BUSINESS PRACTICE 29
Information Security
WHAT
This practice establishes TVA’s Information Security Policy.
This policy supersedes the PROTECTION OF SENSITIVE INFORMATION AND RECORDS POLICY issued on December 10, 1996 by a memorandum from Norman A. Zigrossi.
WHO
This policy applies to TVA employees, contractors, grantees, other federal agencies, state and local governments, industry partners, and others who possess TVA information or who operate, use, or have access to TVA’s information systems. In addition, the policy applies to every information system and network that stores or processes TVA data, and includes hardware, software, media, facilities, and data owned or in the custody of TVA, or operated for TVA by any contractor, federal agency, state and local government, industry partner, or other outside organization even if those systems and networks are located external to TVA. This policy also applies when TVA information is used within equipment that is acquired by a TVA contractor incidental to a TVA contract.
WHY
It is the policy of TVA to implement security controls to protect the confidentiality, integrity, and availability of TVA’s information commensurate with the criticality and sensitivity of the information, and to protect the privacy to which individuals are entitled. TVA shall implement such controls consistent with applicable federal laws and regulations and industry best practices.
HOW
To protect the confidentiality, integrity, and availability of TVA’s information, whether in documentary (hard copy) or electronic form, and to protect the privacy to which individuals are entitled, the following requirements are established.
I. Potential Impacts for Information
Potential impacts of Low, Moderate, or High shall be assigned to information types for each of the three security objectives (confidentiality, integrity, and availability) based on the descriptions provided in Table 1 below.
Table 1 - Potential Impacts
Potential Impact* by Security Objective

Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., Sec. 3542]
  LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity - Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. [44 U.S.C., Sec. 3542]
  LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability - Ensuring timely and reliable access to and use of information. [44 U.S.C., Sec. 3542]
  LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

* No impact (None) is also a potential impact.
II. Information Classifications
A. TVA Sensitive Information - Any information that could reasonably be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals when disclosed or modified without authorization. Examples of TVA Sensitive Information include:
1. Critical Infrastructure Information as defined by Section 212(3) of the Homeland Security Act (6 U.S.C. 131(3));
2. Critical Energy Infrastructure Information; and
3. Safeguards Information.
All information designated Sensitive Information is for official use only.
B. TVA Restricted Information - Any information that could reasonably be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals, when disclosed or modified without authorization. Examples of TVA Restricted Information include:
1. Collections and Receivables Information;
2. Continuity of Operations Planning Information; and
3. Restricted Personally Identifiable Information (PII).
All information designated TVA Restricted Information is for official use only.
C. TVA Confidential Information - Any information that could reasonably be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals, when disclosed or modified without authorization. Examples of TVA Confidential Information include:
1. Help Desk Services Information;
2. Resource Training and Development Information; and
3. Travel Information.
All information designated TVA Confidential Information is for official use only.
D. Public Information - All information suitable for public release, or that has already been made publicly available, is Public Information. Some Public Information may nonetheless carry a Low potential impact for Integrity, because its unauthorized modification could have a limited adverse effect on organizational operations, organizational assets, or individuals. Public Information is not marked when in documentary form.
E. Relationship of Information Classifications to Potential Impacts - Classification is driven by the higher of the Confidentiality and Integrity potential impact ratings; the Availability rating does not affect classification. As shown in Table 2, Information Classification and Potential Impact Ratings, below: all information having a High potential impact for Confidentiality or Integrity is TVA Sensitive Information; all information having a Moderate potential impact for Confidentiality or Integrity is TVA Restricted Information; and all information having no potential impact (None) for both Confidentiality and Integrity is Public Information. Most information having a Low potential impact rating for Confidentiality or Integrity is TVA Confidential Information. However, some Public Information may require some level of protection and carry a Low potential impact rating for Integrity, such as information posted on TVA’s publicly accessible websites: TVA would not want that information altered even though it is publicly accessible.
