Effective Date: August 10, 2007
Expiration Date: June 28, 2013
There are common and essential requirements across the Agency for safeguarding all PII in digital form. All PII must be handled and protected as Sensitive But Unclassified (SBU) information in accordance with NPR 1600.1, NASA Security Program Procedural Requirements. The following specific requirements apply to protecting and monitoring the movement of digital PII.
2.2.1 Any PII on mobile computers/devices shall, at a minimum, be encrypted by users with Entrust or native encryption in Microsoft and Apple operating systems or any other NASA CIO-approved encryption solution.
2.2.2 A "time-out" function requiring user reauthentication after a maximum of 30 minutes of inactivity shall be employed by users for mobile devices or with remote access.
2.2.3 When any mobile storage device contains PII, users shall label the device, at a minimum, with "NASA Privacy Information; Protect Accordingly."
2.3.1 System owners shall ensure that access to PII on their systems is only accomplished by users via two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.
2.3.2 Access to PII shall use a "time-out" function that requires user reauthentication after 30 minutes of inactivity.
PII data must be protected during transmission. PII data will be encrypted using a FIPS 140-2 compliant encryption methodology (e.g., Secure Sockets Layer (SSL) or Internet Protocol Security (IPsec)).
Employees shall only remove PII from NASA premises or download and store PII remotely under conditions prescribed in NPR 1600.1.
NASA supervisors shall ensure that their employees who have access to PII are adequately trained and supervised in their responsibilities with regard to safeguarding PII and protecting it from unauthorized disclosure.
System owners shall ensure that all computer-readable data extracts from databases containing PII are logged and verified, including information on whether the extracted data have been erased within 90 days or that the data's use is still required.