2 4 SEP 2014

advertisement
DEPARTMENT OF THE NAVY
UNITED STATES NAVAL ACADEMY
121 BLAKE ROAD
ANNAPOLIS MARYLAND 21402-1300
USNAINST 5230.1A
6/ITSD
2 4 SEP 2014
USNA INSTRUCTION 5230.1A
From:
Superintendent
Subj:
INFORMATION TECHNOLOGY AND CYBERSECURITY POLICY AND
STANDARDS
Ref:
(a) DODD 8320.03 Unique Identification (UID) Standards for a
Net-Centric Department of Defense
(b) DODD 8570.01 Information Assurance Training,
Certification, and Workforce Management
(c) DODCIO Policy on Use of Department of Defense (DOD)
Information Systems Standard Consent Banner and User
Agreement, 09 May 2008
(d) USNAINST 5231.1C, Life Cycle Management Policy for
Information Systems
(e) USNAINST 7320.1 Management of Personal Property
(f) Navy Higher Education Network Cybersecurity Concept of
Operations (CONOPs)
Encl:
(1) Information Technology and Cybersecurity Policy and
Standards
(2) Acceptable Use Policy for USNA IT Resources
(3) Information Technology Services Division (ITSD)
Project Request
(4) Providing IT Assets, Services and Support to Semester
Exchange Students.
1.
Purpose.
To establish information technology (IT) and
cybersecurity policy and standards for the United States Naval
Academy (USNA) in accordance with references (a) through (f) .
2.
Cancellation.
USNAINST 5230.1
3. Applicability. All elements of this instruction apply to
all organizations and personnel using the USNA Mission network
and to all IT resources including any network and communication
infrastructure and attached devices, software systems, web
services, and cloud services.
USNAINST 5230.1A
2 4 SEP 2014
4.
Background.
a.
Institutional IT policy and standards provide the
structure and good order necessary for productivity.
Policy and
standards also support an environment that provides costeffective service while maintaining currency in technology.
Well-defined policy best serves the uncertain nature of a
limited budget and IT support staff, increased demand for
technology, necessity for - training, shortened product lifecycles, urgency of immediate service, dependence on IT for
mission support, and constraints imposed by outside authority.
Institutional policy provides the foundation for prudent
management of IT resources and a format to analyze courses of
actions, select methodologies, and make decisions.
b. USNA embraces an "information engineered" IT
environment.
Information engineering refers to the seamless
integration of information technologies; makes available IT
products and services for teaching, learning, training,
researching, managing, communicating, and decision making;
engineers data into accurate information; strives to make
complex IT transparent to the user; and affords everyone from
novice to expert the opportunity to increase productivity.
c.
IT must be affordable, achievable, flexible, scalable,
migratable, and secure. Affordable means that existing
financial assets allow USNA to procure or develop, maintain,
upgrade, modernize, and eventually replace technology.
Achievable means that existing staff provides for acquisition,
systems integration, and operation.
Flexible means the
technology supports multiple functions.
Scalable means the same
technology can meet varying demands.
Migratable means that the
architecture includes a path for the future.
Secure means that
policies, mechanisms and infrastructure are in place to manage
risks related to confidentiality, integrity, and availability of
services and information.
d.
This instruction is a complete revision and should be
reviewed in its entirety.
Significant changes include:
(1) Establishment of the User Repository Database as the
authoritative information source for provisioning user accounts
and services.
2
USNAINST 5230 . 1A
2 4 SEP 2014
(2) Establishment of user identity standards .
(3) Formalization of remote access policy .
(4) Assignment of r esponsibilities for prov iding IT
serv ices to e x change students.
(5) Incorporation of Cy bersecurity Workforce
requirements.
5.
Responsibilities.
a.
The Command Information Officer (Chief Information
Officer, CIO) shall ensure compliance with applicable DOD/DON IT
and cybersecurity policies. The CIO shall promulgate standard
procedures (enclosures (1) through (4)) and is responsible for
their revision.
b.
All hands shall follow CIO standard procedures
per this instruction.
impl ~ mented
Distribution:
Non Mids(electronically)
Brigade (electronically )
3
USNAINST 5230.1A
2 4 SEP 2014
Information Technology and Cybersecurity Policy and Standards
1.