Table 2 - Information Classification and Potential Impact Ratings*
Highest Potential Impact Rating (Confidentiality OR Integrity) | Information Classification*
None                                                           | Public Information
Low                                                            | TVA Confidential
Moderate                                                       | TVA Restricted
High                                                           | TVA Sensitive

*Designation of information as National Security Information is not based on the highest potential impact rating.
III. Designation of Information
A. Designation Authority
1. National Security Information - TVA does not have “Authority to Classify”, so no employee shall designate information as National Security Information.
2. TVA Sensitive Information, TVA Restricted Information, TVA Confidential Information, and Public Information - Any TVA employee or contractor may designate information as Public Information, TVA Confidential Information, TVA Restricted Information, or TVA Sensitive Information based on the definitions provided in sections II.A - D above.
B. Duration of Designation - Information designated as Public Information, TVA Confidential Information, TVA Restricted Information or TVA Sensitive Information will retain its designation until determined otherwise by the originator or a supervisory or management official having management responsibility over the originator and/or the information.
IV. General Handling Requirements
If information is governed by another statute or regulation (for example, Safeguards Information), the markings and safeguards prescribed by that statute or regulation take precedence.
Employees and contractors must exercise sound judgment coupled with an evaluation of the risks, vulnerabilities, and the potential damage to personnel or property as the basis for determining the need for safeguards in excess of the minimum requirements established by this practice and protect the information accordingly.
A. Marking Information - Information shall be marked when in documentary form as specified in section II above according to the following instructions.
1. Documents
a. TVA Sensitive Information
(i) A cover page is required, optionally bearing “Tennessee Valley Authority” and the TVA logo at the top of the page, with “TVA SENSITIVE INFORMATION” printed in 28-point bold uppercase Arial characters centered in the middle of the page and the following text included in 14-point Arial characters at the bottom of the page.
WARNING: This document is FOR OFFICIAL USE ONLY. It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with TVA policy relating to Information Security. This information shall not be distributed beyond the original addressees without prior authorization of the originator.
(ii) The top and bottom center of the title page and back cover, and the bottom center of each individual page containing such information shall be prominently marked as “TVA SENSITIVE INFORMATION” in 10 point bold uppercase Arial characters.
b. TVA Restricted Information
(i) A cover page is optional but recommended, optionally bearing “Tennessee Valley Authority” and the TVA logo at the top of the page, with “TVA RESTRICTED INFORMATION” printed in 28-point bold uppercase Arial characters centered in the middle of the page and the following text included in 14-point Arial characters at the bottom of the page.
WARNING: This document is FOR OFFICIAL USE ONLY. It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with TVA policy relating to Information Security.
(ii) The top and bottom center of the title page and back cover, and the bottom center of each individual page containing such information shall be prominently marked as “TVA RESTRICTED INFORMATION” in 10 point bold uppercase Arial characters.
c. TVA Confidential Information
(i) A cover page is optional, optionally bearing “Tennessee Valley Authority” and the TVA logo at the top of the page, with “TVA CONFIDENTIAL INFORMATION” printed in 28-point bold uppercase Arial characters centered in the middle of the page and the following text included in 14-point Arial characters at the bottom of the page.
WARNING: This document is FOR OFFICIAL USE ONLY. It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with TVA policy relating to Information Security.
(ii) The top and bottom center of the title page and back cover, and the bottom center of each individual page containing such information shall be prominently marked as “TVA CONFIDENTIAL INFORMATION” in 10 point bold uppercase Arial characters.
d. Public Information - No marking requirements.
2. Electronic Messages - All business-related electronic messages should contain the following text at the bottom of each message.
NOTICE: This electronic message transmission contains information which may be TVA SENSITIVE, TVA RESTRICTED or TVA CONFIDENTIAL. Any misuse or unauthorized disclosure can result in both civil and criminal penalties. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the content of this information is prohibited. If you have received this communication in error, please notify me immediately by email and delete the original message.
