Security Incident/Spillage - Lack of Procedures or Training for Handling and Reporting

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32138	IS-14.02.01	SV-42455r2_rule	VIIR-1 VIIR-2	Medium

Description
Failure to report possible security compromise can result in the impact of the loss or compromise of classified information not to be evaluated, responsibility affixed, or a plan of action developed to prevent recurrence of future incidents.

STIG	Date
Traditional Security	2013-07-11

Details

Check Text ( C-40663r4_chk )
General requirement: Anyone finding classified information out of proper control shall, if possible, take custody of and safeguard the material and immediately notify the appropriate security authorities. Secure communications should be used for notification whenever possible. Every civilian employee and Active, Reserve, and National Guard Military member of the Department of Defense, and every DoD contractor or employee of a contractor working with classified material, as provided by the terms of the contract, who becomes aware of the loss or potential compromise of classified information shall immediately report it to the head of his or her local activity and to the activity security manager. Prompt reporting of security incidents ensures incidents are properly investigated and necessary actions are taken to negate or minimize the adverse effects of an actual loss or unauthorized disclosure of classified information and to preclude recurrence through a properly tailored, and up-to-date security education and awareness program. In cases where compromise has been ruled out and there is no adverse effect on national security, a common sense approach to the early resolution of an incident at the lowest appropriate level is encouraged. All security incidents involving classified information shall involve a security inquiry, a security investigation, or both. Reviewer Checks: Check #1. Check to ensure the site or organization has written procedures on reporting possible security incidents. Check #2. Check to ensure personnel within the organization have training to be able to know when to report a possible security incident and who to report it to. Check #3. Check to ensure employees know what to do when discovering classified material unsecure or out of proper control. Ask random employees if they know what to do if they discover a security incident? TACTICAL ENVIRONMENT: Classified material that is discovered not properly secured must immediatly be secured and the incident reported - regardless of environment.

Check Text ( C-40663r4_chk )

General requirement:
Anyone finding classified information out of proper control shall, if possible, take custody of and safeguard the material and immediately notify the appropriate security authorities. Secure communications should be used for notification whenever possible. Every civilian employee and Active, Reserve, and National Guard Military member of the Department of Defense, and every DoD contractor or employee of a contractor working with classified material, as provided by the terms of the contract, who becomes aware of the loss or potential compromise of classified information shall immediately report it to the head of his or her local activity and to the activity security manager. Prompt reporting of security incidents ensures incidents are properly investigated and necessary actions are taken to negate or minimize the adverse effects of an actual loss or unauthorized disclosure of classified information and to preclude recurrence through a properly tailored, and up-to-date security education and awareness program. In cases where compromise has been ruled out and there is no adverse effect on national security, a common sense approach to the early resolution of an incident at the lowest appropriate level is encouraged. All security incidents involving classified information shall involve a security inquiry, a security investigation, or both.
Reviewer Checks:

Check #1. Check to ensure the site or organization has written procedures on reporting possible security incidents.

Check #2. Check to ensure personnel within the organization have training to be able to know when to report a possible security incident and who to report it to.

Check #3. Check to ensure employees know what to do when discovering classified material unsecure or out of proper control. Ask random employees if they know what to do if they discover a security incident?
TACTICAL ENVIRONMENT: Classified material that is discovered not properly secured must immediatly be secured and the incident reported - regardless of environment.

Fix Text (F-36074r1_fix)
General requirement: Anyone finding classified information out of proper control shall, if possible, take custody of and safeguard the material and immediately notify the appropriate security authorities. Secure communications should be used for notification whenever possible. Every civilian employee and Active, Reserve, and National Guard Military member of the Department of Defense, and every DoD contractor or employee of a contractor working with classified material, as provided by the terms of the contract, who becomes aware of the loss or potential compromise of classified information shall immediately report it to the head of his or her local activity and to the activity security manager. Prompt reporting of security incidents ensures incidents are properly investigated and necessary actions are taken to negate or minimize the adverse effects of an actual loss or unauthorized disclosure of classified information and to preclude recurrence through a properly tailored, and up-to-date security education and awareness program. In cases where compromise has been ruled out and there is no adverse effect on national security, a common sense approach to the early resolution of an incident at the lowest appropriate level is encouraged. All security incidents involving classified information shall involve a security inquiry, a security investigation, or both. Fixes: 1. Ensure the site or organization has written procedures on reporting possible security incidents. 2. Ensure personnel within the organization have training to be able to know when to report a possible security incident and who to report it to. 3. Ensure employees know what to do when discovering classified material unsecure or out of proper control. Verify by asking random employees if they know what to do if they discover a security incident.

Fix Text (F-36074r1_fix)

General requirement:
Anyone finding classified information out of proper control shall, if possible, take custody of and safeguard the material and immediately notify the appropriate security authorities. Secure communications should be used for notification whenever possible. Every civilian employee and Active, Reserve, and National Guard Military member of the Department of Defense, and every DoD contractor or employee of a contractor working with classified material, as provided by the terms of the contract, who becomes aware of the loss or potential compromise of classified information shall immediately report it to the head of his or her local activity and to the activity security manager. Prompt reporting of security incidents ensures incidents are properly investigated and necessary actions are taken to negate or minimize the adverse effects of an actual loss or unauthorized disclosure of classified information and to preclude recurrence through a properly tailored, and up-to-date security education and awareness program. In cases where compromise has been ruled out and there is no adverse effect on national security, a common sense approach to the early resolution of an incident at the lowest appropriate level is encouraged. All security incidents involving classified information shall involve a security inquiry, a security investigation, or both.

Fixes:

1. Ensure the site or organization has written procedures on reporting possible security incidents.

2. Ensure personnel within the organization have training to be able to know when to report a possible security incident and who to report it to.

3. Ensure employees know what to do when discovering classified material unsecure or out of proper control. Verify by asking random employees if they know what to do if they discover a security incident.