
Information Assurance - System Security Operating Procedures (SOPs)


Overview

Finding ID: V-30996
Version: IA-01.03.01
Rule ID: SV-41042r2_rule
IA Controls: DCSD-1, PESP-1
Severity: Low
Description
Failure to have documented procedures in an SOP could result in a security incident due to lack of knowledge by personnel assigned to the organization.
STIG: Traditional Security
Date: 2013-07-11

Details

Check Text (C-39663r4_chk)
Check written SOPs for all systems, supporting infrastructure and physical facilities. Conduct a cursory review of the SOPs and as a minimum ensure the following areas are documented:
a. Handling of suspected system compromise or spillage
b. Information Operations Condition (INFOCON) procedures and policies
c. Procedures for eradication after an attack
d. Proper password management
e. Purging of storage media (disks, CDs, DVDs, drives, etc.) prior to turn-in or disposal
f. Remote diagnostic and maintenance approval and procedure
g. Out-processing and turn-in of equipment
h. Use of screensavers/Unattended terminals
i. Virus detection and scanning
j. In-processing and vetting of employees for systems access (proper investigation and security clearance)
NOTE: This requirement for on-hand SOPs should not be applied to a tactical environment, unless it is a fixed computer facility in a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over 1 year.
2) The facility is a "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.
3) Procedures for field/mobile elements are still required and should be available at a supporting headquarters, either in Theater or perhaps even CONUS. These may be requested during pre-trip coordination or obtained after visiting the tactical AO.
Fix Text (F-34809r3_fix)
1. Security Operating Procedures (SOPs) for all systems, supporting infrastructure and physical facilities must be written.

2. The procedures must be readily available to both the Information Assurance Staff (IAM, IAO, SA) and all system users requiring information in the procedures to perform their jobs. Information can be placed in an Information System Users Guide (SFUG) and other applicable documents as appropriate. SOPs must be available on a site intranet, shared folders, web page, etc. for ease of reference by all employees - unless classified or otherwise requiring restricted access.

As a minimum the following areas must be documented:

a. Handling of suspected system compromise or spillage
b. Information Operations Condition (INFOCON) procedures and policies
c. Procedures for eradication after an attack
d. Proper password management
e. Purging of storage media (disks, CDs, DVDs, drives, etc.) prior to turn-in or disposal
f. Remote diagnostic and maintenance approval and procedure
g. Out-processing and turn-in of equipment
h. Use of screensavers/Unattended terminals
i. Virus detection and scanning
j. In-processing and vetting of employees for systems access (proper investigation and security clearance)