ISMP Security Awareness Training Slides

Transcript of the 22-slide deck "Integrated Source Management Portfolio (ISMP) Security Awareness Training".

Page 1: Integrated Source Management Portfolio (ISMP) Security Awareness Training

Page 2: Introduction

Welcome to security awareness training for the Integrated Source Management Portfolio (ISMP). The information in this course is provided to inform ISMP Users of their responsibilities with regard to computer security while using ISMP.

This training is required by the Office of Management and Budget (OMB) under OMB Circular A-130 and by the Nuclear Regulatory Commission (NRC) Office of Nuclear Material Safety and Safeguards (NMSS).

The course covers NRC policy on the authorized use of ISMP. The practices described in this course are designed to protect ISMP and ISMP information from unauthorized disclosure, alteration, or destruction.

You will be required to provide a digital acknowledgement of your understanding of the ISMP Rules of Behavior.

If you have any questions, please contact the ISMP Helpdesk at 1-877-671-6787.

Page 3: Contents

- Attitudes & Fallacies
- IT Security Threats
- IT Security Measures
- Information Security
- System Use Message
- Rules of Behavior
- Best Practices

Page 4: Attitudes & Fallacies

Common attitudes and fallacies:
- The security or system staff take care of security.
- Nobody WANTS my authenticators (e.g., PIN, digital certificate, hard token).
- It is MY machine.
- Security is NOT my priority.

Attention: Security is everyone's responsibility!

Page 5: IT Security Threats

Two categories of IT security threats that ISMP Users should be aware of are:
- Illegal system access
- Viruses and malicious software

Unauthorized users access the system by:
- Using an authorized user's login credentials
- Hacking into the system

Authorized users may also try to exceed their authorized level of access and hack into others' resources.

Page 6: IT Security Threats (cont.)

What is a computer virus?
- A virus is a program that copies itself to other programs or files.
- A virus is just one type of malicious software.

Other types of malicious software:
- Trojan: disguised as a legitimate program, a Trojan can create back doors into a system.
- Time bomb: code on a computer that triggers some damaging event at a particular time.
- Logic bomb: triggered by a particular event and behaves as a virus.

Page 7: IT Security Measures

ISMP Users must be aware of the following IT security measures that are implemented to protect ISMP from IT security threats:
- Strong authentication
- Cryptography
- ISMP User Responsibilities and Rules of Behavior

Types of authenticators:
- Digital Certificate: the digital equivalent of an ID card. Also called a digital ID, digital identity certificate, or public key certificate.
- Hard Token: a hardware security device used to authenticate a user (e.g., a smart card).
- One Time Password (OTP): a hardware security device providing Validated ID Protection, used to authenticate a user (e.g., a security token).
- Personal Identification Number (PIN): a number used to confirm a user's identity when using a hard token.
- Password: a string of characters entered into a computer system to gain access to a resource.

Page 8: IT Security Measures (cont.)

Strong Authentication
Access to ISMP requires strong authentication using:
- NRC ICAM-issued digital certificates stored on NRC ICAM-issued hard tokens (ICAM is Identity, Credential, and Access Management). Digital certificates and hard tokens are PIN-protected.
- One Time Password (OTP) and PIN.

Cryptography
Key terms:
- Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
- Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a U.S. government computer security standard used to accredit cryptographic modules.
- An encrypted connection is established between the ISMP User and ISMP to protect ISMP data while it is transmitted over the internet.
- FIPS 140-2 compliant cryptography must be used. Additional details are provided later in this course under the Rules of Behavior.

Page 9: IT Security Measures (cont.)

ISMP User Responsibilities and Rules of Behavior
To ensure secure access to and use of the system, ISMP Users are responsible for implementing security measures on their computer and in their local environment. The ISMP Rules of Behavior, which define these measures and responsibilities, are addressed in detail later in this course.

Page 10: Information Security

ISMP information is categorized as Sensitive Unclassified Non-Safeguards Information (SUNSI). SUNSI must not be viewed or accessed, inadvertently or willfully, by a person who is not authorized access.

Page 11: System Use Notification Message

The ISMP System Use Notification Message is displayed to the user prior to each login attempt.

The message informs the user that by using the system, he/she agrees to the following:
- Consent to monitoring.
- No expectation of privacy.
- Penalties for unauthorized access or misuse of the system and system data.

Page 12: Rules of Behavior (RoB)

The ISMP Rules of Behavior (hereinafter Rules of Behavior) establish a set of rules that describe ISMP resident application user responsibilities and expected behavior with regard to information and system usage.

The ISMP Rules of Behavior cover the following:
- Applicability
- Consequence for Noncompliance
- General Protections
- NRC Identity, Credential, and Access Management (ICAM)
- Authenticators
- User Desktops and Laptops

Page 13: Rules of Behavior (RoB) (cont.)

Applicability
The RoB apply to all individuals who use the ISMP resident applications: the National Source Tracking System (NSTS), Web-Based Licensing (WBL), the License Verification System (LVS), and the Portfolio Enrollment Module (PEM).

Consequence for Noncompliance
The RoB comply with the RoB for all NRC Automated Information System (AIS) Users provided in NRC Management Directive 12.5, "NRC Automated Information Security Program," Section 2.5 (ML052310031). The RoB are to be followed by all ISMP resident application users. Users shall be held accountable for their actions on the ISMP resident applications. Non-compliance with the RoB may subject the user to sanctions including, but not limited to, verbal or written warnings; removal of access to an ISMP resident application for a specific period of time or permanently; and/or prosecution under applicable Federal law consistent with the nature and the severity of the violation. NRC employees may also be subject to reassignment to other duties or termination. The Office of the Inspector General (OIG) is charged with the investigation of allegations of misconduct related to the misuse of ISMP resident applications, and ISMP management shall report all allegations of violations of the RoB to the OIG.

Page 14: Rules of Behavior (RoB) (cont.)

General Protections
Users:
- Shall use the ISMP resident applications in accordance with the procedures provided in each resident application User Guide.
- Shall only use the ISMP resident applications to perform authorized functions.
- Shall complete the security awareness training prior to using an ISMP resident application for the first time and annually thereafter. Users shall also complete additional security awareness training as required by changes to the ISMP resident applications.
- Shall take appropriate precautions to protect ISMP resident application data, including securing output generated from the system (i.e., printed or digital reports, query results, and other system output) from unauthorized access.

Page 15: Rules of Behavior (RoB) (cont.)

General Protections (cont.)
Users:
- Shall follow established procedures for requesting and disseminating information.
- Shall not attempt to bypass or circumvent security features within the ISMP resident applications.
- Shall immediately report anomalies and security incidents to the ISMP Helpdesk at 1-877-671-6787. Security incidents include attempted access by unauthorized individuals; violations of the RoB; disclosure of sensitive information; loss of availability of the application; destruction of data; detection of malicious code or other compromise of the system; or unexplained system activity.
- Shall promptly follow the advice and direction of the ISMP Helpdesk in response to security incidents.
- Shall not use wireless technologies to access ISMP resident applications.
- Shall promptly report to the ISMP Helpdesk at 1-877-671-6787 when access to ISMP resident applications is no longer required.

Page 16: Rules of Behavior (RoB)

NRC Identity, Credential, and Access Management (ICAM)
ICAM identifies and authenticates users and provides management capabilities for the identifiers and authenticators issued by the NRC.
Users:
- Shall use NRC ICAM-issued digital certificates stored on the ICAM-issued hard token, or a soft token OTP, to access ISMP. Tokens and digital certificates are PIN-protected.

Page 17: Rules of Behavior (RoB) (cont.)

Authenticators
Users:
- Shall take reasonable measures to safeguard all authenticators (i.e., digital certificates, hard tokens, soft tokens, passwords, and PINs), including maintaining possession of individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately to the ISMP Helpdesk at 1-877-671-6787.
- Shall remove hard tokens from card readers when not in use and shall ensure that hard tokens are stored in a secure location, if applicable.

Page 18: Rules of Behavior (RoB) (cont.)

User Desktops and Laptops
Users:
- Shall log out of ISMP resident applications by clicking the logout link. This is especially important when using tabbed browsers, to ensure maximum protection of data.
- Shall close internet browsers immediately after logging out of ISMP resident applications.
- Shall not use wireless devices to access ISMP resident applications. Laptops are permitted only when used with wired network connections.
- Shall keep computers used to access ISMP resident applications current with the latest security patches and updates.
- Shall use anti-virus software on computers used to access ISMP resident applications and shall ensure that it is configured with the latest anti-virus updates/virus definition files.

Page 19: Rules of Behavior (RoB) (cont.)

User Desktops and Laptops (cont.)
Users:
- Shall take appropriate precautions to prevent the entry of malicious code into the ISMP environment, including scanning email and media (e.g., USB flash drives, CDs, etc.) for malware before accessing them from computers used to access ISMP resident applications.
- Shall either log off ISMP resident applications by clicking the logout link, or log off or lock the computer (for example, by using Ctrl-Alt-Delete), before leaving computers used to access ISMP resident applications unattended.
- Shall position computer monitors to prevent the viewing of sensitive data by unauthorized individuals.
- Shall ensure that the screen-saver password protection option on computers used to access ISMP resident applications is selected and that the wait time is set to 15 minutes.

Page 20: Best Practices

Authenticators
When selecting a PIN, users should avoid using the following:
- Your name, nickname, or initials
- Your user identification code or name (user ID)
- Special dates
- Your spouse's or child's name
- Your telephone number, employee number, or social security number
- Anything that can be easily associated with you
- Consecutive or repeated numbers or letters (ABCDE, CCCCC, 123456, 88888)
- Dictionary words

Us3$tr0ngP@&SwOrd$!
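The PIN-selection guidance on this slide can be turned into a screening check that an enrollment tool or help desk could run before a PIN is accepted. The Python below is an added example and is not part of the ISMP deck; the run length, the minimum match length, the word list and the sample user are all constructed assumptions.

```python
import re

# Constructed stand-in for a dictionary word list (assumption: a real check
# would load a full list); only words of 4+ letters are worth matching.
DICTIONARY = {"password", "welcome", "secret", "nuclear", "admin", "token"}
RUN_LEN = 3    # assumed: 3 identical or consecutive characters already count as a run
MIN_MATCH = 4  # assumed: personal values shorter than this are too short to match

# Constructed sample user for the demo; every value here is made up.
SAMPLE_USER = {"name": "Jane Q. Public", "user ID": "jqpublic",
               "telephone number": "555-0100", "special date": "07/04/1985"}

def _normalize(text: str) -> str:
    """Keep only letters and digits, lower-cased, so 555-0100 matches 5550100."""
    return re.sub(r"[^0-9a-z]", "", text.lower())

def _has_run(pin: str, step: int) -> bool:
    """True if RUN_LEN adjacent characters change by exactly `step` code points
    at every position (0 = repeated, +1 = ascending, -1 = descending)."""
    s = pin.lower()
    return any(
        all(ord(s[i + j + 1]) - ord(s[i + j]) == step for j in range(RUN_LEN - 1))
        for i in range(len(s) - RUN_LEN + 1)
    )

def pin_weaknesses(pin: str, personal: dict) -> list:
    """Return the guidance items the PIN violates (empty list = none). `personal`
    maps a slide label ("user ID", "special date", ...) to the user's own value;
    initials are derived from the "name" entry when one is present."""
    reasons = []
    norm_pin = _normalize(pin)
    for label, value in personal.items():
        norm_val = _normalize(value)
        if len(norm_val) >= MIN_MATCH and (
            norm_val in norm_pin or (len(norm_pin) >= MIN_MATCH and norm_pin in norm_val)
        ):
            reasons.append(f"contains {label}")
    if "name" in personal:
        initials = "".join(w[0].lower() for w in personal["name"].split() if w[0].isalpha())
        if len(initials) >= 2 and initials in norm_pin:
            reasons.append("contains initials")
    if _has_run(pin, 0):
        reasons.append("repeated characters")
    if _has_run(pin, 1) or _has_run(pin, -1):
        reasons.append("consecutive characters")
    if any(word in norm_pin for word in DICTIONARY):
        reasons.append("dictionary word")
    return reasons
```

With the sample user, `pin_weaknesses("Rx7!kq2Z", SAMPLE_USER)` returns an empty list, while "123456", "88888", "Welcome1", "0704-1985" and "jqp2020" each come back flagged with the slide item they break.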

Page 21: Best Practices

Authenticators (cont.)
Sharing authenticators is prohibited. Never disclose or write down PINs.
Remember to:
- Protect yourself from misuse or abuse: protect your authenticators.
- Report compromised authenticator incidents.

Others
- Cut and paste internet addresses from email messages into browsers instead of clicking links provided in the message.
- Do not download attachments, files, or programs from unknown sources.
- Never supply personal information to unknown addresses.
- Do not download shareware, freeware, or other programs.
- Contact the ISMP Helpdesk for suspected virus or malicious code incidents.

Page 22: CONGRATULATIONS

This completes ISMP Security Awareness Training.