HHS IRM Information Security Program Policy
December 15, 2004
The effective date of this policy is the date the policy is approved.
These policies and procedures will be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy dated August 7, 1997, as amended, titled "Departmental Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs, and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
Charles Havekost Date
The United States Department of Health and Human Services' (HHS) HHS Information Security Program Policy and its companion document, the HHS Information Security Program Handbook, are the foundation documents for the HHS Information Security Program. These documents implement relevant federal laws, regulations, and policies that provide a basis for the information security policies for the Department. All the policies listed in this document are accompanied by procedures and guidelines detailed in the HHS Information Security Program Handbook and subject-specific guidance in the HHS Information Security Program guidelines. Each section heading in the policy corresponds directly to procedural guidance in the HHS Information Security Program Handbook.
As the HHS Information Security Program evolves, this document is subject to review and revision. Review and update will take place at least annually, or when changes occur that identify the need to revise the HHS Information Security Program Policy. This may include:
The HHS Chief Information Officer (CIO) delegates the responsibility for maintaining and updating this policy to the HHS Chief Information Security Officer (CISO). All revisions shall be highlighted in the Document Change History table. Each revised policy is subject to HHS’ policy review and approval process before becoming final. When approved, a new version of this HHS Information Security Program Policy shall be disseminated throughout the Department.
The United States Department of Health and Human Services (HHS) is responsible for implementing and administering an information security program. This program must protect the Department's information resources, in compliance with applicable public laws, federal regulations, and Executive Orders (E.O.), including the Federal Information Security Management Act of 2002 (FISMA); the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, dated November 28, 2000; and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). To meet these requirements, HHS has instituted the HHS Information Security Program Policy and developed the accompanying HHS Information Security Program Handbook.
1.1 Scope and Applicability
This HHS Information Security Program Policy provides a baseline of security policies for the Department. These policies apply to the Department, which includes Operating Division (OPDIV) and Staff Division (STAFFDIV) personnel, contractors, and other authorized users. This document, and additional HHS guidance, provides a minimum standard for the Department. These standards will continue to be developed as the program matures. OPDIVs can exceed these standards, but must consistently apply at least the minimum.
This document establishes mandatory policies to ensure confidentiality, integrity, availability, reliability, and non-repudiation within the Department's infrastructure and its operations. It is the policy of HHS that the Department abides by or exceeds the requirements outlined in this document. In addition, to ensure adequate security, the OPDIVs shall implement additional security policies, as appropriate for their specific operational and risk environment. This policy supersedes the HHS Automated Information Systems Security Program Handbook, known as the Redbook, dated May 1994.
This HHS Information Security Program Policy does not apply to any information system that processes, stores, or transmits foreign intelligence or National Security information under the cognizance of the Special Assistant to the Secretary (National Security) pursuant to E.O. 12333 or subsequent orders. Contact the Special Assistant to the Secretary (National Security) to obtain security policy and guidance for these systems.
This HHS Information Security Program Policy imposes special responsibilities on some positions. These policies apply to all information systems, including hardware, software, and data, and to all facilities that house these information systems and infrastructures. The HHS Information Security Program Handbook provides additional details on implementing the policies stipulated in this document.
The Clinger-Cohen Act of 1996, formerly the Information Technology Management Reform Act (Public Law 104-106), OMB Circular A-130, and FISMA are statutes that require federal agencies to protect their information resources and data by establishing information security programs and imposing special requirements for protecting personal information. This HHS Information Security Program Policy evolved from these mandates. It incorporates the requirements of E.O.s, Homeland Security Presidential Directives (Hspd), public laws, National Institute of Standards and Technology (NIST) Special Publications (SP), and federal and Departmental standards and regulations. This policy document will be used in conjunction with any current HHS Information Resource Management (IRM) policies and guidelines.
FISMA charges NIST with special responsibilities to develop guidance to improve federal-wide information security planning, implementation, management, and operation. Guidance from NIST's Computer Security Resource Center (CSRC) should be used to support the Department's information security efforts; instruction on a wide variety of information security related topics can be found at the NIST Web site, http://csrc.nist.gov/publications/index.html.
These authorities and guidance documents are listed in appendix B.
This section provides an overview of this HHS Information Security Program Policy. It highlights the Department's information security policy requirements, security responsibilities, and summarizes subsequent sections of this document.
HHS is responsible for implementing a Department-wide information security program to assure that each information system and associated facility provides a level of security that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure, or modification of the information contained in the system. Each system's level of security shall protect the confidentiality, integrity, and availability of the information and comply with all security and privacy-related laws and regulations.
The Department shall administer an information security program that meets statutory, regulatory, and Departmental requirements, as well as the needs of the public. OPDIV information security programs shall comply with the HHS Information Security Program and must meet the minimum standards set forth by that program. OPDIVs may impose stricter policies where appropriate.
2.1 Document Organization
NIST delineates security controls into the three primary categories of management, operational, and technical, which structure the organization of the HHS Information Security Program Policy document.
This document contains policies that satisfy minimum-security requirements.
The HHS Information Security Program Handbook provides procedures outlining how to implement these policy requirements, and the HHS Information Security Program guides provide further guidance on specific aspects of the policy. (See appendix E for a complete list of the HHS Information Security Program documents). These requirements satisfy FISMA and information security best practices.
2.2 Roles and Responsibilities
The HHS Information Security Program is a component of a larger structure. Congress and OMB have imposed special responsibilities on the HHS CIO and the HHS CISO, while still reinforcing the direct responsibilities of the Department's mission and business leaders. Ultimately, mission and business leaders remain responsible for using risk-management principles to select and implement appropriate information security safeguards. The infrastructure provided by the HHS CIO and supported by the HHS and OPDIV CISOs supports these decisions.
The structure of the HHS Information Security Program is meant to provide collaboration between the OPDIVs and the HHS CIO, while assuring compliance with legislative and regulatory mandates and the HHS Information Security Program Policy. The program encompasses initiatives that address information security planning, policy development, education and awareness, communication, privacy, and compliance reviews. The program outlines individual responsibilities for specific roles within HHS. These individual responsibilities are explained in the following subsections.
