DHS Sensitive Systems Handbook 4300A v12

DHS 4300A Sensitive Systems Handbook

Version 12.0 November 15, 2015

Protecting the Information that Secures the Homeland

DHS 4300A SENSITIVE SYSTEMS HANDBOOK


FOREWORD

This Handbook and its Attachments provide guidance and best practices for implementation, and checklists of required and recommended measures that protect the security of DHS information.

The Handbook is based on the Department of Homeland Security (DHS) 4300 series of information security policies, which are the official documents that create and publish Departmental standards in accordance with DHS Management Directive 140-01 Information Technology System Security.

Comments concerning DHS Information Security publications are welcomed and should be submitted to the DHS Director for Information Systems Security Policy at infosecpolicy@hq. or addressed to:

DHS Director of Security Policy and Remediation

OCIO CISO Stop 0182

Department of Homeland Security

245 Murray Lane SW

Washington, DC 20528-0182

Digitally signed by JEFFREY L EISENSMITH (DN: c=US, o=U.S. Government, ou=Department of Homeland Security, ou=DHS HQ, ou=People, cn=JEFFREY L EISENSMITH, 0.9.2342.19200300.100.1.1=0387904707.DHS HQ.1)
Date: 2016.01.08 11:37:00 -05'00'

Jeffrey Eisensmith
Chief Information Security Officer
Department of Homeland Security


Contents

1.0 INTRODUCTION ..... 1
1.1 Information Security Program and Implementation Guidelines ..... 1
1.2 Authorities ..... 2
1.3 Handbook Overview ..... 2
1.4 Definitions ..... 3
1.4.1 Classified National Security Information ..... 3
    Information that has been determined, pursuant to Executive Order 13526, "Classified National Security Information," to require protection against unauthorized disclosure and is marked to indicate its classified status. [Source: Executive Order 13526] ..... 3
1.4.2 Component ..... 3
    A DHS Component is any organization which reports directly to the Office of the Secretary (including the Secretary, the Deputy Secretary, the Chief of Staff, Counselors, and staff, when approved as such by the Secretary), including both Operational Components and Support Components (also known as Headquarters Components). [Source: DHS Lexicon and DHS Management Directive 112-01] ..... 3
1.4.3 Continuity of Operations (COOP) ..... 3
1.4.4 DHS System ..... 3
1.4.5 Essential Function ..... 4
1.4.6 Federal Information Security Modernization Act of 2014 (FISMA) ..... 4
1.4.7 Foreign Intelligence Information ..... 4
1.4.8 General Support System (GSS) ..... 4
1.4.9 Information Technology (IT) ..... 5
1.4.10 Major Application (MA) ..... 5
    All Federal applications require some level of protection. Certain applications, however, because of the information they contain, require special management oversight and should be classified as MAs. An MA is distinguishable from a GSS by the fact that it is a discrete application, whereas a GSS may support multiple applications. Each MA must be under the direct oversight of a Component CISO or Information System Security Manager (ISSM), and must have an ISSO assigned. ..... 5
1.4.11 National Intelligence Information ..... 5
1.4.12 Operational Data ..... 5
1.4.13 Personally Identifiable Information (PII) ..... 6
1.4.14 Privacy Sensitive System ..... 6
1.4.1 Privileged User ..... 6
1.4.2 Public Information ..... 6
1.4.3 Sensitive Information ..... 6
1.4.4 Sensitive Personally Identifiable Information (SPII) ..... 2
1.4.5 Sensitive System ..... 3
1.4.6 Strong Authentication ..... 3
1.4.7 Trust Zone ..... 3
1.4.8 Two-Factor Authentication ..... 3
1.4.9 Visitor ..... 3
1.4.10 Vital Records ..... 4
1.5 Waivers ..... 4
1.5.1 Waiver Requests ..... 4
1.5.2 Requests for Exception to U.S. Citizenship Requirement ..... 5
1.6 Digital and Other Electronic Signatures ..... 5
1.7 Information Sharing ..... 5
1.8 Threats ..... 6
1.8.1 Insider Threats ..... 6
1.8.2 Criminal Threats ..... 7
1.8.3 Foreign Threats ..... 7
1.8.4 Lost or Stolen Equipment ..... 7
1.8.5 Supply Chain Threats ..... 7
1.9 Changes to this Handbook, and Requests for Changes ..... 7

2.0 ROLES AND RESPONSIBILITIES ..... 9
2.1 Information Security Program Roles ..... 9
2.1.1 DHS Senior Agency Information Security Officer (SAISO) ..... 9
2.1.2 DHS Chief Information Security Officer (CISO) ..... 9
2.1.3 Component Chief Information Security Officer ..... 11
2.1.4 Component Information Systems Security Manager (ISSM) ..... 13
2.1.5 Risk Executive ..... 14
2.1.6 Authorizing Official (AO) ..... 15
2.1.7 Security Control Assessor ..... 15
2.1.8 Information Systems Security Officer (ISSO) ..... 16
2.1.9 Ongoing Authorization (OA) Manager and Operational Risk Management Board (ORMB) ..... 16
2.1.10 DHS Security Operations Center (SOC) ..... 16
2.1.11 Component Security Operations Centers ..... 18
2.2 Other Roles ..... 19
2.2.1 Secretary of Homeland Security ..... 19
2.2.2 Under Secretaries and Heads of DHS Components ..... 20
2.2.3 DHS Chief Information Officer (CIO) ..... 20
2.2.4 Component Chief Information Officer ..... 21
2.2.5 DHS Chief Security Officer (CSO) ..... 23
2.2.6 DHS Chief Privacy Officer ..... 23
2.2.7 DHS Chief Financial Officer (CFO) ..... 24
2.2.8 Program Managers ..... 24
2.2.9 System Owners ..... 24
2.2.10 Common Control Provider ..... 25
2.2.11 DHS Employees, Contractors, and Others Working on Behalf of DHS ..... 25

3.0 MANAGEMENT POLICIES ..... 26
3.1 Basic Requirements ..... 26
3.2 Capital Planning and Investment Control (CPIC) ..... 26
3.2.1 Capital Planning and Investment Control Process ..... 27
3.3 Contractors and Outsourced Operations ..... 28