10.2 Trusted individuals

It is likely that organizations that may need to use federal cybersystems will be held responsible for the trustworthiness of individuals who are assigned to interact electronically with the government. In addition, organizations will be required to provide training on security issues for individuals who are assigned to use government computers. The organizations most likely to be effected by such requirements are the following:

• Government contractors that participate in electronic data interchange, online acquisition, e-commerce, or other forms of electronic interaction with government entities

• Other government entities that participate in electronic data interchange or other forms of electronic interaction with government entities

This will require that electronic interaction with government entities have an audit trail. A record of user activity will need to be maintained and users will need to be identified and authenticated so that they can be held accountable for their actions. An audit trail in computer usage often results in the recording of the following functions:

Type of event

• When the event occurred

• User ID associated with the event

• Program or command used to initiate the event

• Log-in attempts

• Password changes

• File creations, changes, or deletions

Audit trails are generally reviewed on a periodic basis. When anomalies are identified, they are reported to an appropriate supervisor for follow-up action. In addition, federal government policies generally require that audit files be stored in a locked room and kept for a period of three years.

It is advisable that employees in organizations that have some sort of formalized electronic interaction with the governments be asked to sign an agreement to safeguard sensitive data and to use computer systems properly. A typical agreement is shown in Figure 10.1.

Figure 10.1: Sample agreement to safeguard information.

In addition to a signed agreement from the employee, it is also advisable for there to be a warning banner on the systems being used by the employee that states the appropriate-use policy of the organization. A typical warning banner is shown in Figure 10.2.

Figure 10.2: Sample appropriate-use warning banner.

It may also be advisable to seek, if it is not already required, an interconnection security agreement (ISA), which documents and formalizes the interconnection of two systems owned by two different organizations. An ISA establishes the requirements for data exchange between two organizations. It specifies the requirement, and, more specifically, the security safeguards for the systems being interconnected. It is then adjudicated and signed by the respective designated individuals from those two organizations. Areas covered by a typical ISA include the following:

• General information and a description of data

• Services offered or used

• Data sensitivity levels

• User community characteristics and locations

• Information-exchange security requirements

• Trusted-behavior expectations

• Formal security policies

• Incident-reporting process

• Audit-trail responsibilities and process