3. Computer storage media (e.g., disks, tapes, CDs, DVDs, removable drives)
a. TVA Sensitive, TVA Restricted, and TVA Confidential Information - Media shall be marked “TVA SENSITIVE INFORMATION”, “TVA RESTRICTED INFORMATION” or “TVA CONFIDENTIAL INFORMATION” based on the highest classification of information stored on the media.
b. Public Information - Media containing only Public Information does not have to be marked.
4. Designator or originator information and markings, downgrading instructions, and date/event markings are not required for any information classification.
B. Clearance requirements
1. TVA Sensitive Information - A Sensitive Clearance or higher is required to access TVA Sensitive Information. Access may be granted on a temporary basis by the Senior Agency Information Security Officer while Security Clearances are being processed. Temporary access, if granted, shall be reviewed and reconsidered at least every 90 days.
2. TVA Restricted and TVA Confidential Information - A Suitability Clearance or equivalent or higher level clearance is required to access TVA Restricted and Confidential Information. Access to TVA Restricted and TVA Confidential Information may be granted on a temporary basis by the responsible manager while the required clearances are being processed. Temporary access, if granted, shall be reviewed and reconsidered at least every 90 days.
3. Public Information - No Clearance is required.
C. Dissemination of Information
1. TVA Sensitive, TVA Restricted, and TVA Confidential Information
a. Information shall not be disseminated in any manner - orally, visually, or electronically - to unauthorized persons.
b. Access to such information must be based on “need-to-know” as determined by the holder of the information.
c. The holder of the information must comply with any access control and dissemination restrictions.
d. When discussing or transferring TVA Sensitive, TVA Restricted, or TVA Confidential Information to another individual(s), you must ensure that the individual with whom the discussion is to be held or the information is to be transferred has an appropriate clearance and a valid need-to-know, and that precautions are taken to prevent unauthorized individuals from overhearing the conversation, observing the materials, or otherwise obtaining the information.
e. Information may be shared with other agencies; federal, state, tribal, or local governments; law enforcement officials; business partners; industry associations; and others provided a specific need-to-know has been established and the information is shared in furtherance of a coordinated and official activity. Where TVA Sensitive Information is requested by an individual of another agency or organization and there is no coordinated or other official activity, the requesting agency/organization shall make a written request to the applicable TVA organization providing the name(s) of the personnel for whom access is requested, the specific information to which access is requested, and the basis for need-to-know. The TVA office shall then determine whether it is appropriate to release the information.
f. If the information requested or to be discussed belongs to another agency or organization, you must comply with that agency’s policy concerning third party discussion and dissemination.
g. When discussing TVA Sensitive Information over a telephone, the use of a STU III (Secure Telephone Unit) or Secure Terminal Equipment (STE) is encouraged, but not required. For discussing TVA Restricted or TVA Confidential Information, use of a STU III phone is not necessary.
2. Public Information - There are no special dissemination requirements.
D. Storage of information in documentary form
1. TVA Sensitive
a. When unattended, information in documentary form, stored electronic media (e.g., CDs, DVDs, “thumb drives”, tapes, diskettes), and laptop computers shall, at a minimum, be stored in a locked file cabinet, locked desk drawer, or locked overhead storage compartment such as a systems furniture credenza, or similar locked compartment.
b. Information shall not be stored in the same container used for the storage of National Security Information unless there is a correlation between the information. When such information is stored in the same container used for the storage of National Security Information, it will be segregated from the National Security Information to the extent possible (e.g., separate folders or separate drawers).
2. TVA Restricted, TVA Confidential, and Public Information - Information shall not be stored in the same container used for the storage of National Security Information unless there is a correlation between the information. When such information is stored in the same container used for the storage of National Security Information, it will be segregated from the National Security Information to the extent possible (e.g., separate folders or separate drawers).
E. Storage of information in electronic form (data-at-rest)
1. TVA Sensitive Information
a. All information stored electronically internal or external to TVA by any means must be encrypted to TVA’s encryption standard. This includes all information stored on laptops, removable drives such as USB Flash Drives also referred to as “thumb drives” and removable media such as tapes, CDs, and DVDs.
b. Information must not be downloaded and stored on employee- or contractor-owned systems unless approved by the responsible Designated Approving Authority (DAA) in writing (complete and submit Form TVA 20044 per the instructions on the form).
