DHS Sensitive Systems Handbook 4300A V11


DHS 4300A Sensitive Systems Handbook
Version 11.0
January 14, 2015
Protecting the Information that Secures the Homeland


FOREWORD

This Handbook and its Attachments provide guidance and best practices for implementation, and checklists of required and recommended measures that protect the security of DHS information. The Handbook is based on the Department of Homeland Security (DHS) 4300 series of information security policies, which are the official documents that create and publish Departmental standards in accordance with DHS Management Directive 140-01 Information Technology System Security.

Comments concerning DHS Information Security publications are welcomed and should be submitted to the DHS Director for Information Systems Security Policy at infosecpolicy@hq.dhs.gov or addressed to:

DHS Director of Security Policy and Remediation
OCIO CISO Stop 0182
Department of Homeland Security
245 Murray Lane SW
Washington, DC 20528-0182

/S/
Jeffrey Eisensmith
Chief Information Security Officer
Department of Homeland Security

Contents

1.0 INTRODUCTION ... 1
  1.1 Information Security Program and Implementation Guidelines ... 1
  1.2 Authorities ... 2
  1.3 Handbook Overview ... 2
  1.4 Definitions ... 2
    1.4.1 Sensitive Information ... 3
    1.4.2 Public Information ... 3
    1.4.3 Classified National Security Information ... 3
    1.4.4 National Intelligence Information ... 3
    1.4.5 Foreign Intelligence Information ... 4
    1.4.6 Information Technology ... 4
    1.4.7 DHS System ... 4
    1.4.8 Component ... 5
    1.4.9 Trust Zone ... 5
    1.4.10 Continuity of Operations ... 5
    1.4.11 Continuity of Operations Plan ... 5
    1.4.12 Essential Functions ... 5
    1.4.13 Vital Records ... 6
    1.4.14 Operational Data ... 6
    1.4.15 Federal Information Security Management Act ... 6
    1.4.16 Personally Identifiable Information ... 8
    1.4.17 Sensitive Personally Identifiable Information ... 8
    1.4.18 Privacy Sensitive System ... 8
    1.4.19 Strong Authentication ... 8
    1.4.20 Two-Factor Authentication ... 8
  1.5 Waivers ... 8
    1.5.1 Waiver Requests ... 9
    1.5.2 Requests for Exception to U.S. Citizenship Requirement ... 9
  1.6 Electronic Signature ... 9
  1.7 Information Sharing ... 10
  1.8 Threats ... 10
    1.8.1 Insider Threats ... 11
    1.8.2 Criminal Threats ... 11
    1.8.3 Foreign Threats ... 11
    1.8.4 Lost or Stolen Equipment ... 11
    1.8.5 Supply Chain Threats ... 11
  1.9 Changes to this Handbook, and Requests for Changes ... 12
2.0 ROLES AND RESPONSIBILITIES ... 13
  2.1 Information Security Program Roles ... 13
    2.1.1 DHS Senior Agency Information Security Officer ... 13
    2.1.2 DHS Chief Information Security Officer ... 13
    2.1.3 Component Chief Information Security Officer ... 15
    2.1.4 Component Information Systems Security Manager ... 17
    2.1.5 Risk Executive ... 18

    2.1.6 Authorizing Official ... 19
    2.1.7 Security Control Assessor ... 19
    2.1.8 Information Systems Security Officer ... 20
    2.1.9 Ongoing Authorization Manager and Operational Risk Management Board ... 20
    2.1.10 DHS Security Operations Center ... 20
    2.1.11 Component Security Operations Centers ... 22
  2.2 Other Roles ... 23
    2.2.1 Secretary of Homeland Security ... 23
    2.2.2 Under Secretaries and Heads of DHS Components ... 24
    2.2.3 DHS Chief Information Officer ... 24
    2.2.4 Component Chief Information Officer ... 25
    2.2.5 DHS Chief Security Officer ... 26
    2.2.6 DHS Chief Privacy Officer ... 26
    2.2.7 DHS Chief Financial Officer ... 28
    2.2.8 Program Managers ... 28
    2.2.9 System Owners ... 28
    2.2.10 Common Control Provider ... 28
    2.2.11 DHS Employees, Contractors, and Others Working on Behalf of DHS ... 28
3.0 MANAGEMENT POLICIES ... 29
  3.1 Basic Requirements ... 29
  3.2 Capital Planning and Investment Control ... 29
    3.2.1 Capital Planning and Investment Control Process ... 30
  3.3 Contractors and Outsourced Operations ... 31
  3.4 Performance Measures and Metrics ... 32
  3.5 Continuity Planning for Critical DHS Assets ... 33
    3.5.1 Continuity of Operations Planning ... 33
    3.5.2 Contingency Planning ... 36
  3.6 System Engineering Life Cycle ... 38
    3.6.1 Planning ... 40
    3.6.2 Requirements Definition ... 40
    3.6.3 Design ... 40
    3.6.4 Development ... 41
    3.6.5 Test ... 41
    3.6.6 Implementation ... 41
    3.6.7 Operations and Maintenance ... 42
    3.6.8 Disposition ... 42
  3.7 Configuration Management ... 42
  3.8 Risk Management ... 44
    3.8.1 Risk Assessment ... 45
    3.8.2 Risk Mitigation ... 46
    3.8.3 Evaluation and Assessment ... 46
  3.9 Security Authorization and Security Control Assessments ... 46
    3.9.1 Ongoing Authorization ... 50
    3.9.2 FIPS 199 Categorization and the NIST SP 800-53 Controls ... 54
    3.9.3 Privacy Assessment ... 55

