NASA Procedures and Guidelines
This Document is Obsolete and Is No Longer Used.
Aborts, A.6.1.5
Acceptable level of risk, 4.2.11.3
Acceptance of risk, 4.1.11c.
Acceptance testing
for commercial off-the-shelf software, A.6.6.2
Access control, 100-102
Access privileges
loss of, 62
types of, 56, 61
Access privileges, special, 55
Access, unauthorized, 54
Account Request Document
requirement for, 63, 94
responsibility for ensuring completion of, 13
Accounts. See User Accounts
Accreditation for national security information, 70, 71
Accrediting information resources, 11
Administrative information category, 35, 86
Agency IT Security Plans, 7
Anonymous file transfer, 118
Appealing denial of access, 57
Appropriate use of IT resources, 64-66
Assignment of responsibility, 21, 22
Associate Administrator for Headquarters Operations, 7
Audits of security controls, 33
Authentication, 117, 118
Authorization
to conduct penetration tests, 58
to process, 19, 21, 22, 44, 77, 80, 113
Availability, 1, 113, 114
Awareness and training. See IT security awareness and training
Awareness and Training Plan. See IT Security Awareness and Training Plan
Backups, A.6.1.4, A.6.5.5., A.6.11.2
Banner, warning, 4.10
Baseline requirements, A.7.3
description, A.1, A.3
determining, A.3
non-waiverable, A.5.1
satisfying, A.4
use of, A.2
Boundary
Business and Restricted Technology information category, 4.2.9.B, A.3.B
Center Chief Information Officer
responsibilities, 2.2.2
Center Chief of Security
authority for conducting personnel screening, 4.5.4
responsibilities, 2.3.1
Center Director responsibilities, 2.2.1
Center Information Processing Service Organizations, 2.2.9
Center IT Security Manager
appointment of, 2.2.1.b
responsibilities, 2.2.4, 3.7
Center IT Security Plans
approval of, 2.2.2.c
description, 5.1.1
organization and content of, 5.2.2, 5.3.2
requirement for, 5.1.2
responsibility for, 2.2.2.c, 2.2.7.3.d
Center Training Office. See Training Office, 2.3.2
Center Training Plan, 3.7, 2.3.2
Certification
of protective measures for national security information, 4.12.2.b
to process. See Authorization to process
Certification statement of risk acceptance, A.6.12.1
Certifying security controls. See Authorization to process
Changing passwords, A.6.3.4, A.6.3.9
Checksums, A.7.4.2
Chief Information Officer. See NASA Chief Information Officer and Center Chief Information Officer, 2.1.1, 2.2.2
Chief of Security. See Center Chief of Security, 2.3.1
CIO. See NASA Chief Information Officer and Center Chief Information Officer, 2.1.1, 2.2.2
Classified
activities, 2.3.1.h, 2.3.1.i
information. See National security information, 4.12
Commercial off-the-shelf software, A.6.6
Communication security, 4.11
Compromises of systems and information, 4.4.2, 4.4.11.1, 4.4.11.2
Computer
crimes. See also Security incidents
gathering evidence of, 2.2.4.k
handling evidence of, 4.4.9.6
point of contact for, 2.3.5
responsibility for investigating, 52
files, 4.4.8.3
usage policies, 4.9.2
Computer room security requirements, A.8
Computer Security Act of 1987, 1.7., Chapter 3., 4.3.1.1
Computer Security Official. See Organization Computer Security Official
Confidentiality, 1.1, A.7.1.3, A.7, 1.3, A.7.1, 2.4.2
Configuration management, A.6.1.7, A.6.6.2
Connections, dial-in, A.7.3.i
Console logon, A.6.10.3
Console logs, A.6.10.3
Construction phase of life cycle planning, 4.1.9
Contingency plans. See IT Security Contingency Plans
Controlled access area security requirements, A.8.1.1
Controls. See Security controls
Copyrighted materials, 4.9.1, 4.1.13.2
COTS software. See Commercial off-the-shelf software
Criminal prosecution, 4.7.7, Figure 4-8
