Interior
Chapter 1
Information Security Architecture
Version 2.0
Interior
Chapter 1
Information Security Architecture
Version 2.0
1.1 Introduction
and Background
Principle
1: Information is an Interior Asset
Principle
2: Data and Information Stewardship
Principle
3: Integration/ Interoperability
Principle
4: Reuse before you buy and buy before
you build
Principle
5: Ensure Security, Confidentiality
and Privacy
Principle
6: Continuity of Operations Planning
Principle
7: Enterprise Network as a secure
“Virtual” Network
Principle
8: Information Access
Principle
9: Total Cost of Ownership
Principle
10: Product Standards
Principle
11: Personnel security
Principle
12: Computer Security Incident Response
Capability (CSIRC)
Principle
13: Individual Security Responsibility
1.3.1 Virtual Private
Network (VPN)
1.3.2 Legislative /
Compliance
1.3.3 Authentication/Single
Sign-on
1.3.5 Network Devices /
Standards
1.3.7 Certificates/Digital
Signatures
1.3.8 Supporting Security
Services
The Department of the Interior is developing closer electronic partnerships with businesses, other government agencies, employees, and citizens in general. These various partnerships require varying levels of security. Regardless of the partnership, the purpose of security remains the same for all: to protect Interior’s information assets and provide an environment in which Interior’s business can be safely transacted.
In the past, training and resources for security within Interior have tended to be meager. With the use of shared personnel, part time resources and the like, maintaining an adequate level of security has often been difficult. Additionally, the authority to insure compliance to security policies has not resided within the security area itself except in times of declared emergencies. A good security practice is to address compliance issues well in advance of any real emergency.
The focus of the Interior Enterprise Architecture is on providing guidance for information technology (IT) issues and initiatives that are Interior-wide or multi-bureau in scope. The following Security architecture facilitates appropriate and innovative access to information while ensuring its confidentiality, integrity, availability, accountability and non-repudiation (CIAACNR). It supports business processes as well as compliance with all government regulations and standards related to information security. It also supports the generally accepted principles and practices of IT security.
If used correctly, the Interior Enterprise Architecture will act as a catalyst for those looking to capitalize on its contents and better understand the full meaning of its guidance. This understanding will permit IT personnel to better engage the non-IT organization in discussions around tradeoffs and priorities within the proper governance structure (e.g., Management Initiatives Team (MIT), Information Technology Management Council (ITMC)). The Interior Enterprise Architecture is not intended to be the “last word” (e.g., some automated checklist for product selection). It is intended to be one of the “first words” to assure that Interior’s mission priorities and its IT priorities remain closely aligned.
Because Interior is incorporating the OMB’s Federal Enterprise Architecture (FEA) models, the technical guidance provided by the subject area experts within a domain spans both the Service Component Reference Model (SRM) as well as the Technical Reference Model (TRM). For the Security domain, the SRM elements are as follows:
Service Domain(s): The Support Services Domain defines the set of cross-functional capabilities that can be leveraged independent of Service Domain objective and / or mission.
The Business Management Services Domain defines the set of capabilities that support the management of business functions and organizational activities that maintain continuity across the business and value chain participants. The Business Management Services domain represents those capabilities and services that are necessary for projects, programs and planning within a business operation to successfully be managed.
Service Type(s): Security Management – defines the set of capabilities that support the protection of an organization's hardware/software and related assets.
Management of Process - defines the set of capabilities that regulate the activities surrounding the business cycle of an organization.
Component(s): Access Control – defines the set of capabilities that support the management of permissions for logging onto a computer or network.
Identification and Authentication – defines the set of capabilities that support obtaining information about those parties attempting to log on to a system or application for security purposes and the validation of those users.
Verification – defines the set of capabilities that support the confirmation of authority to enter a computer system, application or network.
Role / Privilege Management - defines the set of capabilities that support the granting of abilities to users or groups of users of a computer, application or network.
Intrusion Detection – defines the set of capabilities that support the detection of illegal entrance into a computer system.
Audit Trail Capture and Analysis – defines the set of capabilities that support the identification and monitoring of activities within an application or system.
Encryption – defines the set of capabilities that support the encoding of data for security purposes.
Digital Signature – defines the set of capabilities that guarantee the unaltered state of a file.
Risk Management – defines the set of capabilities that support the identification and probabilities or chances of hazards as they relate to a task, decision or long-term goal.
