United States Department of Agriculture
Research, Education, and Economics
ARS * CSREES * ERS * NASS
Policies and Procedures
Title: |
ARS Information Systems Security Program |
|
|
Number: |
253.3-ARS |
|
|
Date: |
August 19, 1998 |
|
|
Originating Office: |
Information Technology Division, Network Operations Branch,
AFM/ARS |
|
|
This Replaces: |
EMS 3200, dated 9/30/94 |
|
|
Distribution: |
ARS Headquarters, Areas, Locations |
This P&P establishes the policy supporting program goals,
and the assignment of responsibilities for the management, implementation, and operation
of the ARS Information Systems Security Program. |
Table of Contents
1. Authorities
2. Background
3. Applicability
4. Information Systems Security Program Objectives
5. Information Systems Security Program Elements
6. Policy
7. Summary of Responsibilities
Senior Information Resources
Management Officer (SIRMO):
ISSP Officer
Deputy Administrators, Associate
Deputy Administrators, Headquarters Staffs, Administrative Financial Management (AFM)
Divisions, and Area Directors
Area Administrative Officers, With
Assistance from Location Coordinators
Area Deputy Security Officers
Location Security Points of Contact
All Users of Automated Information
Systems
8. Glossary
The Privacy Act of 1974; Federal Managers Financial Integrity Act of 1983; PL 100-235,
The Computer Security Act of 1987; OMB Circular A-130, Appendix III,
Security of Federal Automated Information Systems; OMB Circular A-123,
Internal Control Systems; OMB Circular A-127, Financial Management
Systems; Departmental Regulation (DR) 3140-1, USDA Information System Security
(ISS) Policy.
The use of distributed information systems to store, process, and communicate sensitive
information and the integration of computer and telecommunication technologies have made
information systems security more complex. The benefits of using this technology must be
accompanied by the implementation of an information systems security program (ISSP) that
reduces the associated security risks to an acceptable level.
The policies and associated information systems security standards and guidelines will
apply to all ARS organizational elements and to other components of USDA having data
resident on ARS computer systems. They also apply to all other personnel who have
responsibility for operating automated information systems of ARS or who have access to
ARS data or equipment.
The objectives of the ARS ISSP are to:
- provide uniform policy and centralized guidance on information systems security;
- establish requirements for the protection of sensitive information against disclosure,
modification, or destruction;
- protect information resources from fraud, theft, or misuse;
- maintain the continuity of ARS operations by preventing or minimizing the impact of
events that interfere with normal information processing operations;
- ensure that security planning and risk management requirements are integrated into the
ARS systems development process; and
- provide training to promote information systems security awareness and accountability at
all levels within ARS.
The ISSP is a balanced combination of management and staff actions, operational
activities, and technological control measures. The following ISSP elements will be
addressed in more detail in the forthcoming ARS Information Systems Security Manual,
253.3-ARS:
- Policies, Standards, and Guidelines. The foundation of the ISSP is the
development and implementation of policies, standards, and guidelines in compliance with
those at the Federal and departmental level.
- Assignment of Security Responsibilities. Managers will ensure that
responsibilities for information systems security are clearly communicated to all
employees. When required by the importance of the computer resources and/or the
sensitivity of the information processed, an information systems security representative
may be formally designated to exercise security management functions on behalf of the
responsible manager.
- Effective Use of Protective Technology. ARS will make full use of available
hardware, software, and communications security technology wherever cost effective to
protect Agency information technology resources. New information technology systems will
be reviewed to ensure that appropriate security is integrated into systems design.
- Security Education and Training. Education and training are key elements in the
ISSP. Information systems managers, technical staff, and users will be familiar with the
established goals and responsibilities of the ISSP. To accomplish this, ongoing security
awareness and education training will be provided to all employees.
- Risk Management. ARS will, to the maximum extent feasible, implement a risk
management program that ensures security risks are identified and evaluated and includes
the development and maintenance of computer security plans, contingency plans, and
certifications and accreditation of sensitive systems and applications.
- Reviews. ARS information systems will be afforded periodic security reviews as
required by Federal regulations and Departmental Directives.
- Contingency Planning. The increased dependence on automated information systems
makes it essential that plans and procedures be prepared and maintained to:
- minimize the damage and disruption caused by undesirable events; and
- provide for the continued performance of essential system functions and services.
