Defense Security Service

Office of the Designated Approving Authority

DSS

SAMPLE ELECTRONIC COMMUNICATIONS PLAN (ECP)
This sample document provides a comprehensive example of how you could articulate your draft ECP and is not meant to replace or restrict your ECP development in any manner. In this example, the italicized red-font items are the original text from the DSS ECP template. Text in black font provides examples of how you could fulfill a particular requirement, but does not serve as a recommended or prescribed solution. Every ECP will be unique. When drafting your ECP, be as detailed and clear as possible to expedite the entire process. For more information regarding ECP development, contact your Industrial Security Representative.

February 2012






Defense Security Service

Electronic Communications Plan Sample

Date: 02/01/2012

Company: XYZ, Inc.

Address: 12345 West Broad Way, New York, NY 54321

Cage Code: 89PGK

ODAA Unique Identifier: 89PGK-20111119-00009-00019

Table of Contents

1. INTRODUCTION 5
2. PURPOSE 6
3. ROLES/PERSONNEL SECURITY 7
4. DETAILED SYSTEM DESCRIPTION/TECHNICAL OVERVIEW 8
5. IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES 9
5.1 USER IDENTIFICATION AND AUTHENTICATION 9
5.2 DEVICE IDENTIFICATION AND AUTHENTICATION 10
5.3 IDENTIFIER MANAGEMENT 10
5.4 AUTHENTICATOR MANAGEMENT 10
5.5 ACCESS CONTROL POLICY AND PROCEDURES 11
5.7 ACCESS ENFORCEMENT 12
5.8 INFORMATION FLOW ENFORCEMENT 13
5.9 SEPARATION OF DUTIES 13
5.10 LEAST PRIVILEGE 14
5.11 UNSUCCESSFUL LOGIN ATTEMPTS 14
5.12 SYSTEM USE NOTIFICATION 14
5.13 SESSION LOCK 15
5.15 SUPERVISION AND REVIEW — ACCESS CONTROL 16
5.16 REMOTE ACCESS 16
5.17 USE OF EXTERNAL INFORMATION SYSTEMS 17
6. SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES 18
6.1 SECURITY TRAINING 19
7. AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES 19
7.1 AUDITABLE EVENTS 19
7.2 CONTENT OF AUDIT RECORDS 20
7.3 AUDIT STORAGE CAPACITY 20
7.4 AUDIT MONITORING, ANALYSIS, AND REPORTING 20
7.5 TIME STAMPS 21
7.6 PROTECTION OF AUDIT INFORMATION 21
7.7 CONTINUOUS MONITORING 21
8. CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 22
8.1 MONITORING CONFIGURATION CHANGES 22
8.2 ACCESS RESTRICTIONS FOR CHANGE 23
8.3 LEAST FUNCTIONALITY 23
9. INCIDENT RESPONSE 23
9.1 INCIDENT RESPONSE POLICY AND PROCEDURES 23
9.2 INCIDENT RESPONSE TRAINING 24
9.3 INCIDENT RESPONSE TESTING AND EXERCISES 24
9.4 INCIDENT HANDLING 24
9.5 INCIDENT MONITORING 25
9.6 INCIDENT REPORTING 25
9.7 INCIDENT RESPONSE ASSISTANCE 26
10. PHYSICAL AND ENVIRONMENTAL PROTECTION 26
10.1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES 26
10.2 PHYSICAL ACCESS AUTHORIZATIONS 26
10.3 PHYSICAL ACCESS CONTROL 27
10.4 MONITORING PHYSICAL ACCESS 27
11. CONTINGENCY PLANNING AND OPERATION 28
11.1 CONTINGENCY PLANNING POLICY AND PROCEDURES 28
11.2 CONTINGENCY PLAN 28
11.3 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION 29
12. SYSTEM AND COMMUNICATIONS PROTECTIONS 29
12.1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES 29
13. APPLICATION PARTITIONING (IF APPLICABLE) 30
13.1 INFORMATION REMNANCE 31
13.2 DENIAL OF SERVICE PROTECTION 31
13.3 BOUNDARY PROTECTION 32
13.4 TRANSMISSION INTEGRITY 32
13.5 TRANSMISSION CONFIDENTIALITY 33
13.6 NETWORK DISCONNECT 33
13.7 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 33
13.8 COLLABORATIVE COMPUTING 33
13.9 MOBILE CODE 33
13.10 VOICE OVER INTERNET PROTOCOL 34
13.12 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE 34
13.13 SESSION AUTHENTICITY 35
13.14 MALICIOUS CODE PROTECTION 35
13.15 INFORMATION SYSTEM MONITORING TOOLS AND TECHNIQUES 36
14. MAINTENANCE 37
14.1 SYSTEM MAINTENANCE POLICY AND PROCEDURES 37
14.2 CONTROLLED MAINTENANCE 38
14.3 MAINTENANCE TOOLS 38
14.4 REMOTE MAINTENANCE 39
14.5 MAINTENANCE PERSONNEL 40
15. MEDIA PROTECTION 40
15.1 MEDIA PROTECTION POLICY AND PROCEDURES 40
15.2 MEDIA ACCESS 40
15.3 MEDIA SANITIZATION AND DISPOSAL 41
16. EXPORT CONTROL PROCEDURES 41
17. ADDITIONAL FOCI PROCEDURES 43
17.1 TELEPHONE PROCEDURES 43
17.2 FACSIMILE PROCEDURES 44
17.3 COMPUTER COMMUNICATIONS 45
Additional ODAA recommendations 50
ATTACHMENT 2 – EXPORT RELEASE FORMS 52
ATTACHMENT 4 – ECP REVISION LOG 54