2.2.1 Secretary of HHS
The Secretary for HHS is responsible for:
2.2.2 Department Leadership
Several leaders in the Department have specific information security responsibilities. The Departmental security leadership includes the following positions:
126.96.36.199 HHS CIO
The HHS CIO is responsible for:
188.8.131.52 OPDIV Heads
OPDIV Heads are responsible for:
184.108.40.206 Deputy Assistant Secretary for Finance
The Deputy Assistant Secretary for Finance is responsible for:
220.127.116.11 Assistant Secretary for Administration and Management
The ASAM is responsible for:
18.104.22.168 Deputy Assistant Secretary for Human Resources
The Deputy Assistant Secretary for Human Resources is responsible for:
2.2.3 Information Security Leadership
The information security leadership at the Department is responsible for overseeing, developing, and implementing the Department's information security program. The Departmental information security leadership consists of the following roles:
22.214.171.124 HHS CISO
The HHS CISO is responsible for:
126.96.36.199 OPDIV CIOs
OPDIV CIOs are responsible for:
188.8.131.52 OPDIV CISOs
OPDIV CISOs are responsible for:
184.108.40.206 OPDIV ISSOs
OPDIV ISSOs are responsible for:
220.127.116.11 CIO Council
The CIO Council is responsible for:
18.104.22.168 CISO Working Group
The CISO Working Group is responsible for:
2.2.4 Information Security Roles
Within the HHS Information Security Program, persons in other roles have responsibilities related to maintaining the information security posture of the Department. These roles include:
22.214.171.124 Designated Approving Authority
The DAA is the CIO, or other person designated by the CIO, and has the following responsibilities for systems and networks under his/her authority:
126.96.36.199 Certification Authority
The CA has the following responsibilities for systems and networks under his/her authority:
188.8.131.52 Program Executives
Program executives are responsible for:
184.108.40.206 Critical Infrastructure Protection Coordinator
The CIPC is responsible for:
220.127.116.11 Contingency Planning Coordinator
The Contingency Planning Coordinator is responsible for:
18.104.22.168 System Owners
System owners are responsible for:
22.214.171.124 Data Owners
Data owners are responsible for:
126.96.36.199 System/Network Administrators
System/Network administrators are responsible for:
188.8.131.52 Contracting Officers
COs are responsible for:
184.108.40.206 Personnel Officers
Personnel officers are responsible for:
Supervisors are responsible for:
220.127.116.11 Users and Employees
The Department's users and employees are responsible for:
2.2.5 Department Security Council
18.104.22.168 Information Technology Investment Review Board
The Information Technology Investment Review Board (ITIRB) is responsible for:
3. Management Policies
3.1 Capital Planning and Investment
Integrate and explicitly identify funding for information security technologies and programs into IT investment and budgeting plans. Establish consistent methodologies for determining information security costs for all Departmental systems and networks. Ensure that any Departmental system that is reported to FISMA must be mapped to an exhibit 300 and/or exhibit 53. This policy should be implemented in coordination with the HHS-IRM-2000-0001, HHS IRM Policy for Capital Planning and Investment Control, January 8, 2001.
3.2 Contractors and Outsourced Operations
Implement appropriate safeguards to protect Departmental systems and networks from unauthorized access throughout all phases of a contract. Review contracts to ensure that information security is appropriately addressed in the contracting language.
3.3 Security Performance Measures and Metrics
Develop and implement an information security performance measurement program to evaluate the effectiveness of technical and nontechnical information security safeguards, support mandatory data collections required by Congress, OMB, and the Office of Inspector General (OIG), and enable the creation, analysis, and reporting of information security performance measures selected by the Department. The program shall be linked to the Department's strategic plan and include measures of implementation, efficiency, effectiveness, and impact. Report all measures to the Secretary quarterly.
3.4 Critical Infrastructure Protection Support
Establish and implement a CIP program to comply with the Homeland Security Presidential Directive/Hspd-7, Critical Infrastructure Identification, Prioritization, and Protection, December 17, 2003, and develop and document a CIP Plan that identifies Departmental critical infrastructures and plans to minimize vulnerabilities.
3.5 System Life Cycle
Integrate security into the SLC for all Departmental systems from inception to the disposal phases of the system through adequate and effective management, personnel, operational, and technical control mechanisms.
3.6 Change Management Control
Establish, implement, and enforce change management and configuration management controls on all Departmental systems and networks that process, store, or communicate sensitive information, to include the preparation of configuration control plans for all Departmental systems and networks.
3.7 Risk Management
Establish and implement a risk-management program, responsibilities, and processes for all Departmental personnel, systems, networks, data, and facilities that house them.
3.7.1 Security Program Review
Conduct independent security program reviews on all Departmental information security programs to determine the program's effectiveness, at least annually.
3.7.2 Security Control Review
Review all security controls on all Departmental systems, networks, and interconnected systems to ensure that adequate security controls are implemented to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of information, at least annually.
3.7.3 Risk Assessments
Conduct assessments of the risk and magnitude of the harm that would result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems and networks that support Departmental operations when significant modifications are made and/or at least every three years.
3.7.4 System Interconnectivity/Information Sharing
Obtain written authorization from management (e.g., DAA) prior to connecting with other systems and/or sharing sensitive data/information.
3.8 Privacy Impact Assessments
Conduct PIAs on all Departmental information systems as instructed by OMB Memorandum M-03-22 that includes, but is not limited to, the collection of new information in identifiable form (IIF) or when the Department develops, acquires, and/or buys new information systems to handle collections of IIF. PIAs are also required when significant changes are made to these systems. Maintain both soft and signed hard copies of all PIAs and submit electronically both parts of the PIA (Analysis Worksheets and PIA Summary) to the HHS CISO. This policy shall be implemented as required by Section 208(b) of the E-Government Act of 2002 (Public Law 107-347, U.S.C. Title 44, Chapter 36) and consistent with the intent of OMB Memorandum (M)-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.
Conduct self-assessments on all Departmental systems and networks at least annually in accordance with NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems. Maintain and submit all NIST Self-Assessments to the HHS CISO.
3.10 Plan of Action and Milestones
Capture all information security program and system weaknesses that require mitigation in the POA&M in accordance with the standards and guidelines set forth by OMB and the HHS CISO.
3.11 System Inventory
Develop and maintain an inventory of all Departmental systems and networks and update annually or when significant changes occur to the system. Maintain and submit all system inventories to the appropriate Departmental Enterprise Architect. The Enterprise Architect will be responsible for reporting any changes or updates to the HHS CISO. This policy shall be implemented as required by the Clinger-Cohen Act, Division E, Section 5402, and as required by FISMA, Section 305.
3.12 System Categorization
Establish and document all Departmental systems, networks, and data categorizations in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information, February 2004.
