BUSINESS PRACTICE 27
Information Systems Security
WHAT
This practice establishes TVA’s Information Systems Security Policy.
This policy supersedes the INFORMATION TECHNOLOGY (IT) SECURITY POLICY (all revisions), the INFORMATION TECHNOLOGY PROGRAM MANAGEMENT PLAN (all revisions) and the INFORMATION TECHNOLOGY SECURITY MANUAL (all revisions).
WHO
This policy applies to TVA employees, contractors, grantees, other federal agencies, state and local governments, industry partners, and others who possess TVA information or who operate, use, or have access to TVA’s information systems. In addition, the policy applies to every information system and network that stores or processes TVA data, and includes hardware, software, media, facilities, and data owned or in the custody of TVA, or operated for TVA by any contractor, federal agency, state and local government, industry partner, or other outside organization even if those systems and networks are located external to TVA. This policy also applies when TVA information is used within equipment that is acquired by a TVA contractor incidental to a TVA contract.
WHY
It is the policy of TVA to implement security controls to protect the confidentiality, integrity, and availability of TVA’s information and information systems commensurate with the criticality and sensitivity of the information and information systems, and to protect the privacy to which individuals are entitled. TVA shall implement such controls consistent with applicable federal laws and regulations and industry best practices.
HOW
To protect the confidentiality, integrity, and availability of TVA’s information and information systems and to protect the privacy to which individuals are entitled, the following requirements are established.
I. Information Systems
A. Information resources shall be logically grouped and uniquely assigned to information systems (e.g., a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information).
B. Information systems must: (i) generally be under the same direct management control; (ii) have the same function or mission objective and essentially the same operating characteristics and security needs; and (iii) reside in the same general operating environment (or in the case of a distributed information system, reside in various locations with similar operating environments). Information systems may contain multiple subsystems (e.g., major subdivision or component of an information system consisting of information, information technology and personnel that perform one or more specific functions).
C. An Information System Owner shall be designated for each information system by the responsible agency official.
II. Security Categorization
A. Each information system and the information resident within the system shall be categorized to determine potential impact values (e.g., low, moderate, high) for confidentiality, integrity, and availability protection requirements, and the overall security category (e.g., low, moderate, high) for the information system.
B. Each information system and the information resident within the system shall have the categorization verified and updated as warranted every three years or whenever there is a significant change to the system.
III. Application Categorization
A. Each application shall be determined to be a major or minor application based on the security category of the application.
B. Each application shall have the application categorization verified and updated as warranted every three years or whenever there is a significant change to the system.
IV. Authorization/Accreditation Boundaries
A. Information resources shall be logically grouped and uniquely assigned to a general support system or major application for authorization/accreditation purposes.
B. Each general support system and major application must: (i) generally be under the same direct management control; (ii) have the same function or mission objective and essentially the same operating characteristics and security needs; and (iii) reside in the same general operating environment (or in the case of a distributed application or system, reside in various locations with similar operating environments).
C. General support systems and major applications may be combined within a common accreditation boundary, in which case they become subsystems of the newly created general support system or major application.
D. Minor applications must be assigned to a general support system or a major application.
E. An Information System Owner and an Information System Security Officer shall be designated by the responsible agency official for each general support system and major application.
F. Authorization/accreditation boundaries for general support systems and major applications shall be reviewed and updated as warranted every three years or whenever there is a significant change to any system or any subsystem of that system.
V. Security Controls
A. In order to adequately protect the confidentiality, integrity, and availability of general support systems and major applications and the information processed, stored, and transmitted by those systems, minimum or baseline security controls shall be implemented consistent with applicable federal requirements and industry best practices for each information system or subsystem based on the security category (e.g., low, moderate, high with high requiring more stringent controls than moderate and moderate more stringent than low) of the system and tailored based on the unique needs of the system or subsystem.
B. When minor applications or subsystems with varying security categories are grouped into single general support systems or major applications, security controls shall be defined based on the highest security category for any minor application/subsystem unless there is adequate boundary protection around those subsystems with the highest security categories.
C. Minimum controls required by all information systems include:
1. Access Control (AC): Information system access must be limited to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
2. Awareness and Training (AT): Managers and users of information systems must be made aware of the security risks associated with their activities and of the applicable federal and agency requirements related to the security of TVA’s information systems; and those with significant security responsibilities must be adequately trained to carry out their assigned information security-related duties and responsibilities.
3. Audit and Accountability (AU): Information system audit records must be created, protected, and retained to the extent needed to: (i) enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
4. Certification, Accreditation, and Security Assessments (CA): Information systems must: (i) be assessed at least every three years or whenever a significant change occurs to the information system to determine if security controls are effective in their application; (ii) have plans of action with milestones designed to correct deficiencies and reduce or eliminate vulnerabilities; (iii) be authorized for processing including any associated information system connections by a designated senior agency official; and (iv) be monitored on an ongoing basis to ensure the continued effectiveness of the controls.
