2. -
Purpose. To define internal INFOSEC/Information System Monitoring (INFOSEC/ISM) policy, establish procedures, outline incident reporting requirements and implement internal network protection services.
-
Scope. The policies, practices and procedures outlined in this document are intended for IAM/IAO action; however, INFOSEC is everyone’s responsibility.
-
Background. TTGL IS infrastructure connects tactical, logistic and administrative data to afloat and ashore units worldwide. These sensitive computer networks are continuously susceptible to computer network attacks and exploitation (CNA/CNE) and other malicious activity, both externally and internally. To protect IS technology resources and maximize combat readiness, it is essential to continuously evaluate the integrity and monitor activity of all TTGL computer systems and networks by providing:
-
Comprehensive oversight of system operational characteristics.
-
Reliable and continuing assessment of threats, weaknesses, and vulnerabilities.
-
Implementation appropriate, effective, and efficient security measures.
-
Establishing a technical baseline to maintain and evaluate information system security controls.
-
Policy.
-
INFORMATION SECURITY. INFOSEC is the policies and procedures for the classification, safeguarding, transmission, and destruction of classified information. The term “classified information” is any material, document, product, or substance in which classified information is recorded or embodied, including information residing on classified IS. However, it is important to recognize that all information transmitted and received on IS, regardless of classification, is considered sensitive information and shall be included when practicing INFOSEC. For specific INFOSEC responsibilities, refer to Chapter 2 of this instruction and TTGL Command Security Instruction.
-
INFORMATION SYSTEMS MONITORING. TTGL ISM carries with it the requirement to comply with individual privacy laws to ensure individual freedoms are observed consistent with security requirements. Internal INFOSEC/ISM of information infrastructures shall be used only as necessary to identify weaknesses, evaluate vulnerabilities, and determine the degree of security provided to essential computer systems and networks. All internal ISM activities shall be conducted by responsible, properly trained, and specifically authorized individuals and in strict compliance with applicable DoD and DoN directives, executive orders, and public laws. Additionally:
-
A Warning Banner message (Log-on Banner) shall be clearly displayed on all displays and monitors at initial login stating requirements IAW CTO 08-008A.
-
Under no circumstances may internal INFOSEC/ISM be initiated against any computer system or network when such monitoring would constitute electronic surveillance.
-
Information acquired incidentally during the course of authorized internal INFOSEC/ISM which may relate directly to a crime will be reported immediately to the CO.
-
The results of internal INFOSEC/ISM shall not be used to gather foreign intelligence/counterintelligence.
Chapter FOUR
InCIDENT Response Procedures and Reporting Requirements
3. -
Purpose. To define incident response policy, establish procedures, outline incident reporting requirements.
-
Background.
-
The term “incident” refers to an assessed event that confirms an attack on an information system resulting in unexpected behavior by IS that yields abnormal results or indicates unauthorized use or access, unexplained outages, denial of service, loss of accountability, or the presence of a virus. Per references (c) and (e), all computer security incidents will be reported for top secret systems and below and reference (k) for SCI systems. In general, the Naval Computer Incident Response Team (NAVCIRT) at Navy Cyber Defense Operations Command (NCDOC) addresses five types of incidents: intrusions, attempted intrusions, probes, denial of service attacks, and malicious logic infections. Adverse events from natural disasters and inadvertent man-made events such as floods, fires, power-related disruptions, and excessive heat are not within the scope of this chapter.
-
An “event” is an occurrence not yet assessed that may affect the performance of an information system. An example of an event is a system crash. Events sometimes indicate that an incident is occurring. In reality, events caused by human error (e.g., unintentional deletion of a critical directory and all files contained therein) are the most costly and disruptive computer security-related events. However, they are attracting an increasing amount of attention within the DoN to the threat of unauthorized remote access because of the abundance of malicious code available to perpetrators.
-
A “violation” is a failure to comply with the policies and procedures established which could reasonably result in the loss, compromise, or possible compromise of classified information. Security violations are different from incidents and are reported differently or not reported at all. Requirements for reporting security violations are specified in references (h), Chapter 12. The owner of the data generally determines reporting requirements for security violations. All computer security violations or suspected violations occurring will be reported immediately to the TTGL IAM and TTGL Security Manager. All instances will be vigorously investigated and reported per applicable references. Examples of a computer security violation include:
-
Removal of classified information
-
Wrongful disclosure of classified information
-
Introduction of high-risk software
-
Introduction of malicious code
-
Sharing passwords
-
Scope.
-
Per references (a) and (h), this document outlines suggested steps for responding to a network incident; however, individual responses and actions may be facilitated in several ways and may consist of several stages based on the nature and cause of the malicious activity. All actions taken during detection, response and recovery from an incident should be in accordance with reference (h) and current TTGL IA policies and procedures. These are standard recommended actions and should not be considered all inclusive.
-
The overview of this document addresses actions that should be taken to contain, eradicate, recover, and report a network incident. This includes:
-
TTGL IA policy review and implementation
-
Regaining control
-
Analysis of the incident
-
NCDOC/ NAVCIRT contact requirements
-
Recovery actions
-
IA Policy update requirements
-
Incident reporting
-
Post-incident analysis and IA policy update as required.
-
Action. The following actions will be taken if there is an intrusion of any system or network:
-
Initiate Network/System Intrusion Checklist, Exhibit 1.
-
Notify other interested elements within your command. In addition to notifying the CO and legal counsel, you may also need to notify other commands who may be directly affected.
-
Document all of the steps you take in systems or data recovery. The importance of documenting every step taken in recovery cannot be overstated.
-
Per references (c), (e), and Exhibit 1 and 2, contact NCDOC, and other sites involved to initiate reporting. The preferred method to contact NCDOC is via their webpage. NCDOC contact information:
Mailing address:
Commanding Officer
Network Computer Defense Operations Center
2555 Amphibious Drive
Norfolk, VA 23521-3225
Phone: Comm: (757) 417-4024, DSN (312) 537-4024
NCDOC Hotline: 1-888-NAVCDOC or 1-888-628-2362
Unclas fax: (757) 417-4031
Class fax: (757) 417-4064
STU/STE (312) 537-7592/ (757) 417-7952
NIPRNET: https://www.ncdoc.navy.mil
E-mail: ncdoc@ncdoc.navy.mil
SIPRNET: http://www.ncdoc.navy.smil.mil/forms.php
E-mail: cndwo@ncdoc.navy.smil.mil
Chapter FIVE
Policy on Local Area Network (LAN) Configuration Management Plan
Share with your friends: |