2. TVA Restricted Information
a. Restricted PII stored external to TVA or on removable media and portable systems and devices must be encrypted to TVA’s encryption standard. This includes all such information stored on laptops, removable drives (including USB Flash Drives) and removable media such as tapes, CDs, and DVDs.
b. All other information having a potential impact of Moderate for Confidentiality or Integrity and stored electronically external to TVA by any means should be encrypted to TVA’s encryption standard (note: encryption in this case is strongly recommended, but not required). This includes all information stored on laptops, removable drives such as USB Flash Drives and removable media such as tapes, CDs, and DVDs.
c. Information having a potential impact of Moderate for Confidentiality or Integrity must not be downloaded and stored on employee- or contractor-owned systems unless approved by the responsible DAA in writing (complete and submit Form TVA 20044 per the instructions on the form).
3. TVA Confidential Information and Public Information -There are no special handling requirements.
Table 3 - Storage Options
Storage Medium                    | Access Control                    | TVA Sensitive* | TVA Restricted | TVA Confidential | Public | Retention Period
PC                                | Logged-on user                    | Yes            | Yes            | Yes              | Yes    | As long as the user has the PC
Removable Media**                 | None                              | Yes            | Yes            | Yes              | Yes    | Varies
Temporary Shares                  | Open                              | No             | No             | Yes              | Yes    | Up to 7 days
Other Server Shares               | Controlled by Access Control List | Yes            | Yes            | Yes              | Yes    | TBD
Business Support Libraries (BSLs) | Controlled by Access Control List | Yes            | Yes            | Yes              | Yes    | TBD
EDMS                              | Controlled by Access Control List | Yes            | Yes            | Yes              | Yes    | TBD

*Must meet TVA’s encryption standard.
**Additional caution should be used when utilizing this storage medium.
F. Transmission of information in documentary form
1. TVA Sensitive Information
a. Interoffice Mail - TVA Sensitive material must be placed in a single opaque envelope or container and sufficiently sealed to prevent inadvertent opening and to show evidence of tampering. The envelope or container must bear the complete name and address of the sender and addressee, have TVA’s Sensitive Information label (Form TVA 7916) applied, and include a transmittal sheet for signature as a return receipt.
b. Transmission within the United States by the Postal Service or other provider
(i) TVA Sensitive material must be placed in a single opaque envelope or container and sufficiently sealed to prevent inadvertent opening and to show evidence of tampering. The envelope or container must bear the complete name and address of the sender and addressee and include a transmittal sheet for signature as a return receipt.
(ii) TVA Sensitive materials must be mailed by United States Postal Service First Class Mail or accountable commercial delivery service such as Federal Express or United Parcel Service.
c. Transmission overseas - TVA Sensitive materials must be sent through the Department of State, Diplomatic Courier or may be sent by military postal facility (if such service is available).
2. TVA Restricted Information
a. Interoffice Mail - TVA Restricted material must be placed in a single opaque envelope or container and sufficiently sealed to prevent inadvertent opening and to show evidence of tampering. The envelope or container must bear the complete name and address of the sender and addressee.
b. Transmission within the United States by the Postal Service or other provider
(i) TVA Restricted material must be placed in a single opaque envelope or container and sufficiently sealed to prevent inadvertent opening and to show evidence of tampering. The envelope or container will bear the complete name and address of the sender and addressee.
(ii) TVA Restricted materials must be mailed by United States Postal Service First Class Mail or accountable commercial delivery service such as Federal Express or United Parcel Service.
c. Transmission overseas - TVA Restricted material may be mailed by United States Postal Service First Class Mail or accountable commercial delivery service such as Federal Express or United Parcel Service.
