
ais-doc.htm

Posted Aug 17, 1999

U.S. Customs Security Policy: Automated Information Systems Security Policy, February 1996

tags | paper
SHA-256 | e36ea3392a1be2240549286da87eb3acb57a76100159b773fbae84b1369abd62

<HTML>

<! Document Number: >

<HEAD>
<TITLE>Automated Information Systems Security Policy</TITLE>
</HEAD>

<BODY BACKGROUND="images/backgnd.jpg" BGCOLOR=#FFFFFF TEXT=#000000 LINK=blue VLINK=red>
<IMG SRC="images/bar1.gif">
<H2>Automated Information Systems Security Policy</H2>
<IMG SRC="images/bar1.gif">
<P>
<h3> Foreword</h3>

<p>

<p>

The U.S. Customs Service, Office of Information and Technology Automated Information
Systems (AIS) Security Policy Manual is intended for those who use Customs AIS services and
systems. Information throughout the manual supports the Customs mission by providing direction
and guidance to protect AIS resources. It establishes uniform policies, responsibilities, and
authorities for carrying out the Customs AIS Security Program. Security is provided for
information that is collected, processed, transmitted, stored, or distributed for all other agencies
utilizing Customs general support systems and major applications. <p>

<p>

This high-level policy manual supplements the AIS security policies established by the U.S.
Department of the Treasury, and is consistent with government-wide policies, standards, and
procedures issued by the Office of Management and Budget, the Department of Commerce, the
General Services Administration, and the Office of Personnel Management. Additional detailed
and specific procedural guidelines, particular to Customs needs and requirements, will be issued in
an iterative fashion, as appropriate. Prior releases of this manual (CIS HB 1400-04) are
superseded.<p>

<p>

Additional copies may be obtained by submitting Customs Form CF 262. Please include your street
address, the number of publications you want, and either your Fed Ex, UPS, or RPS account number
to pay for the shipping costs (publications are free) to: U.S. Customs Service National Distribution
Center, PO Box 68912, Indianapolis, IN 46268. Non-Customs Federal and civil agencies, organizations,
and members of the trade community may contact their Customs representative, or obtain the manual
via the Internet from Customs World Wide Web (WWW) page on the National Technical Information
Service (NTIS) FedWorld, at <b>http://fedworld.gov</b>, as available.<p>

<p>

The U.S. Customs Service wishes to extend special thanks to the Federal Bureau of Investigation,
Information Systems Security Unit, for valuable input which provided the basis for the
development of this document, to the National Security Agency for their review and suggestions,
and to the U.S. Department of the Treasury, Office of Information Systems Security, for their
oversight and guidance.<p>

<p>


(original signed by George J. Weise)<p>

Commissioner<p>

<p>

<p>

Distribution: G-25<p>


<center>Contents<BR>
<IMG SRC="images/bar1.gif">
</center>
<PRE>
INTRODUCTION
1.1 PURPOSE
1.2 REFERENCES
1.3 DEFINITIONS
1.4 SCOPE
1.5 BACKGROUND
1.6 INFORMATION SECURITY POLICY AND GUIDANCE HIERARCHY

GENERAL POLICY
2.1 GENERAL POLICY STATEMENT
2.2 ROLES AND RESPONSIBILITIES

AIS SECURITY LIFE CYCLE
3.1 SECURITY PLANNING
3.1.1 Approvals
3.1.2 AIS Security Plan
3.1.3 Disaster Recovery and Contingency Operations Planning
3.2 SECURITY REQUIREMENTS
3.2.1 Policy Derived Requirements
3.2.2 Risk Management
3.3 DEVELOPMENT
3.4 CERTIFICATION AND ACCREDITATION
3.4.1 Certification
3.4.2 Accreditation
3.5 PROCEDURES AND PRACTICES
3.6 EDUCATION, TRAINING, AND AWARENESS
3.7 SECURITY OVERSIGHT

MINIMUM SECURITY REQUIREMENTS
4.1 FACILITY SECURITY
4.1.1 Physical
4.1.2 Environmental
4.2 PERSONNEL SECURITY
4.3 AUTOMATED SECURITY
4.3.1 Minimum Security Requirements
4.3.2 Security Assurances
4.3.3 Desirable Security Features
4.4 ADMINISTRATIVE SECURITY
4.4.1 Accountability and Access Control Criteria
4.4.2 Software and Data Security
4.4.3 Technical Support and Maintenance
4.4.4 Portable Computer Equipment
4.4.5 Classification and Controls
4.4.6 External Labels
4.4.7 Customs Work Performed at non-Customs Locations
4.4.8 Use of Non-Customs Owned AISs
4.5 TELECOMMUNICATIONS SECURITY
4.5.1 Information System Standards
4.5.2 Network Connections
4.5.4 Electronic Mail (E-Mail)
4.5.5 Facsimile (FAX)
4.5.6 PBX and Voice Mail Systems
4.5.7 Communications Security (COMSEC)

SECURITY INCIDENTS AND VIOLATIONS

GLOSSARY

BIBLIOGRAPHY
Selected Readings

APPENDIX A
Abbreviations and Acronyms

APPENDIX B
Good Security Practices

APPENDIX C
Controlled Access Protection (C2) Outline

APPENDIX D
Security Plan Format

APPENDIX E
Computer Security Training

APPENDIX F
Security Requirements Methodology

APPENDIX G
OMB Circulars
OMB Circular No. A-123, Introduction & Comments
Circular No. A-123, Revised
OMB Circular No. A-130, Appendix III, Revised

INDEX

Reader's Comment Form

</PRE>
<p>
<p>

CHAPTER 1<p>

<i>INTRODUCTION</i><p>

<IMG SRC="images/bar1.gif">
<p>

<p>

<b>1.1 PURPOSE</b><p>

<p>

This document establishes uniform policies, responsibilities, and authorities for implementing the U.S.
Customs Service, from now on called <b>Customs</b>, Automated Information Systems (AIS) Security
Program. It promotes the Customs mission and provides guidance to protect Customs AIS resources
and assure adequate security for all agency information collected, processed, transmitted, stored, or
disseminated in its general support systems and major applications.<p>

<p>

Customs AIS security policies are consistent with government-wide policies, standards, and
procedures issued by the Office of Management and Budget (OMB), the Department of Commerce,
the General Services Administration and the Office of Personnel Management (OPM). At a
minimum, the Customs AIS Security Program includes the set of controls established by OMB
Circular A-130, Appendix III, <u>Security of Federal Automated Information Resources</u>, dated February
8, 1996.<p>

<p>

<b>1.2 REFERENCES</b><p>

<p>

The Bibliography contains specific reference citations used in the AIS Security Policy Manual, and
Selected Reading references which support the policies.<p>

<p>

<b>1.3 DEFINITIONS</b><p>

<p>

Definitions appear in the Glossary.<p>

<p>

<b>1.4 SCOPE</b><p>

<p>

This policy manual supplements the AIS security policies established by the U.S. Treasury
Department and presented in the <u>Treasury Security Manual</u>, TD P 71-10.<p>

<p>

(1) <u>Inclusions</u>: Policy provisions apply to all Customs personnel, contractors acting for Customs,
and all authorized users who access Customs AISs, networks, and support facilities. Policy
provisions also apply to non-Customs organizations, or their representatives, who are granted
access to Customs AIS resources, including other government agencies and members of the
trade community.<p>

<p>

(2) <u>Exclusions</u>: Microprocessors embedded in or dedicated to production or process control
equipment (e.g., test and laboratory equipment) are not covered by these policy provisions.<p>

<p>

(3) <u>Point-of-contact</u>: Direct questions concerning this policy manual to the Director, AIS Security
Division, Office of Information and Technology, via the web <A HREF="/log.htm"> feedback</A> button.<p>

<b>1.5 BACKGROUND</b><p>

<p>

<b>Customs Mission</b>: [USCS 96PLAN; USCS IRMPLAN]<p>

<p>

Ensure that all goods and persons entering or exiting the United States do so in compliance
with all the United States laws and regulation.<p>

Protect the public against violations which threaten the national economy and health and
safety.<p>

Be the national resource for information on goods and persons crossing our borders.<p>

<p>

Customs is committed to carry out its mission with increasing effectiveness and efficiency using
information technology as an essential supporting element. Customs employees worldwide use AISs
for all facets of Customs operations and to support law enforcement, government agencies, and the
commercial trade community. These activities facilitate enforcement of United States laws, and the
control and generation of significant financial revenue to the U.S. Treasury.<p>

<p>

(1) AIS Security Program goals:<p>

<p>

"All Federal applications require some level of protection. Certain applications, because of
the sensitive information in them, however, require special management oversight and should
be treated as major. Adequate security for other applications should be provided by security
of the systems in which they operate." [OMB A-130,AIII]<p>

<p>

(a) Establish and maintain adequate and effective AIS security safeguards
(countermeasures) to ensure data confidentiality, integrity, and operational
availability of all Customs AISs that process, store, or transmit non-sensitive, and
sensitive but unclassified (SBU, from now on called "sensitive") information. <p>

<p>

(b) The security program is designed to protect AIS processed information by:<p>

<p>

(i) denying unauthorized AIS access;<p>

<p>

(ii) restricting legitimate users to data or processes for which they are
authorized; and<p>

<p>

(iii) controlling access because of inadequate security design, implementation, or
operation.<p>

<p>

(c) AIS security safeguards will preserve information processing integrity, reliability and
availability to ensure that the data are accurate and relevant to provide law
enforcement and investigative support, help achieve Customs revenue collections,
and meet commercial and administrative requirements. The application of Customs
AIS security policies is evolutionary. When fully implemented, security programs
will conform to an acceptable level of mandated Federal requirements.<p>

<p>

(d) Within operational constraints, AIS security controls will allow required AIS services
to be available to authorized users while denying these services to unauthorized
users.<p>

<p>

(2) Security classification:<p>

<p>

(a) All Federal data, applications, and AISs must be afforded <u>adequate security</u>.<p>

[OMB A-130,AIII]<p>

<p>

(b) Unless otherwise designated, Customs general support systems and major
applications are considered to contain sensitive information.<p>

<p>

(c) Classified (national security) information policy and procedures are addressed in
<u>Safeguarding Classified Information Handbook</u>, CIS HB 1400-03.<p>

<p>

(3) Information release:<p>

<p>

The public release of information is controlled by statutes (Freedom of Information Act
(FOIA), Privacy Act (PA), Electronic Communications Privacy Act, etc.). Regulations also
control the release of such information, as do interagency agreements.<p>

[OMB A-130; TD P 25-04; TD P 25-05]<p>

<p>

(4) Policy application:<p>

<p>

AIS security includes applicable security life-cycle requirements. Additional related
programs are incorporated in this document by reference and should be considered when
establishing and reviewing AIS security requirements. Their applicable policies and
procedures may be obtained via the appropriate program managers.<p>

<p>

(a) <b>Office of Information and Technology (OIT)</b><p>

<p>

The Office of Information and Technology is responsible for the design,
development, programming, testing, implementation, and maintenance of Customs
automated information systems, and oversight and management of the research and
development and communications functions of the Customs Service. The Office is
responsible for management of all Customs computer facilities, hardware, software,
data and voice telecommunications, and related financial resources. It is responsible
for identifying and evaluating new technologies for application to Customs automated
systems; developing and maintaining all operational aspects of Customs computer
security program; establishing requirements for computer-to-computer interfaces
between Customs and various trade groups and government agencies; representing
Customs on matters related to automated import processing and systems
development; and implementing a viable Information Resources Management (IRM)
program.<p>

<p>

(b) <b>Applications Development Division</b><p>

<p>

The Applications Development Division is responsible for the design, development,
programming, testing, implementation and maintenance of Customs automated
information systems. The Division, in conjunction with the ADP Steering
Committee, is responsible for approving project initiation. Specifically, this
organization will be responsible for: providing system-specific support for users on
existing applications during the transition to new integrated systems; change control
and software release; and correcting system problems that arise after implementation.
In addition, the project teams operating out of this Division are assigned full
responsibility for development of new systems and major enhancements to existing
systems. They are multi-functional and integrated to address both systems
development efforts and new technologies.<p>

<p>

(c) <b>User Support Services Division</b> <p>

<p>

The User Support Services Division is responsible for functions that deal directly
with field users on a daily basis, including training activities supporting mainframe
and distributed/PC/LAN applications, support of field equipment, including
installation of PCs, LANs and peripheral equipment, data and voice communication
lines and circuits; providing user assistance, including LAN administration; operation
of the Customs Help Desk; and supporting all users of Customs automated systems. <p>

<p>

(b) <b>AIS Security Division (AISS)</b><p>

<p>

(i) Develops security policies and standards.<p>

<p>

(ii) Provides liaison activities for AIS security-related policies, issues, and
products:<p>

within Customs,<p>

to the Department of Treasury and outside agencies,<p>

to the trade community,<p>

to other law enforcement agencies, and<p>

to private organizations.<p>

<p>

(iii) Manages security software packages.<p>

<p>

(iv) Administers security access controls for Customs mainframe systems.<p>

<p>

(v) Provides assistance and certification for Customs AIS users.<p>

<p>

(vi) Coordinates the development of disaster recovery and contingency plans.<p>

<p>

(c) <b>Information Resources Management Division (IRM)</b><p>

<p>

(i) Develops guidelines and standards for all developmental activities.<p>

<p>

(ii) Performs and coordinates IRM reviews, and monitors corrective actions.<p>

<p>

(iii) Provides security oversight.<p>

<p>

(iv) Evaluates and plans Customs AIS resource capacity requirements.<p>

<p>

(v) Coordinates strategic planning efforts.<p>

<p>

(vi) Conducts analytical studies as needed in support of all OIT entities.<p>

<p>

(vii) Provides technology assessments.<p>

<p>

(viii) Develops the Information Systems Plan (ISP).<p>

<p>

(ix) Plans and coordinates major procurements for AIS equipment and services.<p>

<p>

(x) Provides Systems Development Life Cycle (SDLC) advice, assistance, and
ensures compliance.<p>

<p>

(d) <b>Systems Operations Division (OPS)</b><p>

<p>

The Systems Operations Division is responsible for managing all new and existing
Customs computer facilities, hardware and software, and for managing the related
financial resources. It is responsible for data base administration; systems
engineering; computer operations; communications software design and
implementation; and management of the Customs Data Center facility. <p>

<p>

(e) <b>Security Programs Division (SPD)</b><p>

<p>

The Security Programs Division prescribes policy, procedures, and specifications for
maintaining Customs personnel security programs.<p>

<p>

The Security Programs Division, Security Management Branch is responsible for
facility and industrial security programs. <p>

<p>

(f) <b>Communications Management Division (CMD)</b><p>

<p>

The Office of Investigations, Communications Management Division,
Communications Security Branch sets policy for handling Customs communications
security (COMSEC) materials and equipment, and establishes standards and
procedures for granting authorization to Customs employees for access or use of
those materials and equipment. They also evaluate and approve AIS cryptography
and communications security measures. [USCS 4300-09]<p>

<p>

(g) <b>Office of Regulations and Rulings (ORR)</b><p>

<p>

The Office of Regulations and Rulings, Disclosure Law Branch, sets policy for
Customs Freedom of Information Act and Privacy Act (FOIA/PA) programs.<p>

[TD P 25-04; TD P 25-05]<p>

<p>

(h) <b>Office of Chief Counsel</b><p>

<p>

The Office of Chief Counsel provides legal advice to all Customs Offices on Customs
enforcement authorities and related subjects.<p>

<p>

<b>1.6 INFORMATION SECURITY POLICY AND GUIDANCE HIERARCHY</b><p>

<p>

The following is for general information purposes. It is copied from <u>Introduction to Certification and
Accreditation</u>. [NCSC-TG-029]<p>

<p>

Security policy exists at different levels of abstraction. Federal and national-level policy is stated in public
laws, Executive Orders (EO), National Security Directives (NSD), National Security Telecommunications and
Information Systems Security (NSTISS) issuances, Federal Information Processing Standard Publications
(FIPS PUBS), Office of Management and Budget (OMB) circulars, and other resources. Federal service and
agency policies interpret Department of Defense (DoD) and national-level policies, as appropriate, and may
impose additional requirements.<p>

<p>

* TEMPEST generally applies to classified information and is not addressed in this manual. It refers
to the control of electronic emanations and is not authorization to use classified data. TEMPEST issues
should be directed to the Treasury Office of Information Systems Security.<p>

[TD P 71-10; HB 1400-03]<p>

<p>

<p>

Many national and Federal security policy documents exist that apply to both civil and defense agencies.
Current overall security policy does not reflect an interdependent, cohesive collection of security disciplines.
This proliferation of policy makes it difficult for security personnel to keep up with the changes and be aware
of all the applicable policies for a given system. Rapidly changing technology also makes it difficult for policy
to keep up with new security challenges caused by advances in capabilities and technology.<p>

CHAPTER 2<p>

<i>GENERAL POLICY</i><p>

<IMG SRC="images/bar1.gif">
<p>

<p>

<b>2.1 GENERAL POLICY STATEMENT</b><p>

<p>

(1) A Customs AIS is any automated information or telecommunications system owned, leased,
or operated by or for Customs.<p>

<p>

(2) Customs will implement at least the minimum security requirements as identified in this
policy, to protect AIS resources and information (non-sensitive and sensitive data) processed,
stored, or transmitted by Customs AISs. Based on risk management, they may apply
additional safeguards to provide the most restrictive set of controls (privileges) that permit the
performance of authorized tasks (principle of least-privilege). [TD P 71-10]<p>

<p>

(3) Sensitive information in Customs AISs must be safeguarded against unauthorized disclosure,
modification, access, use, destruction, or delay in service.<p>

[USCS 1460-010]<p>

<p>

(4) All AISs processing, storing, or transmitting sensitive information must be accredited.<p>

[TD P 71-10]<p>

<p>

(5) Connectivity is prohibited between Customs AISs which handle sensitive data and any other
systems or networks not under Customs authority, unless formally approved by an appropriate
Customs Accrediting Authority. [USCS 5500-07]<p>

<p>

(6) All Customs AISs are for official Customs business only and users have no expectation of
privacy while using these resources. [USCS 5500-07]<p>

<p>

(7) All persons who use, manage, operate, maintain, or develop Customs AISs, applications, or
data must comply with these policies.<p>

<p>

<b>2.2 ROLES AND RESPONSIBILITIES</b><p>

<p>

Customs performs AIS Security through a variety of roles with specific responsibilities.<p>

The general AIS Security organization is shown in Figure 2. Customs AIS Security Organization.<p>

<p>

(1) <b>Commissioner of Customs</b> responsibilities:<p>

<p>


(a) Annually certify the adequacy of Customs AIS Security Program to the Department
of the Treasury.<p>

<p>

(b) Ensure that a viable Customs AIS security education, training, and awareness
program is established.<p>

<p>

(c) Ensure that Customs AIS Security Plan documentation is developed and maintained
according to Treasury and Federal standards.<p>

<p>

(d) Designate Accrediting Authorities (AA) for sensitive Customs AISs.<p>

<p>

(e) Designate an oversight authority for review and validation of the AIS Security
Program.<p>

<p>

(f) Delegate to Headquarters and field managers the responsibility for assigning local
AIS security officers, <u>Designated Security Officer</u> (DSO).<p>

<p>

(2) The <b>ADP Steering Committee</b>, <b>Security Subcommittee</b> responsibilities:<p>

<p>


(a) Provide general oversight authority for the AIS Security Program.<p>

<p>

(b) Conduct independent reviews of the AIS Security Program and assure compliance
with Federal and Treasury policies.<p>

<p>

(c) Report the AIS security posture status to the Commissioner. <p>

<p>

(3) <b>Assistant Commissioner</b>, OIT, responsibilities:<p>

<p>


(a) Ensure that an operational AIS security program is in place which provides a
centrally administered security policy. The AIS Security program must comply with
at least the minimum security requirements defined by Treasury and other Federal
mandates, and preserve the operational flexibility necessary to Customs.<p>

<p>

(b) Accredit sensitive Customs AIS (general support systems and major applications).
This responsibility is shared with Process Owners.<p>

<p>

(c) Implement Customs AIS Security education, training, and awareness program.<p>

<p>

(d) Establish adequate and effective management accountability and control to ensure the
protection of AIS resources.<p>

<p>

(e) Designate an AIS Security Officer to develop, implement, and enforce the AIS
Security Program to comply with C2 level functional security requirements.<p>

<p>

(f) Support AIS security audits and reviews.<p>

<p>

(4) The <b>Director, AIS Security Division</b>, responsibilities:<p>

<p>


(a) Develop and promote the Customs AIS Security program policy, including: <p>

<p>

(i) Interpret policy relating to AIS security functions and develop unique
guidance, as needed.<p>

<p>

(ii) Assist with policy compliance efforts by providing explanation or
clarification of AIS security-related questions on issues that may impact
Customs mission.<p>

<p>

(iii) Ensure security administration for sensitive AIS, including general support
systems and major applications.<p>

<p>

(b) Coordinate the Designated Security Officers (DSOs) for sensitive Customs AISs, and
provide them guidance and assistance in carrying out their functions.<p>

<p>

(c) Review and authorize acquisitions, in coordination with the DSOs, and certify that
the acquisition specifications include appropriate AIS security requirements for: <p>

<p>

(i) AIS installation facility operations, equipment, or applications.<p>

<p>

(ii) Acquisition of AIS hardware, software, and/or related services.<p>

<p>

(d) Provide direction and guidance to system developers in defining and approving
software development security requirements.<p>

<p>

(e) Ensure that accreditation packages are prepared for sensitive Customs AISs and
applications.<p>

<p>

(i) Provide guidance on the scope and contents of security plans:<p>

Review security plans prepared by or for the DSOs.<p>

Prepare statements of residual risk and compliance summary, to
complete each accreditation package.<p>

Submit the accreditation package to the appropriate authorities.<p>

<p>

(ii) Act as a liaison for AIS security issues to the Information Resources
Management (IRM) and Security Programs Division (SPD) managers.<p>

<p>

(f) Maintain a current status on all required accreditation documentation.<p>

<p>

(g) Establish and maintain a Risk Management program, including risk assessments, for
sensitive Customs AIS resources, including:<p>

<p>

(i) AIS facilities.<p>

<p>

(ii) General support AISs.<p>

<p>

(iii) Major applications.<p>

<p>

(h) Act as the liaison for AIS security matters to the Department of the Treasury.<p>

<p>

(i) Report computer security incidents and violations to the OIT Assistant Commissioner
(AC), Process Owners (PO), and Office of Internal Affairs (IA), as appropriate.<p>

<p>

(j) Coordinate Customs AIS Virus Prevention program, including recommending virus
prevention solutions, providing guidance in defining the requirements, and selecting
the approach.<p>

<p>

(k) Establish standards and provide guidance for the preparation of AIS Disaster
Recovery and Contingency Operations plans, including conducting agency-wide
analyses, and establishing and verifying strategies for business recovery and alternate
processing. This includes coordinating the development of viable Disaster Recovery
and Contingency Operations plans for Customs AIS facilities.<p>

<p>

(l) Establish standards and provide guidance for preparing End-User AIS Contingency
plans.<p>

<p>

(m) Ensure that all interactive users of Customs AIS meet at least the minimum standards
of eligibility for access. [USCS 1460-010]<p>

<p>

(n) Conduct AIS security compliance review and oversight activities.<p>

<p>

(o) Support areas or issues requiring AIS security-related research and development
effort.<p>

<p>

(p) Support AIS security audits and reviews, providing assistance as appropriate.<p>

<p>

(5) <b>IRM manager</b> responsibilities:<p>

<p>

(a) Ensure security-related quality assurance throughout the software development
life-cycle.<p>

<p>

(b) Coordinate with AIS Security for review of the SDLC documents and activities to
incorporate security into developed products. [TD P 84-01]<p>

<p>

(c) Assist with AIS security audits and reviews, as appropriate.<p>

<p>

(6) <b>Process Owner</b> (identified in the Major Application Security Plan) responsibilities:<p>

[USCS PPP]<p>

<p>


(a) Accredit assigned Customs AIS Process (responsibility shared with the Assistant
Commissioner, OIT).<p>

<p>

(b) Establish user requirements and controls that conform to Customs System
Development Life Cycle (SDLC) Handbook. [USCS 5500-04]<p>

<p>

(c) Specify that locally developed sensitive AIS products comply with C2 level functional
security requirements.<p>

<p>

(d) Designate or ensure that information sensitivity levels are assigned for the
information processed, stored, or transmitted by the Customs AIS Process.<p>

<p>

(e) Coordinate with the Customs Office of Regulations and Rulings, Disclosure Law
Branch, to publish a "System of Records" in the Federal Register for any Customs
Process that contains Privacy Act data, as appropriate. [TD P 25-04]<p>

<p>

(f) Ensure that user access requirements and controls are defined for the Customs AIS
Process.<p>

<p>

(g) Delegate user access request authorization.<p>

<p>

(h) Assist with AIS security audits and reviews, as appropriate.<p>

<p>

(7) <b>Application Development Manager</b> responsibilities:<p>

<p>

Application development managers (both OIT and development organizations external to OIT)
have data ownership responsibilities for application-related information processed, stored,
created, manipulated or transmitted by and/or for the application, unless data ownership is
otherwise designated by agreements, functions, and/or assignments.<p>

<p>


(a) Ensure that locally developed AIS products comply with C2 level functional security
requirements.<p>

<p>

(b) Ensure that at least the minimum security requirements mandated by law, statute, or
regulation are incorporated into Customs AIS Process applications.<p>

<p>

(c) Adhere to Customs System Development Life Cycle (SDLC) Handbook development
standards. [USCS 5500-04]<p>

<p>

(d) Prepare documentation for application certification and accreditation packages.<p>

<p>

(e) Assist with AIS security audits and reviews, as appropriate.<p>

<p>

(8) <b>AIS Owner</b> responsibilities:<p>

<p>

(a) Ownership responsibilities for sensitive Customs AISs are assigned to the Office of
Information and Technology, unless otherwise identified.<p>

<p>

(b) Assist with AIS security audits and reviews, as appropriate.<p>

<p>

(9) <b>AIS Security Administrator</b> responsibilities:<p>

<p>


(a) Act as the primary point-of-contact for AIS security issues.<p>

<p>

(b) Identify security threats and establish safeguards (countermeasures) to protect
Customs AIS resources.<p>

<p>

(c) Implement security policy for AIS resources for which Customs has direct
operational responsibility.<p>

<p>

(d) Ensure that all personnel receive appropriate AIS security training.<p>

<p>

(e) Administer the Computer Security Incident Reporting Capability (CSIRC) program
including establishing reporting criteria, and coordinating with the Office of Internal
Affairs (IA), as appropriate.<p>

<p>

(f) Report to the AIS Security Officer any security incidents, such as attempts to gain
unauthorized access to information, virus infections, or other events affecting AIS
security, including damage assessments and actions taken to prevent future incidents,
as appropriate.<p>

<p>

(g) Ensure that viable End-User AIS Contingency Plans are developed to assure
continued operations of essential AIS functions should an emergency occur.<p>

<p>

(h) Coordinate local AIS Security Administrators.<p>

<p>

(i) Advise Customs management on implementing provisions of this policy and
applicable guidelines.<p>

<p>

(j) Ensure all AIS operations are conducted as authorized in the accreditation, or that
certification package modifications are prepared to accommodate the variances.<p>

<p>

(k) Assist with AIS security audits and reviews, as appropriate.<p>

<p>

(10) A <b>Designated Security Officer (DSO)</b> must be assigned for each sensitive AIS, including
general support systems and major applications.<p>

<p>

<u>Designated Security Officer</u>: The Customs person responsible to the AA for ensuring that
security is provided for and implemented throughout the life-cycle of an AIS (from concept
development through design, development, operations, maintenance, and disposal phases).<p>

<p>

The DSO responsibilities:<p>

<p>

(a) Ensure that appropriate security features are implemented in <u>new</u> sensitive AISs and
that they meet at least the minimum security requirements defined in this policy.<p>

<p>

Review and authorize acquisitions, in coordination with the AIS Security Officer, and
certify that appropriate AIS security is included in the specifications for the operation
of an AIS installation facility, equipment, or application, and for acquisition of AIS
hardware, software, or related services.<p>

<p>

(b) Prepare site certification packages in preparation for accreditation.<p>

<p>

Certification-related activities include:<p>

<p>

(i) Conduct design reviews, security tests, and certify the results when security-relevant changes (hardware, software, firmware, etc.) are made, to ensure
that the accreditation status is not affected.<p>

<p>

(ii) Identify and recommend AIS security improvements to management. <p>

<p>

(iii) Ensure that configuration management (CM) is used and maintained to
protect the AIS security-related features.<p>

<p>

(c) Prepare, or oversee the preparation of, AIS security plans, and maintain related
documentation for each AIS under their purview.<p>

<p>

(d) Ensure the distribution of end-user security procedures tailored for administrators
and operators of sensitive AISs, advising users of the security features and
procedures used on the AISs. [USCS 5500-04]<p>

<p>

(e) Coordinate with the appropriate DSOs of other AISs, process owners, application
development managers, and the Customs AIS Security Officer to ensure that planning
adequately addresses the AIS security requirements.<p>

<p>

(f) Establish, in coordination with AIS Security Administration, access control criteria
and administrative procedures consistent with Customs policy, by which only
authorized persons gain access to the AIS.<p>

<p>

(g) Provide support for audit trail reviews and related discrepancy investigations.<p>

<p>

(h) Report immediately to AIS Security Administration, any security incident, such as
attempts to gain unauthorized access to information, virus infections, or other events
or conditions which may affect AIS security accreditation.<p>

<p>

(i) Conduct periodic security reviews of AIS facilities under their purview to assure
safeguards are commensurate with the AIS information being stored, processed or
transmitted.<p>

<p>

(j) Assist with AIS security audits and reviews, as appropriate.<p>

<p>

(11) <b>Local AIS Security Administrator</b> responsibilities:<p>

<p>

(a) Request and/or grant user access to AIS based on management authorization.<p>

<p>

(b) Remove or modify user access based on authorized requests of management, process
owners, and/or administrative processes.<p>

<p>

(c) Conduct authorized reviews of the user access to assure timely detection of
suspicious, inappropriate, or unauthorized activity.<p>

<p>

(d) Report to DSO or AIS Security Administration, any security incidents or other events
affecting AIS security (e.g., virus infections, attempts to gain unauthorized access
to information, suspicious, inappropriate, or unauthorized activity, etc.).<p>

<p>

(e) Assist with AIS security audits and reviews, as appropriate.<p>

<p>

(f) Support compliance with C2 level functional security requirements for locally
developed sensitive AIS products, as appropriate.<p>

<p>

(12) <b>Facility manager</b> (or functional equivalent) responsibilities:<p>

<p>

(a) Ensure that a physical inventory is maintained (usually by the local property officer)
of all AIS resources within their area of responsibility.<p>

<p>

(b) Ensure the physical security and accreditation of the sensitive AIS facility (site).<p>

<p>

Included in these responsibilities are AIS-related safety and security activities (e.g.,
Occupant Emergency Plan, Physical Security Plan, etc.).<p>

<p>

(c) Coordinate with appropriate DSOs any AIS security-relevant facility changes.<p>

<p>

(d) Assist with AIS security audits and reviews, as appropriate.<p>

<p>

(13) <b>Manager</b> and <b>Supervisor</b> responsibilities:<p>

<p>

(a) Ensure that sensitive AIS data and resources within their area of responsibility are
properly protected by appropriate security safeguards.<p>

<p>

(b) Ensure that subordinates have access only to those AIS applications and data
necessary to perform authorized tasks (principle of least-privilege).<p>

<p>
(c) Report to the appropriate Security Administrator any changes to employee access
requirements. Also coordinate with appropriate management when employee or
management transfers occur which might affect AIS access.<p>
<p>

(d) Review employee AIS access activity to ensure compliance with AIS security
requirements and provide timely detection of suspicious, inappropriate, or
unauthorized activity.<p>

<p>

(e) Ensure that a DSO is identified for each sensitive AIS (or group of facilities
designated as a sensitive AIS) used by employees under their management authority,
as warranted.<p>

<p>

(f) Report AIS security-related changes in their own job status to the responsible
Security Administrator.<p>

<p>

(g) Ensure that proposed acquisitions of sensitive AIS-related hardware, software,
communications, applications, and equipment satisfy AIS security requirements and
receive DSO concurrence prior to acquisition.<p>

<p>

(h) Ensure that sensitive AIS products developed under their management authority
comply with C2 level functional security requirements.<p>

<p>

(i) Ensure that employees under their management authority receive AIS security
training relevant to their assignments, as required by laws, regulations, MOUs, or
other agreements.<p>

<p>

(j) Attend AIS security training as required by laws, regulations, MOUs, or other
agreements.<p>

<p>

(k) Assist with AIS security audits and reviews, as appropriate.<p>

<p>

(14) <b>User</b> responsibilities:<p>

<p>

(a) Protect access IDs, authentication codes (e.g., passwords, personal identification
numbers [PIN], encryption codes, etc.) from improper disclosure.<p>

<p>

(b) Access only authorized AIS applications and data necessary to perform approved
responsibilities.<p>

<p>

Due to the technical capability of some AIS, access might exceed authority. Access
capability, however, does not equate to authority (e.g., <b>casual browsing of data is
not permitted</b>).<p>

<p>

<b>It is a violation of law for users to access U.S. Government AIS data in excess
of their authorization. [18 USC 1030]</b><p>

<p>

(c) Notify supervisor and AIS Security Administrator when AIS access or authority is
no longer required for their authorized tasks.<p>

<p>

(d) Apply the security controls required by AIS security policies and standards.<p>

<p>

(e) Comply with the provisions in the Customs AIS Security Policy manual.<p>

<p>

(f) Attend AIS security training as required by laws, regulations, MOUs, or other
agreements.<p>

<p>

(g) Provide assistance with AIS security audits and reviews as required by laws,
regulations, MOUs, or other agreements, as appropriate.<p>

<p>

(15) <b>External agency user</b> responsibilities:<p>

<p>

(a) Comply with U.S. Government AIS-related laws and regulations.<p>

<p>

(b) Comply with inter-agency MOU (Memorandum of Understanding) or other formal
agreements between themselves and Customs.<p>

<p>

External agencies must designate AIS Security Coordinators. The head of the
external agency, or delegate (<u>as identified in writing</u>), is responsible for ensuring that
employees and contractors under their authority observe Customs AIS Security
Policy as identified in this manual.<p>

<p>

(c) Protect access IDs, authentication codes (e.g., passwords, personal identification
numbers [PIN], encryption codes, etc.) from improper disclosure.<p>

<p>

(d) Access only authorized AIS applications and data necessary to perform approved
activities.<p>

<p>

Due to the technical capability of some AIS, access might exceed authority. Access
capability, however, does not equate to authority (e.g., <b>casual browsing of data is
not permitted</b>).<p>

<p>

<b>It is a violation of law for users to access U.S. Government AIS data in excess
of their authorization. [18 USC 1030]</b><p>

<p>

(e) Notify Customs AIS Security Administrator when AIS access or authority is no
longer required for approved tasks.<p>

<p>

(f) Use the security controls required by AIS security policies and standards.<p>

<p>

(g) Comply with the provisions in the Customs AIS Security Policy manual.<p>

<p>

(h) Attend AIS security training as required by laws, regulations, MOUs, or other
agreements.<p>

<p>

(i) Provide assistance with AIS security audits and reviews as required by laws,
regulations, MOUs, or other agreements, as appropriate.<p>

<p>

(16) <b>Trade community user</b> responsibilities:<p>

<p>

(a) Comply with U.S. Government AIS-related laws and regulations.<p>

<p>

(b) Comply with any formal agreements governing access to Customs AIS resources.<p>

<p>

Trade community user access to Customs AIS resources must be approved by the
appropriate Customs Accrediting Authorities and formally documented.<p>

<p>

(c) Access only authorized AIS applications and data necessary to perform approved
activities.<p>

<p>

AIS access will be restricted to authorized data and processes. Due to the technical
capability of some AIS, however, access might exceed authority. Access capability
does not equate to authority (e.g., <b>casual browsing of data is not permitted</b>).<p>

<p>

<b>It is a violation of law for users to access U.S. Government AIS data in excess
of their authorization. [18 USC 1030]</b><p>

<p>

(d) Protect access IDs, authentication codes (e.g., passwords, personal identification
numbers [PIN], encryption codes, etc.) from improper disclosure.<p>

<p>

(e) Notify Customs AIS Security Administrator when AIS access or authority is no
longer required for approved tasks.<p>

<p>

(f) Use the security controls required by Customs AIS security policies and standards.<p>

<p>

(g) Comply with the provisions in the Customs AIS Security Policy manual.<p>

<p>

(h) Attend AIS security training as required by laws, regulations, MOUs, or other
agreements.<p>

<p>

(i) Support Customs AIS security audits and reviews as required by laws, regulations,
MOUs, or other agreements.<p>

CHAPTER 3<p>

<i>AIS SECURITY LIFE CYCLE</i><p>

<IMG SRC="images/bar1.gif">
<p>

<p>

This section documents activities for acquisition and development of AIS and related applications. It provides
guidance to ensure that sensitive AISs and applications are developed, acquired, and documented according
to Customs policy.<p>

<p>

Topics include:<p>

<p>

<u>Security Planning</u>. Security planning activities are the responsibility of the appropriate Customs Process
Owner, AIS owner, Applications Developer, DSO, and AIS Security Officer. These activities pertain to the
development or acquisition of new Customs AISs and applications, or changes to existing ones.<p>

<p>

<u>Certification and Accreditation</u>. Certification and accreditation activities are the responsibility of the
appropriate Accrediting Authorities (AAs), DSO, and the AIS Security Officer.<p>

<p>

<u>Security Education, Training, and Awareness</u>. These activities are ongoing and apply to all personnel who
manage, use, or operate Customs AISs, whether or not they are Customs employees.<p>

<p>

<u>Security Oversight</u>. The AIS Security Officer conducts policy-related security oversight activities for ongoing
day-to-day operations. The ADP Steering Committee, Security Subcommittee, is designated as the oversight
authority for the Customs AIS Security Program.<p>

<p>

<b>3.1 SECURITY PLANNING</b><p>

<p>

Security planning activities support the accreditation of all sensitive Customs AISs, including general
support systems and major applications. This section discusses the processes for AIS security
planning, risk management, disaster recovery, contingency operations, and the documentation
required to achieve certification and accreditation.<p>

<p>

Prior to the development or acquisition of sensitive AISs and applications, the AIS Security Officer
must be consulted to establish the scope of the security-related activities and necessary documentation.<p>

<p>

<b>3.1.1 Approvals</b><p>

<p>

The security planning process requires the DSO to seek approvals at several steps during system
planning activities.<p>

<p>

(1) To the extent feasible, security requirements must be defined prior to the start of AIS
development, be approved by the DSO and AIS Security Officer, and included as part of the
acquisition process.<p>

<p>

(2) Prior to the start of AIS development, system designs must include security reviews and be
approved by the AIS Security Officer.<p>

<p>

(3) Security test plans and security testing results must be approved by the AIS Security Officer. <p>

<p>

(4) Prior to accreditation, AIS security planning documentation must be approved by AIS
Security Administration.<p>

<p>

<b>3.1.2 AIS Security Plan</b><p>

<p>

The objective of security planning is to improve the protection of AIS resources and information. <p>

<p>

(1) Information owners (those managers most directly affected by and interested in the
information or processing capabilities), must demonstrate how they are planning to protect
information and processing capabilities from loss, misuse, unauthorized access, modification,
unavailability, or undetected security-related activities.<p>

<p>

(2) The AIS Security Officer will define the scope and format for Customs AIS security plans
to ensure a standardized approach that provides sufficient information to assess the security
posture and complies with applicable regulations.<p>

<p>

(3) Each sensitive Customs AIS requires a security plan to document its security requirements,
from development or acquisition, through implementation and operation, to disposal. The
assigned DSO will prepare and maintain the system security plan.<p>

<p>

(a) When an existing non-sensitive AIS is changed to a sensitive Customs AIS, an
appropriate AIS Security Plan must be prepared.<p>

<p>

(b) The AIS Security Officer will determine the final boundaries for AIS networks.<p>

<p>

(c) The DSOs will clearly define the boundaries of non-networked sensitive AISs under
their purview and are responsible for ensuring that the AISs are operated according
to the approved AIS security plan.<p>

<p>

(4) An AIS security plan will include at least the following: (See also: Appendix D)<p>

<p>

(a) Risk management actions pertaining to the AIS. (See also: Section 3.2.2)<p>

<p>

(b) A Certification statement that reflects the results of security features tests and
implementation schedules applicable to the AIS. (See also: Section 3.4)<p>

<p>

(c) A Disaster Recovery and Contingency Operations Plan, consisting of: (See also:
Section 3.1.3)<p>

<p>

(i) emergency response plan,<p>

<p>

(ii) back-up operations plan, and<p>

<p>

(iii) post-disaster recovery plan.<p>

<p>

(d) Security procedures and practices for users and operators of AISs. (See also:
Section 3.5)<p>

<p>

(5) A single (generic) security plan can cover multiple AISs in some situations. Such plans must
consider ownership responsibilities, administrative burdens, technical complexity, and be
cost-effective.<p>

<p>

(a) A single (generic) AIS security plan can include multiple comparable AISs in similar
and associated operating environments. If additional security measures for a
particular operating environment are required, they can be added as supplemental to
the primary security plan, rather than creating a new plan. The plan must show how
the changes are associated and maintain the plan integrity.<p>

<p>

(b) A single (generic) AIS security plan can cover related AIS resources that perform
similar and/or associated functions and are physically and logically located in the
same general area. The plan might include Local Area Networks (LANs), hosts with
terminals, groups of stand-alone personal computers, workstations, and other related
office automation systems.<p>

<p>

(c) A single (generic) AIS security plan can cover related AIS resources that perform
similar and/or associated functions in support of a common mission, but might be at
unspecified or physically and/or logically diverse locations. Such a plan must
consider the diversity of conditions that might be encountered and ensure that
adequate and appropriate levels of security are provided. The plan might include
personal computers, workstations, and other related AIS equipment over Wide Area
Networks (WANs), Local Area Networks (LANs), and/or other communications
networks or mediums.<p>

<p>

<b>3.1.3 Disaster Recovery and Contingency Operations Planning</b><p>

<p>

(1) Each essential (mission-critical) sensitive Customs AIS, including general support systems and
major applications, or grouping of like systems, shall have a viable and logical Disaster
Recovery and Contingency Operations Plan. Plans shall be well-written, routinely reviewed,
tested, and updated to provide for reasonable continuity of AIS support if normal operations
are interrupted. This enables rapid restoration of vital operations and resources, and reduces
downtime. [OMB A-130,AIII]<p>

<p>

(2) Disaster Recovery and Contingency Operations planning elements must include at least the
following:<p>

<p>

(a) Emergency response procedures appropriate to government laws, regulations, and
directives, civil disorder, fire, flood, natural disaster, bomb threat, or other incidents
or activity where lives, property, or the capability to perform essential functions are
threatened or seriously impacted.<p>

<p>

(b) Back-up operations plans, procedures, and responsibilities to ensure that essential
(mission-critical) operations will continue if normal processing or data
communications are interrupted for an unacceptable period. The minimally
acceptable level of degraded operation of the essential (mission-critical) systems or
functions must be identified and ranked so that plan priorities are accomplished. This
must include appropriate provisions for storage, maintenance, and retrieval of
essential back-up and operational support data.<p>

<p>

(c) Post-disaster recovery procedures and responsibilities to facilitate the rapid
restoration of normal operations at a primary site, or if necessary at an alternate
facility, following destruction, major damage, or other significant interruptions of the
primary site.<p>

<p>

(3) The AIS Security Officer is responsible for ensuring the development of AIS Disaster
Recovery and Contingency Operations Plans for general support systems and major
applications, and for defining the testing requirements that the DSOs will carry out.<p>

<p>

(a) The AIS Disaster Recovery and Contingency Operations Plans shall provide for
viable and reasonable continuity of essential AIS capabilities if normal operations are
interrupted.<p>

<p>

(b) The AIS Security Officer provides guidance for the formulation of these plans. The
plans must address the business continuity requirements for interfacing with
applications and be supported by application contingency plans.<p>

<p>

(c) AIS application contingency planning activities are conducted in concert with facility
disaster recovery planning and/or end-user contingency planning, when such plans
exist.<p>

<p>

(d) Facility disaster recovery plans address physical security, the protection of general
AIS support, and help ensure the availability of critical assets (resources) to facilitate
the continuity of operations during an emergency.<p>

<p>

(4) The DSO will develop and maintain a current viable AIS Disaster Recovery and Contingency
Operations Plan for each sensitive and/or mission-critical AIS (general support system,
microcomputers, etc.). The plan will provide reasonable assurance that critical data
processing support can be continued, or quickly resumed, if normal operations are
interrupted.<p>

<p>

(a) Depending on the results of the criticality assessment (business impact analysis), the
DSO may determine that an AIS is not sufficiently critical to the agency or user
community to warrant a Disaster Recovery and Contingency Operations Plan. In this
event the DSO will provide a Continuity of Operations Statement to that effect,
subject to the approval of the Accrediting Authorities.<p>

<p>

(b) End-User AIS Contingency Plans shall be developed, reviewed, and updated at least
every three years, or whenever major processing environment changes occur (e.g.,
physical site, hardware, software, operating systems, etc.).<p>
<p>

(5) All plans must be operationally tested at a frequency commensurate with the risk and
importance of loss or harm that could result from disruption of AIS support.<p>

<p>

<b>3.2 SECURITY REQUIREMENTS</b><p>

<p>

<b>3.2.1 Policy Derived Requirements</b><p>

<p>

Security requirements must be risk management based and result from an analysis of policy as applied
to data and augmented by a risk analysis. These requirements must be compared to an AIS security
features cost-benefit analysis, not against the minimum requirements. Appendix F discusses policy
methodology.<p>

<p>

<b>3.2.1.1 Global Security Policy</b><p>

<p>

The security policy of Customs is to operate its AISs in compliance with existing Federal and national-level policy as stated in public laws (PL), Executive Orders (EO), Federal Information Processing
Standard Publications (FIPS PUBS), Office of Management and Budget (OMB) circulars and
bulletins, Treasury Directives (TD), and Customs Directives (CD); to protect the data and information
in the AISs; and to effectively support the Customs mission.<p>

<p>

<b>3.2.1.2 Cost-Effective Security</b><p>

<p>

Federal regulations and Treasury directives require that (i) resources are used consistent with the
agency mission; (ii) programs and resources are protected from waste, fraud, and mismanagement; and
(iii) the best available and most cost-effective products are used in the design and implementation of
AIS security protection. The selection of security products must consider the costs of managing and
administering such products. Meeting these requirements, and the continually increasing demands for
protection of information, requires consideration of products which are compatible with existing and
anticipated AIS hardware and software configurations. [OMB A123; TD P 71-10] <p>

<p>

<b>3.2.2 Risk Management</b><p>

<p>

(1) Risk management is the total process of identifying, controlling, and eliminating or reducing
risks that may affect AIS resources. It includes: risk analysis (identify and analyze the risks);
a determination of the appropriate levels of resources necessary to protect the AIS; a
management decision to implement selected AIS security safeguards based on the risk
analysis, including accepting residual risk, if necessary; and effectiveness reviews.<p>

<p>

(2) Risks are derived from the analysis of threats and vulnerabilities. A formal risk analysis
requires determining relativity among risks and assessing associated damage or loss
potentials. This relationship forms the basis for selecting effective safeguards. Before
starting the risk analysis process, the AIS Security Officer should be consulted for guidance
on the scope of the analysis and the recommended approach. In the absence of specific
directions, refer to the <u>Treasury Risk Assessment Guideline</u>. [TD P 85-03] <p>

<p>

(a) A risk analysis will be conducted or sponsored by the AIS Security Officer for each
Customs general support AIS (mainframe or network) facility for the following
conditions.<p>

<p>

(i) Whenever a new or substantially modified AIS facility design is approved.<p>

<p>

(ii) Before design specifications for new general support AISs and their
supporting installations are approved.<p>

<p>

(iii) Whenever a significant change occurs to the general support AIS (e.g.,
adding a LAN; changing from batch to on-line processing; adding dial-up
capability, etc.). The criteria for defining significant changes will be
commensurate with the sensitivity of the data processed by the general
support AIS.<p>

<p>

(iv) At periodic intervals established by the AIS Security Officer commensurate
with the sensitivity of the data processed, but not to exceed every three
years, if no risk analysis is performed during that period.<p>

<p>

(b) The DSO will coordinate or conduct a risk analysis which focuses on the automated
(technical) and administrative security control techniques associated specifically with
the AIS or process under review. This includes the interface between the operating
systems and the applications, and/or the communications environment and the
applications, and the threats inherent in processing in a specific environment.
Facility (physical) risk analysis must be considered when defining and approving
security specifications for the major applications or network systems.<p>

<p>

(3) Responsibility for carrying out the recommendations of a risk analysis rests with the manager
of the AIS facility under review, or the application developer, as appropriate. Response to
the recommended safeguards includes implementation schedules, or rationale for non-implementation. They must evaluate the recommendations and determine whether to carry
them out based on technical and operational feasibility, and costs. Customs Accreditation
Authorities (AAs) will consider the effects of the reviewer's actions in making accreditation
decisions.<p>

<p>

<b>3.3 DEVELOPMENT</b><p>

<p>

(1) The Customs System Development Life Cycle (SDLC) methodology described in the SDLC
handbook applies to all systems and applications (mainframe, networked, or stand-alone),
developed by or for Customs and used by Customs employees, contract personnel, other
government agencies, and persons or companies using Customs resources, whether or not
under direct control of the Office of Information and Technology (OIT). It incorporates a
standards-based approach to systems development and AIS development policies.<p>

<p>

(2) The SDLC handbook is required reading for all persons new to the Customs automation
environment and incorporates Government and industry development standards applicable to
Customs. It describes the minimum requirements that Customs applications must meet to
comply with existing standards and directives throughout their projected life-cycles and
facilitates a step-by-step process to deliver accurate, effective and efficient AISs to the users.
[USCS 5500-4]<p>

<p>

<b>3.4 CERTIFICATION AND ACCREDITATION</b><p>

<p>

Certification and accreditation, although related, are not the same processes, nor do they have the same
objectives. Certification is a short-term activity that is repeated after any significant AIS-related
change and is a prerequisite for accreditation. Accreditation is a long-term authorization, up to three
years, for an AIS to operate based on the facts, plans, and schedules developed during certification.<p>

<p>

(1) Each Customs general support AIS and major application is considered to contain or process
sensitive information and must be certified and accredited. <p>

<p>

(2) All other Customs AISs and applications which contain or process sensitive information
must be certified and accredited, as appropriate.<p>

<p>

<b>3.4.1 Certification</b><p>

<p>

Certification is the comprehensive testing and evaluation of the technical and nontechnical AIS security
features, and other safeguards used in support of the accreditation process. It establishes the extent
to which a particular AIS design and implementation meet a specified set of security requirements.
Certification primarily addresses software and hardware security safeguards, but also considers
procedural, physical, and personnel security measures employed to enforce AIS security policy.<p>

<p>

(1) Software Certification<p>

<p>

(a) <u>In-house developed software</u>. Design reviews and systems tests will be performed,
and a certification of the results recorded, for newly developed software, and for
existing software when significant modifications are made.<p>

<p>

(b) <u>Government-Off-The-Shelf Software (GOTS)</u>. Government developed software will
be examined to assure that the software does not contain features which might be
detrimental to Customs AIS security. Software design reviews and systems tests will
be performed, and a certification of the results recorded when significant
modifications are made to GOTS software.<p>

<p>

(c) <u>Commercial-Off-The-Shelf Software (COTS)</u>. Commercially procured software will
be examined to assure that the software does not contain features which might be
detrimental to AIS security. Security-related software will be examined to assure
that the security features function as specified.<p>

<p>

(2) The DSO will oversee or conduct AIS certification tests. Individuals who conduct the
certification testing will be independent of the AIS developers, if resources are available. The
testing process and results will be documented in a format that ensures that the tests can be
repeated and achieve the results reflected in the certification report, if required.<p>

<p>

(3) AIS security safeguards must be modified to correct any deficiencies found during
certification testing, as appropriate.<p>

<p>

(4) Certification testing will vary with the AIS security mode of operation.<p>

<p>

(a) <u>Dedicated</u> security mode does not require extensive certification efforts as users and
data are not required to be separated with technical security measures. Certification
focuses on the physical, procedural, and personnel security measures to ensure that
all users have the appropriate access approval and need-to-know for all Customs data
on the AIS. (Example: a standalone personal computer).<p>

<p>

(b) <u>System-high</u> security mode requires that hardware and software security features
reliably segregate users from data for which they do not have a need-to-know, in
addition to the requirements of Dedicated security mode. (Example: a general
support AIS).<p>

<p>

(c) <u>Compartmented</u> and <u>multilevel</u> security modes are used for classified AISs and are
not addressed in the manual. (Reference: CIS HB 1400-03).<p>

<p>

(5) The AIS Security Officer will provide guidance on conducting certification testing.<p>

<p>

<b>3.4.2 Accreditation</b><p>

<p>

"Any significant modification made to an SBU AIS or network should be reviewed to determine the
impact on security."<p>

<p>

"Modified systems/networks will be reaccredited by appropriate officials as outlined in TD P 71-10,
Sect. 7.A in light of the results of the security review." [TD P 71-10]<p>

<p>

(1) Accreditation is the official management authorization to operate an AIS based on the
following criteria.<p>

<p>

(a) The particular security mode of operation.<p>

<p>

(b) The defined set of threats, with related vulnerabilities and prescribed safeguards.<p>

<p>

(c) The given operational environment.<p>

<p>

(d) The stated operational concept.<p>

<p>

(e) The stated interconnection to other AISs.<p>

<p>

(f) The operational necessity.<p>

<p>

(g) An acceptable level of risk for which the Accrediting Authorities have formally
assumed responsibility.<p>

<p>

(2) The Accrediting Authorities (AA) officially declare that a certified AIS will adequately
protect related information, will operate in one of the following security modes, and accept
security responsibilities for the AIS operation.<p>

<p>

The AIS security mode of operation <u>is</u> based on data sensitivity, access approval, and need-to-know of the AIS users. Available or proposed AIS security features <u>do not</u> determine the
security mode.<p>

<p>

Applicable Security Modes of operations are:<p>

<p>

(a) <u>Dedicated</u> security mode. (See also: Certification. Section 3.4.1.(4)(a).)<p>

<p>

(b) <u>System-high</u> security mode. (See also: Certification. Section 3.4.1.(4)(b).)<p>

<p>

(3) All sensitive AISs, including general support systems and major applications, must be
submitted for and be accredited expeditiously.<p>

<p>

(4) The AIS security plan documentation, discussed in Section 3.1, will be submitted by the DSO
to the AIS Security Officer for review. The AIS Security Officer will develop a summary
of compliance to include security requirements and a statement of residual risk.<p>

<p>

(5) Prior to accreditation, Customs Information Resources Management (IRM) and Security
Programs Division (SPD) representatives will review security plan documentation, for
sensitive AIS, including the summary of compliance and statement of residual risk.<p>

<p>

(6) The appropriate Customs AAs will make the accreditation decision based on the summary of
compliance, a statement of residual risk, and an approved AIS security plan. The
accreditation process results in a decision that the AIS is:<p>

<p>

(a) accredited to operate, or<p>

<p>

(b) given interim operating approval for a specific time pending satisfactory completion
of specified requirements, or<p>

<p>

(c) denied permission to operate, until identified deficiencies are corrected.<p>

<p>

(7) Every sensitive AIS covered by this policy must be reaccredited at least every three years.
The accreditation status and supporting documentation will be reviewed and revised for the
following conditions or events, as appropriate.<p>

<p>

(a) A significant change occurs in the hardware, software, or data communications
configuration that impacts the AIS security safeguards defined in the original
accreditation package. A significant change is one whose impact is such that it
needs to be brought to the attention of the AAs.<p>

<p>

(b) The sensitivity level of the information being processed is significantly changed.<p>

<p>

(c) The security mode of operation is changed.<p>

<p>

(d) AIS facility or remote terminal area changes occur, including relocations or
structural modifications, which may affect AIS security. <p>

<p>

Whenever a major office relocation occurs (e.g., moves to a new building), the AIS
Security Officer should conduct an AIS compliance review to decide whether the
change in physical location impacts the AIS security posture. The results of the
security review should be retained as part of Customs AIS security documentation.<p>

<p>

(e) An AIS security-related event occurs that appears to invalidate the accreditation.<p>

<p>

(8) The accreditation package revision and review process will include at least the following
activities and information.<p>

<p>

(a) The same steps required for the original accreditation package will be completed.
Portions of the package which configuration management shows to still be valid need
not be redone.<p>

<p>

(b) The IRM and SPD representatives will review and approve the AIS security plan,
summary of compliance, and statement of residual risk, as appropriate.<p>

<p>

(c) The appropriate AAs will review and reaccredit the AIS.<p>

<p>

(9) The AIS Security Officer will maintain a record system containing the status of the documents
in the Customs AIS accreditation packages.<p>

<p>

(10) The AAs are the only ones authorized to exempt an operation from the security requirements
specified in the accreditation statement. This exemption must be formally documented in a
written waiver and retained with the original accreditation package.<p>

<p>

<b>3.5 PROCEDURES AND PRACTICES</b><p>

<p>

This policy manual does not contain AIS security-related procedures and practices. They are
presented separately and provided to Customs AIS users, administrators, and operators, as
appropriate. Procedures and practices explain specific AIS security mechanism operations so that
users, administrators, and operators may consistently and effectively protect Customs information.
Such information should also be addressed during training, when applicable. (See also: Section 1.5.1)<p>

<p>

<b>3.6 EDUCATION, TRAINING, AND AWARENESS</b><p>
<p>

"The Computer Security Act requires Federal agencies to provide for the mandatory periodic training
in computer security awareness and accepted computer security practice of all employees who are
involved with the management, use, or operation of a Federal computer system within or under the
supervision of the Federal agency. This includes contractors as well as employees of the agency." <p>

<p>

"Training is particularly important in view of the changing nature of information resources
management. Decentralization of information technology has placed the management of automated
information and information technology directly in the hands of nearly all agency personnel rather than
in the hands of a few employees at centralized facilities."<p>

<p>

"The OMB Circular A-130, Appendix III enforces such mandatory training by requiring its completion
prior to granting access to the system." [OMB A-130,AIII]<p>

<p>

(1) The Director, AIS Security Division, shall ensure that a Customs AIS Security Education,
Training, and Awareness Program is established. <p>

<p>

(2) Training may be presented in stages, for example, as more access is granted. In some cases,
the training should be in the form of classroom instruction. In other cases, interactive
computer sessions or well-written and understandable brochures may be sufficient, depending
on the risk and magnitude of harm related to the subject matter.<p>

<p>

(3) Refresher awareness training frequency shall be determined by the Director, AIS Security.<p>

<p>

(4) Each new user of a general support system in some sense introduces a risk to all other users.
Therefore, each user should be versed in acceptable behavior -- the rules of the system --
before being allowed to use the system.<p>

<p>

(5) Training should be tailored to what a user needs to know to use the system securely, given
the nature of that use, and how to get help in the event of difficulty with using or security of
the system.<p>

<p>

(6) Access provided to members of the public should be constrained by controls in the
applications through which access is allowed, and training should be within the context of
those controls.<p>

<p>

(7) Additional awareness training will be provided when significant changes occur in AIS security
environments or procedures, or to employees who assume new positions or assignments
dealing with information at a higher level of sensitivity.<p>

<p>

(8) Security awareness training should include the following topics, as appropriate.<p>

<p>

(a) Common AIS threats, vulnerabilities, and risks.<p>

<p>

(b) Information accessibility, handling, labeling, and storage protection considerations.<p>

<p>

(c) Physical and environmental AIS protection considerations.<p>

<p>

(d) AIS data access controls and rules of behavior.<p>

<p>

(e) Procedures for disaster recovery and contingency operations plans.<p>

<p>

(f) AIS security configuration management and control requirements.<p>

<p>

(g) AIS-related security incident reporting requirements and procedures.<p>

<p>

(9) Specialized training is required for all individuals given access to an application, including
members of the public. It should vary depending on the type of access allowed and the risk
that access represents to the security of the application and information in it. This training
will be in addition to that required for access to a support system. Such training may vary
from a notification at the time of access (e.g., for members of the public using an information
retrieval application) to formal training (e.g., for an employee that works with a high-risk
application).<p>

<p>

(10) All personnel who design, develop, operate, or maintain sensitive AIS will be provided
security training appropriate to the level of risk they present to Customs AIS. The training
shall address the types of security and internal control techniques that ought to be incorporated
into AIS development, operation, and maintenance.<p>

<p>

(11) AIS Security Administration should be consulted for guidance on achieving training
objectives.<p>

<p>

<b>3.7 SECURITY OVERSIGHT</b><p>

<p>

The ADP Steering Committee, Security Subcommittee, is the oversight authority for Customs AIS
Security Program. (See also: Section 2.2(2))<p>

<p>

The AIS Security Officer conducts ongoing day-to-day operational policy-related security oversight
activities and ensures that periodic AIS security reviews are conducted.<p>

<p>

(1) The AIS Security Officer must develop and maintain, with the assistance of AIS Security
Administration, IRM, and SPD managers, a list of AISs requiring accreditation. This list
must be annually verified and should include the recommended accreditation priority and AA
identity for each AIS.<p>

<p>

(2) Given the global nature of Customs AIS resources, the appointment of DSOs provides local
oversight and helps to ensure adherence to AIS security policy. They provide points-of-contact
for accomplishing AIS security-related activities.<p>

<p>

(3) Customs Office of Information and Technology (OIT) is a sign-off to AIS-related acquisitions
and will enforce AIS security as part of the procurement process.<p>

<p>

The AIS Security Officer reviews and authorizes all security-related acquisitions for sensitive
AISs to ensure that the appropriate AIS security requirements are included in the
specifications for the operation of an AIS installation facility, equipment, application system,
or the acquisition of AIS hardware, software, or related services.<p>

<p>

(4) The Contracting Officer Technical Representative (COTR) has contract oversight and will
ensure that the contractor-related AIS security requirements are followed throughout the
contract life-cycle.<p>

<p>

(5) The AIS security policy program is implemented through the following actions:<p>

<p>

(i) appointment of DSOs;<p>

<p>

(ii) acquisition reviews;<p>

<p>

(iii) review and approval of security requirements to support AIS development;<p>

<p>

(iv) preparation, approval, and implementation of certification requirements;<p>

<p>

(v) preparation and approval of accreditation documentation;<p>

<p>

(vi) security training reviews;<p>

<p>

(vii) security controls and auditing; and<p>

<p>

(viii) security incident reporting.<p>

CHAPTER 4<p>

<i>MINIMUM SECURITY REQUIREMENTS</i><p>

<IMG SRC="images/bar1.gif">
<p>

<p>

The AIS security goal is to develop a functionally secure, efficient, cost-effective environment based
on an assessment of security risks and safeguards. All AISs processing, storing, or transmitting
sensitive information must meet the requirements of this policy through automated or manual means.
More stringent requirements may be imposed based on a risk analysis.<p>

<p>

This section documents the minimum security requirements for Customs AISs processing sensitive
data with respect to: Facility, Personnel, Automated, and Telecommunications security.<p>

<p>

<b>4.1 FACILITY SECURITY</b><p>

<p>

(1) The Security Programs Division (SPD), Security Management Branch, prescribes policies,
procedures, and standards for the Customs facility security program.<p>

<p>

(2) Facility security addresses the requirements to provide adequate physical and environmental
controls based on the level of risk to the AISs supported in a facility, as identified by a risk
analysis. The security controls must not be less than the minimum requirements discussed
in this section, unless a written waiver has been granted by the Accrediting Authorities (AAs).<p>

<p>

(3) For the purposes of this policy, an AIS facility includes physical space housing AIS equipment
such as terminals, microcomputers, mainframe systems, communications equipment, or
supporting environmental control utilities. Facilities also include data storage and AIS
documentation libraries (e.g., off-site back-up storage facilities).<p>

<p>
<b>4.1.1 Physical</b><p>

<p>

(1) Physical security is concerned with the measures designed to prevent unauthorized physical
access to equipment, facilities, material, information, and documents, and to safeguard them
against espionage, sabotage, damage, tampering, theft, and other covert or overt acts. AIS hardware, software, documentation, and all sensitive information handled by the AIS will be
protected to prevent unauthorized disclosure, modification, or destruction. AIS hardware,
software, or documentation must be protected if access to such resources may reveal
information that can be used to eliminate, bypass, or otherwise render ineffective the security
safeguards (countermeasures) used to protect sensitive information.<p>

<p>

(2) Sensitive Customs information, while operational, must be processed, stored, or transmitted
in physical spaces (i.e., buildings, communications facilities, etc.) which are under exclusive
Customs control, including MOUs (Memorandum of Understanding) and contractual
agreements. When not in operation, or under the direct control of an authorized person,
Customs AISs and information must be protected by control systems and measures consistent
with Customs facility security program. <p>

<p>

Prior to conducting sensitive AIS operations at any location, AIS security planning must
consider the facility security program as part of the accreditation process.<p>

<p>

(3) For all types of facilities where sensitive information is stored, processed, or transmitted,
physical access will be restricted to those individuals who are authorized according to the
personnel security requirements and who are necessary to complete assigned job functions and
related duties. (See also: Section 4.2)<p>

<p>

All other personnel granted facility access must be properly escorted and restricted to those
areas necessary to complete their tasks. Sensitive Customs information must be protected
from unauthorized disclosure to such persons.<p>

<p>

<b>4.1.2 Environmental</b><p>

<p>

(1) Environmental controls address the requirements to provide appropriate temperature and
humidity controls, fire protection, power, and natural disaster protection necessary to ensure
the continuity of operations for AIS facilities and equipment.<p>

<p>

(2) Areas that support desktop AIS equipment generally require environmental controls specified
for human safety and comfort. Additional physical, electrical, temperature, and humidity
controls may be needed to ensure reliable AIS operations in some cases.<p>

<p>

(3) Facilities supporting large-scale AIS operations, such as mainframe computers and
telecommunication facilities, may require additional environmental controls as determined by
operational needs and risk analysis. The following additional controls should be considered:<p>

<p>

(a) Fire prevention, detection, suppression, and protection measures.<p>

<p>

(b) Water hazard detection, prevention, and corrective measures.<p>

<p>

(c) Electric power supply protection.<p>

<p>

(d) Temperature and humidity controls.<p>

<p>

(e) Protective or control measures from the effects of earthquakes, lightning,
windstorms, and other natural disasters.<p>

<p>

(f) Protective or control measures from the effects of industrial, environmental, or other
physical conditions which might seriously impact normal AIS operations.<p>

<p>

(g) Housekeeping protection from dirt, dust, and other contaminants.<p>

<p>

(h) Personnel safety features.<p>

<p>

<b>4.2 PERSONNEL SECURITY</b><p>

<p>

(1) The Security Programs Division (SPD) sets policy and provides procedures and guidance in
support of Customs personnel security program. Prior to conducting AIS operations, and as
part of the accreditation process, AIS security planning must consider the personnel security
program.<p>

<p>

(2) <u>All personnel</u> entrusted with the management, operation, maintenance, or use of a Customs
AIS processing, storing, or transmitting sensitive information require appropriate personnel
security approval. [USCS 51000-05]<p>

<p>

(3) <u>Customs personnel</u> and <u>Non-Customs contractor personnel</u> entrusted with the management,
operation, maintenance, or use of sensitive Customs AISs require an appropriate authorization
and must have a completed Background Investigation (BI). [USCS 1460-010]<p>

<p>

(4) <u>Non-Customs government personnel</u> entrusted with the management, operation, maintenance,
or use of sensitive Customs AISs require an appropriate authorization and background
investigation.<p>

<p>

(5) <u>Non-Customs personnel (members of the trade community)</u> who use Customs AISs must be
authorized in writing by the AIS Security Officer, Process Owner, or some other formalized
process that assures appropriate authorization.<p>

<p>

(6) <u>Non-Customs AIS technical support personnel</u> who are required to perform maintenance on
Customs AISs within Customs-controlled facilities may be approved for unescorted access
based on an appropriate authorization and a completed BI.<p>

<p>

(7) AIS security training must be provided to all personnel who manage, operate, develop or use
AISs. (See also: Section 3.6)<p>

<p>

<b>4.3 AUTOMATED SECURITY</b><p>

<p>

This section establishes near-term requirements and long-term goals to improve the security of
Customs AISs through increasing reliance on automated security features. The <i>minimum security
requirements</i> addressed in this section are feasible in the current Customs AIS environment. As
technology evolves, the <i>desirable security features</i> identified in this section should be assessed during
AIS planning and development.<p>

<p>

<b>4.3.1 Minimum Security Requirements</b><p>

<p>

<u>National Policy on Controlled Access Protection</u>. The White House, National Telecommunications
and Information Systems Security Committee, 07/15/87, directs that Federal agencies must provide
automated Controlled Access Protection (C2 level) for all sensitive or classified information processed
or maintained by AIS, when all users do not have the same authorization to use the sensitive
information. [NTISSP 200]<p>

<p>

(1) AISs used for the processing of sensitive information must have the security functionality of
the C2 level of trust, as defined in the Department of Defense (DoD), <u>Trusted Computer
System Evaluation Criteria</u> (TCSEC). [5200.28-STD]<p>

<p>

(a) In cases where C2 functional security requirements are time consuming, technically
unsound, or adversely affect operations to an unacceptable degree, other safeguards
may be substituted if they maintain the level of system security commensurate with
the sensitivity of the data. The AIS Security Officer must approve exceptions
(written waiver) to C2 functional security requirements for sensitive AIS.<p>

(See also: Appendix C)<p>

<p>

(b) The National Computer Security Center (NCSC) Technical Guide, <u>Trusted Network
Interpretation of the Trusted Computer System Evaluation Criteria</u> (TNI-TCSEC,
commonly known as the "red book"), provides guidance on achieving C2
functionality in networks. [NCSC-TG-005]<p>

<p>

(2) The design of AISs that process, store, or transmit sensitive information must include at a
minimum, the automated security features discussed in this section. Security safeguards will
be in place to ensure each person having access to a sensitive AIS is individually accountable
for their actions on the system. <p>

<p>

(a) <u>User Identification</u>. User access will be controlled and limited based on positive user
identification and authentication mechanisms that support the minimum requirements
of access control, least privilege, and system integrity.<p>

<p>

(b) <u>Authentication</u>. For AIS requiring authentication controls, the AIS will ensure that
each user is authenticated prior to AIS access. The preferred method for
authenticating users is a password system where authentication is done each time the
password is used. More sophisticated authentication techniques, such as "smart
cards," MISSI (Multilevel Information Systems Security Initiative) technology
(Fortezza, Capstone, etc.), biological recognition systems (retina scanners, hand
print, voice recognition, etc.), must be cost-justified through the risk analysis
process. [MISSI]<p>

<p>

(c) <u>Audit Records</u>. AIS transactions are subject to recording and routine review for
inappropriate or illegal activity. Audit trail records should be sufficient in detail to
facilitate reconstruction of events if compromise or malfunction occurs, or is
suspected, and should be reviewed as specified in the AIS security plan. The audit
trail records should contain at least the following information.<p>

<p>

(i) Identifier of each user and device accessing or attempting to access an AIS.<p>

<p>

(ii) The time and date of the access and of the logoff.<p>

<p>

(iii) Identify activities that might modify, bypass, or negate AIS security
safeguards.<p>

<p>

(iv) Log of security-relevant actions associated with processing.<p>

<p>

(d) <u>Object Reuse</u>. Sensitive AIS must clear memory and/or data storage areas (RAM,
DASD, tape, R/W Optical, etc.) prior to reallocation of the area to a different user.
This prevents one user from obtaining residual data of another user.<p>

<p>

(e) <u>Access Control</u>. Sensitive AIS may implement additional discretionary access
control (DAC) measures such as file passwords, access control lists, disk encryption,
or other techniques, as defined in the approved system security plan.<p>

<p>

(3) For sensitive AIS the following <b>Warning Banner</b> (exactly as worded in Figure 3) must be
displayed to users at logon time, followed by a pause requiring manual intervention to
continue. This addresses the concern that users are informed that all Customs AISs are
subject to monitoring and that by using the AIS they consent to such monitoring.<p>

<p>


(4) Automatic <u>interactive-session timeout</u> (logoff) will be provided for all general support and/or
sensitive AISs. This will lock out a user session after an interval of inactivity, not to exceed
the time interval and restart requirements specified in the AIS security plan. System logon
will be required to re-access the AIS.<p>

<p>

(5) Interconnections between sensitive Customs AISs and non-Customs AISs must be established
through controlled interfaces and will be accredited at the highest security level of information
on the network. Consult the AIS Security Officer for guidance on establishing controlled
interfaces.<p>

<p>

Controlled interface functions are a combination of gateway and guard functions.<p>

<p>

Gateways provide secure points of interconnection between networks, connected
peripheral devices, remote terminals, or remote hosts, and provide a reliable
exchange of information to allow secure interconnections between components.<p>

<p>

Automated guard processors and security filters (e.g., firewall) are software,
combined hardware/software techniques, or specialized hardware that filter
information in a data stream based on associated security information and/or data
content.<p>
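
The audit-record contents required in 4.3.1(2)(c) and the inactivity timeout in 4.3.1(4) can both be checked against a trail after the fact. The following is an added example, not part of the Customs manual: the pipe-delimited record layout, the event names, and the 30-minute limit are assumptions (the policy leaves the interval to the AIS security plan), and the sample trail is constructed.<p>

```python
from datetime import datetime, timedelta

# Assumed record layout (not defined by the policy): time|user|device|event|detail
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Assumed event names standing in for item (iii): activity that might modify,
# bypass, or negate AIS security safeguards.
SAFEGUARD_EVENTS = {"AUDIT_OFF", "PRIV_CHANGE", "ACL_CHANGE"}

# Constructed sample trail (not real data).
SAMPLE_TRAIL = [
    "1996-02-05T08:00:00|jdoe|TERM-014|LOGON|",
    "1996-02-05T08:04:10|jdoe|TERM-014|READ|entry summary",
    "1996-02-05T08:50:00|jdoe|TERM-014|READ|entry summary",  # 45m50s after last record
    "1996-02-05T08:55:00|jdoe|TERM-014|LOGOFF|",
    "1996-02-05T09:00:00|asmith||LOGON|",                     # device identifier missing
    "1996-02-05T09:01:00|asmith|TERM-020|ACL_CHANGE|payroll file",
    "1996-02-05T09:01:30|root|CONSOLE|LOGON|",
    "1996-02-05T09:02:00|root|CONSOLE|AUDIT_OFF|",
    "05/02/96 09:03|root|CONSOLE|LOGOFF|",                    # time not in the agreed format
]


def review_trail(lines, idle_limit):
    """Return (line_number, finding) pairs for a list of audit records.

    Findings:
      MALFORMED        record does not have the five expected fields
      MISSING_ID       user or device identifier absent          (item i)
      BAD_TIME         date/time cannot be parsed                (item ii)
      NO_LOGON         activity with no preceding logon          (item ii)
      NO_LOGOFF        logon never followed by a logoff          (item ii)
      SAFEGUARD_CHANGE activity touching security safeguards     (item iii)
      IDLE_EXCEEDED    session still live after the idle limit   (4.3.1(4))
    """
    findings = []
    sessions = {}  # (user, device) -> [logon line number, time of last record]

    for number, line in enumerate(lines, start=1):
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            findings.append((number, "MALFORMED"))
            continue
        stamp, user, device, event, _detail = fields

        if not user or not device:
            findings.append((number, "MISSING_ID"))
            continue
        try:
            when = datetime.strptime(stamp, TIME_FORMAT)
        except ValueError:
            findings.append((number, "BAD_TIME"))
            continue

        if event in SAFEGUARD_EVENTS:
            findings.append((number, "SAFEGUARD_CHANGE"))

        key = (user, device)
        if event == "LOGON":
            sessions[key] = [number, when]
            continue

        session = sessions.get(key)
        if session is None:
            findings.append((number, "NO_LOGON"))
            continue

        # A record arriving later than the idle limit means the automatic
        # logoff did not end the session when it should have.
        if when - session[1] > idle_limit:
            findings.append((number, "IDLE_EXCEEDED"))

        if event == "LOGOFF":
            del sessions[key]
        else:
            session[1] = when

    # Sessions still open at the end of the trail have no recorded logoff.
    for logon_line, _last in sorted(sessions.values()):
        findings.append((logon_line, "NO_LOGOFF"))
    return findings


if __name__ == "__main__":
    for line_number, finding in review_trail(SAMPLE_TRAIL, timedelta(minutes=30)):
        print(f"line {line_number}: {finding}")
```

A record that fails the identifier or time check is excluded from session tracking, which is why the unparseable logoff on the last line also leaves the session opened on line 7 reported as NO_LOGOFF.<p>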

<p>

<b>4.3.2 Security Assurances</b><p>

<p>

(1) AISs will be examined when received from the vendor(s) and before being placed into
operation. The following areas must be considered:<p>

<p>

(a) <u>Hardware</u>. An examination will result in assurance that the equipment appears to be
in good working order and has no components that might be detrimental to the secure
operation of the resource when placed under Customs control and cognizance.
Subsequent changes and developments which affect security may require additional
examination.<p>

<p>

(b) <u>In-house Developed Software</u> or <u>Government-Off-The-Shelf</u> (GOTS). New or
significantly changed software developed by or specifically for Customs or the
Government will be subject to testing and review at all stages of the development, as
required by the SDLC. [USCS 5500-4]<p>

<p>

(c) <u>Commercial-Off-The-Shelf Software (COTS)</u>. Commercially procured software will
be examined to assure that the software does not contain features which might be
detrimental to AIS security. Security-related software will be examined by Customs
authorized personnel to assure that the security features function as specified.<p>

<p>

(2) Customs endorses the use of products from the Evaluated Products List (EPL) of the National
Computer Security Center (NCSC). EPL products are computer systems, software, or
components that protect information while it is being stored or processed. <p>

<p>

When certified as properly implemented through the process discussed in Section 3.4, these
products will be accepted as meeting the security requirements for the portion of the sensitive
AIS where they are used.<p>

<p>

(3) When EPL products are not specified or used for sensitive AIS, the AIS security plan must
include a functionality statement and implementation schedule of how the C2 security level
functionality will be achieved. The statement will become part of the accreditation package
and must address the following EPL evaluation areas.<p>

<p>

(a) <u>Confidence in software source</u>. In acquiring software resources to be used as part
of a sensitive AIS, consideration will be given to the level of confidence placed in the
vendor to provide a quality product, to support the security features of the product,
and to help in the correction of any flaws.<p>

<p>

(b) <u>Security performance testing</u>. Security performance testing includes both
certification testing that is performed before the AIS is accredited and ongoing
performance testing that is performed on a regular basis.<p>

<p>

(c) <u>Security penetration testing</u>. In addition to testing the performance of the AIS, there
will be testing to attempt to penetrate the security safeguards of the system. The test
procedures will be documented in the test plan for certification and in the ongoing
test plan.<p>

<p>

(d) <u>Life-cycle assurance</u>. The development of hardware, firmware, and software will
be conducted under life-cycle control and management.<p>

<p>

(4) A configuration management (CM) system is required to preserve the AIS accreditation
integrity and maintain control of changes to any of the AIS features that may alter the
accreditation status. Examples of CM activities include security-related hardware changes,
or changes to any line of source or object code of the security-related software. The CM
system will record by whom, for what reason, and when the change is made. Documentation
of the security-related hardware and/or software design will be maintained and kept current.
[NCSC-TG-006]<p>

<p>

<b>4.3.3 Desirable Security Features</b><p>

<p>

(1) AIS planning must consider technological advances in security features. The planning process
will be documented and approved via the AIS security plan.<p>

<p>

(2) Interoperability with external systems must consider support for digital signature standards
(DSS), nonrepudiation in messaging systems, and data encryption issues as they relate to
interagency communications or interoperability.<p>

<p>

(3) Continuous On-Line Automated Monitoring and Warning functions for sensitive AIS can
provide real-time use monitoring (audit) and real-time warning to the DSOs of suspected AIS
misuse.<p>

<p>

(4) Network Access Control Features should address the following areas, to achieve C2 level
security of communications paths:<p>

<p>

(a) <u>Identification and Authentication Forwarding</u>. Reliable forwarding of the
identification should be used between AISs when users are connecting through a
network. When identification forwarding cannot be verified, a request for access
from a remote AIS should require authentication before permitting access to the
system.<p>

<p>

(b) <u>Protection of Authenticator Data</u>. In forwarding the authenticator information and
any tables (e.g., password tables) associated with it, the data should be protected
from access by unauthorized users (e.g., by encryption) to ensure its integrity.<p>

<p>

<b>4.4 ADMINISTRATIVE SECURITY</b><p>

<p>

Administrative security consists of the controls and operational procedures used with or in place of
computer security features. Administrative security controls must be documented in the AIS security
plan, Security Features User's Guide (SFUG), and Trusted Facility Manual (TFM) for each accredited
AIS.<p>

<p>

<b>4.4.1 Accountability and Access Control Criteria</b><p>

<p>

The DSO will establish access control criteria and administrative procedures to limit access to
information processed, stored, or transmitted by sensitive Customs AISs. These activities are
documented in the AIS security planning process, approved by the AIS Security Officer, and
accredited as discussed in Section 3.4 and should include at least the following:<p>

<p>

(1) The access control criteria identify who is authorized AIS access and who is responsible for
approving such access.<p>

<p>

(a) The individual who requires access must possess the appropriate security
authorization and have a valid need-to-know.<p>

<p>

(b) The AIS security features must have the capability to restrict the user's access to only
that information which is necessary for scope of the job or assignment.<p>

<p>

(2) Customs and contractor personnel who access sensitive Customs AISs must have a completed
BI (discussed in Section 4.2). Personnel must only be granted access to AISs for which they
have a valid need-to-know based on their operational needs (i.e., principle of least privilege).<p>

<p>

(3) Customs AISs are generally designed for the use of Customs personnel, but by special
arrangements Customs may authorize certain types of access to other Federal, State, local,
or international law enforcement agencies, other government agencies, private contractors,
and trade community members in support of particular operations.<p>

<p>

Written requests for special access must be submitted to the appropriate Customs Security
Administrator who coordinates the AIS security process for the sponsoring organization. The
Security Administrator will ensure that such requests meet the following criteria.<p>

<p>

(a) The individual for whom access is requested must have appropriate security
authorization for the information or functions which are being requested.<p>

<p>

(b) The individual must have a valid need-to-know (i.e., access is an operational
necessity) documented in the application by the sponsoring organization. <p>

<p>

(c) The AIS security features have the capability to restrict the user's access to only
information and/or functions appropriate for the authorized activities.<p>

<p>

(d) If the AIS access is for members of the trade community, it must be based on limits as
specified in formal agreements with Customs.<p>

<p>

(4) Some Customs AISs are designed for the support of the law enforcement, trade communities
(e.g., TECS, ACS), and other agencies. Access requirements, controls, and procedures are
defined for each system and documented in its System Security Plan. Reference the
appropriate AIS support documentation for details related to such systems.<p>

<p>

<b>4.4.2 Software and Data Security</b><p>

<p>

(1) All executable software used on sensitive Customs AISs should be obtained through
authorized procurement channels. Software acquired by any other means (e.g., public
domain software, bulletin board services, personally owned software [developed or
purchased]) is <u>restricted</u> and must be approved in writing by AIS Security Administration as
an operational necessity.<p>

<p>

(2) Safeguards must be in place to detect and minimize inadvertent or malicious modification or
destruction, or attempts to do so, of a sensitive AIS's application software, operating system
software, and critical data files. The safeguards should achieve the integrity objectives and
be documented in the AIS security plan.<p>

<p>

(a) Executable software authorized to run on a sensitive Customs AIS will be identified
in the AIS security plan.<p>

<p>

(b) The level of protection must be commensurate with the sensitivity of the information
processed.<p>

<p>

(c) At a minimum, essential data should be backed-up and the media stored physically
separate from the AIS (preferably at an off-site location). Appropriate AIS security
controls must be in place to assure viability of such back-ups.<p>

<p>

(3) Virus and malicious code (software) prevention and control measures, commensurate with
the identified level of risk, will be employed to protect the integrity of the software and data
for applicable AIS.<p>

<p>

(a) The AIS Security Officer manages the virus protection program for Customs and
should be contacted for approved prevention and control measures (e.g., behavior
detection, scanning, cleanup techniques and/or procedures) if there is a suspected or
known malicious code (software) threat.<p>

<p>

(b) Identified incidents of malicious code (software) or virus infections should be
reported promptly to the DSO, AIS Security Officer, and/or IA, as appropriate.<p>

<p>

(c) Prior to introduction into or use by Customs, AIS data recording media will be
scanned for malicious code (software), including:<p>

<p>

(i) all Customs-seized AIS machines and media,<p>

<p>

(ii) all removable AIS magnetic or optical recording media (e.g., floppy disks,
CD-ROM, etc.), regardless of source, and<p>

<p>

(iii) all fixed AIS storage devices (e.g., hard drives, R/W Optical, etc.), on a
periodic basis.<p>

<p>

(4) Use of copyrighted software will comply with copyright laws and license agreements.<p>

<p>

(5) Introduction of data from sources and/or in formats other than those specified in the
appropriate AIS security plan (e.g., financial data received from financial institutions) must
be approved in writing by the AIS Security Officer as an operational necessity. These
activities must be in conformance with the accreditation of the AIS and FOIA/PA (Freedom
of Information Act/Privacy Act) requirements.<p>

<p>

(6) To maintain software integrity, proper configuration management (CM) and controls must
be used to monitor software installation and updates. This process will provide a historical
record of software changes, helping to ensure that the software functions as expected, is
maintained, and that only authorized software is permitted on the AIS.<p>

<p>

<b>4.4.3 Technical Support and Maintenance</b><p>

<p>

(1) Technical support and maintenance activities for Customs AIS must ensure that:<p>

<p>

(a) Hardware and software maintenance activities do not affect the integrity of existing
safeguards or permit the introduction of security exposures into an AIS (e.g.,
computer viruses, Trojan Horses, logic bombs, malicious code, etc.).<p>

<p>

(b) Sensitive Customs AIS electronic storage and memory devices are not released from
Customs control without proper clearing procedures to remove residual data.
Exceptions (waivers) must be approved by the AIS Security Officer.<p>

<p>

(c) Automated (i.e., computer-connected) dial-up diagnostic maintenance of sensitive
Customs AIS via remote communications between vendors and Customs AIS
facilities is prohibited unless authorized by the Principal Accrediting Authority (PAA)
in the AIS Accreditation. The Accreditation should reference an approved contract,
MOU, or other agreement when such a service is included.<p>

<p>

(2) AIS technical support and maintenance work performed in Customs facilities (on-site) must
be supervised by or under the control of Customs personnel knowledgeable in appropriate
AIS operations.<p>

<p>

On-site AIS technical support and maintenance personnel must meet the personnel security
requirements. (See also: Section 4.2)<p>

<p>

(3) AIS technical support and maintenance must be considered in AIS certification.<p>

<p>

<b>4.4.4 Portable Computer Equipment</b><p>

<p>

Customs AIS portable computers, related types of equipment, and storage media must be restricted
to exclusive authorized Customs use. Unattended Customs AIS equipment and storage media must
be secured in an appropriate manner commensurate with the sensitivity of the data, equipment, and
authorized use. To the extent possible, such equipment and storage media must be kept in the
possession of the individual to whom it is issued or charged out.<p>

<p>

<b>4.4.5 Classification and Controls</b><p>

<p>

(1) Customs AISs that store, process, or transmit sensitive information must be adequately
safeguarded to ensure that access to sensitive Customs information is restricted to Customs
authorized personnel, and operated only by Customs authorized persons in facilities (physical
space) under Customs authorization or control.<p>

<p>

(2) When not under the control of Customs authorized personnel, Customs sensitive AISs and
related equipment must, at a minimum, be secured as follows:<p>

<p>

(a) Microcomputers, terminals, displays, and related AIS equipment which might
provide unauthorized access to sensitive data or resources, must be turned off or
otherwise made inaccessible. Additional appropriate security control measures may
be necessary in some situations. Exceptions (waivers) must be part of the
accreditation statement or separately approved by the AIS Security Officer.<p>

<p>

(b) Diskettes, tapes, removable storage devices, printer ribbons or laser cartridges, and
other AIS media which contain sensitive information must be labeled and secured
commensurate with the highest level of information stored on the device.
Destruction of such media must be appropriate to the level of sensitivity of the data
stored on it.<p>

<p>

<b>4.4.6 External Labels</b><p>

<p>

In an AIS environment where no classified information is processed or stored, special security labels
with the word "Unclassified" are not required to identify that the storage media contains unclassified
information. However, for some categories of SBU data, special identification labels are required.
Reference <u>Safeguarding Classified Information Handbook</u>, for the appropriate procedures.<p>

[USCS HB 1400-03]<p>

<p>

The term "unclassified" is not a security classification, but is a category of data within which are
several subcategories, including sensitive but unclassified (SBU) and public information.<p>

<p>

Sensitive but unclassified (SBU) information is restricted to authorized persons with a need-to-know
and requires appropriate controls as explained in this manual.<p>

<p>

<b>4.4.7 Customs Work Performed at non-Customs Locations</b><p>

<p>

When operational necessity requires that Customs authorized work be performed at non-Customs
controlled locations (e.g., field assignment, work at home, etc.), the following policies apply and
associated risks must be appropriately managed.<p>

<p>

(1) Customs management must determine that required security controls and documentation are
in place for authorized AIS operations and that SBU information is properly protected.
Although current technology makes it feasible to address these requirements, providing
adequate safeguards and conducting related activities for individual AISs may not always be
cost-effective.<p>

<p>

AIS security control documentation includes the following.<p>
<p>

(a) System security plan.<p>

<p>

(b) Risk analysis.<p>

<p>

(c) Contingency plan.<p>

<p>

(d) Security procedures.<p>

<p>

(e) Certification.<p>

<p>

(f) Accreditation.<p>

<p>

(2) AIS equipment (whether or not Customs owned) used to process SBU at non-Customs
controlled locations must meet the security requirements for sensitive Customs AISs as
presented in this policy manual.<p>

<p>

(3) Authorized use of Customs owned computer equipment at home is permitted when such usage
is consistent with the policy as presented in this manual.<p>

<p>

<b>4.4.8 Use of Non-Customs Owned AISs</b><p>

<p>

(1) It is <u>Treasury policy</u> that, "Personally-owned computers and software will not be used to
process sensitive but unclassified (SBU) information without the approval of the Principal
Accrediting Authority." (Reference: TD P 71-10, Chap. VI, Section 4.D.1).<p>

<p>

<u>Treasury policy</u> defines, <u>Personally-owned computers or software</u> as, "Computers or software
purchased with non-government funds, except those turned over for exclusive U.S.
Government control and use and where the hard-drive will be properly erased when the
system is no longer in U.S. Government use."<p>

(Reference: TD P 71-10, Appendix B. Definition updated 11/24/95).<p>

<p>

(2) It is <u>Customs policy</u> that non-Customs owned computers or software will not be used to
process, access, or store Sensitive But Unclassified (SBU) information without the written
approval of the Principal Accrediting Authority (PAA).<p>

<p>

(a) Policy exceptions (waivers) must be approved by the PAA who assumes the
associated risks for authorizing the use.<p>

<p>

(b) The protection requirements for data on Customs owned equipment apply equally to
the protection of data when used on non-Customs owned equipment.<p>

<p>

<b>4.5 TELECOMMUNICATIONS SECURITY</b><p>

<p>

The Federal government is developing appropriate security policies and infrastructures that deal with
the rapidly changing field of telecommunications. Under the auspices of the White House Office of
Science and Technology Policy, the National Information Infrastructure Task Force (NITF) is a
driving force in this effort. The NITF includes high-level representatives of Federal agencies that play
a major role in the development and application of information and telecommunications technologies.
[GAO94285; GAO9523]<p>

<p>

<b>4.5.1 Information System Standards</b><p>

<p>

It is the policy of the Department of the Treasury to comply with all mandatory Federal Information
Processing Standards (FIPS), mandatory Federal Telecommunications Standards (FED-STDs),
voluntary FIPS, FED-STDs, American National Standards Institute (ANSI), or other information
system standards and guidelines to the extent they are determined to be cost-effective and appropriate
for the intended use. A waiver process is defined in Treasury <u>Information Systems Standard
Program</u>, 8/23/89. [TD 87-01; COHEN]<p>

<p>

<b>4.5.2 Network Connections</b><p>

<p>

Telecommunication connections between Customs AISs and non-Customs AISs or networks, public
or private, may be authorized by the AIS Security Officer under the following conditions:<p>

<p>

(1) Non-sensitive Customs AIS, when operated in a dedicated security mode, must be locally
documented, including the administrative approval of the AIS Security Officer and a technical
description of the connection(s). Example: microcomputers, PCs, etc., that do not contain
or process SBU data and are not connected physically or logically to any other Customs AIS
or network (Treasury or Customs).<p>

<p>

(2) All other Customs AIS connections to non-Customs networks must be approved by the AIS
Security Officer, on a case-by-case basis. The AIS Security Officer will ensure that the
appropriate safeguards are in place and that documentation, such as license agreements,
memoranda of understanding (MOU), interconnection agreements, etc., are executed on
behalf of Customs, as part of the approval process. Example: Customs AIS access to the
National Information Infrastructure (NII) or commercial information databases (e.g.,
LEXIS/NEXIS, Dun & Bradstreet Business records, D&B Worldbase, etc.).<p>

<p>

<b>4.5.3 Internet Services</b><p>

<p>

<u>Treasury policy</u>: Issued April 28, 1995, by the Deputy Assistant Secretary for Information Systems.
[TD INTERNET]<p>

<p>

Treasury operating policy requires that any access to the Internet services from Treasury AIS
(including Customs) be provided via protected Internet gateways (access control mechanisms) that
have been approved by the Office of Telecommunications Management (OTM).<p>

<p>

Exceptions must be approved in writing by the Director, OTM.<p>

<p>

<u>Customs policy</u>:<p>

<p>

In addition to Treasury policy, Customs owned or controlled AISs may only access the Internet via
Customs approved gateways.<p>

<p>

This limitation means that Customs owned, controlled, or authorized computer equipment, regardless
of its location or means of connection to any network or system, may not be used to access the
Internet, directly or indirectly (e.g., via service providers such as CompuServe, AOL, etc.) unless
such connection is via a Customs approved Internet gateway (i.e., firewall). While the configuration
of some networks makes it technically possible to access the Internet without going through an
approved gateway, such access is not authorized.<p>

<p>

Exceptions to this policy must be approved in writing by the Director, OTM, U.S. Treasury
Department. [TD INTERNET]<p>

<p>

<b>4.5.4 Electronic Mail (E-Mail)</b><p>

<p>

Government projects and commercial products for secure electronic mail (E-Mail) systems are
undergoing rapid development and will be available in the coming years. Until such products are
implemented, users are cautioned NOT to send sensitive information via E-Mail.<p>

<p>

<b>4.5.5 Facsimile (FAX)</b><p>

<p>

Sensitive information will only be transmitted via a secure facsimile system (e.g., encrypted or via
a protected network). Commercial-off-the-shelf (COTS) software and hardware are available to
provide the necessary safeguards and should be employed as appropriate.<p>

<p>

<b>4.5.6 PBX and Voice Mail Systems</b><p>

<p>

Private Branch Exchanges (PBX) and Voice mail systems do not currently meet standard security
specifications and are not generally considered secure systems. They are susceptible to unauthorized
access and messages left on a voice mail system should contain the least amount of information
possible. Do not leave any information on a voice mail system that, if compromised, could damage
Customs mission. Report suspected unauthorized access attempts to AIS Security Administration.<p>

<p>

PBX systems must be physically secured and system security features configured (to the extent
possible for a specific system) to prevent unauthorized access to dial-tones, modems, or other AIS
access. (See also: Appendix D. Good Security Practices).<p>

<p>

Voice Mail and Voice Interactive Response systems must be configured (to the extent possible) to
prevent unauthorized access to dial-tones, modems, or other AIS access.<p>

(See also: Appendix B. Good Security Practices).<p>

<p>

<b>4.5.7 Communications Security (COMSEC)</b><p>

<p>

COMSEC is intended to deny unauthorized persons information derived from telecommunications
of the United States Government related to national security and to ensure the authenticity of such
communications. COMSEC issues should be directed to the Communications Security Management
Branch, Orlando, FL. [USCS 4300-09]<p>

CHAPTER 5<p>

<i>SECURITY INCIDENTS AND VIOLATIONS</i><p>

<IMG SRC="images/bar1.gif">
<p>

<p>

Definition: <u>AIS Security Incident</u>. An AIS security incident is any event and/or condition that has the potential
to impact the security and/or accreditation of an AIS and may result from intentional or unintentional actions.<p>

<p>

Examples include: unauthorized attempts to gain access to information; introduction of malicious code or
viruses into Customs AISs; loss or theft of computer media; or the failure of an AIS security function to
perform as designed. For reporting purposes, malicious code (software) incidents include any detection of
malicious code, whether detected on magnetic media prior to the media's entry into a Customs AIS or after
infection of the AIS, and any actual execution of malicious code.<p>

<p>

Definition: <u>AIS Security Violation</u>. An event which may result in disclosure of sensitive or classified
information to unauthorized individuals, or that results in unauthorized modification or destruction of system
data, loss of computer system processing capability, or loss or theft of any computer system resources.<p>

(See also: TD P 71-10, Chapter III.4)<p>

<p>

(1) Customs employees, contractors, and/or users should report security-related incidents and/or
violations through the appropriate supervisory channels to the DSOs, Security Administrators, AIS
Security Officer, or Internal Affairs (IA), as appropriate. The AIS Security Officer will maintain the
appropriate records and address the impact of the security incidents on the accreditation status of
related AISs. Additional security safeguards to reduce generic risks may be recommended, as
required.<p>

<p>

(2) Additionally, malicious code (software) and virus infection incidents on Customs AIS (i.e.,
mainframes, microcomputers, networks, PCs, floppy disks or other media, etc.) should be promptly
reported to the AIS Security Officer.<p>

<p>

(3) Customs employees may be subject to disciplinary action for failure to comply with Customs AIS
security policy, whether or not the failure results in criminal prosecution.<p>

<p>

AIS security-related violations are addressed in the Treasury <u>Standards of Ethical Conduct for
Employees of the Executive Branch</u> and the Customs <u>Conduct and Employee Responsibilities</u>. Such
violations should be reported through the appropriate supervisory channels to the AIS Security Officer
and/or IA, as appropriate. [TD ETHICS; USCS 51000-05]<p>

<p>

(4) Non-Customs employees who fail to comply with this policy are subject to having their access to
Customs AISs and facilities terminated, whether or not the failure results in criminal prosecution.<p>

<p>

(5) Any person who improperly discloses sensitive or classified information is subject to criminal and civil
penalties and sanctions under a variety of laws (e.g., Privacy Act ...).<p>

<p>


GLOSSARY<p>

<IMG SRC="images/bar1.gif">
<p>

<p>

Editor's note: Computer terms have evolved and become more clearly defined during the past decade. The
referenced definitions are from recent publications of established sources, and are generally
preferred.<p>

<p>

Source references:<p>

<p>

<u>Glossary of Computer Security Terminology</u>, developed by the National Security Telecommunications and
Information Systems Security Committee (NSTISSC) and published by NIST as NISTIR 4659.
Available from NTIS as PB92-112259.<p>

<p>

<u>Glossary for Computer Security Terms</u>. National Technical Information Service (NTIS), FIPS PUB 39,
Springfield, VA., 02/15/76. <b>Withdrawn</b> 4/93. Replacement is FIPS 11-3.<p>

<p>

<u>Introduction to Certification and Accreditation</u>. National Computer Security Center (NCSC), NCSC-TG-029,
Ver. 1, NSA, Ft. George G. Meade, MD., January 1994.<p>

<p>

<u>Treasury Security Manual</u>, TD P 71-10, Appendix B, 1993.<p>

<p>

<p>

<center><b>A</b></center>
<p>

<p>

<b>Access</b><p>

A specific type of interaction between a subject and an object that results in the flow of information
from one to the other. The capability and opportunity to gain knowledge of, or to alter information
or materials including the ability and means to communicate with (i.e., input or receive output), or
otherwise make use of any information, resource, or component in a computer system.<p>

<p>

<b>Access Control</b><p>

The process of limiting access to the resources of a system to only authorized persons, programs,
processes, or other systems. Synonymous with controlled access and limited access. Requires that
access to information resources be controlled by or for the target system. In the context of network
security, access control is the ability to limit and control the access to host systems and applications
via communications links. To achieve this control, each entity trying to gain access must first be
identified, or authenticated, so that access rights can be tailored to the individual. <p>

<p>

<b>Accreditation/Approval</b><p>

The official management authorization for operation of an AIS. It provides a formal declaration by
an Accrediting Authority that a computer system is approved to operate in a particular security mode
using a prescribed set of safeguards. Accreditation is based on the certification process as well as
other management considerations. An accreditation statement affixes security responsibility with the
Accrediting Authority and shows that proper care has been taken for security.<p>

<p>

<b>Accrediting Authority (AA)</b><p>

The official who has the authority to decide on accepting the security safeguards prescribed for a
computer system or that official who may be responsible for issuing an accreditation statement that
records the decision to accept those safeguards.<p>

See also: <b>Designated Approving Authority (DAA), Principal Accrediting Authority</b>.<p>

<p>

<b>Adequate Security</b><p>

Security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or
unauthorized access to or modification of information. This includes assuring that systems and
applications used by the agency operate effectively and provide appropriate confidentiality, integrity,
and availability, through the use of cost-effective management, personnel, operational and technical
controls. [OMB A-130, AIII]<p>

<p>

<b>Administrative Systems</b><p>

An automated Customs system to provide support in areas of accounting, personnel, payroll, logistics
and other support services.<p>

<p>

<b>ADP</b><p>

Automatic Data Processing. See also: <b>Automated Information System</b><p>

<p>

<b>AIS</b><p>

See: <b>Automated Information System</b>.<p>

<p>

<b>AIS Owner</b><p>

The official who has the authority to decide on accepting the security safeguards prescribed for an AIS
and is responsible for issuing an accreditation statement that records the decision to accept those
safeguards.<p>

See also:<b> Accrediting Authority (AA)</b>,<b> Application Owner</b>, <b>Process Owner, PAA, DAA</b>.<p>

<p>

<b>AIS Security</b><p>

Measures or controls that safeguard or protect an AIS against unauthorized (accidental or intentional)
disclosure, modification, destruction of the AIS and data, or denial of service. AIS security provides
an acceptable level of risk for the AIS and the data contained in it. Considerations include: 1) all
hardware and/or software functions, characteristics, and/or features; 2) operational procedures,
accountability procedures, and access controls at all computer facilities in the AIS; 3) management
constraints; 4) physical structures and devices; and 5) personnel and communications controls.<p>

<p>

<b>Application</b><p>

A software organization of related functions, or series of interdependent or closely related programs,
that when executed accomplish a specified objective or set of user requirements. Customs applications
include: Automated Commercial System (ACS), Automated Export System (AES), Treasury
Enforcement Communication Systems (TECS), and Administrative Systems (AS). [USCS 5500-05]
See also: <b>Major Application</b>, <b>Process</b>.<p>

<p>

<b>Application Owner</b><p>

The official who has the responsibility to ensure that the program or programs which make up the
application accomplish the specified objective or set of user requirements established for that
application, including appropriate security safeguards.<p>

See also:<b> Accrediting Authority (AA)</b>,<b> Process Owner</b>.<p>

<p>

<b>Audit</b><p>

To conduct the independent review and examination of system records and activities.<p>

<p>

<b>Audit trail</b><p>

A set of records that collectively provides documentary evidence of processing. It is used to aid in
tracing from original transactions forward to related records and reports, and/or backwards from
records and reports to their component source transactions.<p>

<p>

<b>Automated Commercial System (ACS)</b><p>

A joint public/private data processing system used by Customs and the import trade community to
process millions of commercial cargo shipments entering U.S. commerce each year.<p>

<p>

<b> Automatic Data Processing (ADP)</b><p>

The assembly of computer hardware, firmware, and software used to categorize, sort, calculate,
compute, summarize, store, retrieve, control, process, and/or protect data with a minimum of human
intervention. ADP systems can include, but are not limited to, process control computers, embedded
computer systems that perform general purpose computing functions, supercomputers, personal
computers, intelligent terminals, office automation systems (which includes standalone
microprocessors, memory typewriters, and terminals connected to mainframes), firmware, and other
implementations of AIS technologies as may be developed; they also include applications and
operating system software. See also: <b>Automated Information System (AIS)</b>.<p>

<p>

<b>Automated Export System (AES)</b><p>

A data processing system used by Customs to provide automatic release of cargo that is subject to
U.S. export regulatory requirements, collect export data and statistics for use in law enforcement,
illegal chemical interdiction, export verification, revenue collection, and other activities.<p>

<p>

<b>Automated Information System (AIS)</b><p>

An AIS is an assembly of computer hardware, software, and/or firmware configured to collect,
create, communicate, compute, disseminate, process, store, and/or control data or information.
Examples include: information storage and retrieval systems, mainframe computers, minicomputers,
personal computers and workstations, office automation systems, automated message processing
systems (AMPSs), and those supercomputers and process control computers (e.g., embedded
computer systems) that perform general purpose computing functions. [TD P 71-10] <p>

<p>

<b>Authenticate/Authentication</b><p>

1) The process to verify the identity of a user, device, or other entity in a computer system, often
as a prerequisite to allowing access to resources in a system.<p>

2) A process used to verify that the origin of transmitted data is correctly identified, with
assurance that the identity is not false. To establish the validity of a claimed identity.<p>

<p>

<b>Authenticated user</b><p>

A user who has accessed an AIS with a valid identifier and authentication combination.<p>

<p>

<b>Authorization</b><p>

The privileges and permissions granted to an individual by a designated official to access or use a
program, process, information, or system. These privileges are based on the individual's approval
and need-to-know.<p>

<p>

<b>Authorized Person</b><p>

A person who has the need-to-know for sensitive information in the performance of official duties and
who has been granted authorized access at the required level. The responsibility for determining
whether a prospective recipient is an authorized person rests with the person who has possession,
knowledge, or control of the sensitive information involved, and not with the prospective recipient.<p>

<p>

<b>Availability</b><p>

The property of being accessible and usable upon demand by an authorized entity. Security
constraints must make AIS services available to authorized users and unavailable to unauthorized
users.<p>

<p>

<p>

<center><b>B</b></center>
<p>

<p>

<p>

<b>Back-up</b><p>

A copy of a program or data file for the purposes of protecting against loss if the original data
becomes unavailable.<p>

<p>

<b>Back-up Operation</b><p>

A method of operations to complete essential tasks as identified by a risk analysis. These tasks would
be employed following a disruption of the AIS and continue until the AIS is acceptably restored.<p>

See also: <b>Disaster Recovery, Contingency Operations</b>.<p>

<p>

<b>Bacteria</b><p>

A malicious computer program that consumes AIS resources by replicating itself. The program does
not explicitly cause damage to files but replicates itself, thereby denying normal availability of AIS
resources. See also: <b>Virus</b>,<b> Worm, Trojan Horse, Malicious Code, Trap Door.</b><p>

<p>

<b>Baud</b><p>

The signaling rate of a communications device, such as a modem, as measured by the changes per
second of an event (usually an electrical or optical change). Using encoding, the bits-per-second rate
can be multiples of the Baud rate.<p>

<p>

<b>Bits-per-second</b><p>

The signaling rate of a communications device, such as a modem, measured by binary digits transfers
per second. Using encoding, bits-per-second rate can be multiples of the Baud rate. <p>

See also: <b>BAUD</b>.<p>

<p>

<p>

<center><b>C</b></center>
<p>

<p>

<p>

<b>C2</b><p>

A level of security safeguard criteria. See also: <b>Controlled Access Protection, TCSEC</b>.<p>

<p>

<b>CA-TOP SECRET&reg;</b><p>

A computer system security program marketed by Computer Associates International Corporation&reg;.
Originally labeled under the trade mark of TOP-SECRET, it was renamed CA-TOP SECRET&reg; to
avoid confusion with the DoD classification. <p>

<p>

<b>Capstone</b><p>

The U.S. Government's long-term project to develop a set of standards for publicly-available
cryptography, as authorized by the Computer Security Act of 1987. The Capstone cryptographic
system will consist of four major components and be contained on a single integrated circuit microchip
that provides non-DoD data encryption for Sensitive But Unclassified information. It implements the
Skipjack algorithm. See also: <b>Clipper</b>, <b>Fortezza</b>, <b>Sensitive But Unclassified</b>, <b>MISSI</b>.<p>

<p>

<b>Category I</b><p>

"Consists of Federal departments and agencies expected to play a major role in establishing broad
policy parameters, participating in setting national priorities, and defining and implementing strategies
for response to national security emergencies. Departments and agencies in this category have
uninterruptible functions which are vital to the national security, immediate survival, and continuity
of government." (Reference: TD P 71-10, V.1.I.2.a, Attachment Section 1, 10/01/92). <p>

Note: The Customs Service is designated Category I.<p>

<p>

<b>Certification</b><p>

The comprehensive analysis of the technical and nontechnical features, and other safeguards, to
establish the extent to which a particular AIS meets a set of specified security requirements.
Certification is part of the accreditation process and carries with it an implicit mandate for
accreditation. See also: <b>Accreditation</b>.<p>

<p>

<b>Channel</b><p>

An information transfer path within a system or the mechanism by which the path is effected.<p>

<p>

<b>CICS (Customer Information Control System)</b><p>

An IBM&reg; program product for the management of on-line communications between terminal users
and a data base.<p>

<p>

<b>Cipher</b><p>

An algorithm for encryption or decryption. A cipher replaces a piece of information (an element of
plain text) with another object, with the intent to conceal meaning. Typically, the replacement rule
is governed by a secret key. See also: <b>Encryption, Decryption</b>.<p>

<p>

<b>Classification</b><p>

A systematic arrangement of information in groups or categories according to established criteria.
In the interest of national security it is determined that the information requires a specific degree of
protection against unauthorized disclosure together with a designation signifying that such a
determination has been made. The established categories are Top Secret, Secret, and Confidential,
as specified in E.O. 12958, 4/17/95. For details on classified information handling processes
reference: CIS HB 1400-03, 1991. See also: <b>Limited Official Use</b>.<p>

<p>

<b>Clear or clearing (AIS Storage Media)</b><p>

The removal of sensitive data from AIS storage and other peripheral devices with storage capacity,
at the end of a period of processing. It includes data removal in such a way that assures, proportional
to data sensitivity, that it may not be reconstructed using normal system capabilities, i.e., through the
keyboard. See also: <b>Remanence, Object Reuse</b>.<p>

<p>

<b>Clipper</b><p>

Clipper is an encryption chip developed and sponsored by the U.S. government as part of the
Capstone project. Announced by the White House in April, 1993, Clipper was designed to balance
competing concerns of Federal law-enforcement agencies and private citizens by using escrowed
encryption keys. See also: <b>Capstone, Fortezza, MISSI, Skipjack.</b><p>

<p>

<b>Commercial-Off-The-Shelf (COTS)</b><p>

Products that are commercially available and can be utilized as generally marketed by the
manufacturer. <p>

<p>

<b>Compromise</b><p>

The disclosure of sensitive information to persons who are not authorized access or who do not have a need-to-know.<p>

<p>

<b>COMSEC (Communication security)</b><p>

Measures and controls that deny unauthorized persons access to, and ensure the authenticity of,
sensitive (or classified) information derived from telecommunications. For details on applying
COMSEC to classified information reference: CIS HB 1400-03, 1991.<p>

<p>

<b>Computer Fraud and Abuse Act of 1986</b><p>

This law makes it a crime to knowingly gain access to a Federal Government computer without
authorization and to affect its operation. [18 USC 1030] See also: <b>Federal Government Computer</b>.<p>

<p>

<b>Computer Security</b><p>

Technological and managerial procedures applied to AIS to ensure the availability, integrity, and
confidentiality of information managed by the AIS. See also: <b>Information System Security</b>.<p>

<p>

<b>Computer Security Act of 1987</b><p>

The law provides for improving the security and privacy of sensitive information in "federal computer
systems"--"a computer system operated by a Federal agency or other organization that processes
information (using a computer system) on behalf of the Federal Government to accomplish a Federal
function." [PL 100-235] See also: <b>Federal Government Computer</b>.<p>

<p>

<b>Confidential</b><p>

A security classification for information relevant to national security. For details on classified
information handling processes reference: CIS HB 1400-03, 1991; E.O. 12958, 4/17/95.<p>

See also: <b>Limited Official Use</b>.<p>

<p>

<b>Confidentiality</b><p>

The condition when designated information collected for approved purposes is not disseminated
beyond a community of authorized knowers. It is distinguished from secrecy, which results from the
intentional concealment or withholding of information. [OTA-TCT-606]<p>

<p>

Confidentiality refers to: 1) how data will be maintained and used by the organization that collected
it; 2) what further uses will be made of it; and 3) when individuals will be required to consent to such
uses. It includes the protection of data from passive attacks and requires that the information (in an
AIS or transmitted) be accessible only for reading by authorized parties. Access can include printing,
displaying, and other forms of disclosure, including simply revealing the existence of an object.<p>

<p>
<b>Configuration Management (CM)</b><p>

The management of changes made to an AIS's hardware, software, firmware, documentation, tests, test
fixtures, test documentation, communications interfaces, operating procedures, installation structures,
and all changes thereto throughout the development and operational life-cycle of the AIS.<p>

[NCSC-TG-006]<p>

<p>

<b>Contingency Plan</b><p>

The documented, organized process for implementing emergency response, back-up operations, and
post-disaster recovery, maintained for an AIS as part of its security program, to ensure the availability
of critical assets (resources) and facilitate the continuity of operations in an emergency. <p>

See also: <b>Disaster Recovery, Emergency Plan</b>.<p>