
INFORMATION SYSTEMS SECURITY OFFICER (ISSO) …


DEPARTMENT OF THE NAVY
NAVSO P-5239-07
FEBRUARY 1996

INFORMATION SYSTEMS SECURITY OFFICER (ISSO) GUIDEBOOK
MODULE 07
INFORMATION SYSTEMS SECURITY (INFOSEC) PROGRAM GUIDELINES

Distribution: Submit requests for placement on distribution (including supporting justification), or amendment to the existing distribution, to:

Commanding Officer
Naval Command, Control and Ocean Surveillance Center
In-Service Engineering East Coast Division
Code 423
4600 Marriott Drive
North Charleston, SC 29406-6504
Commercial: 1-800-304-4636
E-Mail:

versions of this document may be downloaded via anonymous ftp or :

Additional copies of NAVSO P-5239-07 can be obtained from the Navy Aviation Supply Office (Code 03415), 5801 Tabor Avenue, Philadelphia PA 18120-5099, through normal supply channels in accordance with NPFC PUB 2002D, NAVSUP P-437, or NAVSUP P-485, using AUTODIN, DAMES, or MILSTRIP message format to DAAS, Dayton, stock number reproduction is

FOREWORD

Navy Staff Office Publication 5239 (NAVSO P-5239) series, Information Systems (IS) Security (INFOSEC) Program Guidelines, is issued by the Naval Information Systems Management Center.

It consists of a series of modules providing procedural, technical, administrative, and supplemental guidance for all information systems, whether business or tactical. It applies to information systems used in the automated acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or receipt of data. Each module focuses on a distinct program element and describes a standard methodology for planning, implementing, and executing that element of the INFOSEC program within the Department of the Navy (DON).

This module, The Information Systems Security Officer (ISSO) Guidebook, provides a description of the roles and responsibilities of the ISSO within the DON INFOSEC associated with information systems in general, and INFOSEC specifically, varies from service to service and from Command to Command. The Automated Data Processing System Security Officer (ADPSSO) from a decade ago is now called an ISSO.

(Common DON terms for roles are discussed in Section 2 of this guidebook.) Organizational differences make it difficult to precisely define discrete roles and responsibilities. Organizations may choose to implement the ISSO responsibilities defined in this guidebook differently. The location and size of the activity or Command, as well as the complexity of the information systems and networks, may dictate how the role of the ISSO is implemented. In large Commands, the security responsibilities defined in this document may be divided among numerous security personnel. Conversely, smaller Commands may have a single individual performing all of the functions

guidebook applies only to classified General Service (GENSER), and/or Unclassified But Sensitive ISs. It does not apply to ISs processing Special Compartmented Information, Cryptographic, Cryptologic, Special Access Program, Single Integrated Operation Plan-Extremely Sensitive Information, or North Atlantic Treaty Organization information.

Those systems are under the purview of their respective

the preparation of this guidebook, several activities were contacted and interviewed for technical inputs. Security personnel at Commander-in-Chief, Atlantic Fleet (CINCLANTFLT), the Space and Naval Warfare Systems Command (SPAWAR), Naval Sea Systems Command Automated Data System Activity (SEAADSA), Headquarters, Marine Corps (HQMC), the Office of Naval Intelligence (ONI), Naval Security Group (NAVSECGRU), and Naval Command, Control and Ocean Surveillance Center, In-Service Engineering (NISE)-East were extremely helpful in providing information and

TABLE OF CONTENTS

[Table of contents entries are garbled in the transcription. Surviving heading fragments: Information Systems Security Officer; Security Policy and Procedures; Oversight; Other ISSOs; the System Administrator(s); Routine and Administrative; Asset; IS Resources; Declassifying and Downgrading; Software Control and Software Watchdog; Security Training and User Security; Development; Physical; Identification and Authentication; Control and Utilities; Hazards; Monitoring; System; Trail; Incident and Violations Reporting; Risk Management; Management of Risk; Test and Security; Configuration List; Contingency; Security Plan (SSP), page 39; Security Operating Procedures (SOP), page 40; Authorized User; Awareness; Incident; Appendix: Security Policy, Procedure, and Guidance.]

Progress and growth in information systems (IS) have increased information transfer, processing, and storage capabilities worldwide. These advances have also increased the risk of exploitation by accidental exposure and malicious threat agents to information systems. Information Systems Security (INFOSEC) is the discipline that provides an integrated and systematic approach to the security of all aspects of ISs.

