CHAPTER 4

AIS SECURITY

LEARNING OBJECTIVES

Upon completing this chapter, you should be able to do the following:

• Identify the procedures for issuing and updating user identification and passwords and for validating customer authorization.
• Identify the procedures for performing, directing, and validating security inspections and for reporting and investigating security violations.
• Identify the procedures for developing and updating security plans.
• Recognize how to implement and evaluate countermeasures and contingency plans.
• Identify the procedures for preparing and updating emergency action plans.
• Explain how to implement and evaluate security test and evaluation procedures.
• Explain how to safeguard AIS classified material.

AIS security is a cycle of events that never ends. You start with the development of a security plan for the facility. This plan includes conducting an in-depth risk assessment covering different types of disasters that threaten the security of the AIS facility. Once the security plan is in place, the inspections begin. You will be responsible for preparing the inspection plan and conducting the inspection using the guidelines provided in the security instructions.

In this chapter, you will learn about AIS security, from the implementation of the security plan through conducting security inspections. This includes AIS threat and risk analysis, disaster protection, contingency planning, inspection preparation, and data privacy.

WHAT IS AIS SECURITY?

AIS security is more than protecting classified information and keeping unauthorized personnel out of your AIS facility. It is protecting equipment, media, data and people. AIS security is limiting access, avoiding misuse, and preventing destruction. It is preventing changes to data that would make the data unreliable. It covers the denial of service and the destruction of computer rooms, the loss of confidentiality, fraud, the theft of computer time as well as the computer itself.

AIS security is a critical part of your job. As you probably noticed from reading the learning objectives, AIS security has its own terminology and jargon. To carry out your AIS responsibilities, you need to be familiar with these terms and their meanings.

AIS SECURITY CONCEPTS

Our AIS security goal is to take all reasonable measures to protect our AIS assets. Keep in mind that AIS assets (hardware, software, data, supplies, documentation, people, and procedures) have value. Their value can usually be stated in dollar terms. It costs money to repair or replace hardware. It costs money to reprogram and redocument. It costs money to retrain personnel. Unauthorized access costs money. Service delays cost money.

AIS Assets

Our AIS assets (figure 4-1) include the facilities, hardware, software, data, supplies, documentation, people and procedures. These assets combine to provide service. Service is computer time, telecommunications, data storage, user support, application system development, and operation. Service must be available to those authorized to receive it when they request it. Information is at the top of the triangle. It is the ultimate AIS asset. Information is the reason the rest exists.

Threats

Threats are things that can destroy your assets (figure 4-2). Easy to recognize, threats come in two basic forms: people and environmental changes. People are a threat because they sometimes do unexpected things, make mistakes, or misuse resources, steal, subvert, and sabotage (deliberate threats). Some of us even smoke and spill soft drinks in computer rooms. Environmental threats are things like heat, humidity, explosions, dust, dirt, power peaks, and power failures, and natural disasters like fire, floods, hurricanes, thunderstorms, and earthquakes. Hardware failures and compromising emanations are also threats.

Another term associated with threats is their probability of occurrence. What is the likelihood that something will happen?
Probabilities are measured in time: once a picosecond, once a memory cycle, once a fiscal year, once a century.

Vulnerability

Threats cannot reach an AIS asset without the aid and assistance of a vulnerability. Vulnerabilities are the holes threats sneak through or weaknesses they exploit. Vulnerabilities are caused by lack of AIS security planning, poor management, disorganization, disorder, inadequate or improper procedures, open data and open door policies, undocumented software, and unaware or unconcerned personnel. You can help limit the vulnerabilities by following established AIS security policies and procedures.