3.13 System Security Plans
Develop and document SSPs for all Departmental systems and networks in accordance with NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems. Update SSPs at least once every three years or when significant changes occur to the system.
3.14 Authorize Processing (Certification and Accreditation)
Ensure that all Departmental systems and networks are formally certified through a comprehensive evaluation of the technical and nontechnical security features. Any significant changes occurring to Departmental systems, networks, or to its physical environment, users, etc., require a review of the impact on the security of the information processed and shall require re-accreditation. All systems will be re-accredited every three years at a minimum or when a major change occurs. Maintain and submit all accreditation letters to the HHS CISO.
3.15 Policy Waiver
Obtain written authorization (form located in appendix F) from the OPDIV CISO if compliance with the HHS Information Security Program Policy is not feasible or technically possible, or if an OPDIV needs to deviate from a policy to support its mission or business function. The OPDIV will have 60 days to file the waiver or become compliant with the policy in question. All policy waivers must be recorded and maintained for inspection by the HHS CISO.
4. Operational Policies
4.1 Personnel Security
4.1.1 Background Investigations
Ensure that all Departmental information security employees and contractor personnel are designated with position-sensitivity levels that are commensurate with the responsibilities and risks associated with the position. Require suitability background investigations to be completed and favorably adjudicated for personnel assigned to these positions prior to allowing access to sensitive Departmental systems and networks.
Perform reinvestigations in accordance with the guidance provided in the HHS Personnel Security/Suitability Handbook.
4.1.2 Rules of Behavior
Develop system rules of behavior for all Departmental systems and networks that include specific security rules for each system. Require all Department system users to read, acknowledge, and comply with their roles and responsibilities and security rules of each system. Require all users to sign a rules of behavior agreement prior to being granted full access to all Departmental systems and networks. Digital signatures may be employed; however, if the technology is not available, then the individual's original signature should be obtained to acknowledge the receipt of the appropriate rules of behavior.
4.1.3 Disciplinary Action
Enforce disciplinary or adverse actions against Departmental employees or contractors who violate the HHS Information Security Program Policy, HHS Information Security Program Rules of Behavior, and system-specific rules of behavior.
4.1.4 Acceptable Use
Limit personal use of all Departmental IT resources, which include computers, telecommunications equipment, software, and other data/information services (e.g., e-mail and Internet) provided on the Departmental networks. Personal use of IT resources shall not compromise the security posture of the Department's IT resources. This policy should be implemented in coordination with the HHS-IRM-2000-0003, HHS IRM Policy for Personal Use Of Information Technology Resources, January 8, 2001.
4.1.5 Separation of Duties
Ensure that responsibilities with a security impact are shared among multiple staff by enforcing the concept of separation of duties, which requires that individuals do not have control of the entirety of a critical process.
Ensure that job descriptions accurately reflect assigned duties and responsibilities that support separation of duty.
4.1.6 Least Privilege
Ensure that all Departmental systems operate in such a way that they run with the least amount of system privilege needed to perform a specific function and that system access be granted on a need to know basis.
Enforce compliance with executive, legislative, and technical requirements to ensure that only appropriate personnel are granted access to sensitive information or system privileges.
4.1.7 Security Education and Awareness
Ensure new Departmental users receive initial security education and awareness training before being granted permanent access to Departmental systems and networks. Access to administrative systems, such as electronic or online training, can be granted for new employees on a temporary basis. All Departmental users shall receive annual (refresher) training in security education and awareness.
Provide specialized security education and awareness training for all security positions and roles that is commensurate with the individual's duties and responsibilities.
4.1.8 Personnel Separation
Upon Departmental employee or contractor termination, or other departure, ensure all access and privileges to Departmental systems, networks, and facilities are immediately revoked.
4.2 Physical Security
4.2.1 Physical Access
Limit access to rooms, work areas/spaces, and facilities that contain Departmental systems, networks, and data to authorized personnel. Controls shall be in place for deterring, detecting, monitoring, restricting, and regulating access to sensitive areas at all times. Controls must be commensurate with the level of risk and must be sufficient to safeguard these IT resources against possible loss, theft, destruction, accidental damage, hazardous conditions, fire, malicious actions, and natural disasters.
4.2.2 Physical Security
Ensure that rooms, work areas/spaces, and facilities that contain Departmental IT resources that process, transmit, or store sensitive or privacy information implement physical protection measures that are commensurate with the level of risk.
4.2.3 Visitor Policy
Restrict and control visitor access at all times to rooms, work areas/spaces, and facilities that contain Departmental IT resources. Records that contain visitor access information shall be maintained.
4.3 Environmental Security
Ensure that all Departmental systems and networks are located in areas not in danger of water damage due to leakage from building plumbing lines, shut-off valves, and other similar equipment to support meeting federal and local building codes. Implement procedures to address infrastructure emergencies and provide access to the Department.
4.3.1 Fire Prevention
Install and ensure operability of fire suppression devices, such as fire extinguishers and sprinkler systems, and detection devices, such as smoke and water detectors, in all areas where Departmental critical systems are maintained (this includes server rooms, tape libraries, and data centers) to meet federal and local building codes.
4.3.2 Supporting Utilities
Install and ensure operability of air control devices, such as air-conditioners and humidity controls, in all areas where Departmental critical systems are maintained (this includes server rooms, tape libraries, and data centers) to meet federal and local building codes.
4.4 Media Control
4.4.1 Media Protection
Protect all Departmental electronic media (e.g., disk drives, diskettes, internal and external hard drives, and portable devices), including backup media, removable media, and media containing sensitive information from unauthorized access.
4.4.2 Media Marking
Ensure that all media containing Departmental data is appropriately marked and labeled to indicate the sensitivity level of the data.
4.4.3 Sanitization and Disposal of Information
Ensure that sanitization and disposal methods are commensurate with the sensitivity and criticality of Departmental data residing on storage devices, equipment, and hard copy.
4.4.4 Input/Output Controls
Implement physical, administrative, and technical controls to prevent unauthorized entry into office suites, operations, data storage, library, and other restricted areas. These controls shall restrict the unauthorized removal of media.
4.5 Data Integrity
Ensure that the appropriate Departmental systems and networks are equipped with data integrity and validation controls to provide assurance that Departmental information has not been altered.
Ensure that all Departmental system and network documentation is developed, readily available to appropriate personnel, secured, and up to date for routine security audits, tests, and unexpected events, such as system disruptions or outages.