Critical system files, A.6.1.1
Cryptographic key management. See Key management
Customer responsibilities, 2.4.3
DAA. See Designated Approval Authority
Daemons, 4.4.11.4.c
Data
integrity, 1.1, A.7.1.1, 2.4.2
liability issues, 2.4.3.a
recovery, A.6.5.5, 5.3
responsibility for identifying value of, 2.4.2.b
responsibility for protecting, 2.4.3, 2.4.2, 2.2.7
Data backups. See Backups
Data Encryption Standard, 4.11.1.1, A.6.9
Data owner responsibilities, 2.4.2, A.6.5.4
Data, private, A.6.9.4
Data, unclassified, A.6.9
Degaussing storage media, A.6.10.4, 4.1.13
Deleting information residing on storage media, A.6.10.4, 4.1.13
Demilitarized Zones, A.7.3
Denial of service, 4.4.11.4
DES. See Data Encryption Standard
Design phase of life cycle planning, 4.1.8
Designated Approval Authority
appointment of, 2.2.1.d, 2.2.5
responsibilities, 2.2.5
role in security of national security information, 4.12.2
Dial-in connections, A.7.3.i
Digital signatures, A.7.4.2
Disposal of assets phase of life cycle planning, 4.1.13
Distributing passwords, A.6.3.8
Documentation
requirements, A.6.10.1
reviews, 3.4
Electric power requirements, A.8.3, A.8.3.1
Electronic mail, 4.8.4.1, A.7.4.4
Encryption
algorithms, 4.11.1.1, A.6.9
of passwords, A.6.9.3
of unclassified data, A.6.9
requirement for, 4.11.1.1, 4.11.2, A.6.9.1
technology, 4.11.1, 4.11.2, 4.11.3
waivers, A.5.2
Entry control, A.8.1
Erasing information residing on storage media, 4.1.13.2
Evidence, computer crime, 4.4.9.6
Excessing media, 2.2.6, A.6.10.4
Expectation of privacy, 4.10.3
Expert Centers, 2.1.2
Export controlled information, 4.2.9, 4.7.6.3, 4.7.6.4, A.7.1.3
Facility housekeeping requirements, A.8.4
Facsimile services, A.7.3
Feasibility of security controls, 4.2.11.2
File transfer sessions, A.7.3, A.7.4.2, A.7.4.4
FIPS 140, 4.11.1.1
FIPS 46-1, A.6.9
Firewalls, A.7.3
Foreign government representatives, 4.5.5
Foreign national user accounts, 2.2.8.2
Freeware, Appendix C
General support systems, 1.6, 5.1.2.1, Figure 5-3
Granting access to IT resources, 4.7.1 - 4.7.6
considerations for foreign nationals, 4.7.6.3
considerations for international partners, 4.7.6.4
considerations for U.S. residents, 4.7.6.2
guidance for, 4.7.3
management guidelines for, 4.7.6
responsibility for, 4.7.2
System Administrator guidelines for, 4.7.7
Granting user accounts, 2.2.8.2
Group user IDs, A.6.2.2
Hostile probes, 4.4.11.6
Imported software, 4.9.2
Incident reporting and response, 3.8, 4.4.9
Incident Reports. See IT Security Incident Reports
Independent reviews, 4.2.8
Information
categories, 4.2.9
compromises, 4.4.2.1, 4.4.11
sensitivity, 1.2
Information Processing Service Organizations. See Center Information Processing Service Organizations
Information Resource Management Program, 2.1.1
Information, export controlled, 4.2.9, 4.7.6.3, A.7.1.3
Initial passwords, A.6.3.10
Inspector General. See Office of Inspector General
Installation, integration, and testing phase of life cycle planning, 4.1.10
Integrity, 1.1, A.6.5.5, A.6.7, A.7.1, A.7.1.1
International partners, 4.5.5
Internet server log files, A.6.1.4
Investigating security incidents, 2.3.1, 4.4.8
Isolation LANs, A.7.3
IT resources
appropriate use of, 4.8, 4.8.1 - 4.8.4
definition, 1.6
determining value of, 4.2.10.2
monitoring use of, 4.8.4.2, 4.10.4
protecting, 1.1, 2.4.3, A.7.2
protecting from fire and water, A.8.2
IT security awareness and training, 3.7, 4.3, 4.3.1 - 4.3.6
approach used for, 4.3.2
audience categories, 4.3.3
basis for, 4.3.1.1
requirement for, 3.7
subject matter areas, 4.3.4
training levels, 4.3.5
training matrix, 4.3.6
IT Security Awareness and Training Plan, 2.2.4, 2.3.2, 3.1, 3.7
