Download DHS Sensitive Systems Policy Directive 4300A - Homeland Security PDF

TitleDHS Sensitive Systems Policy Directive 4300A - Homeland Security
LanguageEnglish
File Size909.8 KB
Total Pages133
Table of Contents
                            1.0 INTRODUCTION
	1.1 Information Security Program
	1.2 Authorities
	1.3 Policy Overview
	1.4 Definitions
		1.4.1 Classified National Security Information
		1.4.2 National Intelligence Information
		1.4.3 National Security Information
		1.4.4 Foreign Intelligence Information
		1.4.5 Sensitive Information
		1.4.6 Public Information
		1.4.7 Information Technology
		1.4.8 DHS System
			1.4.8.1 General Support System
			1.4.8.2 Major Application
		1.4.9 Component
		1.4.10 Trust Zone
		1.4.11 Continuity of Operations
		1.4.12 Continuity of Operations Plan
		1.4.13 Essential Functions
		1.4.14 Vital Records
		1.4.15 Operational Data
		1.4.16 Federal Information Security Management Act
		1.4.17 Personally Identifiable Information
		1.4.18 Sensitive Personally Identifiable Information
		1.4.19 Privacy Sensitive System
		1.4.20 Strong Authentication
		1.4.21 Two-Factor Authentication
	1.5 Waivers and Exceptions
		1.5.1 Waivers
		1.5.2 Exceptions
		1.5.3 Waiver or Exception Requests
		1.5.4 U.S. Citizen Exception Requests
	1.6 Information Sharing and Electronic Signature
	1.7 Changes to Policy
2.0 ROLES AND RESPONSIBILITIES
	2.1 Information Security Program Roles
		2.1.1 DHS Senior Agency Information Security Officer
		2.1.2 DHS Chief Information Security Officer
		2.1.3 Component Chief Information Security Officer
		2.1.4 Component Information Systems Security Manager
		2.1.5 Risk Executive
		2.1.6 Authorizing Official
		2.1.7 Security Control Assessor
		2.1.8 Information Systems Security Officer
	2.2 Other Roles
		2.2.1 Secretary of Homeland Security
		2.2.2 Under Secretaries and Heads of DHS Components
		2.2.3 DHS Chief Information Officer
		2.2.4 Component Chief Information Officer
		2.2.5 DHS Chief Security Officer
		2.2.6 DHS Chief Privacy Officer
		2.2.7 DHS Chief Financial Officer
		2.2.8 Program Managers
		2.2.9 System Owners
		2.2.10 Common Control Provider
		2.2.11 DHS Employees, Contractors, and Others Working on Behalf of DHS
3.0 MANAGEMENT POLICIES
	3.1 Basic Requirements
	3.2 Capital Planning and Investment Control
	3.3 Contractors and Outsourced Operations
	3.4 Performance Measures and Metrics
	3.5 Continuity Planning for Critical DHS Assets
		3.5.1 Continuity of Operations Planning
		3.5.2 Contingency Planning
	3.6 System Engineering Life Cycle
	3.7 Configuration Management
	3.8 Risk Management
	3.9 Security Authoziation and Security Assessments
	3.10 Information Security Review and Assistance
	3.11 Security Working Groups and Forums
		3.11.1 CISO Council
		3.11.2 DHS Information Security Training Working Group
	3.12 Information Security Policy Violation and Disciplinary Action
	3.13 Required Reporting
	3.14 Privacy and Data Security