5. Configuration Management (CM): Baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) must be established and maintained throughout the respective system life cycles; and security configuration settings for information products employed in information systems must be established and enforced.
6. Contingency Planning (CP): Contingency plans for emergency response, backup operations, and disaster recovery for organizational information systems must be established, maintained, and effectively implemented to ensure the availability of critical information resources and continuity of operations in emergency situations.
7. Identification and Authentication (IA): Information system users, processes acting on behalf of users, or devices must be identified and the identities authenticated (or verified), as a prerequisite to allowing access to information systems.
8. Incident Response (IR): An operational incident handling capability for information systems must be established that includes preparation, detection, analysis, containment, recovery, and user response activities; and incidents must be tracked, documented, and reported.
9. Maintenance (MA): Periodic and timely maintenance on organizational information systems must be performed; and effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance must be established.
10. Media Protection (MP): Information system media, both paper and digital, must be protected by: (i) limiting access to information on information system media to authorized users; and (ii) sanitizing or destroying information system media before disposal or release for reuse.
11. Physical and Environmental Protection (PE)
a. Physical access to information systems, equipment, and the respective operating environments must be limited to authorized individuals.
b. The physical plant and support infrastructure for information systems must be protected.
c. Supporting utilities for information systems must be provided.
d. Information systems must be protected against environmental hazards.
e. Appropriate environmental controls must be provided in facilities containing information systems.
12. Planning (PL): System security plans for information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems must be developed, documented, implemented, and updated at least every three years or whenever a significant change occurs to the information system.
13. Personnel Security (PS)
a. Individuals occupying positions of responsibility within organizations (including third-party service providers) must be trustworthy and meet established security criteria for those positions.
b. Information and information systems must be adequately protected during and after personnel actions such as terminations and transfers.
c. Formal sanctions for personnel failing to comply with organizational security policies and procedures must be employed.
14. Risk Assessment (RA): The risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information must be assessed at least every three years or whenever a significant change occurs to the information system.
15. System and Services Acquisition (SA)
a. Sufficient resources to adequately protect organizational information systems must be allocated by the responsible organization.
b. System development life cycle processes that incorporate required information security considerations must be employed.
c. Software usage and installation restrictions must be employed.
d. Security specifications, either explicitly or by reference, shall be included in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal requirements and industry best practices.
e. Third-party providers must be required, and verified, to employ adequate security measures consistent with applicable federal requirements and industry best practices to protect information, applications, and/or services outsourced from the organization.
16. System and Communications Protection (SC)
a. Communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems must be monitored, controlled, and protected.
b. Architectural designs, software development techniques, and systems engineering principles that promote effective information security within information systems must be employed.
17. System and Information Integrity (SI)
a. Information and information system flaws must be identified, reported, and corrected in a timely manner.
b. Protection from malicious code must be provided at appropriate locations within organizational information systems.
c. Information system security alerts and advisories issued by US-CERT shall be monitored and appropriate action taken in response.
D. Minimum security controls shall be supplemented, as warranted, based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analysis, or special circumstances.
VI. Related Policies and Implementing Procedures
A. Refer to the following policies and associated implementing procedures for additional instructions for safeguarding information in electronic form.
1. TVA Business Practice 29, Information Security specifies security requirements for safeguarding information.
2. TVA Business Practice 28, Acceptable Use Requirements (Rules of Behavior) for Information Systems specifies security requirements for users of TVA information systems.
B. TVA business units may develop more stringent policies for information security, but may not relax any requirements defined by this policy.
C. The Information Security and Privacy Program shall be responsible for developing or facilitating the development of implementing procedures for agency-level controls while Information System Owners shall be responsible for developing or facilitating the development of procedures for system-level controls.
ROLES
Agency Head - The Agency Head provides oversight for TVA’s Information Security and Privacy Program and ensures that adequate resources are available to support the success of the program.
Chief Information Officer (CIO) - The Senior Vice President of Information Services serves as the agency CIO and is responsible for the organization’s information system planning, budgeting, investment, performance, and acquisition. As such, the CIO provides advice and assistance to senior agency officials in acquiring the most efficient and effective information systems to fit the organization’s enterprise architecture. The CIO is also responsible for managing TVA’s Information Security and Privacy Program, both within TVA and with external business partners and other federal agencies, and for ensuring compliance with the program.
Designated Approving Authority (DAA) - The DAA is responsible for approving the final categorization of systems as (or as part of) a general support system or major application and for formally approving (accrediting) the operation of a general support system or major application at an acceptable level of risk.
Information System Owner or Program Manager - The Information System Owner/Program Manager:
· represents programmatic interest during the acquisition process and must be aware of functional system requirements;
· facilitates the development of system-level implementing procedures for necessary security controls; and
· ensures that proper controls are in place to address integrity, confidentiality, and availability of the systems and data they own.
Information System Security Officer (ISSO) - The ISSO is responsible for ensuring the security of an information system throughout its life cycle. The responsibilities include the development and maintenance of the system security plan and ensuring that controls specified in the plan are implemented and maintained.
