U. S. Department of the Interior - OCIO


	PMB Home

	About Hord Tipton

	Overview

	Strategic Plan

	Programs

	Enterprise Architecture

	E-Authentication

	IT Capital Planning

	Section 508

	Records Management

	Privacy

	FOIA

	Enterprise Licensing Agreements/Contracts

	Government Paperwork Elimination Act - GPEA

	Telecommunications

	IT Security

	Employee Corner

	Employment

IT Security Program

OVERVIEW

The Department of the Interior has a long-standing concern for the protection of its vital information and technology resources. The first Departmental computer security policy was issued in May 1980. Since that time, information technology has undergone significant changes. The Department's dependence on automation to accomplish its mission has led to extensive growth in the number and types of computer systems in operation or planned throughout the Department. As a result, automated information security concerns at the Department have increased.

The Department created its first full-time computer security position on August 15, 1988, because of increased Departmental awareness of potential security threats. The Department continues to modify and improve its information technology security program and policies in an effort to try to keep up with changing technology. The latest edition of the Departmental IT Security Plan was published in April 2002.

The Chief Information Officer (CIO) of the Department is responsible for providing policy, guidance, advice and oversight for IT security. The CIO is supported by the Departmental IT Security Manager (DITSM).

The senior official for IT systems (or Information Resources) management at each bureau is responsible for the security and protection of bureau IT systems. Each bureau shall appoint a Bureau IT Security Manager (BITSM) and an alternate to serve as the focal point for IT security matters and to coordinate IT security program requirements with the Department. In addition, each IT installation shall appoint an Installation IT Security Officer to ensure that users know and understand the security responsibilities for the IT resources they control.

Departmental policy requires managers and users, including contractors, at all levels to be responsible and accountable for protecting the information technology resources they utilize. Departmental policy also places emphasis on risk management, contingency planning, and awareness training.

Objectives.

DOI will safeguard its IT systems through the implementation of the DOI IT Security Program, which will accomplish the following:

Establish a level of IT security for all unclassified IT systems and information commensurate with the sensitivity of the information and with the risk and magnitude of loss or harm resulting from improper operation or losses resulting from fraud, waste, abuse, disasters, or mismanagement.
Define, manage, and support the security planning process for all DOI systems.
Establish a program to formally certify and authorize processing of SBU data on all systems within DOI.
Define and manage the contingency planning process, including training and testing, to provide IT systems with adequate continuity of operations upon disruption of normal operations.
Understanding, by all levels of DOI, the critical role of IT security to achieve DOI�s missions and be appropriately and periodically trained through an IT security awareness and training program.
Define and manage the computer security incident response capability program for all DOI employees.
Use the procedures outlined in Federal Information Processing Standards (FIPS) and other Federal government guidance except where the costs of using such standards exceed the benefits or where use of the standards will impede DOI in accomplishing its mission.

Policies and Bulletins

Several documents establish and define the Department's policy for the security of its information technology resources. These include:

Departmental Manual Chapter 375 DM 19, "Information Technology Security Program"
Departmental Information Technology Security Plan (ITSP), April 2002
Risk Assessment Guide
Contingency Planning Guide
System Security Plan for General Support Systems
System Security Plan for Major Applications
Asset Valuation Guideline

Interior IT Security Guidance

Information Technology Security Team

The Department established the IT Security Team (ITST) in January 2002. The Team's mission is to ensure the successful implementation of the Office of Management and Budget (OMB) Circular A-130, Appendix III. The ITST is chaired by the DITSM with membership comprised of BITSMs and representatives from the Inspector General�s office. The team works on issues relating to IT security such as policy, procedures and reporting to oversight agencies.

Training and Awareness

Awareness training plays an important role in achieving the Department's goal for computer security. Periodic computer security awareness training is provided to employees who are involved with the management, use, or operation of computer systems under its control. The training objectives are to enhance employee awareness of the threats to and vulnerability of computer systems; and to encourage the use of improved computer security practices within the Department.

Personnel

IT related supervisors, in conjunction with their respective personnel and security officers, review positions within the Department and assigned a sensitivity level based on the program supported and duties assigned. Personnel Officers arrange for background investigations for personnel assigned to sensitive positions.

U.S. Department of the Interior
This is an Official Government Website
Office of the Chief Information Officer
http://www.doi.gov/ocio/
Contact the DOI Webmaster
Last Updated on 08/10/04