Computer Security Law

Computer security means protecting the confidentiality, integrity, and availability of information stored on, processed by, and transmitted by computers. In order to achieve this, various governments and organizations have established laws, regulations, and standards for securing computers and the data stored, processed, and transmitted by them. This category is for questions about existing and proposed laws and standards specifically related to computer security including the contents of the laws & regulations, who is legally responsible, who/what the laws/regulations/standards apply to, how the security is evaluated, and how it is documented.

How often does the DIACAP require you to review your IA posture?

According to DoD 8510.01 (DIACAP), paragraph 4.9:

"All DoD ISs with an authorization to operate (ATO) shall be reviewed annually to confirm that the IA posture of the IS remains acceptable. Reviews will include validation of IA controls and be documented in writing."

And according to paragraph 5.16.8, the Program Manager (PM) or System Manager (SM) shall:

"Ensure annual reviews of assigned ISs required by FISMA are conducted."

So reviews must occur at least once a year.

Is Jim required to assist the PM in this activity?

This question cannot be answered without first specifying the activity.

AR 25-2 requires all users to what?

As per Section 4-5, paragraph a.(8)(a):

All users must receive IA awareness training tailored to the system and information accessible before issuance of a password for network access. The training will include the following:

  1. Threats, vulnerabilities, and risks associated with the system. This portion will include specific information regarding measures to reduce malicious logic threats, principles of shared risk, external and internal threat concerns, acceptable use, privacy issues, prohibitions on loading unauthorized software or hardware devices, and the requirement for frequent backups.
  2. Information security objectives (that is, what needs to be protected).
  3. Responsibilities and accountability associated with IA.
  4. Information accessibility, handling, and storage considerations.
  5. Physical and environmental considerations necessary to protect the system.
  6. System data and access controls.
  7. Emergency and disaster plans.
  8. Authorized systems configuration and associated CM requirements.
  9. Incident, intrusion, malicious logic, virus, abnormal program, or system response reporting requirements.
  10. INFOCON requirements and definitions.
  11. AUP requirements.

What circumstances can the DAA waive the certification requirements for the army training and certification BBP?

In accordance with the army training and BBP certification, the DAA can waive the certification requirements for the army and training due to several operational and personnel constraints.

What does AR 25-2 require all users to do?

Log off their computers at the end of the workday.

How often does DIACAP allow you to review your IA posture?

DIACAP sets a minimum on how frequently you MUST conduct reviews but does not limit you to only do it that often.

According to DoD 8510.01 (DIACAP), paragraph 4.9:

"All DoD ISs with an authorization to operate (ATO) shall be reviewed annually to confirm that the IA posture of the IS remains acceptable. Reviews will include validation of IA controls and be documented in writing."

And according to paragraph 5.16.8, the Program Manager (PM) or System Manager (SM) shall:

"Ensure annual reviews of assigned ISs required by FISMA are conducted."

So reviews must occur at least once a year.

You are free to conduct reviews more frequently if you feel it is beneficial and justified. The IG can conduct reviews of your system as often as they wish as can DISA.

Which are the DIACAP team members?

According to DODI 8500.2, the "DIACAP team members" are defined as:

E2.25. DIACAP Team. Comprised of the individuals responsible for implementing the DIACAP for a specific DoD IS. At a minimum the DIACAP Team includes the DAA, the CA, the DoD IS program manager (PM) or system manager (SM), the DoD IS IA manager (IAM), IA officer (IAO), and a user representative (UR) or their representatives.

How does DITSCAP differ from DIACAP?

DITSCAP is the outdated version of the DoD process for assessing the security of DoD information systems. It was replaced by DIACAP. DIACAP is, in turn, being replaced by the RMF process, where continuous monitoring is to be implemented.

DIACAP:

  • Platform-centric as opposed to system or network centric.
  • Information belongs to system owner and risks are identified specific to the system
  • Individual C/S/A defined IA controls
  • Certification appointed Certification Authority

Are DoD instructions under DIACAP?

DIACAP is DoD Instruction 8510.01. In that respect, SOME DoD instructions fall under DIACAP, but most DoD instructions have nothing to do with DIACAP.

The DoD IS has initiated the DITSCAP but does not have a signed Phase One System Security Authorization. What is the next step?

C. Continue DITSCAP

This might have been a correct answer to a quiz in the past, but DoDI 5200.40 (DITSCAP) and DoD 8510.1-M (DITSCAP Manual) were cancelled when DoDI 8510.01 (DIACAP) was issued on November 28, 2007. If a system does not have a signed Phase One System Security Authorization Agreement (SSAA) they are required to conduct their certification and accreditation under DIACAP. Anything prepared under DITSCAP is useful only as reference material to aid in preparing the DIACAP documentation.

What document implements the CSA of 1987 and FISMA 2002?

FISMA is the Federal Information Security Management Act of 2002. It was passed as Title III of the E-Government Act (Public Law 107-347) in December 2002. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

What is the maximum password length allowed by AR 25-2?

AR 25-2 specifies MINIMUM password length, but the only limitation on MAXIMUM length is how long a password the OS or application can handle; AR 25-2 does not specify a maximum password length, however,

According to AR 25-2, Section IV, paragraph 4-12 b:

The IAM or designee will manage the password generation, issuance, and control process. If used, generate passwords in accordance with the BBP for Army Password Standards.

BBP for Army password standards are contained in 04-IA-O-0001, paragraph 5A:

(1) All system or system-level passwords and privileged-level accounts (e.g., root, enable, admin, administration accounts, etc.) will be a minimum of 15-character case-sensitive password changed every 60 days (IAW JTF-GNO CTO).

(2) All user-level, user-generated passwords (e.g., email, web, desktop computer, etc.) will change to a 14-character (or greater) case-sensitive password changed every 60 days.
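The two BBP rules quoted above (15-character minimum for privileged accounts, 14 for user accounts, both rotated every 60 days) are easy to turn into an audit check. The script below is an added example, not part of the original answer or of any Army tool; the account records in it are constructed, and it deliberately stores only password lengths and change dates rather than passwords themselves. "Case-sensitive" is a property of the authenticating system, so it is not something a record-level audit can check and is left out here.

```python
from dataclasses import dataclass
from datetime import date

# Figures from BBP 04-IA-O-0001 paragraph 5A as quoted in the answer above.
MIN_LENGTH = {"privileged": 15, "user": 14}   # characters
MAX_AGE_DAYS = 60                              # rotation interval


@dataclass
class AccountRecord:
    """One inventory row. Only the length is kept, never the password."""
    name: str
    kind: str              # "privileged" (root, admin, enable, ...) or "user"
    password_length: int
    last_changed: date


def audit_account(acct: AccountRecord, today: date) -> list[str]:
    """Return a finding string for each rule the account violates."""
    if acct.kind not in MIN_LENGTH:
        raise ValueError(f"{acct.name}: unknown account kind {acct.kind!r}")
    findings = []
    required = MIN_LENGTH[acct.kind]
    if acct.password_length < required:
        findings.append(
            f"{acct.name}: password length {acct.password_length} "
            f"is below the {required}-character minimum for {acct.kind} accounts"
        )
    age_days = (today - acct.last_changed).days
    if age_days > MAX_AGE_DAYS:
        findings.append(
            f"{acct.name}: password is {age_days} days old, "
            f"exceeds the {MAX_AGE_DAYS}-day rotation requirement"
        )
    return findings


def audit(accounts: list[AccountRecord], today: date) -> list[str]:
    """Run every record through the policy and collect all findings."""
    return [f for acct in accounts for f in audit_account(acct, today)]


# Constructed sample inventory (hypothetical hosts and users).
SAMPLE_ACCOUNTS = [
    AccountRecord("root@host-a", "privileged", 15, date(2024, 1, 15)),   # compliant
    AccountRecord("admin@host-b", "privileged", 12, date(2023, 12, 1)),  # short and stale
    AccountRecord("jdoe", "user", 14, date(2024, 2, 20)),                # compliant
    AccountRecord("asmith", "user", 13, date(2024, 1, 1)),               # short, exactly 60 days old
]
AUDIT_DATE = date(2024, 3, 1)

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(finding)
```

Running it against the constructed inventory reports three findings: two for admin@host-b and one for asmith, whose password is exactly 60 days old and so still within the rotation window. Feeding the function a real inventory export is the usual way to turn a paragraph like 5A into a repeatable check rather than a one-off inspection.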

What represents the operational interests of the user community in the DIACAP?

The operational interests of the user community in the DIACAP (DIAM) include ensuring the availability, integrity, and confidentiality of information systems and data. Users want to have secure and reliable systems that support their operational needs, protect sensitive information, and mitigate risks. They also aim for efficient and effective use of resources, including personnel, technology, and budget.