In implementing INFOSEC, the Navy has developed the NAVSO P-5239 series of documents to increase personnel understanding and awareness of INFOSEC requirements among IS sponsors, developers and users, and to reduce risk in ISs to acceptable levels. NAVSO P-5239-01, Introduction to Information Systems Security, explains INFOSEC

P-5239-02, Terms, Abbreviations, and Acronyms, defines terms used within

guidebook is a module within the NAVSO P-5239 series of documents which have been developed to assist in planning and operating ISs and to help system users maintain INFOSEC

guidebook provides guidance and direction to current, new, and prospective ISSOs in implementing INFOSEC programs. Specifically, it describes the responsibilities of the ISSO and provides instruction for implementing these

and Guidance

Module NAVSO P-5239-07 was developed in accordance with Department of Defense (DOD) and Department of the Navy (DON) policy.

Appendix A provides a bibliography of security policy, procedure, and guidance

2 briefly describes the ISSO's role, qualifications and prerequisites, and working relationships. Section 3 describes the ISSO's responsibilities, which are organized in 11 task areas. The first task area, Security Management, can be considered an umbrella over the remaining 10 task areas. Specifically, the performance or conduct of the other 10 task areas is planned, coordinated, and facilitated under this overall management function. The 11 task areas are as follows:

- Security Management
- Administrative Functions
- Training and Awareness
- Physical Security
- Auditing
- Incident and Violations Reporting
- Risk Management
- Accreditation
- Security Configuration Management
- Contingency Planning
- Security

SYSTEMS SECURITY OFFICER ROLE

The ISSO is formally appointed in writing by the program manager of a specific branch, division, or department, as appropriate, based on the structure and needs of the specific Command or activity.

The Information System Security Manager (ISSM) provides input to the program manager regarding the appointment decision. If requested, the ISSM may provide technical assistance in the development of appointment memos or letters. The ISSO appointment letter briefly summarizes the duties and responsibilities of the

on the Command structure, more than one ISSO may be appointed. Commands having complex ISs may need more ISSOs to perform day-to-day activities and to respond to security problems and IS user needs. For example:

- Multiple ISSOs may be assigned to a single, large IS
- Site-specific ISSOs may be assigned for geographically distributed ISs
- A single ISSO may be assigned within a Command for multiple

ISSO is responsible for implementing and maintaining security for an IS on behalf of the ISSM. The ISSO reports to the Command's ISSM for INFOSEC matters and implements the overall INFOSEC program approved by the Designated Approving Authority (DAA).

Defined Roles

The ISSO is responsible for the following:

- Ensuring that the IS is operated, used, maintained, and disposed of in accordance with Command security policies and practices (see Sections through )
- Enforcing security policies and safeguards on all personnel having access to the IS (see Sections through )
- Reporting the security status of the IS to the ISSM, as required by the DAA (see Sections through )
- Maintaining a System Security Plan (SSP) (see Sections )
- Ensuring that TEMPEST measures have not been altered (see Section )
- Ensuring that users and system support personnel have the required security clearances, authorizations (i.e., have been approved by a designated person of authority [e.g., Program Manager, Division Head, Commanding Officer] to perform work on the IS), and need-to-know (see Sections and )
- Ensuring that all computers display access warning banners (see Sections and )
- Conducting user training and awareness activities under the direction of the ISSM (see Section )
- Working with physical security personnel to ensure the physical protection of IS assets (see Section )
- Conducting security audits and ensuring that audit trails are reviewed periodically and that audit records are archived for future reference (see Section )
- Creating a security incident reporting mechanism and reporting incidents to the ISSM when the IS is compromised (see and )
- Initiating protective or corrective measures if a security problem is discovered (see Section )
- Conducting the Risk Assessment of the IS using the methodology determined by the ISSM and approved by the DAA (see Sections and )
- Ensuring that the IS is accredited (see Section )
- Assisting the ISSM in IS configuration management activities to ensure that implemented changes do not compromise the security of the system (see Section )
- Providing technical contributions to the ISSM for the development of contingency plans for the IS for which he or she is responsible (see Sections and ).

Qualifications and Prerequisites

No specific formal college or other degree program is required for the ISSO. However, extensive experience in INFOSEC, combined with a strong technical background in computer science, mathematics, engineering, or a related field is extremely beneficial. This technical background must be balanced with effective communications and interpersonal skills, because the ISSO must associate with staff at all levels of the organization. An ISSO should have:

- Two years of experience in a computer-related field
- One year of working experience in INFOSEC
- An understanding of the operational characteristics of the IS
- Education and training in computer science, mathematics, electrical engineering, and related fields
- Periodic attendance at an appropriate-level INFOSEC

ISSO's security education and work experience should provide familiarity with all aspects of INFOSEC.

