LANDWARNET 2011 AMERICA’S ARMY: THE STRENGTH OF THE NATION UNCLASSIFIED

LANDWARNET 2011 AMERICA’S ARMY: THE STRENGTH OF THE NATION UNCLASSIFIED. Meeting and Sustaining the Standard: US Army IA Compliance Inspection. Information Exchange Forum Sessions: 1 and 3, IEF IA. LTC Rob Turk, U.S. Army Inspector General Agency (USAIGA)


Post on 26-Dec-2015


Page 1:

Meeting and Sustaining the Standard

US Army IA Compliance Inspection

Information Exchange Forum
Sessions: 1 and 3

IEF IA

LTC Rob Turk
U.S. Army Inspector General Agency (USAIGA)

Page 2:

• Purpose
• DAIG Information Assurance Mission
• Information Assurance Actions
• What does DAIG IA Inspect? Army IA Functional Areas
• Information Assurance Take-Aways
• Panel Member Introduction
• Forum Discussion/Question and Answer Period
• Closing

IEF Sessions: 1 and 3, USAIGA 2011-08-23 // LWN11_IA_DAIG IA Compliance.pptx

Page 3:

To provide insights from the Department of the Army Inspector General Information Assurance Team and organizations that have met the standard the last two years

Page 4:

IA Establishment: 12 May 2005, the CSA directs The Inspector General (TIG) to establish an Information Assurance (IA) Inspection Division to conduct cyclical IA compliance inspections across the Army (Active, Guard and Reserve).

The purpose of IA Inspections:
• Measure level of deviation from established Army IA policies, regulations, doctrine, and procedures (compliance)
• Identify systemic IA problems, determine root causes, develop recommendations, and fix responsibilities for corrective action

Information Assurance Inspections conducted:
• 74 inspections from FY 08 to 1 Aug 11 (57 Active, 12 ARNG, 3 USAR, 2 MWR)
• Fiscal Year Annual Army Information Assurance (IA) Reports published (FY 08, 09 and 10 (Trends and Recommendations))

BLUF: DAIG IA Division is the eyes and ears for Army Senior Leaders in evaluating the Army’s IA posture IAW Army CIO/G-6 IA checklist, regulations, and policy

Page 5:

Information Assurance key insights:
- Establish command/leadership accountability
- Establish the need for continuous oversight (Command Channels)
- Formalize an acceptable level of risk/compliance for existing IA policies and standards

VCSA action Memorandum to Commanders (28 Nov 10)
Subject: Commander and Leader Responsibilities for Information Assurance Capabilities and Standards Enforcement

The VCSA memo directed:
• Army CIO/G-6 & the CDR, ARCYBER to review & improve, where necessary, IA processes/policies
• CDR, ARCYBER to monitor & assist commanders in the enforcement of IA compliance
• Senior Installation Commanders are responsible for their organization’s complying with the Army Information Assurance Program
• Commanders (Brigade equivalent and higher) will assess their organization’s IA program using the Army IA Self-Assessment Tool
• Every organization will incorporate IA into its organizational inspection program at all levels

Page 6:

Army Focus Areas are those that pose a significant risk to the Army LandWarNet

(Army IA Functional Areas and Army Focus Areas are established by Army CIO/G-6)

Inspection Breakout (FY 08-11)

Type    Qty
AC      57
ARNG    12
USAR    3
MWR     2
Total   74

Checklist Functional Areas Army Focus Areas

1. Incident Handling
2. IA Training and Certification
3. IA Vulnerability Management (IAVM)
4. IA Program Management
5. Public Key Infrastructure (PKI)
6. Certification and Accreditation
7. Contingency Planning
8. Wireless Security
9. Portable Electronic Device (PED)
10. Army Web Risk Content Management
11. Personally Identifiable Information (PII)
12. Minimum IA Technical Requirements
13. Classified Systems Management
14. Physical Security

Page 7:

Accountability: Information Assurance requires Command/Leader accountability and oversight in order to protect and defend operational information

Self Assessment: Conduct an honest self assessment – develop realistic goals and empower subordinates

Standard: Be willing to make hard decisions – enforce the standard, otherwise you allow deviations to become the new baseline

Assets: Ensure assets are configured IAW current DISA STIGs (to include manual checks)

PII: Complete your PII assessment (DD Form 2930, Privacy Impact Assessments) and coordinate with your customer organizations

Audits: Conduct full audit scans and review audit logs - Retina/Q-Tip scans – all assets, vulnerabilities (conduct one week prior to inspection)

Document: Document your internal and command wide procedures

Record: Establish a formal record retention program (hard drive and media destruction, wireless scanning/war driving (5yrs / 1yr))

Page 8:

Identify: IT Contingency alternate site and document the results from the last contingency plan exercise

Develop: Build the IT Contingency Plan around supporting mission essential services

Ensure:
- POA&M for all past due IAVAs are entered into NETCROP or VMS
- Waivers are submitted for all deviations from the AGM and/or DISA STIGs
- Incident Response Plans are complete and personnel are trained
- Webmaster, OPSEC & PAO are trained in OPSEC WEB content vulnerability and web risk assessment training
- Marking and labeling of media and peripheral devices are completed
- Wireless security - complete scans (war drive, protocol analysis) are done
- Register and track all IA Workforce personnel in ATCTS

Verify: SF700, SF701 forms are properly filled out (Safes/offices)

A vulnerability allowed by one is a vulnerability assumed by all!

Page 9:

Panel Member Introduction

Forum Discussion/Question and Answer Period

Page 10:

DAIG AKO Portal: https://www.us.army.mil/suite/page/475521

Page 11:

DAIG Office Phone Number

Commercial: (703) 545-4398

DSN: 865-4398
