AFSPC PCS TRAINING COVER SLIDE

Good morning . Welcome to this presentation on the AFSPC Computer Security Education, Training, & Awareness Program (ETAP) for newly arrived PCS personnel. My name is . I am the with the . This ETAP presentation is targeted towards newly arrived personnel, and will require approximately 20 minutes for the slide presentation, followed by a 10 to 20 minute discussion period. At the conclusion of this presentation you will understand the how and the why of the security protection measures in place for your organization. If you feel that you do not understand any portion of this presentation, please do not leave here without discussing the issues with me today.

As a headquarters command, AFSPC contains many diverse elements and components, with personnel and organizations spread around the world. This presentation will equip you to operate with all AFSPC elements, and to communicate via data processing resources in the course of your job by educating you on the AFSPC approach to computer security, and by presenting the AFSPC organization and infrastructure that supports the AFSPC approach to computer security.

< NEXT SLIDE >

SLIDE 2: SI 33-202; THE AFSPC COMPUSEC PROGRAM

Computer security policy has been in place Air Force-wide for several years, beginning with AFR 300-8, AFR 205-16, and now as represented by various instructions and memoranda. One computer instruction applicable to you here at AFSPC is SI 33-202, The AFSPC COMPUSEC PROGRAM. This instruction is put out by AFSPC/SCX. As newly arrived personnel, you will find the information in SI 33-202 to be very helpful in learning just what is required of you in support of AFSPC computer security.

< NEXT SLIDE >

SLIDE 3: SI 33-203; THE AFSPC TEMPEST PROGRAM

The AFSPC approach to TEMPEST, the "science" addressing compromising emanations from communications and computer equipment, is presented in SI 33-203, The AFSPC TEMPEST Program.
In this document you will find significant information to facilitate your involvement with TEMPEST issues within AFSPC. Situations involving TEMPEST, and requiring reference to SI 33-203 include, but are not limited to: a) installation of new equipment; b) relocation of existing equipment; c) facility construction and modification; d) relocation of organizational personnel, where non-AFSPC personnel and equipment are introduced into AFSPC workspace, and similar equipment-related situations.

< NEXT SLIDE >

SLIDE 4: DAA ISSUES

You may be asking yourself by this time, "Who is responsible to make certain these requirements are met?" The individual directly responsible for ensuring that the security requirements are identified, allocated to different parts of the systems, and fulfilled within the system is the Designated Approval Authority, the DAA.

Each AFSPC computer system which processes classified information must be accredited, to verify that security features are in place, are functioning, and are adequate to reduce the risk of violating the security of the system and the data. Because numerous computer systems exist and operate within AFSPC, there are multiple individuals serving as DAAs. To determine the responsible DAA for a particular system, consult SI 33-200, paragraph 4.

When the DAA approves a computer system for processing information, this approval is based on: a) an identified set of security requirements for the system, b) a Computer Security Plan (CSP) identifying how the system will be operated to stay within the requirements, c) a precise listing of all system components, of hardware, software, users, etc., and d) results of security testing to verify the degree of compliance with the requirements.

< NEXT SLIDE >

SLIDE 5: AFSPC/SCX

And now to the organization of AFSPC. AFSPC/SCX has been tasked by AFSPC with implementing Air Force directives concerning computer security.
AFSPC/SCX fulfills this obligation through two primary roles:

a) by developing, promulgating, and maintaining directives -

   SI 33-200 AFSPC C4 SYSTEMS SECURITY PROGRAM
   SI 33-202 AFSPC COMPUTER SECURITY (COMPUSEC) PROGRAM
   SI 33-203 AFSPC TEMPEST PROGRAM
   SI 33-204 AFSPC EDUCATION, TRAINING AND AWARENESS PROGRAM (ETAP)
   SI 33-1 C4 SECURITY CHECKLIST; and
   SI 33-2 DEVELOPMENTAL C4 SYSTEMS SECURITY, and

b) by providing staff support to technical and task-driven activities.

< NEXT SLIDE >

SLIDE 6: BASE C4 SYSTEM SECURITY OFFICE

Given the geographic distribution of AFSPC elements, the responsibilities for systems security issues at the local level have been delegated to base-level and to unit-level C4 System Security offices. The Base C4 System Security Office is your link to obtain help, guidance, clarification or support in computer security issues. The Base C4 System Security Office representative at this base is , and the telephone number is . Their office is located in .

< NEXT SLIDE >

SLIDE 7: UNIT C4 SYSTEM SECURITY OFFICE

Besides the Base C4 System Security Office, you have an even closer point-of-contact for computer security assistance. That point-of-contact is your Unit C4 System Security Office, and is your closest link to obtain help, guidance, clarification or support in computer security issues. The Unit C4 System Security Office representative at this base is , and the telephone number is . The office is located in .