		3.14.1 Personally Identifiable Information
		3.14.2 Privacy Threshold Analyses
		3.14.3 Privacy Impact Assessments
		3.14.4 System of Records Notices
		3.14.5 Protecting Privacy Sensitive Systems
		3.14.6 Privacy Incident Reporting
		3.14.7 E-Authentication
	3.15 DHS CFO Designated Systems
	3.16 Social Media
	3.17 Health Insurance Portability and Accountability Act
4.0 OPERATIONAL POLICIES
	4.1 Personnel
		4.1.1 Citizenship, Personnel Screening, and Position Categorization
		4.1.2 Rules of Behavior
		4.1.3 Access to Sensitive Information
		4.1.4 Separation of Duties
		4.1.5 Information Security Awareness, Training, and Education
		4.1.6 Separation From Duty
	4.2 Physical Security
		4.2.1 General Physical Access
		4.2.2 Sensitive Facility
	4.3 Media Controls
		4.3.1 Media Protection
		4.3.2 Media Marking and Transport
		4.3.3 Media Sanitization and Disposal
		4.3.4 Production, Input/Output Controls
	4.4 Voice Communications Security
		4.4.1 Private Branch Exchange
		4.4.2 Telephone Communications
		4.4.3 Voice Mail
	4.5 Data Communications
		4.5.1 Telecommunications Protection Techniques
		4.5.2 Facsimiles
		4.5.3 Video Teleconferencing
		4.5.4 Voice Over Data Networks
	4.6 Wireless Network Communications
		4.6.1 Wireless Systems
		4.6.2 Wireless Portable Electronic Devices
			4.6.2.1 Cellular Phones
			4.6.2.2 Pagers
			4.6.2.3 Multifunctional Wireless Devices
		4.6.3 Wireless Tactical Systems
		4.6.4 Radio Frequency Identification
	4.7 Overseas Communications
	4.8 Equipment
		4.8.1 Workstations
		4.8.2 Laptop Computers and Other Mobile Computing Devices
		4.8.3 Personally Owned Equipment and Software
		4.8.4 Hardware and Software
		4.8.5 Personal Use of Government Office Equipment and DHS Systems/Computers
		4.8.6 Wireless Settings for Peripheral Equipment
	4.9 Department Information Security Operations
	4.10 Security Incidents and Incident Response and Reporting
		4.10.1 Law Enforcement Incident Response
	4.11 Documentation
	4.12 Information and Data Backup
	4.13 Converging Technologies
5.0 TECHNICAL POLICIES
	5.1 Identification and Authentication
		5.1.1 Passwords
	5.2 Access Control
		5.2.1 Automatic Account Lockout
		5.2.2 Automatic Session Termination
		5.2.3 Warning Banner
	5.3 Auditing
	5.4 Network and Communications Security
		5.4.1 Remote Access and Dial-In
		5.4.2 Network Security Monitoring
		5.4.3 Network Connectivity
		5.4.4 Firewalls and Policy Enforcement Points
		5.4.5 Internet Security
		5.4.6 Email Security
		5.4.7 Personal Email Accounts
		5.4.8 Testing and Vulnerability Management
		5.4.9 Peer-to-Peer Technology
	5.5 Cryptography
		5.5.1 Encryption
		5.5.2 Public Key Infrastructure
		5.5.3 Public Key/Private Key
	5.6 Malware Protection
	5.7 Product Assurance
6.0 DOCUMENT CHANGE REQUESTS
7.0 QUESTIONS AND COMMENTS
APPENDIX A ACRONYMS
APPENDIX B GLOSSARY
APPENDIX C REFERENCES
APPENDIX D DOCUMENT CHANGE HISTORY
                        