4.6 Communications Security
4.6.1 Voice Communications
Ensure that all Department-owned voice communication networks provide adequate security controls at the system and environmental levels.
4.6.2 Data Communications
Ensure that sensitive data is protected from unauthorized access during transmission.
4.6.3 Video Teleconferencing
Implement adequate controls to ensure that only authorized individuals attend a specific video teleconference. Ensure that appropriate transmission protections are in place commensurate with the highest sensitivity of information to be discussed over the video teleconference.
4.6.4 Audio Teleconferencing
Implement adequate controls to ensure that only authorized individuals attend a specific audio teleconference. Ensure that appropriate transmission protections are in place commensurate with the highest sensitivity of information to be discussed over the audio teleconference.
Implement adequate controls to ensure that only authorized individuals attend a specific Webcast and are able to participate in transmitting or receiving voice, data, and graphics over the World Wide Web. Ensure that appropriate transmission protections are in place commensurate with the highest sensitivity of information (voice, data, or graphics) to be transmitted or received over the Webcast.
4.6.6 Voice-Over Internet Protocol
Ensure that the use of voice-over Internet Protocol (IP) equipment to transmit or discuss sensitive data is protected with encryption standards that are commensurate with the sensitivity level of the data.
Ensure that appropriate technical controls are implemented and enforced for facsimile technology and systems that can be used to transmit and receive sensitive information. Facsimile communications that require secure communications shall use systems configured to use encryption standards that are commensurate with the sensitivity level of the data.
4.7 Wireless Communications Security
4.7.1 Wireless Local Area Network (LAN)
Ensure that the appropriate Departmental CIO approves the overall wireless plan for his/her respective organization. Wireless networks shall not be connected to wired Departmental networks except through appropriate controls (e.g., Virtual Private Network (VPN) port). Wireless LANs may not be used to transmit, process, or store sensitive information unless protected with encryption standards that are commensurate with the sensitivity level of the data.
4.7.2 Multifunctional Wireless Devices
Ensure that sensitive data is not transmitted using wireless devices unless secured with encryption standards that are commensurate with the sensitivity level of the data.
4.8 Equipment Security
Ensure that security controls that are commensurate with the sensitivity level of the data are maintained on all Departmental workstations.
4.8.2 Laptops and Other Portable Computing Devices
Ensure that the storage and transmission of Departmental sensitive data on laptop and portable computing devices are protected with encryption standards that are commensurate with the sensitivity level of the data.
4.8.3 Personally Owned Equipment and Software
Control the use of personally owned or non-Departmental equipment and software to process, access, or store sensitive data. Personally owned or non-Departmental equipment and software includes, but is not limited to, personal computers and related equipment and software, Internet service providers, personal e-mail providers (e.g., Yahoo, Hotmail), personal library resources, handheld and Personal Digital Assistant (PDA) devices, facsimile machines, and photocopiers. Such personally owned equipment and software shall not be used to process, access, or store sensitive information, or be connected to Departmental systems or networks without the written authorization from the appropriate Departmental CISO.
Require the use of encryption capabilities conforming to FIPS Publication 140-2, Security Requirements for Cryptographic Modules, when transmitting and storing sensitive information on personally owned equipment. Remote connection for telecommuting Departmental employees and contractors shall be executed in accordance with the Departmental policy for remote access and dial-in.
4.8.4 Hardware Security
Ensure that hardware products provide dependable, cost-effective security controls and features and preserve the integrity of the security features provided through the system software.
4.8.5 Software Security
Implement software security features that are commensurate with the sensitivity level of the data. The security controls selected must protect information resources from unauthorized access or modification.
4.8.6 Hardware/Software Maintenance
Ensure all Departmental hardware and software is tested, documented, and approved prior to promotion to production. Ensure that only authorized personnel conduct maintenance on all Departmental hardware and software.
4.9 Contingency Planning
Ensure contingency plans for all Departmental systems, networks, data, business process, and facilities are coordinated and aligned together and tested annually. Refer to the HHS Contingency Planning for Information Security Guide for implementation best practices.
4.9.1 Security Incident and Violation Handling
Establish and maintain an incident response capability to include preparation, identification, containment, eradication, recovery, and follow-up capabilities to ensure effective recovery from incidents. IRTs shall document and report all security incidents to the HHS SOCC, which will provide updates to the HHS CISO. Ensure that evidence of computer crimes is properly preserved. This policy should be implemented in coordination with the HHS-IRM-2000-0006, HHS IRM Policy for Establishing an Incident Response Capability, January 8, 2001.
4.9.2 IT Disaster Recovery
Identify, prioritize, and document disaster recovery (DR) planning requirements for all critical Departmental systems, networks, data, and facilities based on requirements set forth in FISMA; OMB Circular A-130, Appendix III; Federal Preparedness Circular (FPC) 65, Federal Executive Branch Continuity of Operations; Presidential Decision Directive (PDD) 67, Enduring Constitutional Government and Continuity of Government Operations; Federal Emergency Management Agency (FEMA), Federal Response Plan (FRP); and NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. The DR plan and procedures shall be tested annually or as significant changes are made. Refer to the disaster recovery section of the HHS Contingency Planning for Information Security Guide for implementation best practices.
4.9.3 Backup Data
Implement and enforce proper backup procedures for all system and network information based on the sensitivity and criticality of the data.
4.9.4 Store Backup Data
Ensure that backup data is stored a safe distance from the primary system, does not share the same environmental conditions as the primary system, and is not at risk for the same disruptions as the primary system.
5. Technical Policies
5.1 Identification and Authentication
Implement and enforce user Identification and Authentication (I&A) techniques for all Departmental systems and networks in a manner commensurate with the risk and sensitivity of the system, network, and data.
Establish individual accountability for all Departmental systems and networks using user identifications (UserID). UserIDs shall be unique to each authorized user.
Implement and enforce logical password controls for all Departmental systems and networks. Require passwords to remain confidential and to be used for all Departmental systems and networks where more than "read" authority is available to the user.
5.2 Access Control
Implement logical access controls that provide protection from unauthorized access, alteration, loss, disclosure, and availability of information. This policy should be implemented in coordination with the HHS-IRM-2000-0007, HHS IRM Policy for the Prevention, Detection, Removal and Reporting Of Malicious Software, January 8, 2001.
5.2.1 Review and Validation of System User Accounts
Conduct annual reviews and validations of system users' accounts to ensure the continued need for access to a system.
