Information assurance program manual table of contents



  1. Organization. TACTRAGRULANT (TTGL) IAWF will serve as focal point for all internal IA matters. IA personnel will consist of the Deployed Designated Approving Authority (Commanding Officer), Information Assurance Manager (IAM), Information Assurance Officer (IAO), and System Administrators (SA).

  2. Responsibilities

    1. Designated Approving Authority (DAA). The DAA responsibilities shall be delineated as follows:

      1. ODAA. The Office of the Designated Approving Authority (ODAA) is responsible for the accreditation of TTGL information systems and for their overall security and integrity.

    2. COMMANDING OFFICER. The CO responsibilities include:

      1. Direct the development of TTGL IA plan. This plan shall provide for the positive, secure control of IS assets, and the integrity of the data produced.

      2. Appoint IAM in writing to serve as the IA program administrator.

      3. Appoint in writing an adequate IA staff as required to meet proper IS posture.

      4. Ensure all IA incidents or violations are investigated, documented and reported per reference (h).

    3. INFORMATION SYSTEMS MANAGER (N6). The N6 will serve as principal advisor to the CO on all matters relating to the security and integrity of TTGL IS, networks, IP connectivity, media, peripherals, and data they produce.

      1. Be the central point of contact for all matters relevant to personnel, physical, communications, hardware, software, and procedural security safeguards for all IS onboard TTGL.

      2. Direct IAM in investigating, documenting and reporting all IA incidents or violations IAW reference (h).

      3. Ensure the TTGL IA Instruction is reviewed annually for continued compliance with DOD/DON guidance.

      4. Inform the CO of the completion of, and any discrepancies identified during, quarterly inspections of IS magnetic media handling and accounting procedures and semi-annual inventories of IS hardware.

    4. INFORMATION ASSURANCE MANAGER. The IAM will support the Information Systems Manager in advising the CO on all matters relating to the security and integrity of TTGL IS, networks, IP connectivity, media, peripherals, and data they produce. In addition to reference (b), IAM shall:

      1. Author, update and ensure effective implementation of the TTGL IA instruction. Maintain up-to-date knowledge of IA security policies and procedures.

      2. Lead the investigation of all IA incidents or violations and ensure events are documented and reported IAW reference (h).

      3. Direct and assist all TTGL IA personnel in accomplishment of IA responsibilities. IAM assumes all IA responsibilities for any staff position not assigned.

      4. Develop a formal IA training plan for secure operation and handling of IS assets. This training plan shall include both formal and informal instruction and provide effective training at both the common and privileged user levels. Training status for IAWF personnel shall be reported in writing to the CO on an annual basis. Additionally, the IAM shall be responsible for maintaining IA Workforce Improvement Program (WIP) certification and recertification requirements IAW references (m) and (n).

      5. Ensure IS accreditation documents (ATOs/IATOs) are developed, maintained, and updated for each system or network IAW reference (f).

      6. Ensure all IS media is controlled, accounted for, and handled IAW references (j) and (l). Provide to the CO semi-annually, inventories of all IS hardware.

      7. Conduct quarterly inspections of IS magnetic media handling and accounting procedures and report the results of each inspection to N6.

      8. Serve as review authority for IS configuration controls, including installation, relocation, reconfiguration, or removal of IS assets; changes to hardware and software assets; or modifications to accredited security parameters or mode of operation, to ensure compliance with IA accreditation standards.

      9. Coordinate with the TTGL N6 and IAO to establish effective INFOSEC/PERSEC controls for IS.

      10. Per reference (l), track and monitor all contractor functions within the TTGL IS environment to ensure IA compliance.

      11. Ensure that TTGL is in compliance with all applicable Communications Tasking Orders (CTO), Naval Telecommunications Directives (NTD), Fragmentary Orders (FRAGO), Fleet Advisory Messages (FAM), and Program of Record (PoR) guidance, and report compliance status to the CO on a monthly basis.

      12. Maintain inventory of all IS DIACAP and System Operational Verification Test (SOVT) packages.

      13. Forward formal reports of all TTGL IS media security violations to appropriate authorities.

      14. Complete IAWF Training requirements at the following NIPR Site:

    5. INFORMATION ASSURANCE OFFICER. The IAO serves as the focal point on all matters dealing with the INFOSEC/PERSEC of TTGL IS assets. The IAO may also serve as the station's ISSM. In addition to the requirements of reference (b), the IAO shall:

      1. Enforce IA/INFOSEC/PERSEC policies on all assigned IS and networks. Violations shall be reported immediately to the IAM and recorded in the IT POA&M.

      2. Conduct quarterly audits of user level accesses within system settings for all IS and report violations directly to CO.

      3. Identify risks and develop appropriate contingency plans for continuous operations, where applicable.

      4. Establish and maintain an up-to-date inventory of all IS operating systems, software, and applications.

      5. Facilitate the monitoring of any configuration changes in IS which may adversely affect IA posture. Installation of any non-program-of-record procured software or applications shall be pre-approved for use by NAVCYBERFOR and ISIC and managed IAW Chapter 5.

      6. Maintain and audit the master password list for IS IAW reference (l). Ensure all passwords are stored in a safe or vault approved for the highest classification level of any IS onboard.

      7. Maintain an IS operator training program covering INFOSEC and PERSEC content. Training shall be comprehensible to the common user.

      8. Maintain IS standard operating procedures for IA safeguards consistent with IA policies, including:

        1. User access controls: creating, disabling, and deleting users.

        2. Password settings.

        3. Clearing, declassifying and destroying IS media.

        4. TOP SECRET/SECRET/UNCLAS data safeguarding.

        5. Warning banner verification and updating.

        6. Antivirus updating and scanning.

        7. Information Assurance Vulnerability Management scanning and patching.

    6. SYSTEM ADMINISTRATORS. System Administrators (SYSADMINs) and any personnel with privileged user access will be appointed in writing by the CO for each IS. SYSADMINs will inform the IAM/IAO of all operational IA-related matters. SYSADMINs shall:

      1. Report to IAO all hardware and software configuration changes that deviate from baseline.

      2. Maintain user access controls for IS to include:

        1. User profiles and rights assigned. Users will not be permitted rights other than Authorized User rights without the written permission from the IAM.

        2. Ensure no duplicate or alias accounts are created.

        3. Maintain records of all access violations.

      3. Conduct and maintain daily and monthly IS backups. Store weekly backups in an offsite storage location (a different space than the system).

      4. Provide assistance to authorized network users regarding IA matters.

      5. Provide and store copies of network auditor logs.

      6. Ensure anti-virus programs are installed, updated, and provide continuous monitoring of the network.

      7. Identify CNA/CNE activity and take appropriate immediate actions for incident handling IAW reference (h).

      8. Ensure personnel authorized for remote terminal access have the appropriate need-to-know and security clearance.

      9. Maintain a user access list and copies of completed SAAR-N/PAA forms and report any changes to the IAM/IAO at the following intervals:

        1. Upon installation/revision/removal of any system, hardware, firmware, operating system, software, or application for which a user access list is required.

        2. When an operator is disqualified due to transfer, termination, job change, investigation, or other cause.

        3. Quarterly, review user accounts, create a list of accounts that are inactive, expired or locked, and report it to the IAM/IAO.

        4. Quarterly, validate active user accounts against the command roster; create a list of accounts not on the roster, de-activate those accounts, and report to the IAM/IAO.
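The quarterly account review above (steps (c) and (d)) is mechanical enough to script. The following is an added example, not part of the TTGL manual or any Navy tool; it assumes the directory can be exported as records with the fields shown, that the command roster is a list of usernames, and that "inactive" means no logon in 90 days (a threshold the page does not state). Both the account export and the roster are constructed sample data. Accounts not on the roster are disabled rather than deleted so the audit trail survives.

```python
"""Quarterly user-account review (added example, not from the TTGL manual).

Assumptions not stated on the page: accounts are exported as records with
the fields below, the roster is a set of usernames, and 90 days without a
logon counts as inactive.  All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2022, 10, 1)   # constructed date of the review
INACTIVE_DAYS = 90                # assumed inactivity threshold


@dataclass
class Account:
    username: str
    enabled: bool
    locked: bool
    last_logon: Optional[date]    # None = never logged on
    expires: Optional[date]       # None = no expiry set


# Constructed directory export.
ACCOUNTS = [
    Account("smith.j",    True,  False, date(2022, 9, 28), None),
    Account("doe.a",      True,  False, date(2022, 5, 1),  None),              # inactive
    Account("lee.k",      True,  True,  date(2022, 9, 30), None),              # locked
    Account("ctr.vendor", True,  False, date(2022, 9, 1),  date(2022, 8, 31)), # expired
    Account("jones.m",    True,  False, date(2022, 9, 29), None),              # not on roster
    Account("old.acct",   False, False, None,              None),              # already disabled
]

# Constructed command roster (personnel with a current SAAR-N on file).
ROSTER = {"smith.j", "doe.a", "lee.k", "ctr.vendor"}


def review_accounts(accounts, roster, today=REVIEW_DATE, inactive_days=INACTIVE_DAYS):
    """Step (c): list inactive, expired and locked accounts.
    Step (d): list enabled accounts whose owner is not on the roster.
    Accounts that are already disabled are skipped; they need no action."""
    cutoff = today - timedelta(days=inactive_days)
    report = {"inactive": [], "expired": [], "locked": [], "not_on_roster": []}
    for a in accounts:
        if not a.enabled:
            continue
        if a.last_logon is None or a.last_logon < cutoff:
            report["inactive"].append(a.username)
        if a.expires is not None and a.expires < today:
            report["expired"].append(a.username)
        if a.locked:
            report["locked"].append(a.username)
        if a.username not in roster:
            report["not_on_roster"].append(a.username)
    return report


def deactivate_off_roster(accounts, roster):
    """Step (d): disable (do not delete) enabled accounts not on the roster
    and return the usernames changed, for the report to the IAM/IAO."""
    changed = []
    for a in accounts:
        if a.enabled and a.username not in roster:
            a.enabled = False
            changed.append(a.username)
    return changed


if __name__ == "__main__":
    for category, names in review_accounts(ACCOUNTS, ROSTER).items():
        print(f"{category}: {names}")
    print("deactivated:", deactivate_off_roster(ACCOUNTS, ROSTER))
```

Run against a real export, the two report lists (the step (c) list and the step (d) list of deactivated accounts) are what goes to the IAM/IAO; an account that is both inactive and off-roster appears in both lists, which is intended.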

    7. AUTHORIZED/EMBARKED USERS. Users and embarked units must be familiar with and comply with all directives set forth in the user agreement for the network access granted. SAAR-N forms are mandatory for all users prior to granting access to any TTGL IS. The safeguards listed below are the responsibility of all personnel. All authorized users shall:

      1. Be familiar with TTGL Network Policy.

      2. Have a clearance and a need-to-know equal to or higher than the highest classification of all categories of access granted.

      3. Be familiar with all IS standard operating procedures commensurate with their respective level of access.

      4. Understand and comply with SAAR-N form user agreement requirements.

      5. No user will gain access to a terminal by any means other than use of his/her own credentials.

      6. All users are responsible for safeguarding their Common Access Card (CAC), CAC PIN, and account password and ensuring they are not divulged to anyone, including other authorized terminal users.

      7. No user will attempt to perform any function he/she is not authorized to perform.

      8. Upon discovery of an IS incident or vulnerability, the user must immediately notify the duty IT.

      9. Users requiring access above Authorized User must obtain written permission from the IAM.

    8. Escorted Personnel. Escorts will be provided for controlling visitors or outside maintenance personnel not appropriately cleared to enter IS spaces. The following apply to IS Escorts:

      1. Escorts shall be technically competent and familiar with the maintenance work being performed.

      2. Escorts shall actively monitor all actions conducted by maintenance personnel.

      3. Escorts shall log off of a terminal prior to leaving the immediate vicinity of the terminal.

Chapter THREE

Policy on INFORMATION SECURITY (INFOSEC)/Information Systems Monitoring