These SRM service elements are likewise supported by Interior’s IT (technical) infrastructure (e.g., servers, networks). Within this infrastructure are individual TRM components for which this domain team is providing guidance. The graphic below outlines those TRM elements for this domain that support the service needs of the SRM.
Although only 9 SRM Service Components and 8 TRM Standards are explicitly indicated above, it is understood that security is and integral part of all aspects within the SRM and subsequently the TRM.
Additionally, it’s doubtful that a single domain chapter from the TRM can be used to address a substantive issue. More realistically, a few architecture domains may need to be reviewed when addressing an important IT decision. For example, if Interior was considering the creation of a new Interior-wide Web application that could be used both by the general public and Interior personnel, then the TRM chapters like Data Management Technologies, Information Security, Distributed Systems Management and Application Development might all need to be reviewed.
The
principles listed below provide guidance for the design and selection of
technology components that will support the security needs of Interior-wide IT
initiatives.
Principle 1: Information is an Interior Asset |
|
|
|
Information is valued as an Interior asset and must be protected. Rationale:
Implications: 1. Policies supporting security, privacy, confidentiality, information sharing, information integrity must be developed and implemented. 2.
Need to promote secure
interoperable information management that facilitates information
availability for decision-making.
4.
Data access will be limited to those who “need to know”. 5.
Procedures for regular estimation of the value of the
information assets need to be defined and practiced. |
|
|
|
Principle 2:
Data and Information Stewardship
|
|
|
|
Protection of the data and information must be managed and maintained as a stewardship responsibility to support the mission of the department. Rationale:
·
Data stewards will promote common business rules, which
will facilitate information sharing and improve data integrity. Implications: 1.
Recognition
that business area personnel need to be responsible for stewardship of the
data and the commitment of the resources necessary to provide an adequate
level of protection.
|
|
|
|
Principle 3:
Integration/ Interoperability
|
|
|
|
Security systems must be designed, acquired, developed, or enhanced so that data and processes can be effectively shared, for appropriate purposes, across Interior and with our partners. Rationale:
Implications: 1.
Every
systems analyst needs to consider enterprise wide security impacts when
designing enhancing, acquiring or extending the scope or use of
applications.
|
|
|
|
Principle 4: Reuse before you buy and buy before you build |
|
|
|
In considering system security requirements (e.g., new functionality), we should look to reuse existing components before we buy. If no components exist, purchased solutions (e.g., COTS or GOTS) should be explored before we build. Rationale: ·
Complies with Office of Management and Budget (OMB) Circular A-130
“Management of Federal Information Resources”, the Privacy Act of 1974, and
the Federal Information Security Act (FISMA) of 2003. ·
The more you’re “like” everyone else (e.g., same standard, same systems),
the easier it is to share with others. Implications: 1. Need to identify and maintain
“reusable” components. 2. Good system security specifications
will be needed early in the planning cycle to evaluate alternatives. 3. Business processes may need to be "changed"
but not compromised to ensure compliance with Interior and Federal security
standards, to accommodate reuse or purchased solutions. 4. In-depth knowledge of security
functions may be outside of the organization, potentially increasing issues
of risk and cost. 5. System security design will migrate
to more widely used standards. |
|
|
|
Principle 5: Ensure Security, Confidentiality and Privacy |
|
|
|
IT systems should be designed and implemented in accordance with security and privacy legislation and policies to assure information confidentiality, integrity and availability. Rationale:
·
Complies with the Computer
Security Act, the Privacy Act of 1974, and OMB Circular A-130 “Management of Federal Information
Resources” and the generally accepted principles and
practices of IT security. Implications: 1. Need to identify, publish and keep the applicable policies, procedures and attendant interpretations thereof.
8.