5.2.2 Automatic Account Lockout
Implement and enforce account lockout controls that limit the number of consecutive failed log-on attempts against all Departmental systems and networks.
5.2.3 Automatic Session Timeout
Establish and implement limits of time that a session is allowed to remain idle before it is automatically timed out.
5.2.4 Warning Banner
Ensure that all Departmental systems and networks display Department-approved sign-on warning banners at all system access points.
5.3 Audit Trails
Ensure all Departmental systems and networks generate audit logs that show addition, modification, and/or deletion of information. Ensure that audit logs are protected from unauthorized modification, access, or destruction and are recorded, retained, and regularly analyzed to identify unauthorized activity.
5.4 Network Security
5.4.1 Remote Access and Dial-In
Implement and enforce remote access and dial-in security controls to provide protection for information that is stored, accessed, transmitted, and received across public or private networks. This policy should be implemented in coordination with the HHS-IRM-2000-0005, HHS IRM Policy for IT Security for Remote Access, January 8, 2001.
5.4.2 Network Security Monitoring
Implement a security event-monitoring program for all Departmental systems and networks.
Ensure that all incoming and outgoing connections from Departmental systems and networks to the Internet, intranets, and extranets are made through a firewall.
5.4.4 Internet Security
Ensure that the Department's connectivity to the Internet is within a framework of effective technical security controls using firewalls and gateways that provide external network access via Internet Service Providers (ISP) and other public or designated external entities.
5.4.5 E-Mail Security
Protect e-mail services against malicious code attacks and ensure that e-mail services are not used to relay unauthorized messages.
5.4.6 Personal E-Mail Accounts
Prohibit Departmental employees and contractors from transmitting sensitive information using any personal e-mail accounts (e.g., Hotmail, Yahoo, MSN).
5.4.7 Security Testing and Vulnerability Assessment
Ensure that all Departmental systems and networks containing sensitive or mission critical information undergo vulnerability scanning and/or penetration testing to identify security threats at least annually or when significant changes are made to the system or network.
Ensure that all information requiring protection form unauthorized disclosure is encrypted during transmission using current NIST encryption standards and Department-approved encryption products. Departmental employees and contractors shall not transmit such information without using cryptographic protections.
5.6 Malicious Code Protection
Implement and enforce a malicious code protection program designed to minimize the risk of introducing malicious code (e.g., viruses, worms, Trojan horses) into all Departmental systems and networks. This policy should be implemented in coordination with the HHS-IRM-2000-0007, HHS IRM Policy for the Prevention, Detection, Removal and Reporting Of Malicious Software, January 8, 2001.
5.7 Product Assurance
Ensure that the appropriate implementation of evaluated and approved technology products is required for all Departmental systems used to store, process, display, or transmit sensitive or privacy information.
5.8 System-to-System Interconnection
Implement a plan to establish, maintain, and terminate interconnections among Departmental systems and networks that are owned and operated by different organizations, including organizations within another federal agency.
5.9 Peer-to-Peer Communications
Ensure the use of secure instant messaging and peer-to-peer file sharing software on all Departmental systems and networks, where appropriate.
5.10 Patch Management
Implement security patches to all Departmental systems and networks in a manner that ensures maximum protection against security vulnerabilities and minimum impact on Departmental business operations. Patch management must contain a systematic process of identifying, prioritizing, acquiring, implementing, testing, and validating security patches necessary for each system or network. A risk-based decision must be documented if security patches are not applied to a system or network. The OPDIV CISO must approve all patch management policies.
Appendix A: Document Feedback
This form is for reviewer suggested corrections, revisions, or updates to improve the usefulness of the document for possible inclusion in future versions. Please forward recommended changes and comments to the U.S. Department of Health and Human Services (HHS), Office of Information Resources Management (OIRM).
By E-mail: SecureOne.HHS@hhs.gov
Appendix B: References
Executive Orders (E.O.)
E.O. 10450, Security Requirements for Government Employment, April 27, 1953.
E.O. 12333, United States Intelligence Activities, December 4, 1981.
E.O. 12958, Classified National Security Information, April 17, 1995.
E.O. 13010, Critical Infrastructure Protection, July 15, 1996.
E.O. 13011, Federal Information Technology, July 16, 1996.
E.O. 13103, Computer Software Piracy, September 30, 1998.
E.O. 13228, Establishing the Office of Homeland Security and the Homeland Security Council, October 10, 2001.
E.O. 13231, Critical Infrastructure Protection in the Information Age, October 16, 2001, as amended February 28, 2003, E.O., amendments of E.O., and other laws in connection with the establishment of the Department of Homeland Security.
Federal Preparedness Circulars (FPC)
FPC 65, Federal Executive Branch Continuity of Operations, July 26, 1999.
Presidential Decision Directives (PDD)
PDD 67, Enduring Constitutional Government and Continuity of Government Operations, October 21, 1998.
Homeland Security Presidential Directive/Hspd-7, Critical Infrastructure Identification, Prioritization, and Protection, December 17, 2003.
Public Law 83-703, Atomic Energy Act of 1954, August 30, 1954.
Public Law 93-579, Privacy Act of 1974, December 31, 1974.
Public Law 97-255, Federal Manager's Financial Integrity Act of 1982 [H.R. 1526], September 8, 1982.
Public Law 99-474, Computer Fraud and Abuse Act of 1986.
Public Law 103-62, Government Performance and Results Act of 1993, August 3, 1993.
Public Law 104-106, Division E, Clinger-Cohen Act of 1996 (formerly Information Technology Management Reform Act), February 10, 1996.
Public Law 104-191, Health Insurance Portability and Accountability Act (HIPAA) of 1996, August 21, 1996.
Public Law 107-347 [H.R. 2458], The E-Government Act, Title II - Federal Management and Promote of Electronic Government Services, and Title III - Information Security Federal Information Security Management Act (FISMA) December 17, 2002.
Office of Management and Budget (OMB)
OMB Circular A-11, Preparing, Submitting, and Executing the Budget, updated annually.OMB Circular A-123, Management Accountability and Control, June 21, 1995.
OMB Circular A-127, Financial Management Systems, July 23, 1993.
OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, November 28, 2000.
OMB Memoranda (M)
OMB M-00-07, Incorporating and Funding Security in Information Systems Investments, February 28, 2000.
OMB M-00-13, Privacy Policies and Data Collection on Federal Web Sites, June 22, 2000.
OMB M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, October 17, 2001.
OMB M-02-09, Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action and Milestones, July 2, 2002.