IT Security Contingency Plans, 5.3, 5.3.1 - 5.3.3
IT Security Incident Reports, 3.1, 4.4.8.2
IT Security Incident Response Team, 2.3.3
IT security planning, 4.2, 4.2.1 - 4.2.13
description, 4.2.1
determining scope, 4.2.6
frequency, 4.2.4
responsibility for, 4.2.3
IT Security Plans, 5.1, 5.2. See also Agency IT Security Plans and Center IT Security Plans
approval sheet for, 4.2.12.1
cover letter for, 4.2.12.1
description of, 5.1.1, 5.2.1
for general support systems, 1.6, 5.1.2.1, Figure 5-3
for major applications, 1.6, 5.1.2.1, Figure 5-4
frequency of updates, 3.1, 4.2.13.2
requirement for, 3.3, 5.1.2
responsibility for, 2.2.6, 3.1
reviewing, 4.2.13.1
updating, 3.4, 4.2.13.2
writing, 1.6, 4.2.12
IT Security Program
description, 1
metrics, 3, 3.1. See also Metrics
objectives, 1.1
overview, 1
philosophy, 1.2
IT Security Working Group, 2.1.2
Job input/output, A.16.10.5
Journals, A.6.1.3, A.6.1.4
Key management, A.6.9.1, A.6.9.2
Keystroke monitoring, 4.10.1, 4.10.4
Laboratory area security requirements, A.8.1.2
LAN Managers, A.7.2
Laws concerning computer crimes, 4.2.10.5
Liabilities, user, 2.4.3, 4.1.13, 4.2.10.5
License agreements, 4.1.13, 4.9.1, 4.9.1
Life cycle process
construction phase of, 4.1.9
design phase of, 4.1.8
disposal of assets phase of, 4.1.13
installation, integration, and testing phase of, 4.1.10
operations phase of, 4.1.11
phases of, 4.1.5
project definition phase of, 4.1.7
project initiation phase of, 4.1.6
relationship to IT security planning, 4.1.4
requirements for, A.6.8.1
upgrade phase of, 4.1.12
Limited privilege access, 4.5.3, 4.5.5, 4.7.5, A.6.1.2
Line managers
assignment of, 3.1.1, 4.1.11
responsibilities, 2.2.7, 2.3.5, 2.4.1, 2.4.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 4.1.11, 4.1.13, 4.2.3, 4.2.7, 4.2.8, 4.2.10, 4.2.11.3, 4.2.11.4, 4.2.12, 4.2.13, 4.4.10, 4.5.2, 4.7-4.9.2, 4.11
Log files, 4.10.4, A.6.1.4
Logic bombs, 4.4.11.4, A.6.6.1
Logical access control. See Access control
Logins, remote, A.7.4.2
Logon attempts, unsuccessful, 4.4.6.2, A.6.4.2
Logon to consoles, A.6.10.3
Logs, console, A.6.10.2, A.6.10.3
Major applications
definition, 1.6, 4.2.8
IT Security Plans for, 5.1.2
responsibility for, 2.2.3
Major information systems, 2.2.3, 4.2.8
Malicious code, 4.4.11.5, 4.9.2, A.6.7
Media storage, A.6.10.4
Message routing, A.7.3
Metrics, 3.0
frequency of completion, 3.1.3
responsibilities for, 3.1.1
responsibility for establishing reporting procedures, 3.1.7
Mission critical systems, 4.2.8
Mission information category, A.3, A.7.4.4
Monitoring
system events, A.6.1.3
use of IT resources, A.7.1.2
Multi-user
computers, A.6.5
systems, A.6.10
workstations, A.6.11.12
NASA Chief Information Officer, 2.1.1, 5.2.2
NASA IT Security Architecture document, 4.2.10.6, A.4
NASA Resource Protection facility, 4.2.8
National Industrial Security Program Operating Manual Supplement, 4.12.2
National security information, 4.12
accreditation for, 4.12.2
accrediting resources that process, 2.2.1.d
certification of protective measures, 4.12.2
responsibility for developing policies and procedures protecting, 2.3.1.f
responsibility for investigating compromises of, 2.2.1.h
Security Operations Plan, 4.12.2
Network Emergency Response Plan, A.7.2
Network security requirements, A.7
architecture, A.7.2
availability, A.7.1.2
components, A.7.5
confidentiality, A.7.1.3
connections, A.7.4.3
data integrity, A.7.1.1
for Business and Restricted Technology information, 4.2.9
for Mission information, 4.2.9
isolation, A.7.2, A.7.4
NISPOMSUP, 4.12.2
Non-privileged access, 4.5.4
Non-waiverable security requirements, A.5.1
Notification to users at logon, 4.10.