    3.9.4 E-Authentication ... 56
    3.9.5 Risk Assessment ... 56
    3.9.6 Security Plan ... 56
    3.9.7 Contingency Plan ... 57
    3.9.8 Security Control Assessment Plan ... 57
    3.9.9 Contingency Plan Testing ... 57
    3.9.10 Security Assessment Report ... 59
    3.9.11 A SAR is automatically created in IACS. Plan of Action and Milestones ... 59
    3.9.12 Authorization to Operate Letter ... 59
    3.9.13 Interim Authorization to Operate ... 60
    3.9.14 Annual Self-Assessments ... 60
  3.10 Information Security Review and Assistance ... 61
    3.10.1 Review and Assistance Management and Oversight ... 62
    3.10.2 Information Security Assistance ... 62
    3.10.3 Information Security Reviews ... 62
  3.11 Security Working Groups and Forums ... 62
    3.11.1 CISO Council ... 63
    3.11.2 DHS Information Security Training Working Group ... 63
    3.11.3 DHS Security Policy Working Group ... 63
    3.11.4 DHS Enterprise Services Security Working Group ... 63
  3.12 Information Security Policy Violation and Disciplinary Action ... 63
  3.13 Required Reporting ... 64
  3.14 Privacy and Data Security ... 65
    3.14.1 Personally Identifiable Information ... 65
    3.14.2 Privacy Threshold Analyses ... 67
    3.14.3 Privacy Impact Assessments ... 67
    3.14.4 System of Record Notices ... 68
    3.14.5 Protecting Privacy Sensitive Systems ... 69
    3.14.6 Privacy Incident Reporting ... 69
    3.14.7 E-Authentication ... 71
    3.14.8 Use Limitation and External Information Sharing ... 71
  3.15 DHS CFO Designated Systems ... 71
  3.16 Social Media ... 73
  3.17 Health Insurance Portability and Accountability Act ... 74
  3.18 Cloud Services ... 74
4.0 OPERATIONAL CONTROLS ... 77
  4.1 Personnel ... 77
    4.1.1 Personnel Screening and Position Categorization ... 77
    4.1.2 Rules of Behavior ... 79
    4.1.3 Access to Sensitive Information ... 80
    4.1.4 Separation of Duties ... 81
    4.1.5 Information Security Awareness, Training, and Education ... 82
    4.1.6 Separation from Duty ... 85
  4.2 Physical Security ... 86
    4.2.1 General Physical Access ... 86
    4.2.2 Sensitive Facility ... 90

  4.3 Media Controls ... 90
    4.3.1 Media Protection ... 90
    4.3.2 Media Marking and Transport ... 91
    4.3.3 Media Sanitization and Disposal ... 93
    4.3.4 Production, Input/Output Controls ... 96
  4.4 Voice Communications Security ... 97
    4.4.1 Private Branch Exchange ... 97
    4.4.2 Telephone Communications ... 101
    4.4.3 Voice Mail ... 102
  4.5 Data Communications ... 103
    4.5.1 Telecommunications Protection Techniques ... 103
    4.5.2 Facsimiles ... 104
    4.5.3 Video Teleconferencing ... 106
    4.5.4 Voice over Data Networks ... 107
  4.6 Wireless Network Communications ... 108
    4.6.1 Wireless Systems ... 110
    4.6.2 Wireless Mobile Devices ... 111
    4.6.3 Wireless Tactical Systems ... 116
    4.6.4 Radio Frequency Identification ... 118
  4.7 Overseas Communications ... 118
  4.8 Equipment ... 119
    4.8.1 Workstations ... 120
    4.8.2 Laptop Computers and Other Mobile Computing Devices ... 120
    4.8.3 Personally Owned Equipment and Software ... 122
    4.8.4 Hardware and Software ... 123
    4.8.5 Personal Use of Government Office Equipment and DHS Systems/Computers ... 124
    4.8.6 Wireless Settings for Peripheral Equipment ... 126
  4.9 Department Information Security Operations ... 126
    4.9.1 Security Incidents and Incident Response and Reporting ... 127
    4.9.2 Law Enforcement Incident Response ... 131
    4.9.3 Definitions and Incident Categories ... 131
  4.10 Documentation ... 133
  4.11 Information and Data Backup ... 134
  4.12 Converging Technologies ... 136
5.0 TECHNICAL CONTROLS ... 138
  5.1 Identification and Authentication ... 138
    5.1.1 Passwords ...

Attachment M—Tailoring the NIST SP 800-53 Security Controls
Attachment N—Preparation of Interconnection Security Agreements
Attachment O—Vulnerability Assessment Program [UNDER REVISION]
Attachment P—Document Change Requests
Atta

Related Documents:

DHS PD 4300A, 5.3.a: Audit Trail Content
DHS PD 4300A, 5.3.b: Financial/PII Audit Review
DHS PD 4300A, 5.3.c: Audit Records and Logs Protection
DHS PD 4300A, 5.3.e: Risks from PII
DHS PD 4300A, 5.3

March 14, 2011. This is the implementation of DHS Management Directive 140-01 Information Technology System Security, July 31, 2007.


NIST SP 800-61, Rev 2, "Computer Security Incident Handling Guide," August 2012
NIST SP 800-86, "Guide to Integrating Forensic Techniques into Incident Response," August 2006
NIST SP 800-126, Rev 1.2, "The Technical Specification for the Security

for ease of management understanding, but the original source, such as test results from IT control audits or assessments that identified the weakness, should be available. Each POA&M should be clearly traceable back to its original source(s). In some cases, additional, more detailed

Owner Name, POA&M Weakness Number, Scheduled Remediation Completion Date, and Identification of 800-53 controls. 6.1. September 23, 2008: Section 1.0 Updated Introduction text to specify that the form shall only be submitted by the "Component Infor