Definitions.
a.
IT resources include all computing and communications
systems.
Computing systems include all devices with a
processing unit (e.g., server, desktop, laptop, tablet, printer,
copier, smartphone, storage device, router, switch, intrusion
prevention and detection devices, traffic shaping appliances),
devices that can connect to a processing unit (e . g., monitor,
external disk, keyboard, mouse, UPS), software (operating
systems, hypervisors and applications including shareware,
freeware, licensed and public domain), and firmware.
Communications systems include telephones, telephone switching
devices, facsimile machines, and pagers.
b.
The USNA mission network consists of the USNA EDU
network partitioned into an internal intranet and an extranet
demilitarized zone (DMZ), and the USNA MIL network.
The USNA
EDU network consists of IT resources with connectivity via a
usna.edu domain name to the Maryland Research and Education
Network (MDREN) . The USNA MIL network consists of IT resources
with connectivity via a usna.navy.mil domain name to the Defense
Research and Engineering Network (DREN) .
c.
The USNA guest network consists of access to MDREN from
usna . edu tunneled to the DMZ, and is used to facilitate
communications for guests attending officially sponsored USNA
activities such as conferences and workshops.
d.
IT Services consist of the applications and
functionality made available through IT resources and via USNA
contracted cloud services.
e.
Remote access is access to a USNA information ' system by
an authorized user communicating through an external; non-USNA
controlled network (e.g. a home network via an internet service
provider) . Authorized use of USNA contracted web-based cloud
services from a browser on a mobile device is not considered to
be remote access.
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
f.
A student is a midshipman, Naval Academy Preparatory
School (NAPS) midshipman candidate, or Service Academy exchange
student (domestic and foreign) .
g. A group account (positional account) is one that by
policy, authorizes more than one user to share the same
authentication credentials, e.g., the Naval Academy Duty Officer
account, nado®usna.edu.
2.
Authorized Users.
a.
Students matriculating at USNA and NAPS and personnel
assigned to billets listed in the Activity Manpower Document
(AMD) of USNA and NAPS are authorized to use the USNA mission
network.
Select former civilian USNA faculty members retired
from government service, prospective AMD gains and military on
temporary additional duty (TAD) to USNA, and others may be
authorized to use the USNA mission network if there is a mission
requirement to do so.
b.
The User Repository (UR) database is the authoritative
source for information employed to populate the enterprise
directory, to create network accounts and to provision IT
services.
UR information shall be entered and maintained by the
respective data owners.
3.
Identity. As a DOD component, the identity management
standards for persona display names and email addresses
established per reference (a) shall be followed where possible.
Military, civilians, contractors, and foreign nationals will be
distinctly identified. As an institution of higher education,
accommodation may be made for civilian faculty upon request.
4 . Managed Services. Authorized users will appear in the
enterprise directory. Additional managed IT services required
for the performance of duty may be authorized upon request.
These include:
a.
Mission network account.
b.
Email account.
Because email is a contracted cloud
service that incurs cost, it is not necessarily provided to all
2
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
authorized users.
For example, email service is not provided to
all employees paid through non-appropriated funds, Naval Academy
Athletic Association (NAAA) employees, and TAD military unless a
justified need is demonstrated.
c.
Enterprise Information System account (e.g., AIS, MIDS,
NSTAR).
d.
USNA public and intranet webserver and web content
management system account.
e.
Network shared file system.
f.
Cloud service account (e.g., Blackboard, Ungerboeck)
5. Access Control.
The USNA EDU, .MIL , and guest networks, and
remote user access require different manners of access control.
a.
USNA EDU network. A System Access Authorization Request
- Navy (SAAR-N) shall be used to request access to the USNA EDU
network and associated IT services. Access will not be granted
without an approved SAAR-N. A new SAAR-N shall be initiated to
request IT services for USNA faculty who retire from the civil
service.
(1) An appropriate supervisor shall initiate each
request.
Supervisors shall certify that the request is for
legitimate and justified needs that support the USNA mission:
(a) IT service for retired USNA faculty members must
be requested via the Academic Dean and Provost.