< NEXT SLIDE >

SLIDE 8: C4 SYSTEMS PERSONNEL

C4 Systems Personnel are pretty easy to find, because that is quite probably what YOU are. If you are in this briefing, and are seeing this presentation, you are a user, a provider, or are a link in the AFSPC C4 chain at some level. We will now discuss YOUR role in addressing computer security issues.

The END USER is the individual who is really doing the day-to-day work. Computer security within AFSPC rises and falls with the user.
If you, as a user, decide to try to work around the system, or to try and "get away" with some practices which go against policy, you probably can succeed for a period of time. Does this help you? Can you get your job done faster if you go around security? If so, you should be passing this information up the chain. The level of computer security protection was established knowing that SOME level of performance degradation may result. But feedback on the acceptability of the degradation can only come from you - the user. Do not assume that "everyone" has seen what you have seen. Feedback from you can help the entire command, so communicate!

< NEXT SLIDE >

SLIDE 9: UNDERSTANDING THE AFSPC COMPUSEC PROGRAM

The AFSPC/SCX organization has made a commitment to proactively educate, indoctrinate, and train you to assist you in becoming the computer security-aware individual that is vitally needed for the forces of the nineties and beyond. This section of the presentation discusses how the elements of AFSPC support this program through their assigned roles. As the user you are a key component of this process.

The Air Force establishes high-level policy for all aspects of USAF, to include AFSPC. Where USAF addresses computer security, this occurs at the policy level. A direction is set; a commitment is made to achieve a particular level or state of readiness in computer security.

INFORMATION RESOURCES MANAGEMENT has a wide range of responsibility for the Information Resources of AFSPC. You may have understood that already, given their organization's name. One aspect of their role is to serve as the "owners" of all AFSPC information assets. Files, media, etc., belong to their area. Over time, you will become familiar with the day-to-day implications of this organization for you, but unless you routinely share files or data, you may have only minimal interaction with them.

The SECURITY & AUDIT organization provides the real heart of the AFSPC computer security program.
SECURITY & AUDIT will provide you with your boot disk and media. SECURITY & AUDIT will establish your operational parameters for your use of AFSPC computing resources, by establishing levels of permissions and your need-to-know of information.

< NEXT SLIDE >

SLIDE 10: AFSPC COMPUSEC ROLES AND RESPONSIBILITIES

AFSPC roles & responsibilities for computer security are defined in SI 33-200. The organization that AFSPC has put in place reflects the guidance in SI 33-200. The specific roles described by SI 33-200 include the DAA, AFSPC/SCX C4 Systems Security Office, Base C4 Systems Security Office, Unit C4 Systems Security Office, and the role of C4 Systems Personnel, as listed in the preceding pages/slides.

< NEXT SLIDE >

SLIDE 11: COMPUTER SECURITY (COMPUSEC)

SI 33-202 describes the AFSPC Computer Security (COMPUSEC) Program. The major components of the AFSPC COMPUSEC program address obtaining approval to operate from the DAA, minimum security requirements and automated computer security features, and Security Test and Evaluation (ST&E) as a means to verify the effectiveness of the security features.

< NEXT SLIDE >

SLIDE 12: INFORMATION SECURITY (INFOSEC)

Information Security addresses the protection that we afford to the actual information in terms of documents, data, files, etc. Issues such as determining the proper security classification of the information, determining who has/does not have a valid need-to-know for the information, etc., are Information Security issues. The determination of whether or not to grant access to information causes us to think about, "What protection does this information require?"

Much of the information we deal with on a daily basis may seem trivial to us, or not requiring extraordinary protection. When we print, and the paper looks bad, do we throw the COMMUNICATIONS ROUTING TABLE into the recycling box? Into the wastebasket? Into classified waste?
Users need to be aware that the determination of sensitivity or classification may originate in another location, but each user can raise a voice to say, "This needs to be protected!" Look at your data in this way.

If you are working with labeled classified data, this level of assessment may be unnecessary. The labels reflect the assigned security classification of the data, or of SOME PART of the data. Reclassification, declassification or relabeling of the data must occur only in accordance with your specific operating instructions, as approved by the DAA. For questions see your Unit C4 System Security Office.

< NEXT SLIDE >

SLIDE 13: AUTOMATED COMPUTER SECURITY FEATURES

The procedures regarding automated security features address measures which are implemented as an operational component of the computer system. The computer system then constitutes a part of the overall security mechanism. Individual automated features which have been implemented in Class C2 computer systems, and in AFSPC computer systems include: user IDs, passwords, audit controls, audit data and analysis, file protection and access controls, as well as object reuse measures.

These automated features are easily used, and introduce no significant complexity or delay into processing. Can you imagine manually logging your use of the system in hardcopy, rather than creating an automated audit record? Also, the audit trail doesn't forget, and it doesn't lie. The responsibility for instituting the controls is a system management issue, not a user issue. Cooperating & applying the appropriate controls is a user issue.

