ML18340A290

ISMP Security Awareness Training Slides

Issue date: 12/06/2018

From: Office of Nuclear Material Safety and Safeguards

To: Lukes K

Download: ML18340A290 (22)

Text

Integrated Source Management Portfolio (ISMP)

Security Awareness Training

ISMP Security Awareness Training

Introduction

Welcome to security awareness training for the Integrated Source Management Portfolio (ISMP). The information contained in this course is provided to inform ISMP Users of their responsibilities with regard to computer security while using ISMP.

This training is required by the Office of Management and Budget (OMB) under OMB Circular A-130 and the Nuclear Regulatory Commission (NRC) Office of Nuclear Material Safety and Safeguards (NMSS).

The course covers NRC policy on the authorized use of ISMP. The practices described in this course are designed to protect ISMP and ISMP information from unauthorized disclosure, alteration, or destruction.

You will be required to provide a digital acknowledgement of your understanding of the ISMP Rules of Behavior.

If you have any questions, please contact the ISMP Helpdesk at 1-877-671-6787.


Contents

Attitudes & Fallacies

IT Security Threats

IT Security Measures

Information Security

System Use Message

Rules of Behavior

Best Practices

Attitudes & Fallacies

Common Attitudes and Fallacies:

The security or system staff take care of security.

Nobody WANTS my authenticators (e.g., PIN, digital certificate, hard token).

It is MY machine.

Security is NOT my priority.

Attention: Security is everyone's responsibility!


IT Security Threats

Two categories of IT security threats that ISMP Users should be aware of are:

Illegal System Access

Viruses and Malicious Software

Unauthorized users access the system by:

Using an authorized user's login credentials

Hacking into the system

Authorized users may also try to exceed their authorized level of access and hack into others' resources.


IT Security Threats (cont.)

What is a computer virus?

A virus is a program that copies itself to other programs or files.

A virus is just one type of malicious software.

Other Types of Malicious Software

Trojan - Disguised as a legitimate program, Trojans can create back doors to a system.

Time Bomb - Code on a computer that triggers some damaging event at a particular time.

Logic Bomb - Triggered by a particular event and behaves as a virus.


IT Security Measures

ISMP Users must be aware of the following IT security measures that are implemented to protect ISMP from IT Security Threats:

Strong authentication

Cryptography

ISMP User Responsibilities and Rules of Behavior

Types of Authenticators

Digital Certificate: the digital equivalent of an ID card. Also called a digital ID, digital identity certificate, and public key certificate.

Hard Token: a hardware security device that is used to authenticate a user (e.g., a smart card).

One Time Password (OTP): a hardware security device providing Validated ID Protection used to authenticate a user (e.g., a security token).

Personal Identification Number (PIN): a number used to confirm a user's identity when using a hard token.

Password: a string of characters that is entered into a computer system to gain access to a resource.


IT Security Measures (cont.)

Strong Authentication

Access to ISMP requires strong authentication using:

NRC ICAM-issued digital certificates stored on NRC ICAM-issued hard tokens. (ICAM is Identity, Credential, and Access Management.)

Digital certificates and hard tokens are PIN-protected.

One Time Password (OTP) and PIN.

Cryptography Key Terms:

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.

Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a U.S. government computer security standard used to accredit cryptographic modules.

An encrypted connection is established between the ISMP User and ISMP to protect ISMP data while it is transmitted over the internet.

FIPS 140-2 compliant cryptography must be used. Additional details are provided later in this course under the Rules of Behavior.


IT Security Measures (cont.)

ISMP User Responsibilities and Rules of Behavior

To ensure the secure access and use of the system, ISMP Users are responsible for implementing security measures on their computer and local environment.

The ISMP Rules of Behavior, which define these measures and responsibilities, are addressed in detail later in this course.


Information Security

ISMP information is categorized as Sensitive Unclassified Non-Safeguards Information (SUNSI).

SUNSI must not be viewed or accessed inadvertently or willfully by a person who is not authorized access.


System Use Notification Message

The ISMP System Use Notification Message is displayed to the user prior to each login attempt.

The message informs the user that by using the system, he/she agrees to the following:

Consent to monitoring.

No privacy expectations.

Penalties for unauthorized access or misuse of system and system data.


Rules of Behavior (RoB)

The ISMP Rules of Behavior (hereinafter Rules of Behavior) establish a set of rules that describe ISMP resident application user responsibilities and expected behavior with regard to information and system usage.

The ISMP Rules of Behavior cover the following:

Applicability

Consequence for Noncompliance

General Protections

NRC Identity, Credential, and Access Management (ICAM)

Authenticators

User Desktops and Laptops

Rules of Behavior (RoB) (cont.)

Applicability

The RoB apply to all individuals who use the ISMP resident applications: the National Source Tracking System (NSTS), Web-Based Licensing (WBL), the License Verification System (LVS), and the Portfolio Enrollment Module (PEM).

Consequence for Noncompliance

The RoB comply with the RoB for all NRC Automated Information System (AIS) Users provided in NRC Management Directive 12.5, NRC Automated Information Security Program, Section 2.5 (ML052310031). The RoB are to be followed by all ISMP resident application users. Users shall be held accountable for their actions on the ISMP resident applications. Non-compliance with the RoB may subject the user to sanctions including, but not limited to, verbal or written warnings; removal of access to an ISMP resident application for a specific period of time or permanently; and/or prosecution under applicable Federal law consistent with the nature and the severity of the violation. NRC employees may also be subject to reassignment to other duties or termination. The Office of the Inspector General (OIG) is charged with the investigation of allegations of misconduct related to the misuse of ISMP resident applications, and ISMP management shall report all allegations of violations of the RoB to the OIG.


Rules of Behavior (RoB) (cont.)

General Protections

Users:

Shall use the ISMP resident applications in accordance with procedures provided in each resident application User Guide.

Shall only use the ISMP resident applications to perform authorized functions.

Shall complete the security awareness training prior to using an ISMP resident application for the first time and annually thereafter. Also, users shall complete additional security awareness training as required by changes to the ISMP resident applications.

Shall take appropriate precautions to protect ISMP resident application data, including securing output generated from the system (i.e., printed or digital reports, query results, other system output), from unauthorized access.


Rules of Behavior (RoB) (cont.)

General Protections (cont.)

Users:

Shall follow established procedures for requesting and disseminating information.

Shall not attempt to bypass or circumvent security features within the ISMP resident applications.

Shall immediately report anomalies and security incidents to the ISMP Helpdesk at 1-877-671-6787. Security incidents include attempted access by unauthorized individuals; violations of the RoB; disclosure of sensitive information; loss of availability of the application; destruction of data; detection of malicious code or other compromise of the system; or unexplained system activity.

Shall promptly follow the advice and direction of the ISMP Helpdesk in response to security incidents.

Shall not use wireless technologies to access ISMP resident applications.

Shall promptly report when no longer requiring access to ISMP resident applications to the ISMP Helpdesk at 1-877-671-6787.


Rules of Behavior (RoB) (cont.)

NRC Identity, Credential, and Access Management (ICAM)

ICAM identifies and authenticates users and provides management capabilities for those identifiers and authenticators issued by the NRC.

Users:

Shall use NRC ICAM-issued digital certificates stored on the ICAM-issued hard token or soft token OTP to access ISMP. Tokens and digital certificates are PIN-protected.


Rules of Behavior (RoB) (cont.)

Authenticators

Users:

Shall take reasonable measures to safeguard all authenticators (i.e., digital certificates, hard tokens, soft tokens, passwords, and PINs) including maintaining possession of individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately to the ISMP Helpdesk at 1-877-671-6787.

Shall remove hard tokens from card readers when not in use and shall ensure that hard tokens are stored in a secure location, if applicable.


Rules of Behavior (RoB) (cont.)

User Desktops and Laptops

Users:

Shall log out of ISMP resident applications by clicking the logout link. This is especially important when using tabbed browsers to ensure maximum protection of data.

Shall close internet browsers immediately after logging out of ISMP resident applications.

Shall not use wireless devices to access ISMP resident applications. Laptops are permitted for use only when used with wired network connections.

Shall keep computers used to access ISMP resident applications current with the latest security patches and updates.

Shall use anti-virus software on computers used to access ISMP resident applications and shall ensure that it is configured with the latest anti-virus updates/virus definition files.


Rules of Behavior (RoB) (cont.)

User Desktops and Laptops (cont.)

Users:

Shall take appropriate precautions to prevent the entry of malicious code into the ISMP environment, including the scanning for malware of email and media (e.g., USB flash drives, CDs, etc.) before accessing them from computers used to access ISMP resident applications.

Shall either log off ISMP resident applications by clicking the logout link, or log off or lock the computer (for example, by using Ctrl-Alt-Delete) before leaving computers used to access ISMP resident applications unattended.

Shall position computer monitors to prevent the viewing of sensitive data by unauthorized individuals.

Shall ensure that the screen-saver password protection option on computers used to access ISMP resident applications is selected and that the wait time is set to 15 minutes.


Best Practices

Authenticators

When selecting a PIN, users should avoid using the following:

Your name, nickname, or initials

Your user identification code or name (user ID)

Special dates

Your spouse or child's name

Your telephone number, employee number, or social security number

Anything that can be easily associated with you

Consecutive or repeated numbers or letters (ABCDE, CCCCC, 123456, 88888)

Dictionary words

Us3$tr0ngP@&SwOrd$!
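A checker that encodes the PIN and password selection rules listed on this slide, added here as an example and not part of the NRC training material; the personal-data record, the short word list, and the run length of three characters are constructed assumptions:

```python
import re

# Constructed sample record; a real deployment would pull these attributes from
# the user's own profile and load a full word list from a dictionary file.
PERSONAL_INFO = {
    "name": "Jane Doe",
    "user_id": "jdoe42",
    "family_names": ["Tom"],                   # spouse or child's name
    "numbers": ["301-555-0123", "77812"],      # telephone, employee number
    "special_dates": ["1990-04-12", "2015-06-30"],
}
DICTIONARY = {"password", "welcome", "summer", "nuclear", "letmein"}

ALPHA = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def digits_only(s):
    """Strip everything but digits so 301-555-0123 and 3015550123 compare equal."""
    return re.sub(r"\D", "", s)


def has_run(value, n=3):
    """True if value holds n+ identical or consecutive characters (ABCDE, CCCCC, 123456, 88888)."""
    v = value.lower()
    for i in range(len(v) - n + 1):
        chunk = v[i:i + n]
        if len(set(chunk)) == 1:
            return True
        if any(chunk in seq or chunk in seq[::-1] for seq in (ALPHA, DIGITS)):
            return True
    return False


def check_authenticator(candidate, info=PERSONAL_INFO, words=DICTIONARY):
    """Return the slide's rules that the candidate breaks; an empty list means it passes."""
    c = candidate.lower()
    c_digits = digits_only(c)
    problems = []
    parts = info["name"].lower().split()
    if any(p in c for p in parts) or "".join(p[0] for p in parts) in c:
        problems.append("contains your name or initials")
    if info["user_id"].lower() in c:
        problems.append("contains your user ID")
    if any(n.lower() in c for n in info["family_names"]):
        problems.append("contains a spouse or child's name")
    if any(digits_only(n) and digits_only(n) in c_digits for n in info["numbers"]):
        problems.append("contains your telephone, employee, or social security number")
    if any(digits_only(d) in c_digits or d[:4] in c_digits for d in info["special_dates"]):
        problems.append("contains a special date")   # full date or its year
    if has_run(candidate):
        problems.append("contains consecutive or repeated numbers or letters")
    if any(w in c for w in words):
        problems.append("contains a dictionary word")
    return problems
```

The slide's own stylized example passes every rule, while values built from the sample record or from a run such as 123456 are rejected with the rule they break.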


Best Practices

Authenticators (cont.)

Sharing authenticators is prohibited.

Never disclose or write down PINs.

Remember to:

To protect yourself from misuse or abuse, protect your authenticators.

Report compromised authenticator incidents.

Others

Cut and paste internet addresses from email messages into browsers instead of clicking links provided in the message.

Do not download attachments, files, or programs from unknown sources.

Never supply personal information to unknown addresses.

Do not download shareware, freeware, or other programs.

Contact the ISMP Helpdesk for suspected virus or malicious code incidents.


CONGRATULATIONS

This completes ISMP Security Awareness Training.
