SecureIS is a software product that processes, stores, and organizes security information pertaining to an information system that processes confidential data. The security information deals with security decisions made by information system personnel as they evaluate security requirements and provide security solutions. Security solutions are people, hardware, software, and procedures that perform a security function that protects some aspect of an information system. Security requirements are a set of specifications and guidelines established by the Director of Central Intelligence to protect intelligence data. The SecureIS system provides a framework that allows an organization to adhere to the Director of Central Intelligence Directive 6/3 (DCID 6/3). This directive is a rather long and complex set of rules and guidelines. The following paragraph is taken from that directive to provide a sample of the information it contains.
| Intelligence information shall be appropriately safeguarded at all times, including when used in information systems. The information systems shall be protected. Safeguards shall be applied such that (1) individuals are held accountable for their actions; (2) information is accessed only by authorized individuals* and processes; (3) information is used only for its authorized purpose(s); (4) information retains its content integrity; (5) information is available to satisfy mission requirements; and (6) information is appropriately marked and labeled. Appropriate security measures shall be implemented to ensure the confidentiality, integrity, and availability of that information. The mix of security safeguards selected for systems that process intelligence information ensures that the system meets the policy requirements set forth in this policy and its implementation manual. |
To view the full DCID 6/3 policy document go to the DCID 6/3 web site. To view the DCID 6/3 implementation manual go to DCID 6/3 Manual. The information provided at these two web sites is not aimed at the casual reader. A security-oriented information technology background is required in order to make use of this material. Essentially, the directive specifies the security requirements that have to be met, at various levels of security concern, in order for an information system to be deemed secure. A security concern is a combination of five possible protection levels, and three possible levels of confidentiality, integrity, and availability. These attributes are associated with the intelligence data processed by the information system.
SecureIS provides an audit trail of the security decisions that are used to make an information system secure, and provides various reports that show the current level of security that has been achieved. Security personnel make a security decision when they determine whether a security requirement is applicable to an information system component. They also make a decision when they attempt to match security requirements with security solutions.
Security personnel must determine which security solutions are needed to satisfy each security requirement. This decision requires an explanation (rationale). The security officer must explain why the security solution does or does not satisfy the requirement. This process is repeated for every security requirement attached to every information system component that has a security concern. An information system is secure when all information system components have been secured. The audit trail of security decisions provides the accountability and assigns the responsibility required by DCID 6/3. The reports produced by SecureIS show the status of the security project and can be used to manage the security effort.
How secure is your information system? The answer to that question is based on how well security solutions meet security requirements. This information is maintained in the SecureIS database. Graphically it would appear as follows.
Audit lists that show all the security requirements, their applicability and rationale, and the security solutions that satisfy the security requirements and their associated rationales will substantiate the information displayed above.
SecureIS provides a standard set of reports plus a facility for ad hoc report generation. It supplies a generalized report editor and print facility. All standard reports are placed into this facility where they can be modified (by changing colors and fonts, and inserting images). The report editor and print facility also provides the capability to preview the report, add page breaks, and add report headers and footers. The reports can be printed or saved into the local file system. The ad hoc reporting system can also send its reports to this facility. The above display shows a report in the report editor and print facility window.
SecureIS organizes information, relevant to the security process, by a number of artifacts that stand for information system components and security solutions. The following user interface window shows the organizational structure used by the SecureIS system.
The tree structure on the left-hand side of the window grows as information is input into the system. The major tree nodes (Item Templates, Projects, Users, Grouped Items, Identical Items, Connections, Compliance Items, and Requirements) show how SecureIS compartmentalizes information into various artifacts. The forms at the bottom of the window allow for data entry and data display. The right-hand portion of the window displays tutorial information and various lists. Online help is available to describe system capabilities and how to perform the tasks required to implement security processes.
SecureIS provides facilities to import and export data into and from the SecureIS database. The import capability will minimize data entry requirements, if information system inventory is already defined in another database. Similarly, export of data from the SecureIS database can feed information to other applications.
To get more information about the SecureIS system see SecureIS Implementation. A demonstration of the SecureIS system can be arranged by contacting George White via e-mail at ggwhite@taggassociates.com.
DCID 6/3 specifies policy guidance and requirements for ensuring adequate protection of certain categories of intelligence information that is stored or processed on an information system (IS). DCID 6/3 applies to all entities that process, store, or communicate intelligence information, including United States government organizations, their commercial contractors, and Allied governments.
Traditionally, providing security for a system has meant protecting the confidentiality of the information on it, although for some systems protecting data integrity and system and data availability has always been a concern. While the traditional operational concern over confidentiality of classified information has not diminished, integrity and availability have become critical parts of security for all systems. The mix of confidentiality, integrity, and availability defines a Level-of-Concern.
The Level-of-Concern is a rating assigned to an IS by the Designated Accrediting Authority (DAA). This is an official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. A separate Level-of-Concern is assigned to each IS for confidentiality, integrity, and availability. The Level-of-Concern for confidentiality, integrity, and availability can be Basic, Medium, or High. The Level-of-Concern assigned to an IS for confidentiality is based on the sensitivity of the information it maintains, processes, and transmits. The Level-of-Concern assigned to an IS for integrity is based on the degree of resistance to unauthorized modifications. The Level-of-Concern assigned to an IS for availability is based on the needed availability of the information maintained, processed and transmitted by the system for mission accomplishment, and how much tolerance for delay is allowed.
The concept of Protection Levels applies only to confidentiality. Having verified that an IS will maintain, process, or transmit intelligence information and therefore that its Level-of-Concern for confidentiality must be High, the DAA must next ascertain the appropriate Protection Level for the IS based on the required clearance(s), formal access approval(s), and need-to-know of all direct and indirect users who receive information from the IS without manual intervention and reliable human review. The Protection Level indicates an implicit level of trust that is placed in the system’s technical capabilities.
The DAA must assign a Protection Level to each IS that is to be accredited. The decision regarding the Protection Levels shall be explicit for all (including interconnected) systems. The record of this decision shall be in writing, and the DAA shall ensure that these records are retained for the operational life of the system(s) involved. At the DAA’s discretion, the decision can be made for groups of systems, but it shall be explicit.
An IS operates at Protection Level 1 when all users have all required approvals for access to all information on the IS. This means that all users have all required clearances, formal access approvals, and the need to know for all information on the IS.
An IS operates at Protection Level 2 when all users have all required formal approvals for access to all information on the IS, but at least one user lacks administrative approval for some of the information on the IS. This means that all users have all required clearances and all required formal access approvals, but at least one user lacks the need to know for some of the information on the IS.
An IS operates at Protection Level 3 when at least one user lacks at least one required formal approval for access to all information on the IS. This means that all users have all required clearances, but at least one user lacks formal access approval for some of the information on the IS.
An IS operates at Protection Level 4 when at least one user lacks sufficient clearance for access to some of the information on the IS, but all users have at least a Secret clearance.
An IS operates at Protection Level 5 when at least one user lacks any clearance for access to some of the information on the IS.
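The five definitions above form a decision procedure that can be evaluated from the most restrictive case down. The sketch below is an added example, not part of SecureIS or of DCID 6/3; the Clearance ordering, the User fields, and the handling of a user cleared below Secret (rated as Protection Level 5) are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Clearance(IntEnum):
    # Assumed ordering for this example; the page itself only names Secret.
    NONE = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class User:
    name: str
    clearance: Clearance
    formal_access: bool   # holds every formal access approval the IS requires
    need_to_know: bool    # has need-to-know for all information on the IS


def protection_level(users, required):
    """Return the Protection Level (1-5) for an IS whose information
    requires clearance `required`, given all direct and indirect users."""
    users = list(users)
    if not users:
        raise ValueError("at least one user is needed to assign a Protection Level")
    # Levels 4 and 5: some user is not cleared for some of the information.
    if any(u.clearance < required for u in users):
        # Assumption: a user cleared below Secret falls outside Level 4,
        # so the IS is rated at the most restrictive level, 5.
        if all(u.clearance >= Clearance.SECRET for u in users):
            return 4
        return 5
    # Level 3: everyone is cleared, but a formal access approval is missing.
    if not all(u.formal_access for u in users):
        return 3
    # Level 2: clearances and approvals are complete, need-to-know is not.
    if not all(u.need_to_know for u in users):
        return 2
    return 1


# Constructed sample users, not taken from any real system.
ANALYST = User("analyst", Clearance.TOP_SECRET, True, True)
OPERATOR = User("operator", Clearance.TOP_SECRET, True, False)
AUDITOR = User("auditor", Clearance.TOP_SECRET, False, False)
CONTRACTOR = User("contractor", Clearance.SECRET, False, False)
VISITOR = User("visitor", Clearance.NONE, False, False)
```

Because the rating follows the least-qualified user, adding a single user to an IS can raise its Protection Level, which is why the DAA's decision has to cover all direct and indirect users.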
The DAA determines the Level-of-Concern and Protection Levels, and sets up a project in the SecureIS system to implement security based on these settings. SecureIS selects the security requirements that are associated with this Level-of-Concern and assigns them to all items defined to be part of the information system. This automated process pays for the system. Without this capability countless hours would be wasted trying to perform this task. To see the full description of the DCID 6/3 directive click on the following link DCID 6/3 - Manual.