3. TVA Confidential Information
a. Interoffice Mail - TVA Confidential material may be placed in a “chain envelope” and should bear the complete name and address of the addressee.
b. Transmission within the United States by the Postal Service or other provider
(i) TVA Confidential material must be placed in a single opaque envelope or container and sufficiently sealed to prevent inadvertent opening and to show evidence of tampering. The envelope or container must bear the complete name and address of the sender and addressee.
(ii) TVA Confidential material must be mailed by United States Postal Service First Class Mail or accountable commercial delivery service such as Federal Express or United Parcel Service.
c. Transmission overseas - TVA Confidential material may be mailed by United States Postal Service First Class Mail or accountable commercial delivery service such as Federal Express or United Parcel Service.
4. Public Information - There are no special handling requirements.
G. Electronic transmission of information (data-in-motion)
1. TVA Sensitive Information
a. Transmission via fax - The use of secure fax is highly encouraged. However, unless otherwise restricted by the originator, TVA Sensitive Information may be sent via non-secure fax provided the recipient is waiting by the receiving fax machine to retrieve the fax, such that it will not be left unattended or subjected to unauthorized disclosure at the receiving end.
b. Transmission via Electronic Mail
(i) Information transmitted by e-mail must be protected by encryption. When this is impractical, TVA Sensitive Information may be transmitted by e-mail provided the information is safeguarded in a password-protected attachment with the password provided in a separate message. Recipients of TVA Sensitive Information must comply with any e-mail restrictions imposed by the originator. If encryption is used, it must comply with TVA’s encryption standard.
(ii) TVA Sensitive Information must not be sent to/from personal non-TVA e-mail accounts such as those provided by AOL, Yahoo, etc., due to the unknown security status of those services.
c. Internet/Intranet
(i) Information shall not be posted on any public website, file share, or FTP server, including TVA websites, file shares such as temporary shares (tempshares), and FTP servers accessible to the general public.
(ii) Information may be posted on the TVA Intranet, file shares except for tempshares, or Secure FTP servers or any other government controlled or sponsored protected website, file share, or Secure FTP server provided the data is encrypted and/or password protected and made accessible to only those with a need-to-know. The information posted must be marked as specified in section IV.A.1 above. Encryption must comply with TVA’s encryption standard.
(iii) Information transmitted over a wireless network must be encrypted. Encryption must comply with TVA’s encryption standard.
(iv) Information transmitted over networks must use Secure Shell (SSH) or Secure Sockets Layer (SSL) connections (or the successor to SSL, Transport Layer Security (TLS)). Encryption must comply with TVA’s encryption standard.
2. TVA Restricted Information
a. Transmission via fax - Information may be sent via non-secure fax. The use of secure fax is highly encouraged for Restricted PII. However, unless otherwise restricted by the originator, Restricted PII may be sent via non-secure fax provided the recipient is waiting by the receiving fax machine to retrieve the fax, such that it will not be left unattended or subjected to unauthorized disclosure at the receiving end.
b. Transmission via Electronic Mail
(i) Restricted PII must be encrypted to TVA’s encryption standard when transmitted external to TVA. When this is impractical, such information may be transmitted over regular e-mail channels provided the information is protected as a password-protected attachment with the password provided in a separate message. Recipients must comply with any e-mail restrictions imposed by the originator.
(ii) Encryption is recommended, but not required, for all other types of TVA Restricted Information transmitted external to TVA by e-mail. When encryption is impractical, such information may be transmitted over regular e-mail channels provided the information is protected as a password-protected attachment with the password provided in a separate message. Recipients of TVA Restricted Information must comply with any e-mail restrictions imposed by the originator. If encryption is used, it must comply with TVA’s encryption standard.
(iii) TVA Restricted Information must not be sent to/from personal non-TVA e-mail accounts such as those provided by AOL, Yahoo, etc., due to the unknown security status of those services.
c. Internet/Intranet
(i) Information shall not be posted on any public website, file share, or FTP server, including TVA websites, file shares such as tempshares and FTP servers accessible to the general public.