(b) For exchange students, the request shall
originate from the Office of the Commandant of Midshipmen.
(c) For military assigned TAD to USNA, the request
shall originate from the Officer Personnel Office.
Group
accounts are discouraged and alternate means shall be used
wherever possible.
3
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
(2) A group account may be authorized only when no other
technical means can provide its functionality.
(3) Privileged users are defined in reference (b).
(a) Privileged access shall not be used to perform
computing tasks that do not require elevated privilege.
(b) The internet shall not be accessed from a web
browser while logged in to a privileged user account, nor shall
email be sent from this account.
(c) Some users perform privileged access system
administration functions on information systems that are not
enterprise systems (e.g., a faculty research server).
These
users are not members of the USNA Cybersecurity Workforce (CSWF)
as defined in reference (b), but shall sign a privileged access
agreement.
b.
USNA MIL network. Access will be via VPN from a nonprivileged user account on the usna.edu intranet.
c. USNA Guest Network. Access is not granted but may be
authorized upon special request.
d.
Remote access may be authorized for administrative or
end-user purposes in support of the USNA mission.
(1) Remote administrative access involves users who
connect from a remote location to perform system administration
tasks on enterprise systems.
Remote administrative access is
authorized for members of the CSWF.
It shall not be used
routinely, but may be used to resolve emergent critical issues
that require timely response.
Supervisors shall remain informed
of this use.
(2) Remote end-user access involves users who connect
from a remote location to perform tasks typical of their USNA
job description.
Remote end-user access is for occasional use
and is not telework, which requires separate authorization.
4
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
(3) Users must sign a Remote Use Agreement before being
authorized remote access.
e.
Approval Authority.
(1) The Command Information Systems Security Manager
(ISSM) or designated assistant is the approval authority for
granting access to USNA mission and guest networks.
(2) The Deputy Director of the cognizant ITSD department
is the approval authority for granting access to a managed IT
service.
(3) The CIO shall approve all retired USNA faculty IT
service requests.
6.
Authorized Use.
a. Authorized use indicates the IT resource is used to
directly support the USNA mission and is not prohibited by law,
regulation, instruction, or command policy.
Questions
concerning authorized use shall be resolved by an appropriate
supervisor; the user does not determine what use is authorized.
b.
The USNA mission network is a U.S. Government (USG)
information system (IS) . By accessing a USG IS, the user gives
consent to conditions on government-authorized use specified in
the reference (c) User Agreement and summarized in login notice
and consent banners . The provisions of this agreement and
banners apply for all IT services including cloud services
accessed from a web browser on a mobile device in any location.
c.
Consistent with DOD policy, Cost Center Heads may
authorize limited personal use while in the workplace.
Authorized personal use includes personal communications (e.g.,
with family members and medical staff or for scheduling
appointments) as long as the use:
(1) Does not adversely affect the employee's performance
of duty.
5
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
(2) Is of reasonable duration and frequency, and
conducted during the individual's personal time.
(3) Serves a legitimate interest that in some manner
indirectly supports the USNA mission, such as improving morale,
enhancing professional skill, or furthering education.
(4) Does not adversely impact mission network
performance.
(5) Does not incur additional cost to USNA.
(6) Is continuously attended.
d. A computing device that is government property issued
for employee use while in the USNA workplace may be used outside
of the workplace (e.g., during official travel) under the
following conditions:
(1) The use is approved by the employee's supervisor.
(2) Unless a formal telework agreement has been
approved, the use is temporary (e.g., a laptop may not be used
as a "home computer").
(3) The Deputy for Cybersecurity, ITSD, must be
contacted in advance if a government computing device is to be
used during international travel.
The device may require reimaging upon return.
7.
General User Responsibilities.
Prudent, efficient, cost
effective, and secure use of information technology is a
professional responsibility . Users shall adhere to the
Acceptable Use Policy for USNA IT Resources in enclosure (2),
and the Navy User Agreement and Consent Provisions.
Additionally,
a.
Users are expected to be able to perform basic computing
tasks without assistance.
b.