- Security Accreditation of Sensitive Information Applications. A formal security
accreditation process will be implemented to ensure that appropriate controls have been
designed into sensitive computer applications. An essential feature of this process will
be the responsibility of management in the determination of control requirements and the
assessment of the internal control environment for the application.
- Protection. ARS will establish appropriate safeguards and procedures to detect
actual or potential security violations and to counteract each threat as identified in a
risk analysis. The various types of security procedures will include the following:
- Physical security practices that focus on required measures for protecting the structure
housing automated information systems and related equipment from damage by accident, fire,
or environmental hazards.
- Personnel security practices that focus on procedures established to ensure that all
personnel who have access to sensitive information have the required authorities and
clearance.
- Communications security practices that focus on required measures such as passwords,
encryption, data authentication, and security software used to prevent unauthorized access
to information or data resident on information systems or peripheral devices.
- Equipment security practices that combine with physical security to ensure the
protection of hardware components of a system.
- Software and data security practices that focus on the protection of operating systems,
applications software, and database files.
- Administrative security practices that include those planning and procedural measures
associated with the implementation and administration of the computer security program.
It is the policy of ARS to establish and maintain an effective ISSP that complies with
applicable Federal and Department information systems security policies and addresses ARS
requirements for confidentiality, integrity, and availability.
ARS information systems security responsibilities are implemented through, but not
limited to, the following:
Senior Information Resources Management Officer (SIRMO):
- Develops and maintains a cost effective ISSP that assures compliance with established
Federal mandates and Department requirements.
- Implements the ISSP through the ARS ISSP Officer.
ISSP Officer
- Plans, develops, and directs a comprehensive ISSP.
- Monitors and reports on ARS compliance with Federal and Department information system
security policies and standards.
- Oversees the development and implementation of ARS information system security goals and
objectives.
- Develops, coordinates, implements, and maintains security policies, procedures, and
guidelines for the protection of all ARS information sources.
- Designs and implements a comprehensive risk management program.
- Conducts periodic information systems security risk assessments and security reviews of
operational or proposed automated information systems and computer facilities.
- Provides consolidated budgetary planning and review for information systems security
equipment, training, control software, and services.
- Serves as the principal information systems security consultant to ARS components that
use, develop, or operate automated information systems.
- Supports the goals and objectives of the Privacy Act of 1974 by establishing appropriate
physical, systematic, and procedural safeguards to assure the confidentiality of personal
information processed by ARS automated systems.
- Represents ARS at Department and other Federal Government organizations and specialized
groups on information systems security activities.
- Issues standards for the development and maintenance of contingency plans for emergency
response, backup operations, and post-disaster recovery of ARS information systems and
facilities.
- Provides guidance to the Deputy Security Officers and all Security Points of Contact.
- Establishes criteria for computer security awareness and training and ensure that a
security training program is implemented to meet the requirements of the Computer Security
Act of 1987.
- Issues appropriate instructions needed to implement provisions of computer security
policies and standards established in ARS Directives, Department Regulations, and Federal
laws.
Deputy Administrators, Associate Deputy Administrators,
Headquarters Staffs, Administrative Financial Management (AFM) Divisions, and Area
Directors
- Appoint a Deputy Security Officer at each ARS Area.
- Implement established information security policies within their areas of
responsibilities.
- Promote information systems security awareness and ethical use of automated information
systems.
- Ensure appropriate security requirements are included in specification and contract
documents for acquisition or operation of computer facilities, equipment, software
packages, or related computer services.
- Promptly report to the ISSP Officer any breaches of security; events that may indicate
security violations; or attempts to gain unauthorized access to computers, information
systems, or data resident on information resources.
- Develop security plans for each general support system and major application identified
in accordance with OMB Circular No. A-130, Appendix III, and OMB Bulletin 90-08 as a minimum.
These plans are due to AFM/Information Technology Division (ITD) on March 1 of each year.
Area Administrative Officers, With Assistance from
Location Coordinators
- Appoint a Security Point of Contact at each ARS location.
Area Deputy Security Officers
- Serve as the main contact point for Information Systems Security for their designated
program area and as liaison between Security Points of Contact and the ISSP Officer.
- Implement computer security policies, procedures, and guidelines for the protection of
information resources.
- Participate in the development of computer security plans and contingency plans as well
as certifications and accreditation of sensitive systems and applications.