Criteria used for classifying
information/data needs to be flexible to accommodate changes in the threat
environment (e.g., Homeland security). |
|
|
|
Principle 6: Continuity of Operations Planning |
|
|
|
Appropriate disaster recovery and business continuity planning, design, testing and maintenance must take place. System Contingency plans are an integral part of these planning activities. Rationale: · Required by federal laws and regulations · Customers and partners have heightened awareness of the need for systems availability. · Any significant visible loss of system availability and stability could negatively impact our mission and legal responsibilities. · Application systems and data are valuable organization assets that must be protected. Implications: 1. Operation and systems plans will need to be categorized according to business recovery needs (e.g., short term essential and long term essential). 2. Alternate information processing capabilities need to be in place. 3. Systems should be designed with appropriate level of fault tolerance and recovery in mind. 4. Plans for work site recovery will need to be in place (e.g., office space). 5. Life cycle and other costs may increase. 6. Disaster Recovery Plans (DRPs) and Business Recovery Plans (BRPs) will require periodic testing and revision. 7. Plans for records recovery and alternate data capture mechanisms/processes need to be in place. 8. Business impact analysis needs to be conducted in the first phase of life cycle process (e.g., an assessment of business continuation and recovery requirements will be mandatory when acquiring, developing, enhancing or outsourcing systems). |
|
|
|
Principle 7:
|
|
|
|
We must implement an Interior-wide “interoperable network”
performing as if it were a virtual network. Rationale:
Implications:
|
|
|
|
Principle 8: Information Access |
|
|
|
Security and privacy must not be compromised in order to accommodate easy and timely access to information. Rationale:
Implications: 1. Publicly accessible services must be logically isolated from the internal networks to ensure security.
|
|
|
|
Principle 9: Total Cost of Ownership |
|
|
|
Security must be explicitly factored into a Total Cost of Ownership (TCO) model for all IT systems. Rationale:
Implications: 1. Need to develop a total cost of ownership model
that includes security and educate system sponsors and decision-makers about
how to use it. 2. Need to identify
methods to collect security cost portion of TCO. |
|
|
|
Principle 10: Product Standards |
|
|
|
Extra value will be given to security products and/or components adhering to federal standards and non-proprietary open architecture. Rationale: ·
Required to support adequate
levels of security. Implications: 1. Need effective management process to identify and assess federal security standards, guidelines, laws and regulations. 2. Participation in the development of open standards is desirable; otherwise, someone else will do it for you (e.g., litigation.) 3. Training and education are required to promote the use of “open
standards.” |
|
|
|
Principle 11: Personnel security |
|
|
|
All employees, vendors, business partners, consultants and contractors who require access to business information must be appropriately screened, trained and monitored. Rationale:
Implications: 1. Need to ensure consistency across and among bureaus.
|
|
|
|
Principle 12: Computer Security Incident Response Capability (CSIRC) |
|
|
|
Interior will coordinate an incident response capability that will be shared across all bureaus. Rationale:
Implications: 1. Need to develop consistent, documented CSIRC procedures across Interior.
10.
Need to develop law enforcement linkages |
|
|
|
Principle 13:
Individual Security Responsibility
|
|
|
|
All Interior employees, contractors, partners, etc. share
responsibility for Interior’s IT Security. Rationale:
Implications: 1.
Non-security
professionals need to be made aware of security policies, procedures and
their responsibilities.
|
The Security components in this domain include:
The classifications for any products or standards within this domain are:
Life Cycle Definition/
Classifications Meaning
Preferred Product/standard of choice; support available; recommended.
Contained Develop solutions using these standards or products only if there are no suitable alternatives categorized as preferred; if a preferred product is available that will meet the requirements, plans should be developed to move from contained to preferred as soon as practical.
Obsolete Being phased out; (e.g., vendor support ending); plans should be developed to rapidly phase out and replace (often to avoid substantial risks).
Research Product/standard to be used in conjunction with technology research efforts only (e.g., testing, pilots).
Rejected Product/standard has been evaluated and found not to meet technical architecture needs.
Virtual Private Network (VPN) is a Private Data Network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
Legislative / Compliance defines the pre-requisites that an application, system or service must have mandated by congress or governing bodies.
Authentication / Single Sign-on (SSO) refers a method that provides users with the ability to log-in one time, getting authenticated access to all their applications and resources.
.
Authentication Standards:
Single Sign-on Standards:
Authentication and Single Sign-on Products:
Test Management is the consolidation of all testing activities and results. Test Management activities include test planning, designing (test cases), execution, reporting, code coverage, and heuristic and harness development.
Network Devices / Standards refer to a group of stations (computers, telephones, or other devices) connected by communications facilities for exchanging information.
Utilities refer to software tools that address various miscellaneous processes for technology applications and users. Utilities are broken down into several categories. Due to the nature and increasing frequency of Information Technology threats, Security Professionals must have the ability to stay one step ahead of potential hackers and attackers of Interior systems. Consideration when considering utilities is that, whenever possible, they should be standards based and the latest versions must be attained.
Intrusion Detection Standards:
Technical Vulnerability Assessment Standards:
Anti-Virus Products:
Configuration Management Products:
Intrusion Detection Products:
Packet Sniffer Products:
Security & Assessment Products:
Technical Vulnerability Assessment Products:
Utilities – Miscellaneous Products:
Certificates / Digital Signatures refer to software used by a certification authority (CA) to issue digital certificates and secure access to information.