Office area security requirements, A.8.1.3
Office of Inspector General, 2.3.5, 4.4.9
Official business use of Government resources, 4.8.2, 4.8.3
OMB A-11, 4.2.8.b
OMB Circular A-130, 1.6.b.1, 1.7.b, 3, 4.3.1.1, A.5.1
Operating systems
configuration management, 4.1.7, 4.2.9.d
Operations phase of life cycle planning, 4.1.11
Operations, privileged, A.6.10.2
Organization Computer Security Officials, 2.2.6
IT Security plan, 4.2.12.2
responsibilities for reviewing system documentation, 3.6
Organization managers. See Senior organization managers
Password files
encryption of, A.6.9.3
restrictions on accessing, A.6.1.1
Password guideline compliance, 2.2.8
Passwords
accountability for, A.6.3.1
changing, A.6.2.4
distributing, A.6.3.8.
encryption of, A.6.9.3.
initial, A.6.3.10.
lifetime, A.6.2.4
non-triviality of, A.6.3.3.
resetting, A.6.3.9.
reuse of, A.6.3.6.
sharing, A.6.3.5
storage of, A.6.3.7.
PCITS. See PCITS
Penetration test teams, 4.6.5.
Penetration testing
cause for suspending, 4.6.6.
guidelines for, 4.6.6.
training for conducting, 4.6.1.
Penetration tests
authorization to conduct, 4.6.5.1.
boundaries, 4.6.5.1.
conducted by Center IT Security Manager, 4.6.6.
conducted by organizations, 4.6.5.
definition of, 4.6.2.
reporting results of, 60
responsibility for conducting, 4.6.6.
types of, 4.6.4.
use of, 4.6.5.3.
Perimeters, security, A.7.3.
Periodic reviews
independent, 3.4.
reporting results of, 3.4.
requirements, 3.4.
responsibility for conducting, 3.4.
scope and frequency, 3.4.
Personnel screening, 4.5.
establishing a process for, 4.5.4.1
requesting, 4.5.4.3.
responsibility for, 4.5.2.
verification of, 4.5.4
Personnel security investigations, 2.3.1.
Physical controls, 4.2.11.1.
Physical security
requirements, A.8.
responsibility for ensuring, 2.3.1.
Privacy
expectation of, 4.10.3.1.
information requiring protection, A.6.9.4.
Privacy Act, P.3
Private data, A.6.9.4.
Privileged access
definition, 4.5.3.
operations, 4.5.3.
programs, 4.5.3.
users, 4.5.3.
Privileges, operating system, 4.4.11.1.
Procedural controls, 4.2.11.1.
Procurement Office, 2.3.4.
Program managers, 2.4.1.
Project definition phase of life cycle planning, 2.2.2.
Project initiation phase of life cycle planning, 2.2.2.
Project life cycle. See Life cycle process
Project managers, 2.4.1.
Proper use. See Appropriate use of IT resources
Proxy logins, A.7.4.2.
Public Access information category, 4.2.9.
Public domain software, A.6.7.
for mainframes, A.6.7.2.
for user workstations, A.6.7.1.
guidelines for using, 4.9.2., A.6.7.