(ii) Information may be posted on the TVA Intranet, file shares except for tempshares, or Secure FTP servers or any other government controlled or sponsored protected website, file share, or Secure FTP server provided the data is adequately protected and made accessible to only those with a need-to-know. The information posted must be marked as specified in section IV.A.1 above. Encryption, if used, must comply with TVA’s encryption standard.
(iii) Information transmitted over a wireless network must be encrypted. Encryption must comply with TVA’s encryption standard.
(iv) Restricted PII must be securely transmitted external to TVA over networks using SSH or SSL connections.
(v) It is recommended that all other types of TVA Restricted Information be securely transmitted external to TVA over networks using SSH or SSL connections.
3. TVA Confidential Information
a. Transmission via fax - Information may be sent via non-secure fax.
b. Transmission via Electronic Mail
(i) Encryption is not required. Recipients of TVA Confidential Information must comply with any e-mail restrictions imposed by the originator. If encryption is used, it must comply with TVA’s encryption standard.
(ii) TVA Confidential Information must not be sent to/from personal non-TVA e-mail accounts such as those provided by AOL, Yahoo, etc., due to the unknown security status of those services.
c. Internet/Intranet
(i) Information shall not be posted on any public website, file share, or FTP server, including TVA websites, file shares such as tempshares and FTP servers accessible to the general public.
(ii) Information may be posted on the TVA Intranet, file shares including any tempshares, or FTP servers or any other government controlled or sponsored protected website, file share, or Secure FTP server provided the data is adequately protected and made accessible to only those with a need-to-know. The information posted must be marked as specified in section IV.A.1 above.
(iii) Information transmitted over a wireless network must be encrypted. Encryption must comply with TVA’s encryption standard.
4. Public Information
a. Transmission via fax - Public Information may be sent via non-secure fax.
b. Transmission via Electronic Mail - Public Information may be sent to personal e-mail accounts.
c. Internet/Intranet - Public Information may be posted on any website, including TVA websites accessible to the public unless additional controls are required to safeguard the integrity of such information. In those cases, such information may only be posted on a TVA website or a website secured according to TVA’s Information Systems Security Policy.
H. Safeguarding information when the information is removed from authorized storage locations (see section IV.D).
1. TVA Sensitive
a. Information must not be left unattended.
b. Information may be left only in the care of persons having a need-to-know.
c. When persons without a need-to-know are present and where casual observation would reveal the information to the unauthorized persons, employees and contractors must exercise sound judgment to prevent unauthorized or inadvertent disclosure of TVA information.
2. TVA Restricted and TVA Confidential Information
a. Information may be left only in the care of persons having a need-to-know.
b. When persons without a need-to-know are present and where casual observation would reveal the information to the unauthorized persons, employees and contractors must exercise sound judgment to prevent unauthorized or inadvertent disclosure of TVA information.
3. Public Information - There are no special handling requirements.
I. Destruction of Information
1. TVA Sensitive Information
a. Information in documentary form - Materials must be destroyed by shredding, burning, pulping, or pulverizing so as to ensure destruction beyond recognition and reconstruction. After destruction, the residue may be disposed of with normal waste.
b. Information on electronic storage media - Media must not be reused. CDs, DVDs, diskettes, and USB Flash Drives containing Sensitive Information must be shredded in a shredder designed to shred such media or destroyed by other means, and tapes and disk drives must be degaussed (degaussing is effective only for magnetic media, which is why flash media must be physically destroyed).
2. TVA Restricted or TVA Confidential Information
a. Information in documentary form - Sound judgment should be exercised to determine the appropriate disposal method. Materials may be disposed of with normal waste, or destroyed by shredding, burning, pulping, or pulverizing so as to ensure destruction beyond recognition and reconstruction; the residue of destroyed materials may be disposed of with normal waste.
b. Information on electronic storage media - Sound judgment should be exercised to determine the appropriate disposal method. Media may be reused if the information is wiped or overwritten prior to reuse. Otherwise, CDs, DVDs, diskettes, and USB Flash Drives containing such information must be shredded in a shredder designed to shred such media or otherwise destroyed, and tapes and disk drives must be degaussed.
