comes as a full keyboard or as a little device (flash) that sits between the keyboard jack and the back of the computer. The Key Ghost II Pro can store over 500,000 keystrokes, which would be at least a full day of classified information out the door if it were in a restricted area, and potentially no one would know. It is readable with any text editor with their "keystroke ghosting technique". It's a good idea to include a check of the keyboards and the backs of computer systems in startup procedures for computers, especially in restricted areas.

Orb Drives - Orb Drives are made by a company called Castlewood, located in Pleasanton, CA (Phone: 750-291-1800). They are also available from computer vendors. The Orb Drive is a 2.2 GB rigid media cartridge that fits into a drive that can be put into a slot in the computer. The disk drive is $137.50 and the 2.2 GB cartridges are $30 each. They also come in larger sizes. Some companies are removing the internal fixed disks and using Orb Drives as boot disks for their classified systems.