Public Law P.3
Public Trust positions. See Glossary
Re-authorization to process, A.6.12. See also Authorization to process
Recertification. See Re-authorization to process
Recommended controls, 4.2.11.2.
Remote
logins, A.6.4.1.
users, 4.5.5.
Reporting security incidents, 2.2.4.j(4), 4.4.3, 4.4.4.1, 4.4.9.2, 4.4.9.4
Requirements, baseline, A.1.
description, A.3.
determining, A.1.
non-waiverable, A.5.
satisfying, A.4.
use of, A.2.
Resetting passwords, A.6.3.9.
Responsibilities
of Associate Administrator for Headquarters Operations, 2.2.1.
of Center Chief Information Officers, 2.2.2.
of Center Chief of Security, 2.3.1.
of Center Directors, 2.2.1.
of Center Information Processing Service Organizations, 2.2.9.
of Center IT Security Managers, 2.2.4.
of data owners, 2.4.2.
of Designated Approval Authorities, 2.2.5.
of IT Security Incident Response Teams, 2.3.3.
of line managers, 2.2.7.1.
of NASA Chief Information Officer, 2.1.1.
of, 18
of Organization Computer Security Officials, 4.2.8.
of Procurement Offices, 2.3.4.2.
of program managers, 2.4.1.
of senior organization managers, 2.2.3.
of System Administrators, 2.2.8.1.
of the Manager of the PCITS, 2.1.2.
of Training Offices, 2.3.2.
of users, 2.4.3.
Responsibility, assignment of, 3.2.
Restarts, A.6.1.5.
Reusing
passwords, A.6.3.6.
user IDs, A.6.2.1.
Revalidating user IDs, A.6.2.3.
Reviews
independent, 4.2.8.
of IT security, Figure 5-5 (Part 1 of 1)
of security controls, 3.4.
periodic, 3.4.
Risk
deciding on acceptable level of, 4.2.11.3.
definition,
management, 4.2.1.
values, 4.2.10.5.
waiving, A.5.
Risk analysis, 4.1.7., 4.2.9., 4.2.10.4., 4.2.12., 4.3.4
Risk analysts
requirements for, 4.2.10.4.
responsibilities, 4.2.10.4.
Risk assessments, 4.2.10.
definition, 4.2.10.
encryption technology considerations, 4.11.1.2.
for systems requiring "special management attention", 4.2.11.3.
frequency of, 4.2.10.
initial, 4.1.6.
reporting results of, 4.2.11.3.
responsibility for conducting, 4.2.10.
Risk reduction analysis, 4.2.11.
Risk summary, 4.2.11.4.
Risk-based security approach, 1.2.
Risks
accepting, Figure 5-3 (Part 5 of 6), 2.2.2., 4.1.11.21.
determining, 4.2.10.5.
documenting, 4.2.2.
justifying, 4.2.11.4.
prioritizing, 4.2.10.5.
relationship to threats and vulnerabilities, A.5.
Risks, shared, 5.1.2.1.
Scientific, Engineering, and Research information category, A.3.c.
Screening. See Personnel screening, 4.5
Security control audits, 4.1.12
Security controls
applying, 4.2.11.5.
costs of, 4.2.11.2.
identifying, 4.2.11.1.
responsibility for certifying, 2.2.7.c.
responsibility for evaluating, 2.4.2.f.
review of, 3.4
Security Incident Reports. See IT Security Incident Reports
Security incidents, 4.4. See also Computer crimes
categories of, 4.4.11.
Center IT Security Manager's responsibilities, 2.2.4
collecting evidence, 4.4.9.6
communication regarding, 4.4.8
definition, 4.4.2.
investigating, 4.5.4
reporting, 4.4.7.
responding to, 4.4.4.
responsibility for handling, 4.4.4.
responsibility for reporting, 4.4.3
returning equipment to service, 4.4.10.
signs of, 4.4.6.
Security investigations
contesting findings of, 4.5.6.
for international partners, 4.5.5.b.
for remote users, 4.5.5.a.
Security Operations Plan, 4.12.2.b.
Security perimeters, A.7.3.a.
Security requirements. See Baseline requirements
Security test plans, 4.1.7
Self-inspections, 2.2.8
Senior organization managers, 2.2.3.