- Participate in risk assessments and periodic security reviews of operational or proposed
automated information systems.
- Provide technical guidance to Security Points of Contact.
- Provide authorized users appropriate access to ARS applications, and to NFC and National
Information Technology Center (NITC) remote-based applications following approval from
respective Functional Managers.
Location Security Points of Contact
- Serve as primary security liaison with the Deputy Security Officers and ISSP Officer.
- Promptly report to the Deputy Security Officers any breaches of security; events that
may indicate security violations; or attempts to gain unauthorized access to computers,
information systems, or data resident on information resources.
All Users of Automated Information Systems
- Comply with all security requirements pertaining to the automated information resources
they use.
- Practice good housekeeping with all computer equipment (i.e., computer areas should be
uncluttered, and food, drinks, and smoking should be kept away from computers).
- Safeguard all user ID's and passwords to automated information systems.
- Backup data and systems on a regular basis.
- Understand and comply with all licensed software agreements before using the software at
each work area.
- Report all computer security incidents to the Deputy Security Officer or ISSP Officer.
Accreditation. Authorization and approval of a certified automated information
system to process sensitive data.
Administrative Security. The security discipline which focuses on those planning
and procedural measures associated with the implementation and administration of the
computer security program.
ARS Security Requirements Committee. An ad hoc Information Security Committee
designated by the SIRMO and determined by the security matter being addressed.
Automated Information System. The organized combination of ADP equipment,
software, and established methods and procedures designed to collect, process, and
communicate data or information supporting specific administrative, mission, or program
requirements. This includes application systems, databases, and management information
systems.
Automated Information Systems Security. The managerial, technical, and physical
safeguards used to ensure the confidentiality, integrity, and availability of sensitive
information processed by or transmitted through Federal automated information systems.
Certification. Technical evaluation of automated information systems, made as
part of and in support of the accreditation process, that establishes the extent to which
a particular automated information system or network design and implementation meet
pre-specified security requirements.
Communications Security. The security implemented to ensure that only authorized
users are able to access the system from a remote location.
Confidentiality. Ensuring that sensitive information is kept private and is
accessible only by authorized personnel who have a need to know.
Data. A representation of facts, concepts, or instructions in a formalized
manner suitable for communication, interpretation, or processing by manual or automated
means.
Equipment Security. The security of the hardware components of a system.
ID. User Identification Code
Information. Any communication or representation of knowledge such as facts,
data, or opinions, including numerical, graphic, or narrative maintained in any medium or
form, including computerized databases, paper, microfilm, or magnetic tape.
Information System. The organized collection, processing, maintenance,
transmission, and dissemination of information in accordance with defined procedures.
IRM. Information Resources Management
ISSP. Information Systems Security Program
ITD. Information Technology Division
NFC. National Finance Center
NITC. National Information Technology Center
OMB. Office of Management and Budget
Personnel Security. The procedures established to ensure that all personnel who
have access to sensitive information have the required authorities and clearance.
Physical Security. Procedures required for the protection of the structures
housing automated information systems and related equipment from damage by accident, fire,
or environmental hazards.
Risk Analysis. An evaluation of automated information systems assets and
vulnerabilities to establish an expected loss from certain events based on estimated
probabilities of the occurrence of these events. Identifies potential threats and their
probability of occurrence and proposes safeguards to combat these threats.
Risk Management. The total process to identify, control, and minimize the impact
of uncertain events. The process facilitates the management of security risks by each
level of management throughout the system life cycle. The approval process consists of
three elements: risk analysis, certification, and approval.
Sensitive Information. Information that requires protection because of the risk
and magnitude of loss or harm that could result from inadvertent or deliberate disclosure,
alteration, or destruction of the information. The term includes information whose
improper use or disclosure could adversely affect proprietary data, the ability of an
agency to accomplish its mission, records about individuals requiring protection under the
Privacy Act, and information not releasable under the Freedom of Information Act.
SIRMO. Senior Information Resources Management Officer. The designated official
responsible for carrying out the IRM functions assigned to the Agency by the Paperwork
Reduction Act. The Director of ITD is designated as the ARS SIRMO.
Software and Data Security. The security of operating systems software,
applications software, and database files and the information they contain.
/s/
FLOYD P. HORN
Administrator
Agricultural Research Service