Users shall acquire training in the use of the systems
6
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
required to perform their assigned duties, by attending classes,
reading instructions and manuals, viewing tutorial videos, etc.
c. Data to be backed up consumes primary and backup storage
space and network bandwidth during backup. Users should be
cognizant of what data is being backed up as a service, take
care to not duplicate this data, and shall assume responsibility
for backing up all other of their own critical data.
d.
Users should follow cybersecurity best practices in the
workplace, including:
(1) Being wary of email and attachments from unknown
sources.
(2) Not clicking links that cannot be verified.
(3) Not downloading anything from untrusted sources.
(4) Not using the same password to authenticate to
different accounts or services.
8.
Life Cycle Management (LCM).
a. Abbreviated System Decision Paper (ASDP).
Per reference
(d) , all mission IT resource needs will be planned and
documented annually in an ASDP. A request for emergent project
support not included in a current ASDP should be documented by
submitting enclosure (3) which amends the current ASDP.
b. Acquisition. All USNA IT acquisitions require LCM
documentation and approval by the Deputy for ITSD prior to
procurement.
Required documentation (specifications,
descriptions, justifications, privacy impact assessments,
documents required by the configuration control board (CCB),
etc.) prepared by the requesting organization must be accurate.
Acquisition of capital equipment or other items resulting in a
new or improved information system are funded through an
Operations and Maintenance, Navy (O&MN) or Other Procurement,
Navy (OPN) account as applicable.
Operational support and
maintenance to sustain existing information systems as currently
7
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
configured are funded through the O&MN centralized maintenance
account.
Consumable supplies, designated non-centralized
maintenance actions, and incidental software acquisitions are
funded from organizational O&MN expense accounts.
Telecommunications equipment and services are funded through the
telecommunications account.
c.
Per reference (e), Property Responsible Officers shall
maintain an accurate inventory and disposition of IT assets
within their department.
Lost or stolen IT assets shall be
reported per reference (e) .
9.
World Wide Web.
a.
The official USNA internal and external web sites are
administered by ITSD.
Certain areas of the web site are
maintained by non-ITSD personnel with oversight and assistance
provided by software/application developers assigned to ITSD.
b. Additional USNA policy pertaining to web-page
maintainers and content developers is published on the internal
USNA web site.
10. Semester Exchange Students.
ITSD is responsible for
providing IT services to visiting cadets participating in the
Service Academy Exchange Program, and to Foreign Service Academy
cadets identified by the Academic Dean (AcDean) . The Commandant
of Midshipmen (COMDT) manages the military affairs of all
midshipmen and NABSD is responsible for issuing and maintaining
midshipmen computers.
These parties shall coordinate efforts
per enclosure (4) to ensure exchange students receive IT
services in a timely manner before an academic semester begins.
11.
Cybersecurity and Configuration Control.
a.
Before a federal agency can grant an Authority to
Operate (ATO) , a government information system, the Federal
Information Security Management Act (FISMA) requires these
systems to be certified and accredited with respect to
cybersecurity risk management.
The risk management framework
includes continuous monitoring and periodic recertification.
8
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
b. A baseline level of cybersecurity is established through
a set of controls. A cybersecurity control describes an
objective condition of integrity, availability, or
confidentiality achieved by applying specific safeguards or
regulating specific activities. The objective condition is
testable, compliance is measurable, and the activities required
to achieve the control are assignable and accountable.
Controls
include such things as training and education, technical
implementation requirements, configuration control processes,
logging and reporting, and physical security .
c.
The risk category of the information system determines
the controls that are applied. USNA systems are not designated
as National Security Systems and do not store nor transmit
classified information but do contain sensitive information such
as Personally Identifiable Information (PII), financial data,
and operational data that must be protected.
The USNA ATO is
based on the reference (f) Concept of Operations for an
educational environment.
The following policies support USNA
certification and accreditation:
(1) Personal Electronic Devices (PEDs) are not permitted
on the mission network without prior written approval.
(2) A personally owned mobile device shall be registered
before it is used to access USNA contracted cloud services, and
users shall comply with all conditions of registration (e.g.,
PIN/password requirements, maintenance of registration, etc.)
Loss or theft of registered personally owned mobile devices
shall be reported to ITSD.