Shared risks, 5.1.2.
Shareware, 4.9.2.b.
Sharing
passwords, A.6.3.5.
user accounts, 4.4.6.2.
Shutdowns. See System shutdowns, A.6.1.5.
Single-user workstations, A.6.11.1.
Software
contractor-supplied, A.6.8.
customer-supplied, A.6.8.
imported, 4.9.2.d.
licenses, 4.9.2.c.
public domain, 4.9.2.a.
Software, application, 4.4.6.3
Space and flight programs, 4.11.2.
Special access privileges, 4.5.1.2.
Special management attention
definition, 1.6.c.
identification of systems requiring, 4.2.8.
risk assessments for systems requiring, 2.2.3.
Storage media, A.6.10.4.
deleting information residing on, 4.1.13
erasing information residing on, 4.1.13
protection of, A.8.5
Storing
media, A.6.10.4.
passwords, A.6.3.7.
Submitting waivers, A.5.3.
System
auditors, A.6.1.2
backups, A.6.1.4
compromises, 4.4.11.1.
documentation reviews, 3.6.
journals, A.6.1.3
retention, A.6.1.4
System Administrators
assignment of, 2.2.8.
knowledge and skills required, 3.7
requirement for, 2.2.8
responsibilities, 2.2.8
training, 2.2.4
System files, critical, A.6.1.1.
System logs, missing or altered, 4.4.6.2.e.
System Security Administrators, 4.2.7. See also System Administrators
System shutdowns, unscheduled, A.6.1.5
Systems
definition, 1.6.b.
responsibility for certification of, 2.2.7.c.
untrusted, A.7.3.k.
Technical controls, 4.2.11.1
Technical security requirements, A.6
Telnet sessions, A.7.4.4
Test plans, 4.1.7
Threats
identification of, 4.2.10.1
relationship to risks and vulnerabilities, 4.2.10.4
Training. See IT security awareness and training
Training Office responsibilities, 2.2.4, 2.3.2
Training Plan. See IT Security Awareness and Training Plan
Training Plan, Center, 2.3.2
Trap doors, 4.9.2(d)
Trojan code, 4.9.2(d), A.6.6.1, C
Trojan horses, 4.4.11.4
Trusted logins, A.7.4.2
Trusted network partners, A.7.4.3
Unauthorized access, 4.4.11.3
Unclassified data, A.6.9
University environments, 1.3(c)
Unscheduled system shutdowns, A.6.1.5
Untrusted systems, A.7.3(k)
Unused user IDs, A.6.2.4
Upgrade phase of life cycle planning, 4.1.12
Usage policies. See Computer usage policies
User accounts
for foreign nationals, 4.7.6
granting, 4.7.6
responsibility for disabling, 2.2.8.2(b)
security incidents affecting, 4.4
sharing, 4.4.8.3
User authentication. See Authentication
User IDs
changing passwords associated with, A.6.2.4
disposition of, A.6.2.4
lifetimes of, A.6.2.4
process for obtaining, A.6.2.1
reminders to change, A.6.2.4
reusing, A.6.2.5
revalidation of, A.6.2.4
termination of, A.6.2.6
User IDs, group, A.6.2.2
User IDs, unused, A.6.2.4
User liabilities, 2.4.3, 4.5.4.2
User responsibilities, 2.4.3
Users, privileged, A.6.1.2
Value of IT resources, 4.2.10.2
Virtual Private Networks, A.7.3
Virus detection software, A.6.11.1, A.6.11.2
Viruses
checking for, 4.9.2(d)
responding to, 4.4
signs of, 4.4.6.5
Vital records, Figure 5-6
Vulnerabilities
definition of, 4.2.10.4(d)
identification of, 4.2.10.4
of interconnected systems, 4.2.10.4(e)
relationship to risks and threats, 4.2.10.4
sources for assessing, 4.2.10.4(c)
Waiver requests, 4.11.3
Waivers, A.5 - A.5.3.4
appeals process, A.5.3
for encryption technology, A.5.2
philosophy, 1.2, 4.11.3, A.5.1
submission process, A.5.3
Warning banner, 4.10
Workstations, A.6.7.1