
DHS Sensitive Systems Policy Directive 4300A


DHS Sensitive Systems Policy Directive 4300A, Version 11.0, April 30, 2014. This Policy implements DHS Management Directive 140-01, “Information Technology System Security,” July 31, 2007.


Transcription of DHS Sensitive Systems Policy Directive 4300A

DHS Sensitive Systems Policy Directive 4300A

Version 11.0, April 30, 2014

This Policy implements DHS Management Directive 140-01, “Information Technology System Security,” July 31, 2007

Protecting the Information that Secures the Homeland

FOREWORD

The Department of Homeland Security (DHS) 4300 series of information security policies are the official documents that create and publish Departmental standards and guidelines in accordance with DHS Management Directive 140-01, Information Technology System Security.

Comments concerning DHS Information Security publications are welcomed and should be submitted to the DHS Director for Information Systems Security Policy at or addressed to:

DHS Director of Security Policy and Remediation
OCIO CISO Stop 0182
Department of Homeland Security
245 Murray Lane SW
Washington, DC 20528-0182

/S/
Jeffrey Eisensmith
Chief Information Security Officer
Department of Homeland Security
April 30, 2014

TABLE OF CONTENTS

Information Security Program
Policy Sensitive Information
Public Information
Classified National Security Information
National Intelligence Information
Foreign Intelligence Information
Information Technology
DHS System
General Support System
Major Application
Component
Trust Zone
Continuity of Continuity of Operations Plan
Essential Functions
Vital Records
Operational Data
Federal Information Security Management Act (FISMA)
Personally Identifiable Information
Sensitive Personally Identifiable Information
Privacy Sensitive System
Strong Authentication
Two-Factor Authentication
Waivers
Waiver Requests
Requests for Exception to Citizenship Requirement
Electronic Signature
Information Sharing
Insider Threats
Criminal Threats
Foreign Threats
Lost or Stolen Equipment
Supply Chain Threats
Changes to Policy

ROLES AND RESPONSIBILITIES

Information Security Program Roles
DHS Senior Agency Information Security Officer
DHS Chief Information Security Officer
Component Chief Information Security Officer
Component Information Systems Security Manager
Risk Executive
Authorizing Official
Security Control Assessor
Information Systems Security Officer
Ongoing Authorization Manager and Operational Risk Management Board
DHS Security Operations Center
DHS Component Security Operations Centers
Other Roles
Secretary of Homeland Security
Under Secretaries and Heads of DHS Components
DHS Chief Information Officer
Component Chief Information Officer
DHS Chief Security Officer
DHS Chief Privacy Officer
DHS Chief Financial Officer
Program Managers
System Owners
Common Control Provider
DHS Employees, Contractors, and Others Working on Behalf of DHS

MANAGEMENT POLICIES

Basic Requirements
Capital Planning and Investment Control
Contractors and Outsourced Operations
Performance Measures and Metrics
Continuity Planning for Critical DHS Assets
Continuity of Operations Planning
Contingency Planning
Systems Engineering Life Cycle
Configuration Management
Risk Management
Security Authorization and Security Control Assessments
Ongoing Authorization
Information Security Review and Assistance
Security Working Groups and Forums
CISO Council
DHS Information Security Training Working Group
DHS Security Policy Working DHS Enterprise Services Security Working Group
Information Security Policy Violation and Disciplinary Action
Required Reporting
Privacy and Data Security
Personally Identifiable Information
Privacy Threshold Analyses
Privacy Impact Assessments
System of Records Notices
Protecting Privacy Sensitive Systems
Privacy Incident Reporting
E-Authentication
Use Limitation and External Information DHS CFO Designated Systems
Social Media
Health Insurance Portability and Accountability Act
Cloud Services

OPERATIONAL POLICIES

Personnel
Citizenship, Personnel Screening, and Position Categorization
Rules of Behavior
Access to Sensitive Information
Separation of Duties
Information Security and Privacy Awareness, Training, and Education
Separation from Duty
Physical Security
General Physical Access
Sensitive Facility
Media Media Protection
Media Marking and Transport
Media Sanitization and Disposal
Production, Input/Output Controls
Voice Communications Security
Private Branch Exchange
Telephone Communications
Voice Mail
Data Communications
Telecommunications Protection Techniques
Facsimiles
Video Teleconferencing
Voice over Data Networks
Wireless Network Communications
Wireless Systems
Wireless Mobile Devices
Cellular Phones
Pagers
Multifunctional Wireless Devices
Wireless Tactical Systems
Radio Frequency Identification
Overseas Equipment
Workstations
Laptop Computers and Other Mobile Computing Devices
Personally Owned Equipment and Software
Hardware and Personal Use of Government Office Equipment and DHS Wireless Settings for Peripheral Equipment
Department Information Security Operations
Security Incidents and Incident Response and Law Enforcement Incident Response
Documentation
Information and Data Backup
Converging Technologies

TECHNICAL POLICIES

Identification and Authentication

