INSPECTION PREPARATION

The inspection should be conducted by a department or facility outside the span of control of the AIS (automated information system) technical manager. One of the main principles in selecting an inspection team is that members should not be responsible for AIS operations. Team members should have some knowledge of data processing and, if possible, of basic inspection principles. A programming or AIS operations background is desirable but not essential; an experienced military or civil service user of AIS services might have the necessary qualifications. The role of the team is to evaluate established controls and procedures, not to develop security controls. Nor should the team be responsible for enforcing control procedures, which is clearly an AIS management responsibility.

The character of each of the inspection team members is extremely important. Judgment, objectivity, maturity, ability, and a probing nature will all affect the success of the inspection. The leader of the inspection team must be able to organize the efforts, prepare a good written report, and communicate findings effectively. The leader should be an officer, warrant officer, chief petty officer, or U.S. civilian employee who is GS-7 or above. If not technically oriented, the team leader should be assisted by someone whose technical judgment and knowledge of AIS is reliable.

The size of the team depends upon the size of the facility and the scope of the inspection. A large facility should consider including personnel from the following areas on the inspection team:

Internal inspection. The knowledge and discipline to conduct an inspection can be provided by internal inspection specialists. Inquisitiveness, a probing nature, and attention to detail are typical characteristics desired in inspection board members. Even though internal inspection specialists generally are not trained in data processing technology, it should not be difficult to appoint some who have data processing knowledge.

Security. A security officer is a welcome addition to an inspection team.

Computer operations. Technical expertise in data processing is required; both programming knowledge and operations experience are helpful. The data processing internal security officer may have these skills and, if so, is a prime candidate for the team. Using someone from the AIS facility being evaluated need not significantly affect the objectivity of the inspection, provided that person is not asked to evaluate controls that they themselves operate or enforce.

Users. Users have the most to gain from an effective inspection because of their dependence on the AIS facility, yet too often they have little or no interest in AIS controls or security measures. To encourage participation in the AIS security program, one or more users who are concerned about sensitive data being compromised, disclosed, or destroyed should be motivated to join or should be appointed to the inspection team.

Building management. Many of the physical security controls to be inspected (fire prevention and detection, air conditioning, electric power, access controls, and disaster prevention) relate to building management and engineering.

Outside specialists. Independent, experienced viewpoints provided by outside consultants can be very helpful.

The composition of the team can be flexible. One of the prime requirements is that it consist of people who are objective. If only one AIS facility is to be inspected, the members of the team can be assigned for the term of the inspection and then returned to their normal jobs. If there are many AIS facilities under the jurisdiction of the command, it might be advisable to establish a permanent inspection team to review all facilities on a recurring basis. In any event, the composition of the team should be changed periodically to bring in fresh viewpoints and new and different inspection techniques.

THE INSPECTION PLAN

A comprehensive inspection plan must be developed to properly conduct an internal inspection of security. It should be action-oriented, listing the specific actions to be performed, and it must be tailored to the particular facility. It should also specify the report format and the distribution of the final report. Developing such a plan requires a considerable amount of work.

The first step is to examine the security policy for the AIS facility. This policy may apply to an entire naval district, a command, a ship, a department, or a single AIS facility. In any case, the security policy should be reviewed and the pertinent security objectives extracted for subsequent investigation. The next step is to review the risk analysis plan, identifying those vulnerabilities that are significant for the particular facility. Third, the AIS Facility Security Manual, the Operations Manual, and other appropriate documents should be reviewed to determine what the specified security operating procedures are. And last, the AIS facility organization chart and job descriptions should be examined to identify positions with specific security or internal control responsibilities. This background material forms the basis for developing the inspection plan. A number of general questions should be considered when formulating the inspection program; the following are examples:

What are the critical issues with regard to security? Does the AIS facility process classified or otherwise sensitive data? Does the processing duplicate that of other data centers, thereby providing some sort of backup or contingency capability? Or is it a stand-alone activity processing unique applications? What are the critical applications in terms of the inspection emphasis?

What measures are least tested in day-to-day operations? For example, if the computer fails every day at 1615 because of power switchovers, the immediate backup and recovery procedures are likely to be well formulated and tested. However, the complete disaster recovery plan probably has not been tested unless there is a specific policy requiring it. This is a key point: security measures of this type are often inadequately exercised, so they deserve particular attention in the inspection.

What inspection activities produce the maximum results for least effort? A test of fire detection sensors under surprise conditions tests not only the response to alarms but also the reaction of the fire party and the effectiveness of evacuation plans. In interviewing personnel, the team should design questions to elicit comprehensive answers. For example, the question "How would you process an unauthorized job?" is likely to elicit more information than "Are job authorization controls effective?" The most likely answer to the second question is a simple and uninformative "Yes."

What are the security priorities? Because of a particular policy, a request for an investigation, or an incident of loss, interruption, or compromise, the testing of a particular security measure probably should receive more emphasis than other equally important but less current topics. One must, however, avoid irrational concentration on any one aspect of the program. Management overemphasis resulting from a recent security breach should be tempered with a rational approach toward investigating all aspects of computer security.

Another step in developing an inspection plan is the review of previous inspection reports. These often identify weaknesses or concerns that should have been corrected since, and which therefore should be items of special attention in the current inspection.


Integrated Publishing, Inc. - A (SDVOSB) Service Disabled Veteran Owned Small Business