| < Day Day Up > |
|
It is likely that organizations that may need to use federal cybersystems will be held responsible for the trustworthiness of individuals who are assigned to interact electronically with the government. In addition, organizations will be required to provide training on security issues for individuals who are assigned to use government computers. The organizations most likely to be effected by such requirements are the following:
Government contractors that participate in electronic data interchange, online acquisition, e-commerce, or other forms of electronic interaction with government entities
Other government entities that participate in electronic data interchange or other forms of electronic interaction with government entities
This will require that electronic interaction with government entities have an audit trail. A record of user activity will need to be maintained and users will need to be identified and authenticated so that they can be held accountable for their actions. An audit trail in computer usage often results in the recording of the following functions:
Type of event
When the event occurred
User ID associated with the event
Program or command used to initiate the event
Log-in attempts
Password changes
File creations, changes, or deletions
Audit trails are generally reviewed on a periodic basis. When anomalies are identified, they are reported to an appropriate supervisor for follow-up action. In addition, federal government policies generally require that audit files be stored in a locked room and kept for a period of three years.
It is advisable that employees in organizations that have some sort of formalized electronic interaction with the governments be asked to sign an agreement to safeguard sensitive data and to use computer systems properly. A typical agreement is shown in Figure 10.1.
Figure 10.1: Sample agreement to safeguard information.
In addition to a signed agreement from the employee, it is also advisable for there to be a warning banner on the systems being used by the employee that states the appropriate-use policy of the organization. A typical warning banner is shown in Figure 10.2.
Figure 10.2: Sample appropriate-use warning banner.
It may also be advisable to seek, if it is not already required, an interconnection security agreement (ISA), which documents and formalizes the interconnection of two systems owned by two different organizations. An ISA establishes the requirements for data exchange between two organizations. It specifies the requirement, and, more specifically, the security safeguards for the systems being interconnected. It is then adjudicated and signed by the respective designated individuals from those two organizations. Areas covered by a typical ISA include the following:
General information and a description of data
Services offered or used
Data sensitivity levels
User community characteristics and locations
Information-exchange security requirements
Trusted-behavior expectations
Formal security policies
Incident-reporting process
Audit-trail responsibilities and process
| < Day Day Up > |
|