Security Plus Overview
The Security Plus Security System provides a means of ensuring the protection of intelligence
information stored and processed by an information system (IS). The implementation of Security Plus is
based on Director of Central Intelligence Directive 6/3 (DCID 6/3), which provides uniform guidance and
security requirements keyed to several levels of concern. A level of concern combines the
confidentiality, integrity, and availability concerns and the protection level of the data used in the
information system. The DCID 6/3 guidelines define five protection levels and three levels of concern
for each of confidentiality, integrity, and availability. Once the levels of concern are established
for an information system, DCID 6/3 details the security requirements needed to protect an IS at that
level of concern.
Security Plus provides the infrastructure to establish projects at specific levels of concern;
define the components of an information system in terms of hardware, software, physical
plant, and personnel; automatically assign security requirements to these components based
on the level of concern; provide a means to enter security services established by the
agency responsible for the IS; maintain a database of information about the IS with regard to
its components, security requirements, and security services; and supply reports and a user interface
that displays the status of the IS security requirements and the security services that meet these
requirements.
The Security Plus system can be launched as a stand-alone application or as a web application started by
Java Web Start. The following actions must be taken in order to make Security Plus operational.
- Define one or more projects - A project specifies the levels of concern for the
information system with regard to its protection level, confidentiality, integrity, and
availability. It also defines the contact information for the project administrator and
identifies the agency in charge of the project. Projects may be established for different information
systems, or to break one information system into manageable subsets that are maintained by different
security officers. Projects can be merged (as long as they have the same levels of concern) once their
component parts have been completed.
- Define one or more security officers (users) for a project - A user is a person who can
log on to the Security Plus system, enter data into the project, and review information provided
by the system. There are two classes of users. Regular users can perform the tasks specified
above. Administrators are users who can perform those tasks and also modify project information,
add and delete users, manage passwords for other users, and import/export data into and out of the
system. Users may be associated with one or more projects, or with all projects handled by the Security Plus
system.
- Determine and define the components of an information system - Security Plus provides
a GUI for entering this information into the Security Plus system. Security Plus classifies
information system components into the following:
  - Component Group - An arbitrary designator that allows information system components to be grouped
for manageability. An information system can have a vast number of components, and grouping
provides a structure for managing information about them. All regular components must
be associated with a component group.
  - Regular Components, or just Components - A component can be any object in the information system,
such as hardware, software, physical plant, telecommunication equipment, or a person. A component has
a name and a description, and the Security Plus system assigns each component a set of security requirements
based on the project's levels of concern.
  - Shared Components - A shared component is any object that is cloned or duplicated in the
information system. Examples are firewalls, operating systems, laptop notebooks, workstations, etc. When
a particular component has the same capabilities, features, and uses, and is replicated throughout the
information system, it is worthwhile to define one shared component that represents all the physical
instances in the IS. Shared components are described by a name, a type designation, and a description.
The type designation classifies the shared component; for example, the type may be specified as firewall,
Windows 2000, workstation, operator console, operator, etc. Each shared component may be associated with
one or more component groups.
  - Path - A path is a unit of physical space between two components that has a security concern. This
could be simply a hallway guarded by a security camera and a smart lock, or an Ethernet transmission line
between two workstations. Paths can only be defined after the two endpoint components have been defined
to the Security Plus system. The endpoints can be two regular components, two shared components, or a
combination of the two.
  - Security Service - Anything in the information system that addresses or satisfies a security requirement.
Examples of security services are video cameras, locks, authentication and auditing procedures, firewalls,
proxy servers, fire sprinkler systems, backup procedures, access procedures, and so on. Security services
are entered into the Security Plus system to address the security requirements imposed by DCID 6/3 based
on the levels of concern of the information system. A security service has a name, a description, a
rationale, a type classification, and an indicator of whether or not it satisfies the security requirement
to which it is attached. The security officer uses the rationale field to explain why the security service
satisfies or does not satisfy the security requirement. The goal of the Security Plus system is to have
every security requirement met by one or more security services. When all security requirements for all
information system components have been satisfied, the system is deemed secure.
  - Security Requirements - Security Plus generates the security requirements needed by an information
system from the levels of concern specified for a project, following the guidelines established by
DCID 6/3. This set of security requirements is then assigned to (mapped onto) each component of the
information system when the component is defined to Security Plus. A security requirement has a name, a
description, a rationale, and an indicator that specifies whether or not the requirement applies to the
component to which it is mapped. The security officer must determine whether a particular security
requirement applies to a particular component and set its applicability accordingly. The rationale field
of the security requirement is used to explain this decision.
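As an added illustration, not part of the Security Plus software or its documentation, the following Python model captures the relationships described above: a project's levels of concern produce a requirement set that is mapped onto every component, the security officer marks each mapped requirement as applicable or not and attaches security services carrying a satisfies indicator, and the IS is deemed secure only when every applicable requirement on every component is met. The requirement identifiers, the Basic/Medium/High catalogue keys, and the rule that unions the three catalogues are constructed placeholders, not DCID 6/3 content.

```python
from dataclasses import dataclass, field
# Constructed placeholder ids per level of concern, standing in for the DCID 6/3 tables.
CATALOGUE = {
    "Basic":  {"REQ-AUDIT-1", "REQ-ACCESS-1"},
    "Medium": {"REQ-AUDIT-1", "REQ-ACCESS-1", "REQ-ACCESS-2"},
    "High":   {"REQ-AUDIT-1", "REQ-ACCESS-1", "REQ-ACCESS-2", "REQ-MARKING-1"},
}

@dataclass
class SecurityService:
    name: str
    satisfies: bool                 # officer's indicator for the attached requirement

@dataclass
class SecurityRequirement:
    name: str
    applies: bool = True            # officer sets applicability per component
    services: list = field(default_factory=list)

    def is_met(self) -> bool:
        # "does not apply" is not a gap; otherwise one satisfying service is needed
        return not self.applies or any(s.satisfies for s in self.services)

@dataclass
class Component:
    name: str
    group: str                      # every regular component belongs to a component group
    requirements: list = field(default_factory=list)

@dataclass
class Project:
    protection_level: int           # 1..5
    concern: dict                   # confidentiality/integrity/availability -> level
    components: list = field(default_factory=list)

def add_component(project, name, group):
    """Define a component; the project's requirement set is mapped onto it."""
    if not group:
        raise ValueError("regular components must belong to a component group")
    names = set().union(*(CATALOGUE[lvl] for lvl in project.concern.values()))
    comp = Component(name, group, [SecurityRequirement(n) for n in sorted(names)])
    project.components.append(comp)
    return comp

def unmet_requirements(project):
    """(component, requirement) pairs still lacking a satisfying security service."""
    return [(c.name, r.name) for c in project.components for r in c.requirements if not r.is_met()]

def is_secure(project):
    return not unmet_requirements(project)
```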