STIGQter: STIG Summary: Traditional Security Checklist Version: 1 Release: 3 Benchmark Date: 15 Jun 2020: STIGQter: STIG Summary: Traditional Security Checklist Version: 1 Release: 3 Benchmark Date: 15 Jun 2020:SV-41042r3_rule
V-30996
Information Assurance - System Security SOPs
IA-01.03.01
CAT III
10
1. Security Operating Procedures (SOPs) covering all systems, supporting infrastructure and physical facilities must be written.
2. The procedures must be readily available to both the Information Assurance Staff (ISSM, ISSO, SA) and all system users requiring information in the procedures to perform their jobs. Information can be placed in an Information System Users Guide (SFUG) and other applicable documents as appropriate. SOP availability must be on a site intranet, shared folders, WEB page, etc. for ease of reference by all employees - unless classified or otherwise requiring restricted access.
As a minimum the following areas must be documented:
a. Handling of suspected system compromise or spillage
b. Cyberspace Protection Conditions (CPCON) - formerly Information Operations Condition (INFOCON) - procedures and policies
c. Procedures for eradication after an attack
d. Proper password management
e. Purging of storage media (disks, CDs, DVDs, drives, etc.) prior to turn-in or disposal
f. Remote diagnostic and maintenance approval and procedure
g. Out-processing and turn-in of equipment
h. Use of screensavers/Unattended terminals
i. Virus detection and scanning
j. In-processing and vetting of employees for systems access (proper investigation and security clearance)
Check written SOPs covering all systems, supporting infrastructure and physical facilities. Conduct a cursory review of the SOPs and as a minimum ensure the following areas are documented:
a. Handling of suspected system compromise or spillage
b. Cyberspace Protection Conditions (CPCON) - formerly Information Operations Condition (INFOCON) - procedures and policies
c. Procedures for eradication after an attack
d. Proper password management
e. Purging of storage media (disks, CDs, DVDs, drives, etc.) prior to turn-in or disposal
f. Remote diagnostic and maintenance approval and procedure
g. Out-processing and turn-in of equipment
h. Use of screensavers/Unattended terminals
i. Virus detection and scanning
j. In-processing and vetting of employees for systems access (proper investigation and security clearance)
NOTE: This requirement for on-hand SOPs should not be applied to a tactical environment, unless it is a fixed computer facility in a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over 1-year.
2) The facility is "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.
3) Procedures for field/mobile elements are still required and should be available at a supporting headquarters, either in Theater or perhaps even CONUS. These may be requested during pre-trip coordination or obtained after visiting the tactical AO.
V-30996
False
IA-01.03.01
Check written SOPs covering all systems, supporting infrastructure and physical facilities. Conduct a cursory review of the SOPs and as a minimum ensure the following areas are documented:
a. Handling of suspected system compromise or spillage
b. Cyberspace Protection Conditions (CPCON) - formerly Information Operations Condition (INFOCON) - procedures and policies
c. Procedures for eradication after an attack
d. Proper password management
e. Purging of storage media (disks, CDs, DVDs, drives, etc.) prior to turn-in or disposal
f. Remote diagnostic and maintenance approval and procedure
g. Out-processing and turn-in of equipment
h. Use of screensavers/Unattended terminals
i. Virus detection and scanning
j. In-processing and vetting of employees for systems access (proper investigation and security clearance)
NOTE: This requirement for on-hand SOPs should not be applied to a tactical environment, unless it is a fixed computer facility in a Theater of Operations. The standards to be applied for applicability in a tactical environment are:
1) The facility containing the computer room has been in operation over 1-year.
2) The facility is "fixed facility" - a hard building made from normal construction materials - wood, steel, brick, stone, mortar, etc.
3) Procedures for field/mobile elements are still required and should be available at a supporting headquarters, either in Theater or perhaps even CONUS. These may be requested during pre-trip coordination or obtained after visiting the tactical AO.
M
2506