OMB M-03-09, Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action and Milestones, August 6, 2003.
OMB M-03-10, Planning for the President's Fiscal Year 2005 Budget Request, April 25, 2003.
OMB M-03-18, Implementation Guidance for the E-Government Act of 2002, August 1, 2003.
OMB M-03-19, Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting, August 6, 2003.
OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 30, 2003.
OMB M-99-18, Privacy Policies on Federal Web Sites, June 2, 1999.
OMB M-99-20, Security of Federal Automated Information Resources, June 23, 1999.
National Archives and Records Administration (NARA)
36 Code of Federal Regulations (CFR) Chapter XII, Subchapter B, Records Management, Part 1234, Electronic Records Management, (last amended on 5/16/01).
National Computer Security Center (NCSC)
National Computer Security Center (NCSC)-TG-025, A Guide to Understanding Data Remanence in Automated Information Systems.
National Institute of Standards and Technology (NIST)
Federal Information Processing Standards (FIPS) Publications
FIPS Publication 140-2, Security Requirements for Cryptographic Modules, June 2001.
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
Special Publications (SP)
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995.
NIST SP 800-13, Telecommunications Security Guidelines for Telecommunications Management Network, October 1995.
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996.
NIST SP 800-15, Minimum Interoperability Specification for PKI Components (MISPC) Version 1, January 1998.
NIST SP 800-16, Information Technology Security Training Requirements: A Role- And Performance-Based Model (supersedes NIST Spec. Pub. 500-172), April 1998.
NIST SP 800-17, Modes of Operation Validation System (MOVS): Requirements and Procedures, February 1998.
NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998.
NIST SP 800-19, Mobile Agent Security, October 1999.
NIST SP 800-20, Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures, April 2000.
NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government, November 1999.
NIST SP 800-22, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, October 2000.
NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, August 2000.
NIST SP 800-24, PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does, August 2000.
NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, October 2000.
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001.
NIST SP 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001.
NIST SP 800-28, Guidelines on Active Content and Mobile Code, October 2001.
NIST SP 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2, June 2001.
NIST SP 800-30, Risk Management Guide for Information Technology Systems, January 2002.
NIST SP 800-31, Intrusion Detection Systems (IDS), November 2001.
NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure, February 2001.
NIST SP 800-33, Underlying Technical Models for Information Technology Security, December 2001.
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, June 2002.
NIST SP 800-35, Guide to Information Technology Security Services, October 2003.
NIST SP 800-36, Guide to Selecting Information Security Products, October 2003.
NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.
NIST SP 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques, December 2001.
NIST SP 800-40, Procedures for Handling Security Patches, September 2002.
NIST SP 800-41, Guidelines on Firewalls and Firewall Policy, January 2002.
NIST SP 800-42, Guideline on Network Security Testing, October 2003.
NIST SP 800-43, Systems Administration Guidance for Windows 2000 Professional, November 2002.
NIST SP 800-44, Guidelines on Securing Public Web Servers, September 2002.
NIST SP 800-45, Guidelines on Electronic Mail Security, September 2002.
NIST SP 800-46, Security for Telecommuting and Broadband Communications, September 2002.
NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, September 2002.
NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, November 2002.
NIST SP 800-49, Federal S/MiME V3 Client Profile, November 2002.
NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, October 2003.
NIST SP 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, September 2002.
NIST SP 800-55, Security Metrics Guide for Information Technology Systems, July 2003.
NIST SP 800-59, Guideline for Identifying an Information System as a National Security System, August 2003.
NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004.
NIST SP 800-61, Computer Security Incident Handling Guide, January 2004.
NIST SP 800-64, Security Considerations in the Information System Development Life Cycle, October 2003.
DRAFT NIST SP 800-53, Recommended Security Controls for Federal Information Systems, October 31, 2003.
United States Department of Health and Human Services Resources
HHS-Information Resources Management (IRM)-2000-0001, HHS IRM Policy for Capital Planning and Investment Control, January 8, 2001.
HHS-IRM-2000-0001-GD, HHS IRM Guidelines for Capital Planning and Investment Control, January 8, 2001.
HHS-IRM-2000-0003, HHS IRM Policy for Personal Use Of Information Technology Resources, January 8, 2001.
HHS-IRM-2000-0004, HHS IRM Policy for Use of Broadcast Messages, Spamming and Targeted Audiences, January 8, 2001.
HHS-IRM-2000-0005, HHS IRM Policy for Information Technology (IT) Security for Remote Access, January 8, 2001.
HHS-IRM-2000-0006, HHS IRM Policy for Establishing an Incident Response Capability, January 8, 2001.
HHS-IRM-2000-0007, HHS IRM Policy for Prevention, Detection, Removal and Reporting Of Malicious Software, January 8, 2001.
HHS-IRM-2000-0008, Domain Names, January 8, 2001.
HHS-IRM-2000-0009, HHS IRM Policy for Usage of Persistent Cookies, January 8, 2001.
HHS-IRM-2000-0010, HHS IRM Policy for Active Directory, January 8, 2001.
HHS-IRM-2000-0011, HHS IRM Policy for Public Key Infrastructure (PKI); Certification Authority (CA), January 8, 2001.
HHS-IRM-2000-0012, HHS IRM Policy for Directory Services Using Lightweight Directory Access Protocol (LDAP), January 8, 2001.
HHS-IRM-2002-0001, HHS IRM Policy for Government Emergency Telecommunication System Cards Ordering, Usage and Termination, November 25, 2002.
HHS-IRM-2003-0001, HHS IRM Policy For Comments From And Responses To Operating Divisions On Newly Developed Policies and CIO Council and ITIRB Clearance Documents, February 14, 2003.
HHS-IRM-2003-0002, HHS IRM Policy for Conducting Information Technology Alternatives Analysis, supersedes 2000-0002, June 13, 2003.
Appendix C: Acronyms
Appendix D: Glossary
Access-ability to make use of any information system (IS) resource (Defined in National Institute of Standards and Technology [NIST] Special Publication [SP] 800-32, Section 9).
Access Control-enable authorized use of a resource while preventing unauthorized use or use in an unauthorized manner (Defined in NIST SP 800-27, Appendix B).
Accountability-the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after action recovery and legal action (NIST SP 800-30, Revision (Rev) A, Appendix E).
Accreditation-the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed upon set of security controls. (Defined in NIST SP 800-37, Appendix B).