(3) Device quarantine, seizure, and re-configuration may
be used to mitigate risk.
Vulnerable software that is not
accepted with an approved mitigation plan and is not remediated,
as required, will be disabled.
_
(4) Configuration Control shall be implemented in
accordance with reference (f) and amplifying procedures as
promulgated by ITSD.
(5) Members of the USNA CSWF shall maintain
9
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
certification and training per reference (b) and procedures
established by the CIO.
12.
Information Technology Services Division (ITSD) Support.
a.
ITSD will assist
acquisition, operations,
information technologies
Support will be provided
the customer and approve the
maintenance, and management of
needed to support the USNA mission.
with the following priorities:
(1) Emergent critical (e.g., equipment failure, disaster
recovery)
(2) Externally driven (e.g., security, legal)
(3) Enterprise mission (e.g . , MIDS, AIS, NSTAR,
contracted cloud services)
(4) Academic core (core courses)
(5) Academic major (majors, courses and electives)
(6) Academic research and administrative (Faculty
Research Office)
b.
(7)
Administrative (e.g., Institutional Research)
(8)
Command support (e.g., conferences, meetings, ECAs)
Information Technology Service Center (ITSC).
(1) The ITSC supports authorized users and is a single
point of contact for reporting problems with or asking questions
about managed IT services and the associated IT resources.
The
ITSC does not provide general education or training in basic
computer use, does not assist with questions related to use of
specialized customer software, and does not maintain student
computers.
(2) "Level-1n support is primarily accessible through
telephone, remote assistance, or face-to-face help in Ward Hall
10
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
Room G-1 and departmental IT Specialists. Users with simple
issues should use one of these means.
ITSC and IT specialists
will attempt to resol v e these issues as soon as possible;
however, support is only provided during normal business hours .
These support requests may also be emailed at any time for entry
into the support ticketing system, but response time will
include ticket processing time.
Issues that cannot be resolved
at this lev el are escalated to level-2 and entered into the
ticketing system for tracking.
(3) "Level - 2" support is for level-1 issues identified
outside of normal business hours and for issues that might not
be resolved in the same day.
Technical expertise from a single
ITSD department is typically required to address level - 2 issues
as they often require gathering additional information.
ITSD
will attempt to resolve level-2 issues within several workdays.
Issues not resolved in this timeframe or by a single department
are escalated to level-3.
(4) "Level-3" support is required if new solutions must
be devised or more than one ITSD department is involved .
Resolving level-3 issues will usually take more than sev eral
days.
c. Any support issues requiring acquisition to resolve
should also be addressed where appropriate through the Life
Cy cle Management process per reference (d) or Configuration
Control Board.
11
Enclosure (1)
USNAINST 5230.1A
2 4 SEP 2014
Acceptable Use Policy for USNA IT Resources
The USNA mission network is a U.S. Government (USG) information
system (IS).
By accessing a USG IS, the user gives consent to
conditions on government-authorized use specified in the DOD
Standard User Agreement and summarized in login notice and
consent banners.
The provisions of this agreement and banners
apply for all IT services including cloud services accessed from
a web browser on a mobile device in any location .
A user shall comply with all DOD/DON/USNA policies on use of IT
resources, and:
•
Must use information technology resources only for authorized
education, research, and administrative activities in support
of the Naval Academy mission.
•
Must remain aware of the licensing terms and conditions of all
software they use .
•
Must permit system access for vulnerability scanning and
remediation.
•
Must use official email distribution lists only for missionrelated purposes that are germane to the list.
•
Must NOT participate in any behavior that unreasonably
interferes with the fair use of IT resources by another (e.g.,
bandwidth or disk space consumption) .
•
Must NOT use images or graphics that reflect adversely on the
Naval Academy, including personal images associated with
contracted USNA cloud services.
•
Must NOT override a displayed persona identity (display name)
formatted in accordance with DOD/DON/USNA policy.
•
Must NOT remove or disable client software required for
network access control or vulnerability scanning and
remediation.
Enclosure (2)
USNAINST 5230.1A
I 4 SEP ?014
•
Must NOT use IT resources for illegal or unethical purposes,
including:
o
o
o
o
o
o
o
o
o
o
Possessing, copying, or using illegal software.