Document Text Contents
Page 1

DHS Sensitive Systems Policy

Directive 4300A



Version 8.0



March 14, 2011




This is the implementation of
DHS Management Directive 140-01 Information

Technology System Security, July 31, 2007










DEPARTMENT OF HOMELAND SECURITY

Page 2

DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A





































This page intentionally left blank

Page 66

DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A

58

v8.0, March 14, 2011

4.4 Voice Communications Security
4.4.1 Private Branch Exchange

Policy
ID DHS Policy Statements

Relevant
Controls

4.4.1.a Components shall provide adequate physical and information security for all
DHS-owned Private Branch Exchanges (PBX). (Refer to NIST SP 800-24,
PBX Vulnerability Analysis, for guidance on detecting and fixing
vulnerabilities in PBX systems.)

CM-2

4.4.2 Telephone Communications

Policy
ID DHS Policy Statements

Relevant
Controls

4.4.2.a Components shall develop guidance for discussing sensitive information over
the telephone. Guidance shall be approved by a senior Component official and
is subject to review and approval by the DHS CISO. Under no circumstances
shall classified national security information be discussed over unsecured
telephones.

PL-4

4.4.3 Voice Mail

Policy
ID DHS Policy Statements

Relevant
Controls

4.4.3.a Sensitive information shall not be communicated over nor stored in voice mail. PL-4

4.5 Data Communications

4.5.1 Telecommunications Protection Techniques

Policy
ID DHS Policy Statements

Relevant
Controls

4.5.1.a Components shall carefully select the telecommunications protection
techniques that meet their information security needs, in the most cost-
effective manner, consistent with Departmental and Component information
system security policies. Approved protected network services (PNS) may be
used as cost-effective alternatives to the use of encryption for sensitive
information requiring telecommunications protection.

CM-2

Page 67

DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A

59

v8.0, March 14, 2011

4.5.2 Facsimiles

Policy
ID DHS Policy Statements

Relevant
Controls

4.5.2.a Components shall implement and enforce technical controls for fax technology
and systems (including fax machines, servers, gateways, software, and
protocols) that transmit and receive sensitive information.

SC-1,
SC-7,
SC-8,
SC-9

4.5.2.b Components shall configure fax servers to ensure that incoming lines cannot
be used to access the network or any data on the fax server.

AC-4

4.5.3 Video Teleconferencing

Policy
ID DHS Policy Statements

Relevant
Controls

4.5.3.a Components shall implement controls to ensure that only authorized
individuals are able to participate in each videoconference.

AC-3,
PE-3

4.5.3.b Components shall ensure that appropriate transmission protections,
commensurate with the highest sensitivity of information to be discussed, are
in place throughout any video teleconference.

SC-8,
SC-9

4.5.3.c Video teleconferencing equipment and software shall be disabled when not in
use.

AC-3,
PE-3

4.5.4 Voice Over Data Networks
Voice over Internet Protocol (VoIP) and similar technologies move voice over digital networks.
These technologies use protocols originally designed for data networking. Such technologies
include Voice over Frame Relay, Voice over Asynchronous Transfer Mode, and Voice over
Digital Subscriber Line (refer to NIST SP 800-58 for further information).

Policy
ID DHS Policy Statements

Relevant
Controls

4.5.4.a Prior to implementing voice over data network technology, Components shall
conduct rigorous risk assessments and security testing and provide a business
justification for their use. Any systems that employ this technology shall be
accredited for this purpose with residual risks clearly identified.

SC-19,
PM-9

4.5.4.b Voice over data network implementations shall have sufficient redundancy to
ensure network outages do not result in the loss of both voice and data
communications.

SC-19

4.5.4.c Components shall ensure appropriate identification and authentication
controls, audit logging, and integrity controls are implemented on every
element of their voice over data networks.

SC-19

Page 133

DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A

125

v8.0, March 14, 2011

Version Date Description

Section 4.9.j: Language updated to require that Component SOCs report
operationally to the respective Component CISO.

Section 4.9.k: New policy element added, “The DHS EOC shall report
operationally to the DHS CISO.”

Section 4.10: Revise list of annual system documentation updates.

Section 4.12.c: Policy element replaced with new one stating that the policy
applies “to all DHS employees, contractors, detailees, others working on
behalf of DHS, and users of DHS information systems that collect, generate,
process, store, display, transmit, or receive DHS data.”

Section 5.4.1.e: Policy element removed.

Section 5.4.1.f: Policy element removed.

Appendix A: Include new acronyms

Appendix B: Revise definition of Accreditation Package to reflect new list
of documentation.

Appendix C: Update references

Similer Documents