The U.S. Customs Service, Office of Information and Technology Automated Information Systems (AIS) Security Policy Manual is intended for those who use Customs AIS services and systems. Information throughout the manual supports the Customs mission by providing direction and guidance to protect AIS resources. It establishes uniform policies, responsibilities, and authorities for carrying out the Customs AIS Security Program. Security is provided for information that is collected, processed, transmitted, stored, or distributed for all other agencies utilizing Customs general support systems and major applications.
This high-level policy manual supplements the AIS security policies established by the U.S. Department of the Treasury, and is consistent with government-wide policies, standards, and procedures issued by the Office of Management and Budget, the Department of Commerce, the General Services Administration, and the Office of Personnel Management. Additional detailed and specific procedural guidelines, particular to Customs needs and requirements, will be issued in an iterative fashion, as appropriate. Prior releases of this manual (CIS HB 1400-04) are superseded.
Additional copies may be obtained by submitting Customs Form CF 262 to: U.S. Customs Service National Distribution Center, PO Box 68912, Indianapolis, IN 46268. Include your street address, the number of copies you want, and your FedEx, UPS, or RPS account number to pay for shipping (the publications themselves are free). Non-Customs Federal and civil agencies, organizations, and members of the trade community may contact their Customs representative, or obtain the manual via the Internet from the Customs World Wide Web (WWW) page on the National Technical Information Service (NTIS) FedWorld, at http://fedworld.gov, as available.
The U.S. Customs Service wishes to extend special thanks to the Federal Bureau of Investigation, Information Systems Security Unit, for valuable input which provided the basis for the development of this document, to the National Security Agency for their review and suggestions, and to the U.S. Department of the Treasury, Office of Information Systems Security, for their oversight and guidance.
(original signed by George J. Weise)
Commissioner
Distribution: G-25
CHAPTER 1 INTRODUCTION
1.1 PURPOSE
1.2 REFERENCES
1.3 DEFINITIONS
1.4 SCOPE
1.5 BACKGROUND
1.6 INFORMATION SECURITY POLICY AND GUIDANCE HIERARCHY
CHAPTER 2 GENERAL POLICY
2.1 GENERAL POLICY STATEMENT
2.2 ROLES AND RESPONSIBILITIES
CHAPTER 3 AIS SECURITY LIFE CYCLE
3.1 SECURITY PLANNING
3.1.1 Approvals
3.1.2 AIS Security Plan
3.1.3 Disaster Recovery and Contingency Operations Planning
3.2 SECURITY REQUIREMENTS
3.2.1 Policy Derived Requirements
3.2.2 Risk Management
3.3 DEVELOPMENT
3.4 CERTIFICATION AND ACCREDITATION
3.4.1 Certification
3.4.2 Accreditation
3.5 PROCEDURES AND PRACTICES
3.6 EDUCATION, TRAINING, AND AWARENESS
3.7 SECURITY OVERSIGHT
CHAPTER 4 MINIMUM SECURITY REQUIREMENTS
4.1 FACILITY SECURITY
4.1.1 Physical
4.1.2 Environmental
4.2 PERSONNEL SECURITY
4.3 AUTOMATED SECURITY
4.3.1 Minimum Security Requirements
4.3.2 Security Assurances
4.3.3 Desirable Security Features
4.4 ADMINISTRATIVE SECURITY
4.4.1 Accountability and Access Control Criteria
4.4.2 Software and Data Security
4.4.3 Technical Support and Maintenance
4.4.4 Portable Computer Equipment
4.4.5 Classification and Controls
4.4.6 External Labels
4.4.7 Customs Work Performed at non-Customs Locations
4.4.8 Use of Non-Customs Owned AISs
4.5 TELECOMMUNICATIONS SECURITY
4.5.1 Information System Standards
4.5.2 Network Connections
4.5.4 Electronic Mail (E-Mail)
4.5.5 Facsimile (FAX)
4.5.6 PBX and Voice Mail Systems
4.5.7 Communications Security (COMSEC)
CHAPTER 5 SECURITY INCIDENTS AND VIOLATIONS
GLOSSARY
BIBLIOGRAPHY
Selected Readings
APPENDIX A Abbreviations and Acronyms
APPENDIX B Good Security Practices
APPENDIX C Controlled Access Protection (C2) Outline
APPENDIX D Security Plan Format
APPENDIX E Computer Security Training
APPENDIX F Security Requirements Methodology
APPENDIX G OMB Circulars
OMB Circular No. A-123, Introduction & Comments
Circular No. A-123, Revised
OMB Circular No. A-130, Appendix III, Revised
INDEX
Reader's Comment Form
CHAPTER 1
INTRODUCTION
1.1 PURPOSE
This document establishes uniform policies, responsibilities, and authorities for implementing the Automated Information Systems (AIS) Security Program of the U.S. Customs Service (from now on called Customs). It promotes the Customs mission and provides guidance to protect Customs AIS resources and assure adequate security for all agency information collected, processed, transmitted, stored, or disseminated in its general support systems and major applications.
Customs AIS security policies are consistent with government-wide policies, standards, and procedures issued by the Office of Management and Budget (OMB), the Department of Commerce, the General Services Administration and the Office of Personnel Management (OPM). At a minimum, the Customs AIS Security Program includes the set of controls established by OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, dated February 8, 1996.
1.2 REFERENCES
The Bibliography contains specific reference citations used in the AIS Security Policy Manual, and Selected Reading references which support the policies.
1.3 DEFINITIONS
Appear in the Glossary.
1.4 SCOPE
This policy manual supplements the AIS security policies established by the U.S. Treasury Department and presented in the Treasury Security Manual, TD P 71-10.
(1) Inclusions: Policy provisions apply to all Customs personnel, contractors acting for Customs, and all authorized users who access Customs AISs, networks, and support facilities. Policy provisions also apply to non-Customs organizations, or their representatives, who are granted access to Customs AIS resources, including other government agencies and members of the trade community.
(2) Exclusions: Microprocessors embedded in or dedicated to production or process control equipment (e.g., test and laboratory equipment) are not covered by these policy provisions.
(3) Point-of-contact: Direct questions concerning this policy manual to the Director, AIS Security Division, Office of Information and Technology, via the web feedback button.
1.5 BACKGROUND
Customs Mission: [USCS 96PLAN; USCS IRMPLAN]
Ensure that all goods and persons entering or exiting the United States do so in compliance with all United States laws and regulations.
Protect the public against violations which threaten the national economy and health and safety.
Be the national resource for information on goods and persons crossing our borders.
Customs is committed to carrying out its mission with increasing effectiveness and efficiency, using information technology as an essential supporting element. Customs employees worldwide use AISs for all facets of Customs operations and to support law enforcement, other government agencies, and the commercial trade community. These activities facilitate enforcement of United States laws, and the control and generation of significant financial revenue for the U.S. Treasury.
(1) AIS Security Program goals:
"All Federal applications require some level of protection. Certain applications, because of the sensitive information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate." [OMB A-130,AIII]
(a) Establish and maintain adequate and effective AIS security safeguards (countermeasures) to ensure data confidentiality, integrity, and operational availability of all Customs AISs that process, store, or transmit non-sensitive, and sensitive but unclassified (SBU, from now on called "sensitive") information.
(b) The security program is designed to protect AIS processed information by:
(i) denying unauthorized AIS access;
(ii) restricting legitimate users to data or processes for which they are authorized; and
(iii) preventing access that would otherwise be possible because of inadequate security design, implementation, or operation.
(c) AIS security safeguards will preserve information processing integrity, reliability and availability to ensure that the data are accurate and relevant to provide law enforcement and investigative support, help achieve Customs revenue collections, and meet commercial and administrative requirements. The application of Customs AIS security policies is evolutionary. When fully implemented, security programs will conform to an acceptable level of mandated Federal requirements.
(d) Within operational constraints, AIS security controls will allow required AIS services to be available to authorized users while denying these services to unauthorized users.
(2) Security classification:
(a) All Federal data, applications, and AISs must be afforded adequate security.
[OMB A-130,AIII]
(b) Unless otherwise designated, Customs general support systems and major applications are considered to contain sensitive information.
(c) Classified (national security) information policy and procedures are addressed in Safeguarding Classified Information Handbook, CIS HB 1400-03.
(3) Information release:
The public release of information is controlled by statutes (Freedom of Information Act (FOIA), Privacy Act (PA), Electronic Communications Privacy Act, etc.). Regulations also control the release of such information, as do interagency agreements.
[OMB A-130; TD P 25-04; TD P 25-05]
(4) Policy application:
AIS security includes applicable security life-cycle requirements. Additional related programs are incorporated in this document by reference and should be considered when establishing and reviewing AIS security requirements. Their applicable policies and procedures may be obtained via the appropriate program managers.
(a) Office of Information and Technology (OIT)
The Office of Information and Technology is responsible for the design, development, programming, testing, implementation, and maintenance of Customs automated information systems, and oversight and management of the research and development and communications functions of the Customs Service. The Office is responsible for management of all Customs computer facilities, hardware, software, data and voice telecommunications, and related financial resources. It is responsible for identifying and evaluating new technologies for application to Customs automated systems; developing and maintaining all operational aspects of Customs computer security program; establishing requirements for computer-to-computer interfaces between Customs and various trade groups and government agencies; representing Customs on matters related to automated import processing and systems development; and implementing a viable Information Resources Management (IRM) program.
(b) Applications Development Division
The Applications Development Division is responsible for the design, development, programming, testing, implementation and maintenance of Customs automated information systems. The Division, in conjunction with the ADP Steering Committee, is responsible for approving project initiation. Specifically, this organization will be responsible for: providing system-specific support for users on existing applications during the transition to new integrated systems; change control and software release; and correcting system problems that arise after implementation. In addition, the project teams operating out of this Division are assigned full responsibility for development of new systems and major enhancements to existing systems. They are multi-functional and integrated to address both systems development efforts and new technologies.
(c) User Support Services Division
The User Support Services Division is responsible for functions that deal directly with field users on a daily basis, including training activities supporting mainframe and distributed/PC/LAN applications, support of field equipment, including installation of PCs, LANs and peripheral equipment, data and voice communication lines and circuits; providing user assistance, including LAN administration; operation of the Customs Help Desk; and supporting all users of Customs automated systems.
(d) AIS Security Division (AISS)
(i) Develops security policies and standards.
(ii) Provides liaison activities for AIS security-related policies, issues, and products:
within Customs,
to the Department of Treasury and outside agencies,
to the trade community,
to other law enforcement agencies, and
to private organizations.
(iii) Manages security software packages.
(iv) Administers security access controls for Customs mainframe systems.
(v) Provides assistance and certification for Customs AIS users.
(vi) Coordinates the development of disaster recovery and contingency plans.
(e) Information Resources Management Division (IRM)
(i) Develops guidelines and standards for all developmental activities.
(ii) Performs and coordinates IRM reviews, and monitors corrective actions.
(iii) Provides security oversight.
(iv) Evaluates and plans Customs AIS resource capacity requirements.
(v) Coordinates strategic planning efforts.
(vi) Conducts analytical studies as needed in support of all OIT entities.
(vii) Provides technology assessments.
(viii) Develops the Information Systems Plan (ISP).
(ix) Plans and coordinates major procurements for AIS equipment and services.
(x) Provides Systems Development Life Cycle (SDLC) advice, assistance, and ensures compliance.
(f) Systems Operations Division (OPS)
The Systems Operations Division is responsible for managing all new and existing Customs computer facilities, hardware and software, and for managing the related financial resources. It is responsible for data base administration; systems engineering; computer operations; communications software design and implementation; and management of the Customs Data Center facility.
(g) Security Programs Division (SPD)
The Security Programs Division prescribes policy, procedures, and specifications for maintaining Customs personnel security programs.
The Security Programs Division, Security Management Branch is responsible for facility and industrial security programs.
(h) Communications Management Division (CMD)
The Office of Investigations, Communications Management Division, Communications Security Branch sets policy for handling Customs communications security (COMSEC) materials and equipment, and establishes standards and procedures for granting authorization to Customs employees for access or use of those materials and equipment. They also evaluate and approve AIS cryptography and communications security measures. [USCS 4300-09]
(i) Office of Regulations and Rulings (ORR)
The Office of Regulations and Rulings, Disclosure Law Branch, sets policy for Customs Freedom of Information Act and Privacy Act (FOIA/PA) programs.
[TD P 25-04; TD P 25-05]
(j) Office of Chief Counsel
The Office of Chief Counsel provides legal advice to all Customs Offices on Customs enforcement authorities and related subjects.
1.6 INFORMATION SECURITY POLICY AND GUIDANCE HIERARCHY
The following is for general information purposes. It is copied from Introduction to Certification and Accreditation. [NCSC-TG-029]
Security policy exists at different levels of abstraction. Federal and national-level policy is stated in public laws, Executive Orders (EO), National Security Directives (NSD), National Security Telecommunications and Information Systems Security (NSTISS) issuances, Federal Information Processing Standard Publications (FIPS PUBS), Office of Management and Budget (OMB) circulars, and other resources. Federal service and agency policies interpret Department of Defense (DoD) and national-level policies, as appropriate, and may impose additional requirements.
* TEMPEST generally applies to classified information and is not addressed in this manual. It refers to the control of compromising electronic emanations and does not constitute authorization to use classified data. TEMPEST issues should be directed to the Treasury Office of Information Systems Security.
[TD P 71-10; HB 1400-03]
Many national and Federal security policy documents exist that apply to both civil and defense agencies. Current overall security policy does not reflect an interdependent, cohesive collection of security disciplines. This proliferation of policy makes it difficult for security personnel to keep up with the changes and be aware of all the applicable policies for a given system. Rapidly changing technology also makes it difficult for policy to keep up with new security challenges caused by advances in capabilities and technology.
CHAPTER 2
GENERAL POLICY
2.1 GENERAL POLICY STATEMENT
(1) A Customs AIS is any automated information or telecommunications system owned, leased, or operated by or for Customs.
(2) Customs will implement at least the minimum security requirements identified in this policy to protect AIS resources and information (non-sensitive and sensitive data) processed, stored, or transmitted by Customs AISs. Based on risk management, Customs may apply additional safeguards so that users are granted the most restrictive set of controls (privileges) that still permits the performance of authorized tasks (principle of least privilege). [TD P 71-10]
(3) Sensitive information in Customs AISs must be safeguarded against unauthorized disclosure, modification, access, use, destruction, or delay in service.
[USCS 1460-010]
(4) All AISs processing, storing, or transmitting sensitive information must be accredited.
[TD P 71-10]
(5) Connectivity is prohibited between Customs AISs which handle sensitive data and any other systems or networks not under Customs authority, unless formally approved by an appropriate Customs Accrediting Authority. [USCS 5500-07]
(6) All Customs AISs are for official Customs business only and users have no expectation of privacy while using these resources. [USCS 5500-07]
(7) All persons who use, manage, operate, maintain, or develop Customs AISs, applications, or data must comply with these policies.
2.2 ROLES AND RESPONSIBILITIES
Customs performs AIS Security through a variety of roles with specific responsibilities.
The general AIS Security organization is shown in Figure 2, Customs AIS Security Organization.
(1) Commissioner of Customs responsibilities:
(a) Annually certify the adequacy of Customs AIS Security Program to the Department of the Treasury.
(b) Ensure that a viable Customs AIS security education, training, and awareness program is established.
(c) Ensure that Customs AIS Security Plan documentation is developed and maintained according to Treasury and Federal standards.
(d) Designate Accrediting Authorities (AA) for sensitive Customs AISs.
(e) Designate an oversight authority for review and validation of the AIS Security Program.
(f) Delegate to Headquarters and field managers the responsibility for assigning local AIS security officers (Designated Security Officers, DSOs).
(2) The ADP Steering Committee, Security Subcommittee responsibilities:
(a) Provide general oversight authority for the AIS Security Program.
(b) Conduct independent reviews of the AIS Security Program and assure compliance with Federal and Treasury policies.
(c) Report the AIS security posture status to the Commissioner.
(3) Assistant Commissioner, OIT, responsibilities:
(a) Ensure that an operational AIS security program is in place which provides a centrally administered security policy. The AIS Security program must comply with at least the minimum security requirements defined by Treasury and other Federal mandates, and preserve the operational flexibility necessary to Customs.
(b) Accredit sensitive Customs AIS (general support systems and major applications). This responsibility is shared with Process Owners.
(c) Implement Customs AIS Security education, training, and awareness program.
(d) Establish adequate and effective management accountability and control to ensure the protection of AIS resources.
(e) Designate an AIS Security Officer to develop, implement, and enforce the AIS Security Program to comply with C2 level functional security requirements.
(f) Support AIS security audits and reviews.
(4) The Director, AIS Security Division, responsibilities:
(a) Develop and promote the Customs AIS Security program policy, including:
(i) Interpret policy relating to AIS security functions and develop unique guidance, as needed.
(ii) Assist with policy compliance efforts by providing explanation or clarification of AIS security-related questions on issues that may impact Customs mission.
(iii) Ensure security administration for sensitive AIS, including general support systems and major applications.
(b) Coordinate the Designated Security Officers (DSOs) for sensitive Customs AISs, and provide them guidance and assistance in carrying out their functions.
(c) Review and authorize acquisitions, in coordination with the DSOs, and certify that the acquisition specifications include appropriate AIS security requirements for:
(i) AIS installation facility operations, equipment, or applications.
(ii) Acquisition of AIS hardware, software, and/or related services.
(d) Provide direction and guidance to system developers in defining and approving software development security requirements.
(e) Ensure that accreditation packages are prepared for sensitive Customs AISs and applications.
(i) Provide guidance on the scope and contents of security plans:
Review security plans prepared by or for the DSOs.
Prepare statements of residual risk and compliance summary, to complete each accreditation package.
Submit the accreditation package to the appropriate authorities.
(ii) Act as a liaison for AIS security issues to the Information Resources Management (IRM) and Security Programs Division (SPD) managers.
(f) Maintain a current status on all required accreditation documentation.
(g) Establish and maintain a Risk Management program, including risk assessments, for sensitive Customs AIS resources, including:
(i) AIS facilities.
(ii) General support AISs.
(iii) Major applications.
(h) Act as the liaison for AIS security matters to the Department of the Treasury.
(i) Report computer security incidents and violations to the OIT Assistant Commissioner (AC), Process Owners (PO), and Office of Internal Affairs (IA), as appropriate.
(j) Coordinate Customs AIS Virus Prevention program, including, recommending virus prevention solutions, providing guidance in defining the requirements, and selecting the approach.
(k) Establish standards and provide guidance for the preparation of AIS Disaster Recovery and Contingency Operations plans including, conducting of agency-wide analyses, and establishing and verifying strategies for business recovery and alternate processing. This includes coordinating the development of viable Disaster Recovery and Contingency Operations plans for Customs AIS facilities.
(l) Establish standards and provide guidance for preparing End-User AIS Contingency plans.
(m) Ensure that all interactive users of Customs AIS meet at least the minimum standards of eligibility for access. [USCS 1460-010]
(n) Conduct AIS security compliance review and oversight activities.
(o) Support areas or issues requiring AIS security-related research and development effort.
(p) Support AIS security audits and reviews, providing assistance as appropriate.
(5) IRM manager responsibilities:
(a) Ensure security-related quality assurance throughout the software development life-cycle.
(b) Coordinate with AIS Security for review of the SDLC documents and activities to incorporate security into developed products. [TD P 84-01]
(c) Assist with AIS security audits and reviews, as appropriate.
(6) Process Owner (identified in the Major Application Security Plan) responsibilities:
[USCS PPP]
(a) Accredit assigned Customs AIS Process (responsibility shared with the Assistant Commissioner, OIT).
(b) Establish user requirements and controls that conform to Customs System Development Life Cycle (SDLC) Handbook. [USCS 5500-04]
(c) Specify that locally developed sensitive AIS products comply with C2 level functional security requirements.
(d) Designate or ensure that information sensitivity levels are assigned for the information processed, stored, or transmitted by the Customs AIS Process.
(e) Coordinate with the Customs Office of Regulations and Rulings, Disclosure Law Branch, to publish a "System of Records" in the Federal Register for any Customs Process that contains Privacy Act data, as appropriate. [TD P 25-04]
(f) Ensure that user access requirements and controls are defined for the Customs AIS Process.
(g) Delegate user access request authorization.
(h) Assist with AIS security audits and reviews, as appropriate.
(7) Application Development Manager responsibilities:
Application development managers (both OIT and development organizations external to OIT) have data ownership responsibilities for application-related information processed, stored, created, manipulated or transmitted by and/or for the application, unless data ownership is otherwise designated by agreements, functions, and/or assignments.
(a) Ensure that locally developed AIS products comply with C2 level functional security requirements.
(b) Ensure that at least the minimum security requirements mandated by law, statute, or regulation are incorporated into Customs AIS Process applications.
(c) Adhere to Customs System Development Life Cycle (SDLC) Handbook development standards. [USCS 5500-04]
(d) Prepare documentation for application certification and accreditation packages.
(e) Assist with AIS security audits and reviews, as appropriate.
(8) AIS Owner responsibilities:
(a) Ownership responsibilities for sensitive Customs AISs are assigned to the Office of Information and Technology, unless otherwise identified.
(b) Assist with AIS security audits and reviews, as appropriate.
(9) AIS Security Administrator responsibilities:
(a) Act as the primary point-of-contact for AIS security issues.
(b) Identify security threats and establish safeguards (countermeasures) to protect Customs AIS resources.
(c) Implement security policy for AIS resources for which Customs has direct operational responsibility.
(d) Ensure that all personnel receive appropriate AIS security training.
(e) Administer the Computer Security Incident Reporting Capability (CSIRC) program including establishing reporting criteria, and coordinating with the Office of Internal Affairs (IA), as appropriate.
(f) Report to the AIS Security Officer any security incidents, such as attempts to gain unauthorized access to information, virus infections, or other events affecting AIS security, including damage assessments and actions taken to prevent future incidents, as appropriate.
(g) Ensure that viable End-User AIS Contingency Plans are developed to assure continued operations of essential AIS functions should an emergency occur.
(h) Coordinate local AIS Security Administrators.
(i) Advise Customs management on implementing provisions of this policy and applicable guidelines.
(j) Ensure all AIS operations are conducted as authorized in the accreditation, or that certification package modifications are prepared to accommodate the variances.
(k) Assist with AIS security audits and reviews, as appropriate.
(10) A Designated Security Officer (DSO) must be assigned for each sensitive AIS, including general support systems and major applications.
Designated Security Officer: The Customs person responsible to the AA for ensuring that security is provided for and implemented throughout the life-cycle of an AIS (from concept development through design, development, operations, maintenance, and disposal phases).
The DSO responsibilities:
(a) Ensure that appropriate security features are implemented in new sensitive AISs and that they meet at least the minimum security requirements defined in this policy.
Review and authorize acquisitions, in coordination with the AIS Security Officer, and certify that appropriate AIS security is included in the specifications for the operation of an AIS installation facility, equipment, or application, and for acquisition of AIS hardware, software, or related services.
(b) Prepare site certification packages in preparation for accreditation.
Certification-related activities include:
(i) Conduct design reviews, security tests, and certify the results when security-relevant changes (hardware, software, firmware, etc.) are made, to ensure that the accreditation status is not affected.
(ii) Identify and recommend AIS security improvements to management.
(iii) Ensure that configuration management (CM) is used and maintained to protect the AIS security-related features.
(c) Prepare, or oversee the preparation of, AIS security plans, and maintain related documentation for each AIS under their purview.
(d) Ensure the distribution of end-user security procedures tailored for administrators and operators of sensitive AISs, and advise users of the security features and procedures used on the AISs. [USCS 5500-04]
(e) Coordinate with the appropriate DSOs of other AISs, process owners, application development managers, and the Customs AIS Security Officer to ensure that planning adequately addresses the AIS security requirements.
(f) Establish, in coordination with AIS Security Administration, access control criteria and administrative procedures consistent with Customs policy, by which only authorized persons gain access to the AIS.
(g) Provide support for audit trail reviews and related discrepancy investigations.
(h) Report immediately to AIS Security Administration any security incident, such as attempts to gain unauthorized access to information, virus infections, or other events or conditions which may affect AIS security accreditation.
(i) Conduct periodic security reviews of AIS facilities under their purview to assure safeguards are commensurate with the AIS information being stored, processed or transmitted.
(j) Assist with AIS security audits and reviews, as appropriate.
(11) Local AIS Security Administrator responsibilities:
(a) Request and/or grant user access to AIS based on management authorization.
(b) Remove or modify user access based on authorized requests of management, process owners, and/or administrative processes.
(c) Conduct authorized reviews of the user access to assure timely detection of suspicious, inappropriate, or unauthorized activity.
(d) Report to the DSO or AIS Security Administration any security incidents or other events affecting AIS security (e.g., virus infections, attempts to gain unauthorized access to information, suspicious, inappropriate, or unauthorized activity, etc.).
(e) Assist with AIS security audits and reviews, as appropriate.
(f) Support compliance with C2-level functional security requirements for locally developed sensitive AIS products, as appropriate.
(12) Facility manager (or functional equivalent) responsibilities:
(a) Ensure that a physical inventory is maintained (usually by the local property officer) of all AIS resources within their area of responsibility.
(b) Ensure the physical security and accreditation of the sensitive AIS facility (site).
Included in these responsibilities are AIS-related safety and security activities (e.g., Occupant Emergency Plan, Physical Security Plan, etc.).
(c) Coordinate with appropriate DSOs any AIS security-relevant facility changes.
(d) Assist with AIS security audits and reviews, as appropriate.
(13) Manager and Supervisor responsibilities:
(a) Ensure that sensitive AIS data and resources within their area of responsibility are properly protected by appropriate security safeguards.
(b) Ensure that subordinates have access only to those AIS applications and data necessary to perform authorized tasks (principle of least privilege).
(c) Report to the appropriate Security Administrator any changes to employee access requirements. Also coordinate with appropriate management when employee or management transfers occur which might affect AIS access.
(d) Review employee AIS access activity to ensure compliance with AIS security requirements and provide timely detection of suspicious, inappropriate, or unauthorized activity.
(e) Ensure that a DSO is identified for each sensitive AIS (or group of facilities designated as a sensitive AIS) used by employees under their management authority, as warranted.
(f) Report AIS security-related changes in their own job status to the responsible Security Administrator.
(g) Ensure that proposed acquisitions of sensitive AIS-related hardware, software, communications, applications, and equipment satisfy AIS security requirements and receive DSO concurrence prior to acquisition.
(h) Ensure that sensitive AIS products developed under their management authority comply with C2-level functional security requirements.
(i) Ensure that employees under their management authority receive AIS security training relevant to their assignments, as required by laws, regulations, MOUs, or other agreements.
(j) Attend AIS security training as required by laws, regulations, MOUs, or other agreements.
(k) Assist with AIS security audits and reviews, as appropriate.
(14) User responsibilities:
(a) Protect access IDs, authentication codes (e.g., passwords, personal identification numbers [PIN], encryption codes, etc.) from improper disclosure.
(b) Access only authorized AIS applications and data necessary to perform approved responsibilities.
Due to the technical capability of some AISs, access might exceed authority. Access capability, however, does not equate to authority (e.g., casual browsing of data is not permitted).
It is a violation of law for users to access U.S. Government AIS data in excess of their authorization. [18 USC 1030]
(c) Notify supervisor and AIS Security Administrator when AIS access or authority is no longer required for their authorized tasks.
(d) Apply the security controls required by AIS security policies and standards.
(e) Comply with the provisions in the Customs AIS Security Policy manual.
(f) Attend AIS security training as required by laws, regulations, MOUs, or other agreements.
(g) Provide assistance with AIS security audits and reviews as required by laws, regulations, MOUs, or other agreements, as appropriate.
(15) External agency user responsibilities:
(a) Comply with U.S. Government AIS-related laws and regulations.
(b) Comply with inter-agency MOU (Memorandum of Understanding) or other formal agreements between themselves and Customs.
External agencies must designate AIS Security Coordinators. The head of the external agency, or delegate (as identified in writing), is responsible for ensuring that employees and contractors under their authority observe Customs AIS Security Policy as identified in this manual.
(c) Protect access IDs, authentication codes (e.g., passwords, personal identification numbers [PIN], encryption codes, etc.) from improper disclosure.
(d) Access only authorized AIS applications and data necessary to perform approved activities.
Due to the technical capability of some AISs, access might exceed authority. Access capability, however, does not equate to authority (e.g., casual browsing of data is not permitted).
It is a violation of law for users to access U.S. Government AIS data in excess of their authorization. [18 USC 1030]
(e) Notify Customs AIS Security Administrator when AIS access or authority is no longer required for approved tasks.
(f) Use the security controls required by AIS security policies and standards.
(g) Comply with the provisions in the Customs AIS Security Policy manual.
(h) Attend AIS security training as required by laws, regulations, MOUs, or other agreements.
(i) Provide assistance with AIS security audits and reviews as required by laws, regulations, MOUs, or other agreements, as appropriate.
(16) Trade community user responsibilities:
(a) Comply with U.S. Government AIS-related laws and regulations.
(b) Comply with any formal agreements governing access to Customs AIS resources.
Trade community user access to Customs AIS resources must be approved by the appropriate Customs Accrediting Authorities and formally documented.
(c) Access only authorized AIS applications and data necessary to perform approved activities.
AIS access will be restricted to authorized data and processes. Due to the technical capability of some AISs, however, access might exceed authority. Access capability does not equate to authority (e.g., casual browsing of data is not permitted).
It is a violation of law for users to access U.S. Government AIS data in excess of their authorization. [18 USC 1030]
(d) Protect access IDs, authentication codes (e.g., passwords, personal identification numbers [PIN], encryption codes, etc.) from improper disclosure.
(e) Notify Customs AIS Security Administrator when AIS access or authority is no longer required for approved tasks.
(f) Use the security controls required by Customs AIS security policies and standards.
(g) Comply with the provisions in the Customs AIS Security Policy manual.
(h) Attend AIS security training as required by laws, regulations, MOUs, or other agreements.
(i) Support Customs AIS security audits and reviews as required by laws, regulations, MOUs, or other agreements.
CHAPTER 3
AIS SECURITY LIFE CYCLE
This section documents activities for acquisition and development of AIS and related applications. It provides guidance to ensure that sensitive AISs and applications are developed, acquired, and documented according to Customs policy.
Topics include:
Security Planning. Security planning activities are the responsibility of the appropriate Customs Process Owner, AIS owner, Applications Developer, DSO, and AIS Security Officer. These activities pertain to the development or acquisition of new Customs AISs and applications, or changes to existing ones.
Certification and Accreditation. Certification and accreditation activities are the responsibility of the appropriate Accrediting Authorities (AAs), DSO, and the AIS Security Officer.
Security Education, Training, and Awareness. These activities are ongoing and apply to all personnel who manage, use, or operate Customs AISs, whether or not they are Customs employees.
Security Oversight. The AIS Security Officer conducts policy-related security oversight activities for ongoing day-to-day operations. The ADP Steering Committee, Security Subcommittee, is designated as the oversight authority for the Customs AIS Security Program.
3.1 SECURITY PLANNING
Security planning activities support the accreditation of all sensitive Customs AISs, including general support systems and major applications. This section discusses the processes for AIS security planning, risk management, disaster recovery, contingency operations, and the documentation required to achieve certification and accreditation.
Prior to the development or acquisition of sensitive AISs and applications, the AIS Security Officer must be consulted to establish the scope of the security-related activities and necessary documentation.
3.1.1 Approvals
The security planning process requires the DSO to seek approvals at several steps during system planning activities.
(1) To the extent feasible, security requirements must be defined prior to the start of AIS development, be approved by the DSO and AIS Security Officer, and included as part of the acquisition process.
(2) Prior to the start of AIS development, system designs must include security reviews and be approved by the AIS Security Officer.
(3) Security test plans and security testing results must be approved by the AIS Security Officer.
(4) Prior to accreditation, AIS security planning documentation must be approved by AIS Security Administration.
3.1.2 AIS Security Plan
The objective of security planning is to improve the protection of AIS resources and information.
(1) Information owners (those managers most directly affected by and interested in the information or processing capabilities) must demonstrate how they are planning to protect information and processing capabilities from loss, misuse, unauthorized access, modification, unavailability, or undetected security-related activities.
(2) The AIS Security Officer will define the scope and format for Customs AIS security plans to ensure a standardized approach that provides sufficient information to assess the security posture and complies with applicable regulations.
(3) Each sensitive Customs AIS requires a security plan to document its security requirements, from development or acquisition, through implementation and operation, to disposal. The assigned DSO will prepare and maintain the system security plan.
(a) When an existing non-sensitive AIS is changed to a sensitive Customs AIS, an appropriate AIS Security Plan must be prepared.
(b) The AIS Security Officer will determine the final boundaries for AIS networks.
(c) The DSOs will clearly define the boundaries of non-networked sensitive AISs under their purview and are responsible for ensuring that the AISs are operated according to the approved AIS security plan.
(4) An AIS security plan will include at least the following: (See also: Appendix D)
(a) Risk management actions pertaining to the AIS. (See also: Section 3.2.2)
(b) A Certification statement that reflects the results of security features tests and implementation schedules applicable to the AIS. (See also: Section 3.4)
(c) A Disaster Recovery and Contingency Operations Plan, consisting of: (See also: Section 3.1.3)
(i) emergency response plan,
(ii) back-up operations plan, and
(iii) post-disaster recovery plan.
(d) Security procedures and practices for users and operators of AISs. (See also: Section 3.5)
(5) A single (generic) security plan can cover multiple AISs in some situations. Such plans must consider ownership responsibilities, administrative burdens, technical complexity, and be cost-effective.
(a) A single (generic) AIS security plan can include multiple comparable AISs in similar and associated operating environments. If additional security measures for a particular operating environment are required, they can be added as a supplement to the primary security plan, rather than creating a new plan. The plan must show how the changes are associated and maintain the plan's integrity.
(b) A single (generic) AIS security plan can cover related AIS resources that perform similar and/or associated functions and are physically and logically located in the same general area. The plan might include Local Area Networks (LANs), hosts with terminals, groups of stand-alone personal computers, workstations, and other related office automation systems.
(c) A single (generic) AIS security plan can cover related AIS resources that perform similar and/or associated functions in support of a common mission, but might be at unspecified or physically and/or logically diverse locations. Such a plan must consider the diversity of conditions that might be encountered and ensure that adequate and appropriate levels of security are provided. The plan might include personal computers, workstations, and other related AIS equipment over Wide Area Networks (WANs), Local Area Networks (LANs), and/or other communications networks or mediums.
3.1.3 Disaster Recovery and Contingency Operations Planning
(1) Each essential (mission-critical) sensitive Customs AIS, including general support systems and major applications, or grouping of like systems, shall have a viable and logical Disaster Recovery and Contingency Operations Plan. Plans shall be well-written, routinely reviewed, tested, and updated to provide for reasonable continuity of AIS support if normal operations are interrupted. This enables rapid restoration of vital operations and resources, and reduces downtime. [OMB A-130,AIII]
(2) Disaster Recovery and Contingency Operations planning elements must include, at least the following:
(a) Emergency response procedures, consistent with government laws, regulations, and directives, for civil disorder, fire, flood, natural disaster, bomb threat, or other incidents or activity where lives, property, or the capability to perform essential functions are threatened or seriously impacted.
(b) Back-up operations plans, procedures, and responsibilities to ensure that essential (mission-critical) operations will continue if normal processing or data communications are interrupted for an unacceptable period. The minimally acceptable level of degraded operation of the essential (mission-critical) systems or functions must be identified and ranked so that plan priorities are accomplished. This must include appropriate provisions for storage, maintenance, and retrieval of essential back-up and operational support data.
(c) Post-disaster recovery procedures and responsibilities to facilitate the rapid restoration of normal operations at a primary site, or if necessary at an alternate facility, following destruction, major damage, or other significant interruptions of the primary site.
(3) The AIS Security Officer is responsible for ensuring the development of AIS Disaster Recovery and Contingency Operations Plans for general support systems and major applications, and for defining the testing requirements that the DSOs will carry out.
(a) The AIS Disaster Recovery and Contingency Operations Plans shall provide for viable and reasonable continuity of essential AIS capabilities if normal operations are interrupted.
(b) The AIS Security Officer provides guidance for the formulation of these plans. The plans must address the business continuity requirements for interfacing with applications and be supported by application contingency plans.
(c) AIS application contingency planning activities are conducted in concert with facility disaster recovery planning and/or end-user contingency planning, when such plans exist.
(d) Facility disaster recovery plans address physical security, the protection of general AIS support, and help ensure the availability of critical assets (resources) to facilitate the continuity of operations during an emergency.
(4) The DSO will develop and maintain a current viable AIS Disaster Recovery and Contingency Operations Plan for each sensitive and/or mission-critical AIS (general support system, microcomputers, etc.). The plan will provide reasonable assurance that critical data processing support can be continued, or quickly resumed, if normal operations are interrupted.
(a) Depending on the results of the criticality assessment (business impact analysis), the DSO may determine that an AIS is not sufficiently critical to the agency or user community to warrant a Disaster Recovery and Contingency Operations Plan. In this event the DSO will provide a Continuity of Operations Statement to that effect, subject to the approval of the Accrediting Authorities.
(b) End-User AIS Contingency Plans shall be developed, reviewed, and updated at least every three years, or whenever major processing environment changes occur (e.g., physical site, hardware, software, operating systems, etc.).
(5) All plans must be operationally tested at a frequency commensurate with the risk and importance of loss or harm that could result from disruption of AIS support.
3.2 SECURITY REQUIREMENTS
3.2.1 Policy Derived Requirements
Security requirements must be risk-management based and result from an analysis of policy as applied to data, augmented by a risk analysis. These requirements must be compared to an AIS security features cost-benefit analysis, not against the minimum requirements. Appendix F discusses policy methodology.
3.2.1.1 Global Security Policy
The security policy of Customs is to operate its AISs in compliance with existing Federal and national-level policy as stated in public laws (PL), Executive Orders (EO), Federal Information Processing Standard Publications (FIPS PUBS), Office of Management and Budget (OMB) circulars and bulletins, Treasury Directives (TD), and Customs Directives (CD); to protect the data and information in the AISs; and to effectively support the Customs mission.
3.2.1.2 Cost-Effective Security
Federal regulations and Treasury directives require that (i) resources are used consistent with the agency mission; (ii) programs and resources are protected from waste, fraud, and mismanagement; and (iii) the best available and most cost-effective products are used in the design and implementation of AIS security protection. The selection of security products must consider the costs of managing and administering such products. Meeting these requirements, and the continually increasing demands for protection of information, requires consideration of products which are compatible with existing and anticipated AIS hardware and software configurations. [OMB A123; TD P 71-10]
3.2.2 Risk Management
(1) Risk management is the total process of identifying, controlling, and eliminating or reducing risks that may affect AIS resources. It includes: risk analysis (identify and analyze the risks); a determination of the appropriate levels of resources necessary to protect the AIS; a management decision to implement selected AIS security safeguards based on the risk analysis, including accepting residual risk, if necessary; and effectiveness reviews.
(2) Risks are derived from the analysis of threats and vulnerabilities. A formal risk analysis requires ranking the risks relative to one another and assessing the associated damage or loss potentials. This relationship forms the basis for selecting effective safeguards. Before starting the risk analysis process, the AIS Security Officer should be consulted for guidance on the scope of the analysis and the recommended approach. In the absence of specific directions, refer to the Treasury Risk Assessment Guideline. [TD P 85-03]
(a) A risk analysis will be conducted or sponsored by the AIS Security Officer for each Customs general support AIS (mainframe or network) facility under the following conditions:
(i) Whenever a new or substantially modified AIS facility design is approved.
(ii) Before design specifications for new general support AISs and their supporting installations are approved.
(iii) Whenever a significant change occurs to the general support AIS (e.g., adding a LAN; changing from batch to on-line processing; adding dial-up capability, etc.). The criteria for defining significant changes will be commensurate with the sensitivity of the data processed by the general support AIS.
(iv) At periodic intervals established by the AIS Security Officer commensurate with the sensitivity of the data processed, but not to exceed every three years, if no risk analysis is performed during that period.
(b) The DSO will coordinate or conduct a risk analysis which focuses on the automated (technical) and administrative security control techniques associated specifically with the AIS or process under review. This includes the interface between the operating systems and the applications, and/or the communications environment and the applications, and the threats inherent in processing in a specific environment. Facility (physical) risk analysis must be considered when defining and approving security specifications for the major applications or network systems.
(3) Responsibility for carrying out the recommendations of a risk analysis rests with the manager of the AIS facility under review, or the application developer, as appropriate. The response to the recommended safeguards includes implementation schedules, or the rationale for non-implementation. They must evaluate the recommendations and determine whether to carry them out based on technical and operational feasibility, and costs. Customs Accrediting Authorities (AAs) will consider the effects of the reviewer's actions in making accreditation decisions.
3.3 DEVELOPMENT
(1) The Customs System Development Life Cycle (SDLC) methodology described in the SDLC handbook applies to all systems and applications (mainframe, networked, or stand-alone), developed by or for Customs and used by Customs employees, contract personnel, other government agencies, and persons or companies using Customs resources, whether or not under direct control of the Office of Information and Technology (OIT). It incorporates a standards-based approach to systems development and AIS development policies.
(2) The SDLC handbook is required reading for all persons new to the Customs automation environment and incorporates Government and industry development standards applicable to Customs. It describes the minimum requirements that Customs applications must meet to comply with existing standards and directives throughout their projected life-cycles and facilitates a step-by-step process to deliver accurate, effective and efficient AISs to the users. [USCS 5500-4]
3.4 CERTIFICATION AND ACCREDITATION
Certification and accreditation, although related, are not the same processes, nor do they have the same objectives. Certification is a short-term activity that is repeated after any significant AIS-related change and is a prerequisite for accreditation. Accreditation is a long-term authorization, up to three years, for an AIS to operate based on the facts, plans, and schedules developed during certification.
(1) Each Customs general support AIS and major application is considered to contain or process sensitive information and must be certified and accredited.
(2) All other Customs AISs and applications which contain or process sensitive information must be certified and accredited, as appropriate.
3.4.1 Certification
Certification is the comprehensive testing and evaluation of the technical and nontechnical AIS security features, and other safeguards used in support of the accreditation process. It establishes the extent to which a particular AIS design and implementation meet a specified set of security requirements. Certification primarily addresses software and hardware security safeguards, but also considers procedural, physical, and personnel security measures employed to enforce AIS security policy.
(1) Software Certification
(a) In-house developed software. Design reviews and systems tests will be performed, and a certification of the results recorded, for newly developed software, and for existing software when significant modifications are made.
(b) Government-Off-The-Shelf Software (GOTS). Government developed software will be examined to assure that the software does not contain features which might be detrimental to Customs AIS security. Software design reviews and systems tests will be performed, and a certification of the results recorded when significant modifications are made to GOTS software.
(c) Commercial-Off-The-Shelf Software (COTS). Commercially procured software will be examined to assure that the software does not contain features which might be detrimental to AIS security. Security-related software will be examined to assure that the security features function as specified.
(2) The DSO will oversee or conduct AIS certification tests. Individuals who conduct the certification testing will be independent of the AIS developers, if resources are available. The testing process and results will be documented in a format that ensures that the tests can be repeated and achieve the results reflected in the certification report, if required.
(3) AIS security safeguards must be modified to correct any deficiencies found during certification testing, as appropriate.
(4) Certification testing will vary with the AIS security mode of operation.
(a) Dedicated security mode does not require extensive certification efforts as users and data are not required to be separated with technical security measures. Certification focuses on the physical, procedural, and personnel security measures to ensure that all users have the appropriate access approval and need-to-know for all Customs data on the AIS. (Example: a standalone personal computer).
(b) System-high security mode requires that hardware and software security features reliably segregate users from data for which they do not have a need-to-know, in addition to the requirements of Dedicated security mode. (Example: a general support AIS).
(c) Compartmented and multilevel security modes are used for classified AISs and are not addressed in this manual. (Reference: CIS HB 1400-03).
(5) The AIS Security Officer will provide guidance on conducting certification testing.
3.4.2 Accreditation
"Any significant modification made to an SBU AIS or network should be reviewed to determine the impact on security."
"Modified systems/networks will be reaccredited by appropriate officials as outlined in TD P 71-10, Sect. 7.A in light of the results of the security review." [TD P 71-10]
(1) Accreditation is the official management authorization to operate an AIS based on the following criteria.
(a) The particular security mode of operation.
(b) The defined set of threats, with related vulnerabilities and prescribed safeguards.
(c) The given operational environment.
(d) The stated operational concept.
(e) The stated interconnection to other AISs.
(f) The operational necessity.
(g) An acceptable level of risk for which the Accrediting Authorities have formally assumed responsibility.
(2) The Accrediting Authorities (AA) officially declare that a certified AIS will adequately protect related information, will operate in one of the following security modes, and accept security responsibilities for the AIS operation.
The AIS security mode of operation is based on data sensitivity, access approval, and need-to-know of the AIS users. Available or proposed AIS security features do not determine the security mode.
Applicable Security Modes of operations are:
(a) Dedicated security mode. (See also: Certification, Section 3.4.1(4)(a).)
(b) System-high security mode. (See also: Certification, Section 3.4.1(4)(b).)
(3) All sensitive AISs, including general support systems and major applications, must be submitted for and be accredited expeditiously.
(4) The AIS security plan documentation, discussed in Section 3.1, will be submitted by the DSO to the AIS Security Officer for review. The AIS Security Officer will develop a summary of compliance to include security requirements and a statement of residual risk.
(5) Prior to accreditation, Customs Information Resources Management (IRM) and Security Programs Division (SPD) representatives will review the security plan documentation for sensitive AISs, including the summary of compliance and statement of residual risk.
(6) The appropriate Customs AAs will make the accreditation decision based on the summary of compliance, a statement of residual risk, and an approved AIS security plan. The accreditation process results in a decision that the AIS is:
(a) accredited to operate, or
(b) given interim operating approval for a specific time pending satisfactory completion of specified requirements, or
(c) denied permission to operate, until identified deficiencies are corrected.
(7) Every sensitive AIS covered by this policy must be reaccredited at least every three years. The accreditation status and supporting documentation will be reviewed and revised for the following conditions or events, as appropriate.
(a) A significant change occurs in the hardware, software, or data communications configuration that impacts the AIS security safeguards defined in the original accreditation package. A significant change is one whose impact is such that it needs to be brought to the attention of the AAs.
(b) The sensitivity level of the information being processed is significantly changed.
(c) The security mode of operation is changed.
(d) AIS facility or remote terminal area changes occur, including relocations or structural modifications, which may affect AIS security.
Whenever a major office relocation occurs (e.g., moves to a new building), the AIS Security Officer should conduct an AIS compliance review to decide whether the change in physical location impacts the AIS security posture. The results of the security review should be retained as part of Customs AIS security documentation.
(e) An AIS security-related event occurs that appears to invalidate the accreditation.
(8) The accreditation package revision and review process will include at least the following activities and information.
(a) The same steps required for the original accreditation package will be completed. Portions of the package which configuration management shows to still be valid need not be redone.
(b) The IRM and SPD representatives will review and approve the AIS security plan, summary of compliance, and statement of residual risk, as appropriate.
(c) The appropriate AAs will review and reaccredit the AIS.
(9) The AIS Security Officer will maintain a record system containing the status of the documents in the Customs AIS accreditation packages.
(10) The AAs are the only ones authorized to exempt an operation from the security requirements specified in the accreditation statement. This exemption must be formally documented in a written waiver and retained with the original accreditation package.
3.5 PROCEDURES AND PRACTICES
This policy manual does not contain AIS security-related procedures and practices. They are presented separately and provided to Customs AIS users, administrators, and operators, as appropriate. Procedures and practices explain specific AIS security mechanism operations so that users, administrators, and operators may consistently and effectively protect Customs information. Such information should also be addressed during training, when applicable. (See also: Section 1.5.1)
3.6 EDUCATION, TRAINING, AND AWARENESS
"The Computer Security Act requires Federal agencies to provide for the mandatory periodic training in computer security awareness and accepted computer security practice of all employees who are involved with the management, use, or operation of a Federal computer system within or under the supervision of the Federal agency. This includes contractors as well as employees of the agency."
"Training is particularly important in view of the changing nature of information resources management. Decentralization of information technology has placed the management of automated information and information technology directly in the hands of nearly all agency personnel rather than in the hands of a few employees at centralized facilities."
"The OMB Circular A-130, Appendix III enforces such mandatory training by requiring its completion prior to granting access to the system." [OMB A-130, AIII]
(1) The Director, AIS Security Division, shall ensure that a Customs AIS Security Education, Training, and Awareness Program is established.
(2) Training may be presented in stages, for example, as more access is granted. In some cases, the training should be in the form of classroom instruction. In other cases, interactive computer sessions or well-written and understandable brochures may be sufficient, depending on the risk and magnitude of harm related to the subject matter.
(3) Refresher awareness training frequency shall be determined by the Director, AIS Security.
(4) Each new user of a general support system in some sense introduces a risk to all other users. Therefore, each user should be versed in acceptable behavior -- the rules of the system -- before being allowed to use the system.
(5) Training should be tailored to what a user needs to know to use the system securely, given the nature of that use, and how to get help in the event of difficulty with using or security of the system.
(6) Access provided to members of the public should be constrained by controls in the applications through which access is allowed, and training should be within the context of those controls.
(7) Additional awareness training will be provided when significant changes occur in AIS security environments or procedures, or to employees who assume new positions or assignments dealing with information at a higher level of sensitivity.
(8) Security awareness training should include the following topics, as appropriate.
(a) Common AIS threats, vulnerabilities, and risks.
(b) Information accessibility, handling, labeling, and storage protection considerations.
(c) Physical and environmental AIS protection considerations.
(d) AIS data access controls and rules of behavior.
(e) Procedures for disaster recovery and contingency operations plans.
(f) AIS security configuration management and control requirements.
(g) AIS-related security incident reporting requirements and procedures.
(9) Specialized training is required for all individuals given access to an application, including members of the public. It should vary depending on the type of access allowed and the risk that access represents to the security of the application and information in it. This training will be in addition to that required for access to a support system. Such training may vary from a notification at the time of access (e.g., for members of the public using an information retrieval application) to formal training (e.g., for an employee that works with a high-risk application).
(10) All personnel who design, develop, operate, or maintain sensitive AIS will be provided security training appropriate to the level of risk they present to Customs AIS. The training shall address the types of security and internal control techniques that ought to be incorporated into AIS development, operation, and maintenance.
(11) AIS Security Administration should be consulted for guidance on achieving training objectives.
3.7 SECURITY OVERSIGHT
The ADP Steering Committee, Security Subcommittee, is the oversight authority for Customs AIS Security Program. (See also: Section 2.2(2))
The AIS Security Officer conducts ongoing day-to-day operational policy-related security oversight activities and ensures that periodic AIS security reviews are conducted.
(1) The AIS Security Officer must develop and maintain, with the assistance of AIS Security Administration, IRM, and SPD managers, a list of AISs requiring accreditation. This list must be annually verified and should include the recommended accreditation priority and AA identity for each AIS.
(2) Given the global nature of Customs AIS resources, the appointment of DSOs provides local oversight and helps to ensure adherence to AIS security policy. DSOs provide points of contact for accomplishing AIS security-related activities.
(3) Customs Office of Information and Technology (OIT) has sign-off authority for AIS-related acquisitions and will enforce AIS security as part of the procurement process.
The AIS Security Officer reviews and authorizes all security-related acquisitions for sensitive AISs to ensure that the appropriate AIS security requirements are included in the specifications for the operation of an AIS installation facility, equipment, application system, or the acquisition of AIS hardware, software, or related services.
(4) The Contracting Officer Technical Representative (COTR) has contract oversight and will ensure that the contractor-related AIS security requirements are followed throughout the contract life-cycle.
(5) The AIS security policy program is implemented through the following actions:
(i) appointment of DSOs;
(ii) acquisition reviews;
(iii) review and approval of security requirements to support AIS development;
(iv) preparation, approval, and implementation of certification requirements;
(v) preparation and approval of accreditation documentation;
(vi) security training reviews;
(vii) security controls and auditing; and
(viii) security incident reporting.
CHAPTER 4
MINIMUM SECURITY REQUIREMENTS
The AIS security goal is to develop a functionally secure, efficient, cost-effective environment based on an assessment of security risks and safeguards. All AISs processing, storing, or transmitting sensitive information must meet the requirements of this policy through automated or manual means. More stringent requirements may be imposed based on a risk analysis.
This section documents the minimum security requirements for Customs AISs processing sensitive data with respect to: Facility, Personnel, Automated, and Telecommunications security.
4.1 FACILITY SECURITY
(1) The Security Programs Division (SPD), Security Management Branch, prescribes policies, procedures, and standards for the Customs facility security program.
(2) Facility security addresses the requirements to provide adequate physical and environmental controls based on the level of risk to the AISs supported in a facility, as identified by a risk analysis. The security controls must not be less than the minimum requirements discussed in this section, unless a written waiver has been granted by the Accrediting Authorities (AAs).
(3) For the purposes of this policy, an AIS facility includes physical space housing AIS equipment such as terminals, microcomputers, mainframe systems, communications equipment, or supporting environmental control utilities. Facilities also include data storage and AIS documentation libraries (e.g., off-site back-up storage facilities).
4.1.1 Physical
(1) Physical security is concerned with the measures designed to prevent unauthorized physical access to equipment, facilities, material, information, and documents, and to safeguard them against espionage, sabotage, damage, tampering, theft, and other covert or overt acts. AIS hardware, software, documentation, and all sensitive information handled by the AIS will be protected to prevent unauthorized disclosure, modification, or destruction. AIS hardware, software, or documentation must be protected if access to such resources may reveal information that can be used to eliminate, bypass, or otherwise render ineffective the security safeguards (countermeasures) used to protect sensitive information.
(2) Sensitive Customs information, while operational, must be processed, stored, or transmitted in physical spaces (i.e., buildings, communications facilities, etc.) which are under exclusive Customs control, including control established through MOUs (Memoranda of Understanding) and contractual agreements. When not in operation, or not under the direct control of an authorized person, Customs AISs and information must be protected by control systems and measures consistent with the Customs facility security program.
Prior to conducting sensitive AIS operations at any location, AIS security planning must consider the facility security program as part of the accreditation process.
(3) For all types of facilities where sensitive information is stored, processed, or transmitted, physical access will be restricted to those individuals who are authorized according to the personnel security requirements and who are necessary to complete assigned job functions and related duties. (See also: Section 4.2)
All other personnel granted facility access must be properly escorted and restricted to those areas necessary to complete their tasks. Sensitive Customs information must be protected from unauthorized disclosure to such persons.
4.1.2 Environmental
(1) Environmental controls address the requirements to provide appropriate temperature and humidity controls, fire protection, power, and natural disaster protection necessary to ensure the continuity of operations for AIS facilities and equipment.
(2) Areas that support desktop AIS equipment generally require environmental controls specified for human safety and comfort. Additional physical, electrical, temperature, and humidity controls may be needed to ensure reliable AIS operations in some cases.
(3) Facilities supporting large-scale AIS operations, such as mainframe computers and telecommunication facilities, may require additional environmental controls as determined by operational needs and risk analysis. The following additional controls should be considered:
(a) Fire prevention, detection, suppression, and protection measures.
(b) Water hazard detection, prevention, and corrective measures.
(c) Electric power supply protection.
(d) Temperature and humidity controls.
(e) Protective or control measures from the effects of earthquakes, lightning, windstorms, and other natural disasters.
(f) Protective or control measures from the effects of industrial, environmental, or other physical conditions which might seriously impact normal AIS operations.
(g) Housekeeping protection from dirt, dust, and other contaminants.
(h) Personnel safety features.
4.2 PERSONNEL SECURITY
(1) The Security Programs Division (SPD) sets policy and provides procedures and guidance in support of Customs personnel security program. Prior to conducting AIS operations, and as part of the accreditation process, AIS security planning must consider the personnel security program.
(2) All personnel entrusted with the management, operation, maintenance, or use of a Customs AIS processing, storing, or transmitting sensitive information require appropriate personnel security approval. [USCS 51000-05]
(3) Customs personnel and Non-Customs contractor personnel entrusted with the management, operation, maintenance, or use of sensitive Customs AISs require an appropriate authorization and must have a completed Background Investigation (BI). [USCS 1460-010]
(4) Non-Customs government personnel entrusted with the management, operation, maintenance, or use of sensitive Customs AISs require an appropriate authorization and background investigation.
(5) Non-Customs personnel (members of the trade community) who use Customs AISs must be authorized in writing by the AIS Security Officer, the Process Owner, or some other formalized process that assures appropriate authorization.
(6) Non-Customs AIS technical support personnel who are required to perform maintenance on Customs AISs within Customs-controlled facilities may be approved for unescorted access based on an appropriate authorization and a completed BI.
(7) AIS security training must be provided to all personnel who manage, operate, develop or use AISs. (See also: Section 3.6)
4.3 AUTOMATED SECURITY
This section establishes near-term requirements and long-term goals to improve the security of Customs AISs through increasing reliance on automated security features. The minimum security requirements addressed in this section are feasible in the current Customs AIS environment. As technology evolves, the desirable security features identified in this section should be assessed during AIS planning and development.
4.3.1 Minimum Security Requirements
National Policy on Controlled Access Protection. The White House, National Telecommunications and Information Systems Security Committee, 07/15/87, directs that Federal agencies must provide automated Controlled Access Protection (C2 level) for all sensitive or classified information processed or maintained by AIS, when all users do not have the same authorization to use the sensitive information. [NTISSP 200]
(1) AISs used for the processing of sensitive information must have the security functionality of the C2 level of trust, as defined in the Department of Defense (DoD), Trusted Computer System Evaluation Criteria (TCSEC). [5200.28-STD]
(a) In cases where C2 functional security requirements are time consuming, technically unsound, or adversely affect operations to an unacceptable degree, other safeguards may be substituted if they maintain the level of system security commensurate with the sensitivity of the data. The AIS Security Officer must approve exceptions (written waiver) to C2 functional security requirements for sensitive AIS. (See also: Appendix C)
(b) The National Computer Security Center (NCSC) Technical Guide, Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria (TNI-TCSEC, commonly known as the "red book"), provides guidance on achieving C2 functionality in networks. [NCSC-TG-005]
(2) The design of AISs that process, store, or transmit sensitive information must include at a minimum, the automated security features discussed in this section. Security safeguards will be in place to ensure each person having access to a sensitive AIS is individually accountable for their actions on the system.
(a) User Identification. User access will be controlled and limited based on positive user identification and authentication mechanisms that support the minimum requirements of access control, least privilege, and system integrity.
(b) Authentication. For AIS requiring authentication controls, the AIS will ensure that each user is authenticated prior to AIS access. The preferred method for authenticating users is a password system where authentication is done each time the password is used. More sophisticated authentication techniques, such as "smart cards," MISSI (Multilevel Information Systems Security Initiative) technology (Fortezza, Capstone, etc.), biological recognition systems (retina scanners, hand print, voice recognition, etc.), must be cost-justified through the risk analysis process. [MISSI]
(c) Audit Records. AIS transactions are subject to recording and routine review for inappropriate or illegal activity. Audit trail records should be sufficient in detail to facilitate reconstruction of events if compromise or malfunction occurs, or is suspected, and should be reviewed as specified in the AIS security plan. The audit trail records should contain at least the following information.
(i) Identifier of each user and device accessing or attempting to access an AIS.
(ii) The time and date of the access and of the logoff.
(iii) Identification of activities that might modify, bypass, or negate AIS security safeguards.
(iv) Log of security-relevant actions associated with processing.
(d) Object Reuse. Sensitive AIS must clear memory and/or data storage areas (RAM, DASD, tape, R/W Optical, etc.) prior to reallocation of the area to a different user. This prevents one user from obtaining residual data of another user.
(e) Access Control. Sensitive AIS may implement additional discretionary access control (DAC) measures such as file passwords, access control lists, disk encryption, or other techniques, as defined in the approved system security plan.
(3) For sensitive AIS the following Warning Banner (exactly as worded in Figure 3) must be displayed to users at logon time, followed by a pause requiring manual intervention to continue. This ensures that users are informed that all Customs AISs are subject to monitoring and that by using the AIS they consent to such monitoring.
(4) Automatic interactive-session timeout (logoff) will be provided for all general support and/or sensitive AISs. This will lock out a user session after an interval of inactivity, not to exceed the time interval and restart requirements specified in the AIS security plan. System logon will be required to re-access the AIS.
(5) Interconnections between sensitive Customs AISs and non-Customs AISs must be established through controlled interfaces and will be accredited at the highest security level of information on the network. Consult the AIS Security Officer for guidance on establishing controlled interfaces.
Controlled interface functions are a combination of gateway and guard functions.
Gateways provide secure points of interconnection between networks, connected peripheral devices, remote terminals, or remote hosts, and provide a reliable exchange of information to allow secure interconnections between components.
Automated guard processors and security filters (e.g., firewall) are software, combined hardware/software techniques, or specialized hardware that filter information in a data stream based on associated security information and/or data content.
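As an added illustration of the audit-record review described in 4.3.1(2)(c) and the inactivity timeout of 4.3.1(4), the following Python reviewer (example code, not part of the manual or any Customs system) checks constructed audit records for the required user, device and time fields, flags events that might modify or negate security safeguards, reconstructs logon/logoff sessions, and reports idle gaps longer than the plan's interval. The pipe-separated record format, the event names and the 15-minute interval are assumptions standing in for whatever a given AIS security plan specifies.

```python
"""Review AIS audit trail records against the minimum content required by
4.3.1(2)(c) and the session inactivity rule of 4.3.1(4).

Added example, not part of the policy manual. The record layout
(time|user|device|event|detail), the event names and the inactivity limit
are assumptions; a real AIS security plan defines its own."""
from collections import defaultdict
from datetime import datetime, timedelta

# Every record must identify the user and device and carry a timestamp.
REQUIRED_FIELDS = ("time", "user", "device", "event")
# Events that "might modify, bypass, or negate AIS security safeguards".
SECURITY_RELEVANT = {"AUDIT_DISABLE", "PRIV_CHANGE", "ACL_CHANGE", "LOGON_FAIL"}
# Inactivity interval taken from the (assumed) AIS security plan.
INACTIVITY_LIMIT = timedelta(minutes=15)

# Constructed sample audit trail (not real data): time|user|device|event|detail
SAMPLE_AUDIT = """\
1998-03-02T08:00:00|jsmith|TERM-041|LOGON|
1998-03-02T08:05:10|jsmith|TERM-041|FILE_READ|/data/entries.dat
1998-03-02T08:40:00|jsmith|TERM-041|FILE_WRITE|/data/entries.dat
1998-03-02T08:41:00|jsmith|TERM-041|LOGOFF|
1998-03-02T09:00:00|adoe|TERM-007|LOGON|
1998-03-02T09:01:30|adoe|TERM-007|PRIV_CHANGE|added to group ADMIN
1998-03-02T09:02:00|adoe|TERM-007|AUDIT_DISABLE|
1998-03-02T09:10:00||TERM-007|FILE_READ|/etc/passwd
1998-03-02T09:15:00|guest|TERM-099|LOGON_FAIL|bad password
"""


def parse_record(line):
    """Split one record into a dict; return (record, list_of_problems)."""
    parts = line.split("|")
    if len(parts) != 5:
        return None, ["malformed record: %r" % line]
    rec = dict(zip(("time", "user", "device", "event", "detail"), parts))
    problems = ["missing %s" % f for f in REQUIRED_FIELDS if not rec[f]]
    try:
        rec["time"] = datetime.fromisoformat(rec["time"])
    except ValueError:
        problems.append("unparsable time")
        rec["time"] = None
    return rec, problems


def review_audit_trail(text, inactivity_limit=INACTIVITY_LIMIT):
    """Return a list of (line_number, finding_kind, description)."""
    findings = []
    sessions = defaultdict(list)  # (user, device) -> [(lineno, record), ...]
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec, problems = parse_record(line)
        for p in problems:  # record lacks required identifying content
            findings.append((lineno, "INCOMPLETE_RECORD", p))
        if rec is None or rec["time"] is None:
            continue
        if rec["event"] in SECURITY_RELEVANT:
            who = rec["user"] or "?"
            findings.append((lineno, "SECURITY_RELEVANT",
                             ("%s %s %s" % (who, rec["event"], rec["detail"])).strip()))
        if rec["user"] and rec["device"]:
            sessions[(rec["user"], rec["device"])].append((lineno, rec))

    # Reconstruct each user/device session and check logon/logoff pairing
    # and whether the inactivity timeout would have closed the session.
    for (user, device), recs in sessions.items():
        tag = "%s@%s" % (user, device)
        open_session, last_seen = False, None
        for lineno, rec in recs:
            if rec["event"] == "LOGON":
                open_session, last_seen = True, rec["time"]
                continue
            if not open_session:
                if rec["event"] != "LOGON_FAIL":
                    findings.append((lineno, "NO_LOGON",
                                     "%s activity without recorded logon" % tag))
                continue
            gap = rec["time"] - last_seen
            if gap > inactivity_limit:  # session should have been locked
                findings.append((lineno, "TIMEOUT_NOT_ENFORCED",
                                 "%s idle %s then %s without re-logon"
                                 % (tag, gap, rec["event"])))
            last_seen = rec["time"]
            if rec["event"] == "LOGOFF":
                open_session = False
        if open_session:
            findings.append((recs[-1][0], "NO_LOGOFF",
                             "%s session never closed" % tag))
    return findings


if __name__ == "__main__":
    for lineno, kind, desc in review_audit_trail(SAMPLE_AUDIT):
        print("line %d %-22s %s" % (lineno, kind, desc))
```

Run against the constructed trail, the reviewer reports the 35-minute idle gap on line 3, the privilege change and audit shutdown on lines 6 and 7, the record on line 8 that omits the user identifier, the failed logon on line 9, and the session on TERM-007 that was never logged off.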
4.3.2 Security Assurances
(1) AISs will be examined when received from the vendor(s) and before being placed into operation. The following areas must be considered:
(a) Hardware. An examination will result in assurance that the equipment appears to be in good working order and has no components that might be detrimental to the secure operation of the resource when placed under Customs control and cognizance. Subsequent changes and developments which affect security may require additional examination.
(b) In-house Developed Software or Government-Off-The-Shelf (GOTS). New or significantly changed software developed by or specifically for Customs or the Government will be subject to testing and review at all stages of the development, as required by the SDLC. [USCS 5500-4]
(c) Commercial-Off-The-Shelf Software (COTS). Commercially procured software will be examined to assure that the software does not contain features which might be detrimental to AIS security. Security-related software will be examined by Customs authorized personnel to assure that the security features function as specified.
(2) Customs endorses the use of products from the Evaluated Products List (EPL) of the National Computer Security Center (NCSC). EPL products are computer systems, software, or components that protect information while it is being stored or processed.
When certified as properly implemented through the process discussed in Section 3.4, these products will be accepted as meeting the security requirements for the portion of the sensitive AIS where they are used.
(3) When EPL products are not specified or used for sensitive AIS, the AIS security plan must include a functionality statement and implementation schedule of how the C2 security level functionality will be achieved. The statement will become part of the accreditation package and must address the following EPL evaluation areas.
(a) Confidence in software source. In acquiring software resources to be used as part of a sensitive AIS, consideration will be given to the level of confidence placed in the vendor to provide a quality product, to support the security features of the product, and to help in the correction of any flaws.
(b) Security performance testing. Security performance testing includes both certification testing that is performed before the AIS is accredited and ongoing performance testing that is performed on a regular basis.
(c) Security penetration testing. In addition to testing the performance of the AIS, there will be testing to attempt to penetrate the security safeguards of the system. The test procedures will be documented in the test plan for certification and in the ongoing test plan.
(d) Life-cycle assurance. The development of hardware, firmware, and software will be conducted under life-cycle control and management.
(4) A configuration management (CM) system is required to preserve the AIS accreditation integrity and maintain control of changes to any of the AIS features that may alter the accreditation status. Examples of CM activities include security-related hardware changes, or changes to any line of source or object code of the security-related software. The CM system will record by whom, for what reason, and when the change is made. Documentation of the security-related hardware and/or software design will be maintained and kept current. [NCSC-TG-006]
4.3.3 Desirable Security Features
(1) AIS planning must consider technological advances in security features. The planning process will be documented and approved via the AIS security plan.
(2) Interoperability with external systems must consider support for digital signature standards (DSS), nonrepudiation in messaging systems, and data encryption issues as they relate to interagency communications or interoperability.
(3) Continuous On-Line Automated Monitoring and Warning functions for sensitive AIS can provide real-time use monitoring (audit) and real-time warning to the DSOs of suspected AIS misuse.
(4) Network Access Control Features should address the following areas, to achieve C2 level security of communications paths:
(a) Identification and Authentication Forwarding. Reliable forwarding of the identification should be used between AISs when users are connecting through a network. When identification forwarding cannot be verified, a request for access from a remote AIS should require authentication before permitting access to the system.
(b) Protection of Authenticator Data. In forwarding the authenticator information and any tables (e.g., password tables) associated with it, the data should be protected from access by unauthorized users (e.g., by encryption) to ensure its integrity.
4.4 ADMINISTRATIVE SECURITY
Administrative security consists of the controls and operational procedures used with or in place of computer security features. Administrative security controls must be documented in the AIS security plan, Security Features User's Guide (SFUG), and Trusted Facility Manual (TFM) for each accredited AIS.
4.4.1 Accountability and Access Control Criteria
The DSO will establish access control criteria and administrative procedures to limit access to information processed, stored, or transmitted by sensitive Customs AISs. These activities are documented in the AIS security planning process, approved by the AIS Security Officer, and accredited as discussed in Section 3.4 and should include at least the following:
(1) The access control criteria identify who is authorized AIS access and who is responsible for approving such access.
(a) The individual who requires access must possess the appropriate security authorization and have a valid need-to-know.
(b) The AIS security features must have the capability to restrict the user's access to only that information which is necessary for scope of the job or assignment.
(2) Customs and contractor personnel who access sensitive Customs AISs must have a completed BI (discussed in Section 4.2). Personnel must only be granted access to AISs for which they have a valid need-to-know based on their operational needs (i.e., the principle of least privilege).
(3) Customs AISs are generally designed for the use of Customs personnel, but by special arrangements Customs may authorize certain types of access to other Federal, State, local, or international law enforcement agencies, other government agencies, private contractors, and trade community members in support of particular operations.
Written requests for special access must be submitted to the appropriate Customs Security Administrator who coordinates the AIS security process for the sponsoring organization. The Security Administrator will ensure that such requests meet the following criteria.
(a) The individual for whom access is requested must have appropriate security authorization for the information or functions which are being requested.
(b) The individual must have a valid need-to-know (i.e., access is an operational necessity) documented in the application by the sponsoring organization.
(c) The AIS security features have the capability to restrict the user's access to only information and/or functions appropriate for the authorized activities.
(d) If the AIS access is for members of the trade community, it must be based on limits as specified in formal agreements with Customs.
(4) Some Customs AISs are designed for the support of the law enforcement, trade communities (e.g., TECS, ACS), and other agencies. Access requirements, controls, and procedures are defined for each system and documented in its System Security Plan. Reference the appropriate AIS support documentation for details related to such systems.
4.4.2 Software and Data Security
(1) All executable software used on sensitive Customs AISs should be obtained through authorized procurement channels. Software acquired by any other means (e.g., public domain software, bulletin board services, personally owned software [developed or purchased]) is restricted and must be approved in writing by AIS Security Administration as an operational necessity.
(2) Safeguards must be in place to detect and minimize inadvertent or malicious modification or destruction, or attempts to do so, of a sensitive AIS's application software, operating system software, and critical data files. The safeguards should achieve the integrity objectives and be documented in the AIS security plan.
(a) Executable software authorized to run on a sensitive Customs AIS will be identified in the AIS security plan.
(b) The level of protection must be commensurate with the sensitivity of the information processed.
(c) At a minimum, essential data should be backed up and the media stored physically separate from the AIS (preferably at an off-site location). Appropriate AIS security controls must be in place to assure viability of such back-ups.
(3) Virus and malicious code (software) prevention and control measures, commensurate with the identified level of risk, will be employed to protect the integrity of the software and data for applicable AIS.
(a) The AIS Security Officer manages the virus protection program for Customs and should be contacted for approved prevention and control measures (e.g., behavior detection, scanning, cleanup techniques and/or procedures) if there is a suspected or known malicious code (software) threat.
(b) Identified incidents of malicious code (software), or virus infections should be reported promptly to the DSO, AIS Security Officer, and/or IA, as appropriate.
(c) Prior to introduction into or use by Customs, AIS data recording media will be scanned for malicious code (software), including:
(i) all Customs-seized AIS machines and media,
(ii) all removable AIS magnetic or optical recording media (e.g., floppy disks, CD-ROM, etc.), regardless of source, and
(iii) all fixed AIS storage devices (e.g., hard drives, R/W Optical, etc.), on a periodic basis.
(4) Use of copyrighted software will comply with copyright laws and license agreements.
(5) Introduction of data from sources and/or in formats other than those specified in the appropriate AIS security plan (e.g., financial data received from financial institutions) must be approved in writing by the AIS Security Officer as an operational necessity. These activities must be in conformance with the accreditation of the AIS and FOIA/PA (Freedom of Information Act/Privacy Act) requirements.
(6) To maintain software integrity, proper configuration management (CM) and controls must be used to monitor software installation and updates. This process will provide a historical record of software changes, helping to ensure that the software functions as expected, is maintained, and that only authorized software is permitted on the AIS.
4.4.3 Technical Support and Maintenance
(1) Technical support and maintenance activities for Customs AIS must ensure that:
(a) Hardware and software maintenance activities do not affect the integrity of existing safeguards or permit the introduction of security exposures into an AIS (e.g., computer viruses, Trojan Horses, logic bombs, malicious code, etc.).
(b) Sensitive Customs AIS electronic storage and memory devices are not released from Customs control without proper clearing procedures to remove residual data. Exceptions (waivers) must be approved by the AIS Security Officer.
(c) Automated (i.e., computer-connected) dial-up diagnostic maintenance of sensitive Customs AIS via remote communications between vendors and Customs AIS facilities is prohibited unless authorized by the Principal Accrediting Authority (PAA) in the AIS Accreditation. The Accreditation should reference an approved contract, MOU, or other agreement when such a service is included.
(2) AIS technical support and maintenance work performed in Customs facilities (on-site) must be supervised by or under the control of Customs personnel knowledgeable in appropriate AIS operations.
On-site AIS technical support and maintenance personnel must meet the personnel security requirements. (See also: Section 4.2)
(3) AIS technical support and maintenance must be considered in AIS certification.
4.4.4 Portable Computer Equipment
Customs AIS portable computers, related types of equipment, and storage media must be restricted to the exclusive authorized Customs use. Unattended Customs AIS equipment and storage media must be secured in an appropriate manner commensurate with the sensitivity of the data, equipment, and authorized use. To the extent possible, such equipment and storage media must be kept in the possession of the individual to whom it is issued or charged out.
4.4.5 Classification and Controls
(1) Customs AISs that store, process, or transmit sensitive information must be adequately safeguarded to ensure that access to sensitive Customs information is restricted to Customs authorized personnel, and operated only by Customs authorized persons in facilities (physical space) under Customs authorization or control.
(2) When not under the control of Customs authorized personnel, Customs sensitive AISs and related equipment must, at a minimum, be secured as follows:
(a) Microcomputers, terminals, displays, and related AIS equipment which might provide unauthorized access to sensitive data or resources must be turned off or otherwise made inaccessible. Additional appropriate security control measures may be necessary in some situations. Exceptions (waivers) must be part of the accreditation statement or separately approved by the AIS Security Officer.
(b) Diskettes, tapes, removable storage devices, printer ribbons or laser cartridges, and other AIS media which contain sensitive information must be labeled and secured commensurate with the highest level of information stored on the device. Destruction of such media must be appropriate to the level of sensitivity of the data stored on it.
4.4.6 External Labels
In an AIS environment where no classified information is processed or stored, special security labels with the word "Unclassified" are not required to identify that the storage media contains unclassified information. However, for some categories of SBU data, special identification labels are required. Reference the Safeguarding Classified Information Handbook for the appropriate procedures. [USCS HB 1400-03]
The term "unclassified" is not a security classification, but is a category of data within which are several subcategories, including sensitive but unclassified (SBU) and public information.
Sensitive but unclassified (SBU) information is restricted to authorized persons with a need-to-know and requires appropriate controls as explained in this manual.
4.4.7 Customs Work Performed at non-Customs Locations
When operational necessity requires that Customs authorized work be performed at non-Customs controlled locations (e.g., field assignment, work at home, etc.), the following policies apply and associated risks must be appropriately managed.
(1) Customs management must determine that required security controls and documentation are in place for authorized AIS operations and that SBU information is properly protected. Although current technology makes it feasible to address these requirements, providing adequate safeguards and conducting related activities for individual AISs may not always be cost-effective.
AIS security control documentation includes the following.
(a) System security plan.
(b) Risk analysis.
(c) Contingency plan.
(d) Security procedures.
(e) Certification.
(f) Accreditation.
(2) AIS equipment (whether or not Customs owned) used to process SBU information at non-Customs controlled locations must meet the security requirements for sensitive Customs AISs as presented in this policy manual.
(3) Authorized use of Customs owned computer equipment at home is permitted when such usage is consistent with the policy as presented in this manual.
4.4.8 Use of Non-Customs Owned AISs
(1) It is Treasury policy that "Personally-owned computers and software will not be used to process sensitive but unclassified (SBU) information without the approval of the Principal Accrediting Authority." (Reference: TD P 71-10, Chap. VI, Section 4.D.1).
Treasury policy defines personally-owned computers or software as "Computers or software purchased with non-government funds, except those turned over for exclusive U.S. Government control and use and where the hard-drive will be properly erased when the system is no longer in U.S. Government use." (Reference: TD P 71-10, Appendix B. Definition updated 11/24/95).
(2) It is Customs policy that non-Customs owned computers or software will not be used to process, access, or store Sensitive But Unclassified (SBU) information without the written approval of the Principal Accrediting Authority (PAA).
(a) Policy exceptions (waivers) must be approved by the PAA who assumes the associated risks for authorizing the use.
(b) The protection requirements for data on Customs owned equipment apply equally to the protection of data when used on non-Customs owned equipment.
4.5 TELECOMMUNICATIONS SECURITY
The Federal government is developing appropriate security policies and infrastructures that deal with the rapidly changing field of telecommunications. Under the auspices of the White House Office of Science and Technology Policy, the National Information Infrastructure Task Force (NITF) is a driving force in this effort. The NITF includes high-level representatives of Federal agencies that play a major role in the development and application of information and telecommunications technologies. [GAO94285; GAO9523]
4.5.1 Information System Standards
It is the policy of the Department of the Treasury to comply with all mandatory Federal Information Processing Standards (FIPS), mandatory Federal Telecommunications Standards (FED-STDs), voluntary FIPS, FED-STDs, American National Standards Institute (ANSI), or other information system standards and guidelines to the extent they are determined to be cost-effective and appropriate for the intended use. A waiver process is defined in Treasury Information Systems Standard Program, 8/23/89. [TD 87-01; COHEN]
4.5.2 Network Connections
Telecommunication connections between Customs AISs and non-Customs AISs or networks, public or private, may be authorized by the AIS Security Officer under the following conditions:
(1) Non-sensitive Customs AIS, when operated in a dedicated security mode, must be locally documented, including the administrative approval of the AIS Security Officer and a technical description of the connection(s). Example: microcomputers, PCs, etc., that do not contain or process SBU data and are not connected physically or logically to any other Customs AIS or network (Treasury or Customs).
(2) All other Customs AIS connections to non-Customs networks must be approved by the AIS Security Officer, on a case-by-case basis. The AIS Security Officer will ensure that the appropriate safeguards are in place and that documentation, such as license agreements, memoranda of understanding (MOU), interconnection agreements, etc., are executed on behalf of Customs, as part of the approval process. Example: Customs AIS access to the National Information Infrastructure (NII) or commercial information databases (e.g., LEXIS/NEXIS, Dun & Bradstreet Business records, D&B Worldbase, etc.).
4.5.3 Internet Services
Treasury policy: Issued April 28, 1995, by the Deputy Assistant Secretary for Information Systems. [TD INTERNET]
Treasury operating policy requires that any access to the Internet services from Treasury AIS (including Customs) be provided via protected Internet gateways (access control mechanisms) that have been approved by the Office of Telecommunications Management (OTM).
Exceptions must be approved in writing by the Director, OTM.
Customs policy:
In addition to Treasury policy, Customs owned or controlled AISs may only access the Internet via Customs approved gateways.
This limitation means that Customs owned, controlled, or authorized computer equipment, regardless of its location or means of connection to any network or system, may not be used to access the Internet, directly or indirectly (e.g., via service providers such as CompuServe, AOL, etc.), unless such connection is via a Customs approved Internet gateway (i.e., firewall). While the configuration of some networks makes it technically possible to access the Internet without going through an approved gateway, such access is not authorized.
Exceptions to this policy must be approved in writing by the Director, OTM, U.S. Treasury Department. [TD INTERNET]
4.5.4 Electronic Mail (E-Mail)
Government projects and commercial products for secure electronic mail (E-Mail) systems are undergoing rapid development and will be available in the coming years. Until such products are implemented, users are cautioned NOT to send sensitive information via E-Mail.
4.5.5 Facsimile (FAX)
Sensitive information will only be transmitted via a secure facsimile system (e.g., encrypted or via a protected network). Commercial-off-the-shelf (COTS) software and hardware are available to provide the necessary safeguards and should be employed as appropriate.
4.5.6 PBX and Voice Mail Systems
Private Branch Exchanges (PBX) and voice mail systems do not currently meet standard security specifications and are not generally considered secure systems. They are susceptible to unauthorized access, and messages left on a voice mail system should contain the least amount of information possible. Do not leave any information on a voice mail system that, if compromised, could damage the Customs mission. Report suspected unauthorized access attempts to AIS Security Administration.
PBX systems must be physically secured and system security features configured (to the extent possible for a specific system) to prevent unauthorized access to dial-tones, modems, or other AIS access. (See also: Appendix D. Good Security Practices).
Voice Mail and Voice Interactive Response systems must be configured (to the extent possible) to prevent unauthorized access to dial-tones, modems, or other AIS access. (See also: Appendix B. Good Security Practices).
4.5.7 Communications Security (COMSEC)
COMSEC is intended to deny unauthorized persons information derived from telecommunications of the United States Government related to national security and to ensure the authenticity of such communications. COMSEC issues should be directed to the Communications Security Management Branch, Orlando, FL. [USCS 4300-09]
CHAPTER 5
SECURITY INCIDENTS AND VIOLATIONS
Definition: AIS Security Incident. An AIS security incident is any event and/or condition that has the potential to impact the security and/or accreditation of an AIS and may result from intentional or unintentional actions.
Examples include: unauthorized attempts to gain access to information; introduction of malicious code or viruses into Customs AISs; loss or theft of computer media; or the failure of an AIS security function to perform as designed. For reporting purposes, malicious code (software) incidents include any detection of malicious code, whether detected on magnetic media prior to the media's entry into a Customs AIS or after infection of the AIS, and any actual execution of malicious code.
Definition: AIS Security Violation. An event which may result in disclosure of sensitive or classified information to unauthorized individuals, or that results in unauthorized modification or destruction of system data, loss of computer system processing capability, or loss or theft of any computer system resources.
(See also: TD P 71-10, Chapter III.4)
(1) Customs employees, contractors, and/or users should report security-related incidents and/or violations through the appropriate supervisory channels to the DSOs, Security Administrators, AIS Security Officer, or Internal Affairs (IA), as appropriate. The AIS Security Officer will maintain the appropriate records and address the impact of the security incidents on the accreditation status of related AISs. Additional security safeguards to reduce generic risks may be recommended, as required.
(2) Additionally, malicious code (software) and virus infection incidents on Customs AIS (i.e., mainframes, microcomputers, networks, PCs, floppy disks or other media, etc.) should be promptly reported to the AIS Security Officer.
(3) Customs employees may be subject to disciplinary action for failure to comply with Customs AIS security policy, whether or not the failure results in criminal prosecution.
AIS security-related violations are addressed in the Treasury Standards of Ethical Conduct for Employees of the Executive Branch and the Customs Conduct and Employee Responsibilities. Such violations should be reported through the appropriate supervisory channels to the AIS Security Officer and/or IA, as appropriate. [TD ETHICS; USCS 51000-05]
(4) Non-Customs employees who fail to comply with this policy are subject to having their access to Customs AISs and facilities terminated, whether or not the failure results in criminal prosecution.
(5) Any person who improperly discloses sensitive or classified information is subject to criminal and civil penalties and sanctions under a variety of laws (e.g., Privacy Act ...).
GLOSSARY
Editor's note: Computer terms have evolved and become more clearly defined during the past decade. The referenced definitions are from recent publications of established sources, and are generally preferred.
Source references:
Glossary of Computer Security Terminology, developed by the National Security Telecommunications and Information Systems Security Committee (NSTISSC) and published by NIST as NISTIR 4659. Available from NTIS as PB92-112259.
Glossary for Computer Security Terms. National Technical Information Service (NTIS), FIPS PUB 39, Springfield, VA., 02/15/76. Withdrawn 4/93. Replacement is FIPS 11-3.
Introduction to Certification and Accreditation. National Computer Security Center (NCSC), NCSC-TG-029, Ver. 1, NSA, Ft. George G. Meade, MD., January 1994.
Treasury Security Manual, TD P 71-10, Appendix B, 1993.
Access
A specific type of interaction between a subject and an object that results in the flow of information from one to the other. The capability and opportunity to gain knowledge of, or to alter information or materials including the ability and means to communicate with (i.e., input or receive output), or otherwise make use of any information, resource, or component in a computer system.
Access Control
The process of limiting access to the resources of a system to only authorized persons, programs, processes, or other systems. Synonymous with controlled access and limited access. Requires that access to information resources be controlled by or for the target system. In the context of network security, access control is the ability to limit and control the access to host systems and applications via communications links. To achieve this control, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual.
Accreditation/Approval
The official management authorization for operation of an AIS. It provides a formal declaration by an Accrediting Authority that a computer system is approved to operate in a particular security mode using a prescribed set of safeguards. Accreditation is based on the certification process as well as other management considerations. An accreditation statement affixes security responsibility with the Accrediting Authority and shows that proper care has been taken for security.
Accrediting Authority (AA)
The official who has the authority to decide on accepting the security safeguards prescribed for a computer system or that official who may be responsible for issuing an accreditation statement that records the decision to accept those safeguards.
See also: Designated Approving Authority (DAA), Principal Accrediting Authority.
Adequate Security
Security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational and technical controls. [OMB A-130, AIII]
Administrative Systems
An automated Customs system to provide support in areas of accounting, personnel, payroll, logistics and other support services.
ADP
Automatic Data Processing. See also: Automated Information System.
AIS
See: Automated Information System.
AIS Owner
The official who has the authority to decide on accepting the security safeguards prescribed for an AIS and is responsible for issuing an accreditation statement that records the decision to accept those safeguards.
See also: Accrediting Authority (AA), Application Owner, Process Owner, PAA, DAA.
AIS Security
Measures or controls that safeguard or protect an AIS against unauthorized (accidental or intentional) disclosure, modification, destruction of the AIS and data, or denial of service. AIS security provides an acceptable level of risk for the AIS and the data contained in it. Considerations include: 1) all hardware and/or software functions, characteristics, and/or features; 2) operational procedures, accountability procedures, and access controls at all computer facilities in the AIS; 3) management constraints; 4) physical structures and devices; and 5) personnel and communications controls.
Application
A software organization of related functions, or series of interdependent or closely related programs, that when executed accomplish a specified objective or set of user requirements. Customs applications include: Automated Commercial System (ACS), Automated Export System (AES), Treasury Enforcement Communication Systems (TECS), and Administrative Systems (AS). [USCS 5500-05] See also: Major Application, Process.
Application Owner
The official who has the responsibility to ensure that the program or programs which make up the application accomplish the specified objective or set of user requirements established for that application, including appropriate security safeguards.
See also: Accrediting Authority (AA), Process Owner.
Audit
To conduct the independent review and examination of system records and activities.
Audit trail
A set of records that collectively provides documentary evidence of processing. It is used to aid in tracing from original transactions forward to related records and reports, and/or backwards from records and reports to their component source transactions.
Automated Commercial System (ACS)
A joint public/private data processing system used by Customs and the import trade community to process millions of commercial cargo shipments entering U.S. commerce each year.
Automatic Data Processing (ADP)
The assembly of computer hardware, firmware, and software used to categorize, sort, calculate, compute, summarize, store, retrieve, control, process, and/or protect data with a minimum of human intervention. ADP systems can include, but are not limited to, process control computers, embedded computer systems that perform general purpose computing functions, supercomputers, personal computers, intelligent terminals, office automation systems (which include standalone microprocessors, memory typewriters, and terminals connected to mainframes), firmware, and other implementations of AIS technologies as may be developed; they also include applications and operating system software. See also: Automated Information System (AIS).
Automated Export System (AES)
A data processing system used by Customs to provide automatic release of cargo that is subject to U.S. export regulatory requirements, and to collect export data and statistics for use in law enforcement, illegal chemical interdiction, export verification, revenue collection, and other activities.
Automated Information System (AIS)
An AIS is an assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information. Examples include: information storage and retrieval systems, mainframe computers, minicomputers, personal computers and workstations, office automation systems, automated message processing systems (AMPSs), and those supercomputers and process control computers (e.g., embedded computer systems) that perform general purpose computing functions. [TD P 71-10]
Authenticate/Authentication
1) The process to verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
2) A process used to verify that the origin of transmitted data is correctly identified, with assurance that the identity is not false. To establish the validity of a claimed identity.
Authenticated user
A user who has accessed an AIS with a valid identifier and authentication combination.
Authorization
The privileges and permissions granted to an individual by a designated official to access or use a program, process, information, or system. These privileges are based on the individual's approval and need-to-know.
Authorized Person
A person who has the need-to-know for sensitive information in the performance of official duties and who has been granted authorized access at the required level. The responsibility for determining whether a prospective recipient is an authorized person rests with the person who has possession, knowledge, or control of the sensitive information involved, and not with the prospective recipient.
Availability
The property of being ac