3. Public Information - There are no special disposal requirements.
J. When receiving information similar to TVA Sensitive Information, often marked as “For Official Use Only” or “Sensitive but Unclassified,” from other federal agencies, the information must be handled in accordance with the instructions provided by the other agency. If no guidance is provided, handle in accordance with the requirements specified by this practice for “Sensitive Information.”
V. Related Policies
A. Refer to the following policies and their associated implementing procedures for additional instructions on safeguarding information in electronic form.
1. TVA Business Practice 27, Information Systems Security specifies security requirements for information systems.
2. TVA Business Practice 28, Acceptable Use Requirements (Rules of Behavior) for Information Systems specifies security requirements for users of TVA information systems.
B. TVA Business units may develop more stringent policies for information security, but may not relax any requirements defined by this policy.
ROLES
Agency Head - The Agency Head provides oversight for TVA’s Information Security and Privacy Program and ensures that adequate resources are available to support the success of the program.
Chief Information Officer (CIO) - The Senior Vice President of Information Services serves as the agency CIO and is responsible for the organization’s information system planning, budgeting, investment, performance, and acquisition. As such, the CIO provides advice and assistance to senior agency officials in acquiring the most efficient and effective information system to fit the organization’s enterprise architecture. The CIO is also responsible for managing TVA’s Information Security and Privacy Program, both within TVA and with external business partners and other federal agencies, and for ensuring compliance with the program.
Designated Approving Authority (DAA) - The DAA is responsible for approving the final categorization of systems as (or as part of) a general support system or major application, and for formally approving (accrediting) the operation of a general support system or major application at an acceptable level of risk.
Information System Owner or Program Manager - The Information System Owner/Program Manager:
· represents programmatic interest during the acquisition process and must be aware of functional system requirements;
· facilitates the development of system-level implementing procedures for necessary security controls; and
· ensures that proper controls are in place to address integrity, confidentiality, and availability of the systems and data they own.
Information System Security Officer (ISSO) - The ISSO is responsible for ensuring the security of an information system throughout its life cycle. The responsibilities include the development and maintenance of the system security plan and ensuring that controls specified in the plan are implemented and maintained.
Inspector General (IG) - The IG is responsible for promoting the efficiency, effectiveness, and integrity of TVA’s Information Security and Privacy Program. This responsibility is accomplished, in part, by performing independent and objective security audits, investigations, and inspections to evaluate the program’s compliance with established federal laws, regulations, and accepted best practices. The IG responsibilities may also be met by performing an annual, comprehensive review of TVA’s Information Security and Privacy Program.
Manager and Equivalents - Each Manager (all levels) or other equivalent is responsible for the security of information and information systems within their business unit or business component. As such, they will have centralized responsibility for the enforcement of this policy within their business unit or business component.
Organization Security Officer (OSO) - The OSO is designated by an organization’s senior officer, serves as the primary point of contact and coordinator with the business unit for all IT security matters, and is responsible for the implementation of TVA’s Information Security and Privacy Program within that organization. The OSO is also responsible for performing periodic reviews to ensure that their organization is adhering to the provisions of the Information Security and Privacy Program.
Senior Agency Information Security Officer (SAISO) - The Senior Manager of Information Services, IT Security serves as the SAISO. The SAISO is responsible for carrying out the CIO information security responsibilities such as developing and maintaining TVA’s Information Security and Privacy Program and ensuring compliance with the program. This individual plays a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize information security risks to an organization. The SAISO:
· serves as the CIO’s principal point of contact for all matters relating to the security of TVA’s systems and information resources;
· develops, establishes, promulgates, maintains, and enforces information security policies, procedures, and standards to ensure the confidentiality, integrity, and availability of TVA’s information resources and to ensure compliance with federal laws and regulations and accepted best practices in information security and privacy;
· facilitates the development of agency-level implementing procedures for security controls;
· monitors, evaluates, and reports to the CIO on the status and adequacy of the Information Security and Privacy Program within TVA;
· provides oversight, guidance, and support to TVA’s information security and privacy personnel; and
· conducts periodic reviews to ensure that TVA is adhering to the provisions of the Information Security and Privacy Program.
