FSO Officer: Protecting Classified Information Systems


Information Systems safeguards should reflect compliance with the National Industrial Security Operating Manual (NISPOM). The Information Security Officer (ISSO) and the Information System Security Manager (ISSM) are essential in protecting classified information.


FSO Series

A CLEARANCEJOBS SPECIAL REPORT

Protecting Classified Information Systems

by Jeffrey W. Bennett, Industrial Security Professional (ISP), for ClearanceJobs.com

Lightning-fast capabilities enable enterprises to perform on contracts more efficiently and in less time. However, because of fast distribution and processing speeds, measures must be in place to prevent unauthorized disclosure, spillage and compromise of classified information.

Classified Processing

Information systems allow businesses to increase work productivity at blinding speeds. Documents, images, and media can be duplicated, printed, emailed and faxed much quicker than technology allowed just a few years ago.

As with protecting physical classified properties, information systems and their products must also be safeguarded at the appropriate level. Primarily, classified processing is conducted in controlled areas. Computers used for uploading, storing, processing, disseminating, printing and other functions are protected at the level of the information being worked. These protection levels include creating an environment where users of Information Systems (IS) understand the policies, threat, and their role in enforcing security measures.

The safeguarding of the IS should reflect compliance with the National Industrial Security Operating Manual (NISPOM) as well as the results of thorough risk management. The security manager's responsibility is not only to look at the effectiveness of protection measures as they relate to the computer or system, but as it affects the mission and national security. As the senior security professional, the Facility Security Officer (FSO) should involve senior officers to take part in the strategic risk management. This management cooperation ensures the enterprise's vision incorporates the protection of classified information. In such an environment FSOs, industrial security specialists and others in a security discipline provide proactive measures.

Authentication

The NISPOM describes roles of key control custodians as they maintain accountability of combinations, locks and keys used in the storage of classified material. In the same way, an IS administrator controls the authentication and identification and ensures measures are in place for the proper access of the classified information stored or processed on the computer system or network. The authentication, user identification and logon information acts as "keys" controlling access to classified information on the system. Without strict control, there is no way to prevent unauthorized persons from getting to the data stored in computers or components.

All information regarding authentication must be restricted to only those with the proper clearance and need to know. Each user should have the ability to access only the data authorized. The segregation of access and need to know can be effected on either individual systems or components or an entire system capable of allowing access to many user levels. The Information System Security Manager (ISSM) or Information Security Officer (ISSO) can protect the authentication data by making it unreadable or simply controlling the file access. This system is the same theory as controlling access to security combinations and storing them in a security container affording the proper level of protection.

Just as combinations and keys are rotated and changed during certain events, user identification, removal and revalidation must also be in place. These similar measures are used to ensure the proper users have access and deny access to those who have lost their clearance or need to know, changed jobs or otherwise no longer require access to the IS. Each authorized user identification procedure is revalidated at least yearly for those who still require access. Authenticators, such as keys, passwords and smartcards, must be protected at the highest classification level needed.

Passwords must be protected at the level of classification of the data stored or processed by the IS. If an information system is configured to process SECRET information, then the password is also classified SECRET. It cannot be stored in a phone, personal data assistant, or otherwise written down unless stored in a security container. According to the NISPOM the password must be at least eight characters long and generated by an approved method. This approval is based on length of password, structure and size of password space as described in the System Security Plan designed by the ISSM. The passwords are changed annually and those passwords pre-installed in software and operating systems must be replaced before users can access the IS.

Physical Access

Physical access is controlled to prevent unauthorized personnel from obtaining and/or compromising classified material. This also applies during maintenance operations. Information systems may require repair, upgrades and other maintenance that may not be performed by the ISSM or ISSO. When necessary and available, maintenance should be performed by cleared personnel with need to know or at least with an ability to control the need to know. This is the least risky of all options as a technically knowledgeable employee can escort and monitor the repairs and ensure security processes are in place.

In many cases maintenance personnel are without security clearances or, if they do have clearances, are not cleared to the level of IS classification. They are not employees of the company and do not have the need to know. These maintenance professionals must be U.S. citizens and be escorted. The escort conducts all login and logoff and removes all classified data and media to deny access to the unauthorized repair persons. These controls prevent the uncleared persons from gaining access to passwords, authentications and classified data. They are only allowed to work on the system after system access is granted. The system is similar to opening a combination and removing contents of a security container prior to granting authorization for a locksmith to make repairs.

★ ★ ★

Jeffrey W. Bennett, ISP, is a former Army officer, FSO and is an accomplished writer of security books and periodicals. His books include ISP Certification-The Industrial Security Professional Exam Manual. He is the owner of Red Bike Publishing (www.redbikepublishing.com).

4101 NW Urbandale Drive • Urbandale, Iowa 50322 • 1.877.386.3323 • www.clearancejobs.com