Audit-a formal (usually independent) review and examination of a project or project activity for assessing compliance with contractual obligations.
Audit Trail-a chronological record of system activities to ensure the reconstruction and examination of the sequence of events and/or changes in an event. Audit trails may apply to information in an information system, input/output media controls, message routing in a communications system, the transfer of communications security material, or a record showing who has accessed a system. In conjunction with appropriate tools and procedures, audit trails can provide a means to accomplish several security-related objectives, including individual accountability, reconstruction of events, intrusion detection, and problem identification. (See the description for Audit Trails as provided in NIST SP 800-14, Section 3.13.)
Authentication-verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. (Defined in Draft NIST 800-37, Appendix B).
Authorization-the granting or denying of access rights to a user, program, or process (Defined in NIST SP 800-27, Appendix B).
Authorizing Official-official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. Also known as Designated Approving Authority or Designated Accrediting Authority (Defined in Draft NIST 800-37, Appendix B).
Availability-ensuring timely and reliable access to and use of information (Defined in 44 U.S.C., SEC. 3542).
Awareness, Training, and Education-includes (1) awareness programs set the stage for training by changing organizational attitudes towards realization of the importance of security and the adverse consequences of its failure; (2) the purpose of training is to teach people the skills that shall enable them to perform their jobs more effectively; and (3) education is more in-depth than training and is targeted for security professionals and those whose jobs require expertise in IT security (Defined in NIST SP 800-26, Appendix C).
Banner-display on an information system that sets parameters for system or data use.
Best Practices-the processes, practices, or systems identified in public and private organizations that performed exceptionally well and are widely recognized as improving an organization's performance and efficiency in specific areas. Successfully identifying and applying best practices can reduce business expenses and improve organizational efficiency (Defined in General Accounting Office (GAO) Assessing Risks and Returns: A Guide for Evaluation Agencies' IT Investment Decision-making, February 1997).
Certification-a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (Defined in NIST SP-37, Appendix B).
Certification Authority (CA)- the individual, group, or organization responsible for conducting a security certification. (Defined in Draft NIST SP 800-37, Appendix B, Certification Agent).
Confidentiality-preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (Defined in 44 U.S.C., SEC. 3542).
Contingency Plan-(1) a formal document that establishes continuity of operations processes in case of a disaster. It includes names of responsible parties to be contacted, data to be restored, and location of such data. (2) Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster (Defined in NIST SP 800-34, Appendix E).
Critical Assets-those physical and information assets required for the performance of the site mission.
Critical Infrastructure-physical and cyber-based systems essential to the minimum operations of the economy and government (Defined in PDD-63).
Critical Infrastructure Protection (CIP)-those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems, and emergency services, both governmental and private.
Data-programs, files or other information stored in, or processed by, a computer system (Defined in FIPS PUB 112, page 8).
Data Integrity-the property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit (Defined in NIST SP 800-27, Appendix B).
Database-a set of related files that is created and managed by a database management system (DBMS).
Department-Wide Information Security Program-HHS is required to develop and implement an information security program for the entire Department, including all Operating Divisions. This program must provide information security for the operations and assets of the Department, including operations and assets provided or managed by another Department (Defined in the Government Information Security Reform Act of 2000, section 3534 (b)(1)).
Destruction-the physical alteration of IT media or of IT components such that they can no longer be used for storage or information retrieval.
Encryption-cryptographic transformation of data (called "plaintext") into a form (called "cipher text") that conceals the data's original meaning to prevent it from being known or used. (Defined by System Administration, Networking, and Security Institute [SANS] at http://www.sans.org/resources/glossary.php#A).
Extranet-a network used to communicate with business partners and/or the public.
Facility-a physically definable area consisting of a controlled space that contains national security or sensitive but unclassified (SBU) information processing equipment.
Gateway-interface that provides compatibility between networks by converting transmission speeds, protocols, codes, or security measures.
General Support System (GSS)-an interconnected set of information resources under the same direct management control, which shares common functionality. A GSS normally includes hardware, software, information, data, applications, communications, and people. A GSS can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO) (Defined in Office of Management and Budget [OMB] Circular A-130, (A)(2)(c)).
Incident-a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security (defined in NIST SP 800-61, Appendix D).
Information-any communication or representation of knowledge such as facts, data, or opinions in any medium or form; including textual, numerical, graphic, cartographic, narrative, or audiovisual forms (Defined in OMB Circular A-130, 6(a)).
Information Assurance (IA)-measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (Committee for National Security System [CNSS] Instruction 4009).
Information Resources-information and related resources, such as personnel, equipment, funds, and information technology (Defined in 44 U.S.C., SEC. 3502).
Information Security (INFOSEC)-the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (44 U.S.C., SEC. 3542).
Information Technology-any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency. Equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment, or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources (Defined in 40 U.S.C., SEC. 1401).
IT Investments-IT resources that are implemented to strengthen and improve the organization's strategic objectives and business plans while reducing cost.
Integrity-guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity (Defined in 44 U.S.C., § 3542).
Intranet-an internal network intended for HHS only use.
Label-marking an item of information to reflect its security classification. (a) Internal Label. Marking an item of information to reflect the classification of the information within the confines of the medium containing the information. (b) External Label. The visible and readable marking on the outside or cover of the medium that reflects the classification of the information resident within the medium.
Local Area Network (LAN)-a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area (for example, within an office building) (Defined in NIST SP 800-46, Glossary).
Major Application (MA)-an application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. (Defined in OMB Circular A-130)
Malicious Code-software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. (Defined by SANS at http://www.sans.org/resources/glossary.php#A).
Management Controls-the security controls (i.e., safeguards and countermeasures) applied to an information system that focus on the management of risk and the management of the information security system. Actions that are performed primarily to support management decisions with regard to information system security (Defined in NIST SP 800-53, Appendix B).
Media-all materials in which data and/or information may be stored and it may include floppy disks, CD-ROMs, hard drives, software manuals, and papers.
National Security System-any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency- (i) the function, operation, or use of which: involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or, (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy (Defined in 44 U.S.C., SEC. 3542).
Need to Know-the necessity for access to or knowledge of or possession of specific information required to carry out official duties.
Network-comprises communications media and all components attached thereto whose responsibility is the transfer of information among a collection of IT systems or workstations. Network components include packet switches, front-end computers, network controllers, technical control devices, and other networks. In the context of this manual, such networks are: (a) under the operational control of an HHS official, (b) used for the transmission of classified or SBU data, and (c) may provide connectivity among information systems operated by various classified or SBU information components. Networks include wide- and local-area technologies.