Senior Agency Official for Privacy (SAOP) - The Senior Vice President of Information Services serves as the SAOP and is responsible for policies regarding protection, dissemination (information sharing and exchange), and disclosure of information to ensure agency compliance with the Privacy Act and the privacy provisions of the E-Government Act.
TVA Employee, Contractor, and Other - All TVA employees, contractors, grantees, other federal agencies, state and local governments, industry partners, and others who possess TVA information or who operate, use, or have access to TVA’s information systems are responsible for:
· complying with this policy and information security-related communications, plans, practices, procedures, and standards issued as part of the Information Security and Privacy Program;
· completing mandatory security awareness, training, and education commensurate with assigned duties; and
· reporting all security and privacy incidents related to TVA information and information systems and violations of this policy (including implementing procedures) to TVA’s IT Service Center (ITSC).
TVA Officer - Each TVA Officer is administratively and operationally responsible for overseeing the establishment, maintenance, and enforcement of the Information Security and Privacy Program requirements within their respective business unit.
DEFINITIONS
Availability - The security goal that generates the requirement for protection against:
· Intentional or accidental attempts to (1) perform unauthorized deletion of data or (2) otherwise cause a denial of service or data; and
· Unauthorized use of system resources.
Civil Discovery - The pre-trial phase in a lawsuit in which each party through the law of civil procedure can request documents and other evidence from other parties or can compel the production of evidence by using a subpoena or through other discovery devices, such as requests for production and depositions.
Confidentiality - The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and in transit.
Critical Energy Infrastructure Information (CEII) - CEII is specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure (physical or virtual) that: (i) relates details about the production, generation, transmission, or distribution of energy; (ii) could be useful to a person planning an attack on critical infrastructure; (iii) is exempt from mandatory disclosure under the FOIA; and (iv) gives strategic information beyond the location of the critical infrastructure.
Critical Infrastructure Information - Information not customarily in the public domain and related to the security of critical infrastructure or protected systems.
General Support System - An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, facilities, and people, and provides support for a variety of users and/or applications. Individual applications support different mission-related functions and may be from the same or different organizations.
Information - An instance of a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization, or in some instances, by a specific law, Executive Order, directive, policy, or regulation.
Information System - A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Integrity - The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).
Major Application - An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. A major application may comprise many individual application programs and hardware, software, and telecommunication components, and can be either a major software application or a combination of hardware/software where the only purpose of the system is to support a specific mission-related function.
National Security Information - Information that has been determined pursuant to Executive Order (E.O.) 12958 as amended by E.O. 13292, or any predecessor order, or the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure, and that is marked (Secret, Top Secret, etc.) to indicate its classified status when in documentary form. National Security Information is synonymous with Classified Information. NOTE: TVA does not have “Authority to Classify” and will not designate information as National Security Information; however, individuals holding requisite security clearances and having the appropriate need to know may work with information previously designated as National Security Information by an agency having “Authority to Classify” in performing assigned duties.
Network - A communication capability that allows one user or system to connect to another user or system; a network can be part of a system or a separate system. Examples of networks include local area networks and wide area networks, including public networks such as the Internet.
Personally Identifiable Information - Any piece of information which can potentially be used to uniquely identify, contact, or locate a single person.
Restricted Personally Identifiable Information - Restricted PII is information the unauthorized disclosure of which could create a substantial risk of identity theft (e.g., social security number, bank account number).
Risk - The possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity.
Safeguards Information (SGI) - Pursuant to 10 Code of Federal Regulations (CFR) 73.21 and 10 CFR 73.57, SGI is information which specifically identifies a nuclear plant’s detailed security measures required for protection of special nuclear material and plant equipment vital to the safety of the facility and general public. SGI is marked to indicate its status when in documentary form.
RESOURCES
- Information Services, IT Security
Business Practice 29, Information Security - Last Revised 06/07