< NEXT SLIDE >

SLIDE 14: COMMON EXAMPLES OF VULNERABILITIES

Terminology for computer security is not just the "buzzwords," like HACKER, CRACKER, TROJAN HORSE, and others. Plain English is also included, such as RISK, THREAT, VULNERABILITY. A THREAT is an adverse event that could affect your system(s) or your facility.
A VULNERABILITY is the likelihood of damage resulting from the occurrence of the THREAT. A RISK is the combination of THREAT + VULNERABILITY.

In an attempt to quantify just how dangerous a VULNERABILITY may be to a particular installation, THREATS are evaluated against two criteria: 1) Frequency, and 2) Extent of Damage. A THREAT which occurs only once per hundred years, such as a local flood, would be serious, but may be "accepted," that is, "discounted" as a viable THREAT, because it is so infrequent. However, the EXTENT OF DAMAGE of such a THREAT may cause it to be re-evaluated, as the damage from such a flood would be catastrophic. Striking a balance between the Frequency and the Extent of Damage makes up a Risk Assessment.

An EVENT that occurs only once every hundred years may be ignorable, but only if we look at how far into the hundred years we are. To counter the THREAT of flooding, a new building may be required to reduce the VULNERABILITY to the THREAT. The possibility of the THREAT (flooding) cannot be reduced, but the potential exposure to damage (VULNERABILITY) can certainly be reduced.

A THREAT may also be something that would occur much more frequently, such as an ANNUAL blizzard. The VULNERABILITY may become an inability for personnel to get into the facility to accomplish their work. Here the frequency of an ANNUAL event is great. What is the VULNERABILITY? What does it cost? What do countermeasures provide? A frequent event with a low cost may be "accepted" or "discounted" as a viable threat, because the organization can work around the problem. But how do we know the severity? How do we know whether we can work around the problem? This can be determined by the Risk Assessment process.

Moving a computer with the cables attached can result in damage to the computer, and unhealthy consequences to the mover. This may be trivial, or this may be non-trivial. We make decisions at this level without even thinking about them. PCs are portable.
They can be moved, and they can be stolen. Have you ever come into work in the morning and found your computer on? Things moved around at your desk? A possible virus on your computer? The sanctity of the workplace, even for a military organization, is threatened today.

< NEXT SLIDE >

SLIDE 15: GOOD COMPUTER SECURITY PRACTICES

PROGRAM MANAGERS & FUNCTIONAL MANAGERS are tasked with getting the job done. Part of the criteria used to evaluate these managers is their track record of security violations or problems. A MANAGER who urges you to "go around" a security feature in the name of expediency is wrong. A MANAGER who winks at you going around a protective feature is also wrong.

If you are faced with a time-critical task, and you need relief from some feature, discuss that with your MANAGER. Ask for advice on how to do your job. Have a solution ready to be suggested, though, because you know it best, as the END USER. For example, if your system requires a lengthy, complicated LOGON procedure, and you just want to leave the system up when you go to lunch, so you won't have to go through that LOGON process, what do you suggest in place of shutting down the system? Will that be effective in preventing unauthorized access to your system? ASK FIRST! Do not decide on your own to "accept the risk," because "I'm only going out for a sandwich."

< NEXT SLIDE >

SLIDE 16: REPORTING SECURITY VIOLATIONS

When security violations occur, or become known, the response to the violation is of critical importance. The way we respond clearly indicates how we value the security of the information, and the trust reposed in us as users. We don't need to intimidate or to ostracize someone for forgetting their password; in fact, this is certainly not a security violation. However, when Airman X writes a password onto a yellow sticky, and tapes that password to the front of the TOP SECRET computer terminal in our area, we may feel that Airman X has stepped over the bounds.
The real benefit of reporting security violations is not only in that the violation is STOPPED, but is also in that we can then collect data about how secure our environment really is, and about how benign or malignant. If no one is trying to obtain access to our resources, maybe we will become complacent. But if the cleaning personnel are trying to log in on a terminal, maybe we DO have a problem.

< NEXT SLIDE >

SLIDE 17: This has been an AFSPC Production

THIS CONCLUDES THE PRESENTATION PORTION OF THIS SESSION. WE WILL NOW OPEN THE SESSION TO A DISCUSSION PERIOD. PLEASE REMAIN IN YOUR SEATS, AS YOU ARE NOT DISMISSED.

(** Open Discussion Session **)

Closing Comments

Thank you for your attendance at this presentation on the AFSPC Computer Security Education, Training, & Awareness Program (ETAP). My name is . I am the with the . I can be reached at . If you feel that you do not understand any portion of this presentation, please do not leave here without discussing the issues with me today. Thank you. You are now dismissed.

<***** LAST SLIDE *****>

AFSPC PCS TRAINING SCRIPT