Operational Controls-the security controls (i.e., safeguards and countermeasures) applied to an information system that are primarily implemented and executed by people (as opposed to the information system) (Defined in NIST SP 800-53, Appendix B).
Patch Management-the process of acquiring, testing, and distributing patches to the appropriate administrators and users throughout the organization (Defined in NIST SP 800-61, Appendix D).
Personally Identifiable Information-information in an IT system or online collection: (1) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.), or (2) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). (Defined in OMB M-03-22).
Personnel Security-the procedures established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances (Defined in National Computer Security Center [NCSC]-TG-004).
Personnel Security Clearance-an administrative determination that an individual is eligible from a security point of view for access to classified information of the same or lower category as the level of the personnel security clearance being granted.
Physical Security-the application of physical barriers and control procedures as preventive measures or countermeasures against threats to resources and sensitive information (Defined in NCSC-TG-004).
Plan of Action and Milestones (POA&M)-a document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones (Defined in OMB Memorandum 02-01).
Policy-the rules and regulations set by an organization that define the purpose of the program and its scope within an organization; assigns responsibilities for direct program implementation, as well as other responsibilities to related offices (e.g., Chief Information Office); and addresses compliance issues. A program policy sets organizational and strategic directions for security and assigns resources for its implementation (Defined in NIST 800-12).
Privacy Impact Assessment (PIA)-an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks (Defined in OMB M-03-22).
Residual Risk-the portion of risk remaining after the application of appropriate security controls in the information system (Defined in Draft NIST SP 800-37, Appendix B).
Risk-the level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring (NIST SP 800-30, Rev A, Appendix E).
Risk Assessment-the process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses (NIST SP 800-30, Rev A).
Risk Management-the process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes: risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal approval to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations (NIST SP 800-30, Rev A).
Rules of Behavior-the rules that have been established and implemented concerning use of, and security in, the system. Rules will clearly delineate responsibilities and expected behavior of all individuals with access to the system. Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of federal government equipment, assignment and limitation of system privileges, and individual accountability (Defined in NIST SP 800-18, Appendix D).
Sanitization-eliminating sensitive information from an IT system or media associated with an IT to permit the reuse of the IT or media at a lower classification level or to permit the release to unauthorized personnel or personnel without the proper need to know.
Scan-to examine computer coding and programs sequentially, part by part. For viruses, scans are made for virus signatures or potentially unsafe practices (e.g., changes to an executable file, direct writes to specific disk sectors).
Security-the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (Defined in 44 U.S.C., SEC. 3542).
Security Controls-the management, operational, and technical controls (safeguards or countermeasures) prescribed for an information system which, taken together, adequately protect the confidentiality, integrity, and availability of the system and its information (Defined in NIST SP 800-53, Appendix B).
Security Safeguards-the protective measures and controls prescribed to meet the security requirements specified for an IT system. Safeguards may include, but are not necessarily limited to, hardware and software security features; operation procedures; accountability procedures; access and distribution controls; management constraints; personnel security; and physical structures, areas, and devices.
Security Violation-the failure to comply with policy and procedures established by the federal government that could reasonably result in the loss or compromise of sensitive information.
Sensitive Data-information whose loss, misuse, unauthorized access to, modification, or destruction could adversely affect the national interest or the conduct of federal programs, or privacy to which individuals are entitled, but which has not been specifically authorized to be kept secret in the interest of national defense or foreign policy, etc. Sensitive data can relate to industry (e.g., proprietary, patented), copyrighted or business data, as well as data that is simply inappropriate for public release (Defined in FIPS PUB 102, Appendix A).
Sensitivity-the IT environment consists of the system, data, and applications that must be examined individually and in total. All systems and applications require some level of protection for confidentiality, integrity, and/or availability; these levels of required protection are determined by an evaluation of the sensitivity of the information processed, the relationship of the system to the organization's mission, and the economic value of the system components.
Separation of Duties-the practice of dividing roles and responsibilities so that a single individual does not control the entirety of a critical process (Defined in NIST SP 800-12).
Session-The period of time a user interfaces with an application. The user session begins when the user accesses the application and ends when the user quits the application.
System-(1) a collection of components (hardware, software, and interfaces) organized to accomplish a specific function or set of functions; generally considered a self-sufficient item in its intended operational use.
System Life Cycle (SLC)-a formal model of a hardware or software project that depicts the scope of and relationship among activities, products, reviews, approvals, and resources. In addition, the period that begins when a need is identified (initiation) and ends when a system ceases to be available for use (disposition). Note: Activities associated with a system include the system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal (that may instigate another system initiation) (Defined in NIST SP 800-34, Appendix E).
System Security Plan (SSP)-formal document that provides an overview of the security requirements of the information system and describes the security controls in place or planned for meeting those requirements (Defined in NIST SP 800-53, Appendix B, Security Plan).
Technical Controls-the security controls (i.e., safeguards and countermeasures) applied to an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system (Defined in NIST SP 800-53, Appendix B).
Threat-any circumstance or event with the potential to intentionally or unintentionally exploit a specific vulnerability in an information system resulting in a loss of confidentiality, integrity, or availability (Defined in NIST SP 800-53, Appendix B).
Unauthorized Disclosure-exposure of information to individuals not authorized to receive it.
User-person or process accessing an information system either by direct connections (that is, by way of terminals), or indirect connections (that is, prepare input data or receive output that is not reviewed for content or classification by a responsible individual).
Validation-the process of determining the correctness of the final product, system, or system component for the user's requirements. Answers the question, "Am I building the right product?" Verification-the process used by an independent agent to confirm or establish by testing, evaluation, examination, investigation, or competent evidence, the effectiveness of the security controls in an information system (Defined in NIST SP 800-53, Appendix B).
Vulnerability-a flaw or weakness in the design or implementation of an information system (including the security procedures and security controls associated with the system) that could be intentionally or unintentionally exploited to adversely effect an organization's operations or assets through a loss of confidentiality, integrity, or availability (Defined in NIST SP 800-53, Appendix B).
Vulnerability Assessment-formal description and evaluation of the vulnerabilities in an information system (CNSS Instruction 4009).
Appendix E: Information Security Program Documents
The Department of Health and Human Service (HHS) Information Security Program is supplemented by a series of HHS Information Security documents. These documents include:
Appendix F: Departmental Policy Waiver