Inspector General (IG) - The IG is responsible for promoting the efficiency, effectiveness, and integrity of TVA’s Information Security and Privacy Program. This responsibility is accomplished, in part, by performing independent and objective security audits, investigations, and inspections to evaluate the program’s compliance with established federal laws, regulations, and accepted best practices. The IG responsibilities may also be met by performing an annual, comprehensive review of TVA’s Information Security and Privacy Program.
Manager and Equivalents - Each Manager (all levels) or other equivalent is responsible for the security of information and information systems within their business unit or business component. As such, they will have centralized responsibility for the enforcement of this policy within their business unit or business component.
Organization Security Officer (OSO) - The OSO is designated by an organization’s senior officer, serves as the primary point of contact and coordinator with the business unit for all IT security matters, and is responsible for the implementation of TVA’s Information Security and Privacy Program within that organization. The OSO is also responsible for performing periodic reviews to ensure that their organization is adhering to the provisions of the Information Security and Privacy Program.
Senior Agency Information Security Officer - The Senior Manager of Information Services, IT Security serves as the Senior Agency Information Security Officer. The Senior Agency Information Security Officer is responsible for carrying out the CIO’s information security responsibilities, such as developing and maintaining TVA’s Information Security and Privacy Program and ensuring compliance with the program. This individual plays a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize information security risks to an organization. The Senior Agency Information Security Officer:
· serves as the CIO’s principal point of contact for all matters relating to the security of TVA’s systems and information resources;
· develops, establishes, promulgates, maintains, and enforces information security policies, procedures, and standards to ensure the confidentiality, integrity, and availability of TVA’s information resources and to ensure compliance with federal laws and regulations and accepted best practices in information security and privacy;
· facilitates the development of agency-level implementing procedures for security controls;
· monitors, evaluates, and reports to the CIO on the status and adequacy of the Information Security and Privacy Program within TVA;
· provides oversight, guidance, and support to TVA’s information security and privacy personnel; and
· conducts periodic reviews to ensure that TVA is adhering to the provisions of the Information Security and Privacy Program.
Senior Agency Official for Privacy - The Senior Vice President of Information Services serves as the Senior Agency Official for Privacy (SAOP) and is responsible for policies regarding protection, dissemination (information sharing and exchange) and information disclosure to ensure agency compliance with the Privacy Act and privacy provisions of the E-Government Act.
TVA Employee, Contractor, and Other - All TVA employees, contractors, grantees, other federal agencies, state and local governments, industry partners, and others who possess TVA information or who operate, use, or have access to TVA’s information systems are responsible for:
· Complying with this policy and information security-related communications, plans, practices, procedures, and standards issued as part of the Information Security and Privacy Program.
· Completing mandatory security awareness, training, and education commensurate with assigned duties.
· Reporting all security and privacy incidents related to TVA information and information systems and violations of this policy (including implementing procedures) to TVA’s IT Service Center (ITSC).
TVA Officer - Each TVA Officer is administratively and operationally responsible for overseeing the establishment, maintenance, and enforcement of the Information Security and Privacy Program requirements within their respective business unit.
DEFINITIONS
Application - A subclass of computer software that employs the capabilities of a computer directly to a task that the user wishes to perform.
Availability - The security goal that generates the requirement for protection against:
· Intentional or accidental attempts to (1) perform unauthorized deletion of data or (2) otherwise cause a denial of service or data
· Unauthorized use of system resources.
Computer Program - A collection of instructions that describe a task, or set of tasks, to be carried out by a computer. More formally, it can be described as an expression of a computational method written in a precisely defined computer language. The formal expression of computational methods in a human-readable computer language is often referred to as source code, while the machine-executable expressions of computational methods are commonly referred to as executables, object code, or simply as binaries — a reference to the binary file format commonly used to store the executable code.
Computer Software - Consisting of computer programs, software enables a computer to perform specific tasks, as opposed to its physical components (hardware), which can only do the tasks they are mechanically designed for. The term includes applications such as word processors, which perform productive tasks for users; system software such as operating systems, which interface with hardware to run the necessary services for user interfaces and applications; and middleware, which controls and coordinates distributed systems.
Confidentiality - The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and in transit.
General Support System - An interconnected information resource under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, facilities, and people and provides support for a variety of users and/or applications. Individual applications support different mission-related functions. Individual applications may be from the same or different organizations.
Information - An instance of a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization, or in some instances, by a specific law, Executive Order, directive, policy, or regulation.
Information System - A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Integrity - The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).
Major Application - An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to, or comprise many individual application programs and hardware, software, and telecommunication components. A major application can be either a major software application or a combination of hardware/software where the only purpose of the system is to support a specific mission-related function.
Network - Communication capability that allows one user or system to connect to another user or system and can be part of a system or a separate system. Examples of networks include local area network or wide area networks, including public networks such as the Internet.
Risk - The possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity.
RESOURCES
- Information Services, IT Security
Last Revised 06/07