OVERVIEW
The Department of the Interior has a long-standing concern
for the protection of its vital information and technology resources.
The first Departmental computer security policy was issued in May 1980.
Since that time, information technology has undergone significant changes.
The Department's dependence on automation to accomplish its mission
has led to extensive growth in the number and types of computer systems
in operation or planned throughout the Department. As a result, automated
information security concerns at the Department have increased.
The Department created its first full-time computer security
position on August 15, 1988, because of increased Departmental awareness
of potential security threats. The Department continues to modify and
improve its information technology security program and policies in
an effort to keep up with changing technology. The latest edition
of the Departmental IT Security Plan was published in April 2002.
The Chief Information Officer (CIO) of the Department is
responsible for providing policy, guidance, advice and oversight for
IT security. The CIO is supported by the Departmental IT Security Manager
(DITSM).
The senior official for IT systems (or Information Resources)
management at each bureau is responsible for the security and protection
of bureau IT systems. Each bureau shall appoint a Bureau IT Security
Manager (BITSM) and an alternate to serve as the focal point for IT
security matters and to coordinate IT security program requirements
with the Department. In addition, each IT installation shall appoint
an Installation IT Security Officer to ensure that users know and understand
the security responsibilities for the IT resources they control.
Departmental policy requires managers and users, including
contractors, at all levels to be responsible and accountable for protecting
the information technology resources they utilize. Departmental policy
also places emphasis on risk management, contingency planning, and awareness
training.
Objectives
DOI will safeguard its IT systems through the implementation
of the DOI IT Security Program, which will accomplish the following:
- Establish a level of IT security for all unclassified
IT systems and information commensurate with the sensitivity of the
information and with the risk and magnitude of loss or harm resulting
from improper operation or losses resulting from fraud, waste, abuse,
disasters, or mismanagement.
- Define, manage, and support the security planning process
for all DOI systems.
- Establish a program to formally certify and authorize
processing of SBU data on all systems within DOI.
- Define and manage the contingency planning process,
including training and testing, to provide IT systems with adequate
continuity of operations upon disruption of normal operations.
- Ensure that all levels of DOI understand the critical role
of IT security in achieving DOI’s missions and are appropriately and
periodically trained through an IT security awareness and training
program.
- Define and manage the computer security incident response
capability program for all DOI employees.
- Use the procedures outlined in Federal Information Processing
Standards (FIPS) and other Federal government guidance except where
the costs of using such standards exceed the benefits or where use
of the standards will impede DOI in accomplishing its mission.
Policies and Bulletins
Several documents establish and define the Department's
policy for the security of its information technology resources. These
include:
- Departmental Manual Chapter 375 DM 19, "Information
Technology Security Program"
- Departmental Information Technology Security Plan (ITSP),
April 2002
- Risk Assessment Guide
- Contingency Planning Guide
- System Security Plan for General Support Systems
- System Security Plan for Major Applications
- Asset Valuation Guideline
Interior IT Security Guidance
Information Technology Security Team
The Department established the IT Security Team (ITST)
in January 2002. The Team's mission is to ensure the successful implementation
of the Office of Management and Budget (OMB) Circular A-130, Appendix
III. The ITST is chaired by the DITSM with membership comprised of BITSMs
and representatives from the Inspector General’s office. The team works
on issues relating to IT security such as policy, procedures and reporting
to oversight agencies.
Training and Awareness
Awareness training plays an important role in achieving
the Department's goal for computer security. Periodic computer security
awareness training is provided to employees who are involved with the
management, use, or operation of computer systems under its control.
The training objectives are to enhance employee awareness of the threats
to and vulnerabilities of computer systems, and to encourage the use of
improved computer security practices within the Department.
Personnel
IT-related supervisors, in conjunction with their respective
personnel and security officers, review positions within the Department
and assign each a sensitivity level based on the program supported and
the duties assigned. Personnel Officers arrange for background investigations
for personnel assigned to sensitive positions.