Cyber Security Fundamentals (CSF) Training
Lesson 3: Army Regulations and Policies

Lesson Overview/Objectives:
• Army Regulation 25-1 Army Knowledge Management and Information Technology
• Army Regulation 25-2 Information Assurance
• Army Regulation 380-5 Department of the Army Information Security Program
• Army Regulation 380-53 Information Systems Security Monitoring
• Army Information Assurance Program Best Business Practices

At the conclusion of this lesson you will be familiar with the Army Regulations and Best Business Practices that pertain to Information Assurance.

Army Regulations
Army regulations, like all Department of Defense regulations, are implemented in a hierarchical fashion. Each regulation builds upon and supports the higher-level regulation. All Army regulations are constructed so as not to conflict with higher-level Department of Defense regulations. As an Information Assurance Security Officer, there are a slew of pertinent Army regulations, directives, manuals, and BBPs to reference and enforce. You will be a representative of the requirements contained within those regulations. Within this lesson you will be introduced to the main regulations, but it is your responsibility to become knowledgeable about the content of those regulations as they pertain to your job.
AR 25-1 Army Knowledge Management and Information Technology
AR 25-1 establishes Army policies for information technologies, policies to manage information and knowledge, and policies to assign responsibilities for carrying out those policies. It applies to the United States Army, the United States Army Reserve, and the Army National Guard. Within those components, this regulation applies to information technologies in support of Command and Control (C2) and business systems. It may also apply, when noted, to intelligence systems and National Security Systems that apply to the Army. It does not, however, directly apply to operational support for intelligence or Electronic Warfare (EW) systems. Those areas of concentration have their own regulations (Intelligence Community Directives).
AR 25-1 defines Information Technology as any system, subsystem, or equipment used in the automatic acquisition, storage, control, interchange, transmission, display, or manipulation of information. It includes computing devices and their software, firmware, and hardware, as well as any support services and their related resources. The ultimate goal of Army knowledge management is to produce a net-centric, knowledge-based force in support of the Global Information Grid (GIG). The infrastructure will be managed in an enterprise fashion and will be enhanced with centralized, information-sharing, collaborating resources such as Army Knowledge Online (AKO). AR 25-1 specifically creates the roles of Army Chief Information Officer (CIO/G6) and Army Network Enterprise Technology Command / 9th Signal Command (NETCOM/9SC) and then goes on to delineate their responsibilities. The CIO/G6 is the primary advisor to the Secretary of the Army regarding Information Technology matters.
AR 25-1 also defines roles and responsibilities for the Under Secretary of the Army and the various Assistants to the Secretary of the Army. Responsibilities for RCIOs (Regional Chief Information Officers) and DOIMs (Directors of Information Management) can be located in this regulation.
AR 25-1 reinforces the requirement, initially set at the Department of Defense level, for an Information Assurance program. AR 25-1 establishes key IA roles and then directs the creation of AR 25-2, which is the Army Information Assurance Program. AR 25-1 points Information Assurance Security Officers to AR 25-2 for a list of IASO responsibilities. We will cover those responsibilities shortly.
AR 25-1 requires all information systems to go through a formal certification and accreditation process called DIACAP (DoD Information Assurance Certification and Accreditation Process). NETCOM is tasked with the responsibility of verifying systems are in DIACAP compliance. Furthermore, AR 25-1 requires information systems to be purchased from the Army’s IA APL (Approved Products List) located at the website. System Administrators are to use the Army Gold Standards (AGM) for security configurations. Any alterations must be approved by the Designated Accrediting Authority (DAA) and then documented accordingly.
AR 25-1, as well as other DoD and Army regulations, is concerned with inappropriate use of its communication technologies. As an IASO it is your duty to become familiar with these regulations and their specific communication prohibitions. Army communication systems will not be used to promote particular candidates for public elections, promote personal financial gain opportunities, or promote unlawful activities. Email systems will not be used to transmit chain letters, spam, or hoaxes. Email systems will not be used for broadcasts to large groups of email users (entire organizations); instead, limit transmissions to the relevant audience. Large files are not to be distributed to groups of accounts via email but should instead be centrally managed with a service such as AKO.
Security incidents will be handled with the utmost timeliness. Whenever an incident occurs, whether successful or unsuccessful, it will be reported to the chain-of-command and the next highest IA-level.
All incidents will be investigated to determine their cause, and a solution to mitigate recurrence will be applied.

AR 25-2 Information Assurance
AR 25-2 is the Army’s Information Assurance Program. This regulation holds important information about the entire gamut of Information Assurance as well as the specific roles assigned to the IASO. AR 25-2 mandates Defense-in-Depth to protect resources and borrows security axioms from COMSEC, INFOSEC, TRANSEC, and physical security. It is your duty as an IASO to uphold these regulations. Failure to do so can make your actions, or lack of action, subject to the UCMJ (military) or prosecution in US District Court (civilian).
The Information Assurance Program Manager (IAPM) develops, maintains, and manages the formal IA security program. The IAPM defines the IA personnel structure and assigns the Information Assurance Network Manager (IANM), Information Assurance Network Officer (IANO), and the Information Assurance Security Officers (IASO). The IASO is ultimately assigned by the commander or manager of an activity. The IASO can be assigned to one Information System or to multiple ISs. They must obtain and maintain the appropriate IA certification(s). The Department of Defense regulations will often refer to the IASO as the IAO. IASOs must enforce the IA policy, IA guidance, and training requirements derived in the Army and DoD regulations.
The IASO must also ensure all users meet regulation requirements prior to granting user access to information systems. The users are to receive annual IA awareness training to support their access.
The IASO is tasked with reviewing system logs and judging the ramifications that system changes have on the security posture. They must make sure their systems are certified, accredited, and reaccredited when the time comes. All software must be properly licensed and verified. Any security violations and incidents will be reported to the applicable RCERT. System and Network Administrators will fulfill the duties of the IASO when an IASO is not available.
Any personnel acting as an IASO must, once appointed, complete the IASO course within 6 months. The administrator must be both IA certified and certified for the Information System on which they will be working (the computing environment).
They will also sign a Privileged-level Access Agreement (PAA) and a Non-Disclosure Agreement (NDA). Administrators will perform vulnerability assessments, maintain antivirus definitions, and ensure proper patch management of their Information System. Any system changes due to patch management will be reported to the IAM/IASO. The administrator will also implement and test data backups for that Information System. Administrators will review user accounts for legitimacy, neutralizing any default accounts or guest accounts. Departing users will have their user accounts removed before the user leaves the organization and if inactive accounts are no longer required after 45 days then they will be terminated. Any user accounts involved in knowingly harming Army Information Systems are to be suspended.
The administrator will have two separate accounts: one for privileged-level administrative access and the other a general use, non-privileged access for routine procedures. The terms to be met by general users apply to administrators as well.
The administrator must comply with the command’s Acceptable Use Policy (AUP) and sign the AUP before initially accessing their account. They also must remember to log off their accounts at the end of the day and enable password-protected screen locks that activate within 15 minutes of last activity. Both accounts belonging to the System Administrator must show signs of activity within 45 days or be subject to termination. Though the default lockout threshold (i.e., the password-enabled screen saver) should activate within 15 minutes of system inactivity, there are situations in which the lockout may impede mission readiness. These occurrences are rare, but the System Owner (SO) may override the lockout threshold so that activation occurs later, as long as the system is not unattended during the extended period, additional safeguards are implemented to reduce the risks, and there is a minimum of risk to overall system readiness (i.e., the network and its connected devices).
The lockout feature may never be disabled, however. Exceptions will never be granted for convenience or ease of use.
Examples where the lockout may be extended past 15 minutes are: standalone systems for audience presentations, or medical systems to aid triage units. Any system that supports account lockouts will have a threshold set to 3 attempts. The system must not indicate that the identity challenge or the authentication challenge was incorrectly provided. IA personnel will verify the reason for the lockout and the user’s identity before unlocking the account within 72 hours.
The reason will be documented and maintained for 1 year by the administrator. Automatic unlocking may only be approved by the DAA. Network Access Controls (NAC) will be implemented when systems attempt remote access. The systems will meet security configuration requirements such as Information Assurance Vulnerability Management (IAVM), which includes system patches, certification and accreditation standards, and host-based safeguards (i.e., updated antivirus and a firewall), before being granted access to network resources. Log-in credentials will be encrypted as they traverse trusted and untrusted networks.
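The account rules above (lockout at 3 failed attempts, no hint about whether the identity or the authentication part of the challenge failed, a documented unlock by IA personnel, and termination of accounts idle for 45 days) can be expressed in a small account-management module. The following is an added example written for this lesson, not code from the regulation or from any Army system; the account names, passwords and dates are constructed, and the use of PBKDF2 for password storage is this example's choice rather than something AR 25-2 prescribes.

```python
"""Account-policy checks modelled on the AR 25-2 points in the lesson.
Added example; all names, passwords and dates are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3                      # lock after three failed attempts
INACTIVITY_LIMIT = timedelta(days=45)      # idle accounts become termination candidates
GENERIC_FAILURE = "Authentication failed." # identical for bad user, bad password, or locked


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    last_activity: datetime
    failed_attempts: int = 0
    locked: bool = False
    unlock_log: list = field(default_factory=list)  # (when, by_whom, reason), kept for a year


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is this example's choice of password hash (an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(name: str, password: str, last_activity: datetime) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, _hash(password, salt), last_activity)


def authenticate(store: dict, username: str, password: str, now: datetime) -> tuple[bool, str]:
    """Return (ok, message). The message never reveals which part failed."""
    acct = store.get(username)
    if acct is None:
        # Hash anyway so response time does not distinguish unknown users.
        _hash(password, b"\x00" * 16)
        return False, GENERIC_FAILURE
    if acct.locked:
        return False, GENERIC_FAILURE
    if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0
        acct.last_activity = now
        return True, "OK"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return False, GENERIC_FAILURE


def unlock(acct: Account, by_whom: str, reason: str, now: datetime) -> None:
    """IA personnel unlock only after verifying the user and the cause;
    the reason is recorded so it can be retained as the lesson requires."""
    if not reason.strip():
        raise ValueError("unlock requires a documented reason")
    acct.locked = False
    acct.failed_attempts = 0
    acct.unlock_log.append((now, by_whom, reason))


def stale_accounts(store: dict, now: datetime) -> list[str]:
    """Accounts with no activity in 45 days: candidates for termination."""
    return sorted(n for n, a in store.items() if now - a.last_activity > INACTIVITY_LIMIT)
```

Note that the locked state also answers with the generic message: telling a caller that an account exists and is locked is itself the kind of identity confirmation the lesson says the system must not give.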
Each user will annually read and sign security and end-user agreements as a condition for continued access. System Administrators will maintain audit logs for all systems for no less than 90 days. An audit trail should be detailed enough to reconstruct events so that the cause of a system compromise can be determined. Centralized, enterprise audit servers will be utilized to ingest audit logs from client machines in order to minimize exposure.
Audit logs will be reviewed at least weekly. Centralized audit server logs will be maintained for a minimum of 1 year. Retain classified and sensitive Information System audit files for 1 year (5 years for SCI systems, depending on storage capability). The Administrator can remove any file, email, or attachment that interferes with the operation of an Information System without the consent of the originator or recipient. The System Administrator or Network Administrator must notify the sender and receiver of the removal. The Administrator is not allowed to access individual information or data files unless authorized to do so under explicit scenarios. An administrator may access the file if conducting a search on behalf of management.
The search must be sensible and pertinent to the occasion. For example, the administrator is not allowed to access the user’s email account when merely searching for a Word document that would be stored in the user’s personal folder. The administrator may also access user files when conducting an authorized administrative search.
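The audit requirements above (logs kept at least 90 days, reviewed weekly, detailed enough to reconstruct an event, and locked accounts verified before unlock within 72 hours) lend themselves to a small review script. The following is an added example for this lesson, not code from the regulation or from any Army system; the log lines, their format, the host names and the account names are all constructed for the example and do not reproduce any real daemon's output.

```python
"""Weekly audit-log review helpers for the AR 25-2 points in the lesson.
Added example; SAMPLE_LOG and its line format are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records: three failures and a lockout for bob (later unlocked
# by IA personnel with a reason), three failures and a lockout for carol (not unlocked).
SAMPLE_LOG = """\
2024-03-01T08:15:02Z host1 sshd: Failed password for user bob from 10.0.0.5
2024-03-01T08:15:10Z host1 sshd: Failed password for user bob from 10.0.0.5
2024-03-01T08:15:18Z host1 sshd: Failed password for user bob from 10.0.0.5
2024-03-01T08:15:18Z host1 pam: account bob locked after 3 failed attempts
2024-03-01T09:02:44Z host1 sshd: Accepted password for user alice from 10.0.0.7
2024-03-01T10:30:00Z host1 ia: account bob unlocked by ia_officer reason="identity verified in person"
2024-03-03T22:41:09Z host2 sshd: Failed password for user carol from 10.0.0.9
2024-03-03T22:41:15Z host2 sshd: Failed password for user carol from 10.0.0.9
2024-03-03T22:41:20Z host2 sshd: Failed password for user carol from 10.0.0.9
2024-03-03T22:41:20Z host2 pam: account carol locked after 3 failed attempts
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\w+): (?P<msg>.*)$")


@dataclass
class Event:
    ts: datetime
    host: str
    src: str
    msg: str


def parse(text: str) -> list[Event]:
    """Turn raw lines into events; lines that do not parse are skipped here,
    though in a real review they deserve a look of their own."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], m["src"], m["msg"]))
    return events


def failed_by_user(events: list[Event]) -> dict:
    """Count failed authentications per account."""
    c = Counter()
    for e in events:
        m = re.search(r"Failed password for user (\w+)", e.msg)
        if m:
            c[m[1]] += 1
    return dict(c)


def open_lockouts(events: list[Event], now: datetime, deadline=timedelta(hours=72)) -> dict:
    """Locked accounts with no later unlock record, mapped to whether the
    72-hour verification window has already passed."""
    locked = {}
    for e in events:
        m = re.search(r"account (\w+) locked", e.msg)
        if m:
            locked[m[1]] = e.ts
        m = re.search(r"account (\w+) unlocked", e.msg)
        if m:
            locked.pop(m[1], None)
    return {user: now - ts > deadline for user, ts in locked.items()}


def retention_satisfied(events: list[Event], now: datetime, days: int = 90) -> bool:
    """True when the oldest retained record is at least `days` old."""
    return bool(events) and now - min(e.ts for e in events) >= timedelta(days=days)


def reconstruct(events: list[Event], user: str) -> list[str]:
    """Timeline for one account, the kind of trail a reviewer needs to see
    what happened and in what order."""
    return [f"{e.ts.isoformat()} {e.host} {e.msg}" for e in events if user in e.msg]
```

Run against SAMPLE_LOG with a review date of 8 March 2024, the script reports carol's lockout as past the 72-hour window and the log store as not yet holding 90 days of history, which is exactly what a weekly reviewer should escalate.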
Lastly, user files may be accessed in support of an authorized investigation.

Information Assurance Vulnerability Alert (IAVA) is a process within the C2 system that provides for a sensing of valid information about events and the environment, reporting information, assessing the situation and associated alternatives for action, deciding on an appropriate course of action, and issuing messages directing corrective action. Additionally, IA protects those information and information-based systems essential to the minimum operations of the Army. They include, but are not limited to, telecommunications, weapons systems, transportation, personnel, budget, BASOPS, and force protection.
(See also AR 25–2 for more policy on information assurance). IA components will be designed to protect information from the wide-ranging threats to the Army’s critical information infrastructures, to include the basic facilities, equipment, and installations needed for the function of a system, network, or integrated network that will support the National Security of the United States and the continuity of Government. IA seeks to maintain effective C2 of friendly forces by protecting critical information infrastructures from unauthorized users, detecting attempts to obtain or alter information, and reacting to unauthorized attempts to obtain access to or change information.
These measures focus on the integrity, confidentiality, availability, authentication, verification, protection, and nonrepudiation of the infrastructures and the information contained within. Per DODD 8500.1, IA-enabling technologies such as Public Key Infrastructure (PKI) and biometrics will be used to protect information.

AR 380-5
AR 380-5 is the Army’s Information Security Program. It addresses the techniques to safeguard, classify, declassify, and destroy information. From authentication techniques to device hardening, this regulation is essential for IA physical security. Whenever data is written to a storage medium and then later deleted, the data isn’t truly erased. Data remanence is the pattern of ones and zeroes that is still left on the storage device after the user has “deleted” the file.
Through software or sensitive forensic equipment, the old data can be recovered, reconstructed, and ultimately lead to unauthorized disclosure of information. Removing data remanence from storage media, such as hard disks, floppy disks, and magnetic tapes, can be conducted in two distinct ways: clearing and purging. Simply reformatting a hard drive will not do. The media is cleared by writing a series of randomized ones and zeroes over the previous ones and zeroes. This is sometimes referred to as zeroization. Clearing is appropriate for object reuse within the same security compartment (for example, reusing a hard disk at the same security level within the same facility).
However, if we want to use the storage media for a different security level then we need to be more aggressive at removing data remanence. Purging is defined as the unequivocal erasing of data from the storage device in such a way so that the data may never be recovered. Storage media that maintains the data as magnetic bits, such as tapes and hard disks, will employ degaussing. Degaussing is the act of running a strong magnetic disturbance through the magnetic field of the storage device, effectively resetting the magnetic field to its original, unintelligible shipping state. It is important to purge the storage media before declassification occurs. Some magnetic tapes are impervious to degaussing so it may be best to just destroy the tapes when they are no longer needed. The varied techniques in destroying information are well documented in AR 380-5 but the destruction of choice is to incinerate the medium that holds the data.
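To make the clearing step concrete, the following is an added example for this lesson, not code from AR 380-5 or from any Army tool: it overwrites every byte of a file with random data for several passes, forces each pass out to the medium, and only then unlinks the file. The temporary file and the marker text it contains are constructed for the example.

```python
"""File-level clearing by random overwrite, illustrating the clearing step
in the lesson. Added example; sample data is constructed."""
import os
import tempfile


def make_sample_file(content: bytes) -> str:
    """Create a temporary file holding constructed sample data; returns its path."""
    fd, path = tempfile.mkstemp(prefix="clear-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def overwrite_in_place(path: str, passes: int = 3, chunk: int = 64 * 1024) -> int:
    """Overwrite all bytes of `path` with random data `passes` times, flushing
    each pass to the device. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(os.urandom(n))   # randomized ones and zeroes, as the lesson describes
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())         # push the pass through the OS cache
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """Check whether a known fragment of the original content is still readable."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def clear_file(path: str, passes: int = 3) -> dict:
    """Clear then remove the file; reports what was done."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return {"bytes_per_pass": size, "passes": passes, "removed": not os.path.exists(path)}
```

This is the clearing concept as it applies to a file on a classic magnetic disk. On solid-state media with wear levelling, and on journaling or copy-on-write file systems, the old blocks can survive in locations the file no longer maps to, so an overwrite of the file's current blocks does not reach them; that is one reason the lesson reserves purging (degaussing or destruction) for any change of security level or declassification rather than relying on clearing.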
Whether the medium is paper, microfiche, or equipment such as hard drives, simply incinerate it. No other single destruction method has been found to be as effective, versatile, and secure as incineration.

AR 380-53
AR 380-53 is the Army’s Information Systems Security Monitoring regulation. It stipulates the minimal training required to participate in Information Systems Security Monitoring and specifies who can conduct Information Systems Security Monitoring. AR 380-53 mandates that sending classified information over non-secure communication channels is prohibited and users must be made aware of this mandate. A Warning Banner will be presented to users before they are authenticated stating their communications are subject to eavesdropping. Acceptance of the Warning Banner notification implies the user’s consent to monitoring at any time.
An example Warning Banner message is provided in AR 380-53 but the required Warning Banner message is dictated in AR 25-2 paragraph 4-5(m). Appendix B of this regulation covers the Computer Defense Assistance Program (CDAP) and describes ACERT’s Role in this program. CDAP is primarily concerned with mitigating threats to Information Operations. The primary goals of those threats would be compromise of information, the corruption of data, and the disruption of operations.
A diagram depicting the CDAP process is provided within the Appendix. Annex A pertains to penetration testing. It regulates the conduct of the penetration test by specifying when testing can be conducted and what will be tested.

Best Business Practices
As stated in the Army Information Assurance Program Best Business Practices document: The BBPs will be evolutionary documents that will define approaches and methods the Army will employ to address changes and implement Information Technology (IT) policy or requirements. The Army has a goal to maintain an operationally and technically efficient Army Information Assurance Program (AIAP), focused on the most effective and innovative methods of implementing IT. The purpose and goal of developing Army Best Business Practices (BBPs) is to establish the following:
• To provide foundational directives and guidance in securing and enhancing the trust and trusted relationships of Army information, systems, and networks through application of information assurance initiatives and technology.
• To provide implementing directives and guidance for Army regulations and policy.
• To provide centralized accountability and a repository of IA or IT published doctrine.
• To provide administrative, operational, and technical systems security requirements.
• To establish and enhance baseline information assurance levels of the AEI.
• To define and mandate methods to implement the Defense in Depth (DiD) Strategy.
• To promote the use of efficient best practices and cost-effective, computer-based security features and assurances.
• To implement the concepts of mission assurance category, levels of confidentiality, and levels of robustness of information.
• To implement Army Regulation AR 25-2 (Information Assurance); DoD Directive 8500.1 (Information Assurance); DoD Instructions 8500.2 (Information Assurance Implementation) and 5200.40 (DoD Information Assurance Security Certification and Accreditation Process (DIASCAP)); and CJCSM 6510.01 (Information Assurance and Computer Network Defense) and other DoD or service guidance to align Army IA goals and objectives to support the DoD Information Management Strategic Plan.
• To assist Designated Approving Authorities (DAAs) in meeting the system accreditation policies and IA requirements before fielding or accepting systems or networks.
• To assist Commanders in the implementation of a Configuration Management Process.
• To assist in the development of Continuity of Operations Plans (COOP).
• To establish and implement specific policy, measures, and practices.
• To meet changing technology or IA requirements.
• To provide the foundation for the Networthiness Certification Program.