Destruction or damage to Naval Academy or personal
resources.
Disruption or unauthorized monitoring of communications.
Harassment of others.
Dishonesty (plagiarism, cheating, using false identity).
Violation of another individual's privacy.
Violation of copyright and fair use laws.
Violation of licensing agreements.
Any use whose intended purpose is financial gain.
Pornography (viewing or downloading)
2
Enclosure · (2)
USNAINST 5230.1A
? 4 SEP 2014
Information Technology Services Division (ITSD) Project Request
Date
MEMORANDUM
From:
To:
Cost Center Head
Deputy for Information Technology Services
Subj:
REQUEST FOR PROJECT SUPPORT
Encl:
(as needed)
1. Request for Service.
support.
Summarize the details of the requested
2. Organizational Point of Contact.
Provide the name, title,
email address, and telephone number of the principal point of
contact on all matters relating to the project.
3.
Priority of Request.
Indicate one of the following
priorities, with justification:
a. Mandatory: the accomplishment is critical to the USNA
mission. Alternative action is neither unavailable nor
feasible.
Immediate resolution may be required.
b. Necessary: the accomplishment contributes significantly
to improved effectiveness and/or efficiency.
c. Desired: the accomplishment would contribute to improved
effectiveness, efficiency, economy, or convenience.
4.
Required Date.
Provide two realistic dates:
a. Desired Date.
Provide the optimum date from the
requestor's viewpoint.
b.
Critical Date.
Provide the latest acceptable date for
satisfying the request, beyond which a critical deficiency will
exist (N/A if priority is desired) .
Enclosure (3)
USNAINST 5230.1A
? 4 SFP ?011.1
Subj:
REQUEST FOR PROJECT SUPPORT
5. Detailed Description of the Service Requested.
Include
functional requirements, drawings, system specifications, etc.
6. Reason for Request.
Justify the request. Address
weaknesses in existing systems, the proposed corrections or
improvements, and the specific benefits to be realized.
Expected benefits may be described in terms of cost reductions
in manpower, supplies, equipment, response time, etc.; or
increased capabilities.
7. References.
List instructions, letters, documents,
memoranda, and publications that make the case for and
substantiate the request.
8.
Funding.
Identify the source of funding.
2
Enclosure (3)
USNAINST 5230.1A
I 4 SEP 2014
Providing IT Assets, Services, and Support to Exchange Students
1.
The Academic Dean shall, before each semester begins:
a.
Identify to ITSD and NABSD the number of computers
required by foreign exchange students .
b.
Ensure each foreign exchange student has a record in the
USNA enterprise MIDS system .
2.
The Commandant of Midshipmen shall:
a.
Before each semester begins:
(1) For asset and systems support planning purposes,
identify to NABSD the number of computers that will be needed by
domestic exchange students.
(2) To permit assignment of IT services, ensure each
inbound domestic exchange student has a record in the USNA
enterprise MIDS system.
(3) Initiate a SAAR-N for all exchange students, foreign
and domestic.
(4) Identify and communicate to ITSD any special
computer configuration required by the exchange student source
organization for consideration in network configuration control
(e.g., VPN client software and settings for on-line coursework,
course registration) .
b. Before an exchange student returns to their source
organization, ensure IT assets are returned to NABSD.
This
action is necessary for efficient life-cycle management.
3.
The Director, NABSD shall:
a.
Coordinate with ITSD to provide IT assets with hardware
and software functionally equivalent to that issued to an
exchange student's USNA year group.
Enclosure (4)
USNAINST 5230.1A
') A SFP ?01A
b . . Before each semester begins, have sufficient laptop
computers available for the number of exchange students
identified by ACDEAN and COMDT.
c.
Provide exchange students with the same computer support
services provided midshipmen.
4.
The Deputy, ITSD shall:
a.
Coordinate transferring computer custody between NABSD,
ITSD and exchange students.
b.
Grant exchange students the standard network services of
a USNA midshipman.
c.
When possible, accommodate special computer
configurations required by the exchange student source
organizations.
2
Enclosure (4)
Download