Supporting Security Services - These consist of the different protocols and components to be used in addition to certificates and digital signatures.
The Domain Principles, because they are derived from Interior’s business direction and strategies, provide the primary direction and guidance around technology decisions within this domain. Additional benefit may sometimes be obtained by reviewing Select Best Practices. These reflect the valuable insights from either domain team members’ experiences or other public sector organizations.
SRM Focused
Select
Best Practice 1: Program - Interior
shall have an integrated IT security program under the direction of the
Departmental Office of CIO. All levels
of management are responsible for ensuring the success of the program. The Office of the CIO (OCIO) and Departmental
IT Security Manager (DITSM) collaborates with the Bureau CIOs and Bureau IT
Security Managers (BITSM) to guide the implementation of IT security throughout
the Department.
Select
Best Practice 2: Policy - The IT
security policy for Interior provides the foundational requirements on how IT
security will be implemented throughout Interior.
Select
Best Practice 3: Security Awareness, Training and Education – Education, training and awareness are a major
part of Interior’s IT security program. Security awareness, training, and
education will cover all levels of IT security training and all levels of
personnel including executives, system owners, IT staff, end-users and
contractors.
Select
Best Practice 4: Risk Management - Risk management is an integral and ongoing element of Interior’s IT
security program for assessing risk, and taking steps to reduce and maintain
risk at an acceptable level.
Select
Best Practice 5: IT Contingency Planning - Contingency planning directly supports an organization's goal of
continued operations. This practice augments Continuity of Operations Planning
specifically for IT assets of Interior.
Select
Best Practice 6: Certification and Accreditation – All systems will be certified and accredited
in accordance with Interior IT Security Program Policy.
Select
Best Practice 7: Information Assurance – Information resources shall be protected to preserve the confidentiality,
availability and integrity consistent with the information’s sensitivity and
importance.
Select
Best Practice 8: Computer Security Incident Response - All computer security incidents shall be
reported to the appropriate authorities and handled in accordance with
established procedures.
Select
Best Practice 9: Lifecycle Management - IT security shall be an integral part of IT system lifecycle management
(LCM).
Select
Best Practice 10: Personnel Security – Follow established Interior procedures (DM441) for determining
suitability and grading positions for access to sensitive information or
systems. These procedures apply to both
Federal employees and others using government IT resources and/or information
(e.g., contractors).
Select
Best Practice 11: Identification and Authentication – Interior will utilize identification and
strong authentication as the basis for establishing access and accountability
associated with the use of IT resources.
Select
Best Practice 12: Physical and Environmental Security - Physical and environmental security controls shall
be implemented to protect the facilities housing IT resources and the IT system
resources themselves.
Select
Best Practice 13: Audit Trails - Audit
trails shall be employed to maintain a record of user, application and/or
system activity. Detail shall be
sufficient to reconstruct events, detect intrusion and misuse, and assist in
problem identification.
Select
Best Practice 14: Software Configuration Management – Test and apply all security fixes and
maintain a comprehensive record of all configuration changes.
Select
Best Practice 15: Hardware Maintenance – Follow practices to guarantee the ongoing availability of systems and IT
resources.
Select
Best Practice 16: Review of Security Controls - Perform assessments and evaluations at regular intervals to determine if
the security controls of a system are still operating within an acceptable
level of risk.
Select
Best Practice 17: Production, Input/Output Controls - Procedures for storing, handling and
destroying media shall be part of the support and operations of IT systems.
Select
Best Practice 18: Logical Access Controls – Access controls shall be implemented to enforce access and privileges to
information for authorized users based on the principles of least privilege and
need-to-know or use.
The quality of the Interior-wide guidance provided within this TRM chapter is a reflection of the efforts of the Security Domain team. The members of the team are:
Organization Name
Bureau of Reclamation Lee Matuszczak
Bureau of Land Management David Cavallier
Minerals Management Service Thanh Do
National Park Service Jim Guglielmino
Office of the Secretary Alan Wiser
Office of Hearings and Appeals Robert Elledge
Office of Special Trust Jay Lente
Office of Surface Mining Louis Blasiotti
US Fish and Wildlife Service Tom Snoich
US Geological Survey Lester North
| Disclaimer | Privacy Statement | FOIA | E-Gov | USA.gov | White House | DOI Home |