Information Security Flashcards
What are the names of the policies that provide guidance for the DOD Information Security Program?
- E.O 13526
- 32 CFR 2, parts 2001 and 2003, CNSI Final Rule
- DODM 5200.01 VOL 1-4
- DODI 5230.09
- DODI 5230.29
What is the responisbility of the Information Security Oversight Office, or ISOO?
To oversee and manage the information security program, under the guidance of the National Security Council
What is the responsibility of the National Security Council (NSC)?
- To provide the overall policy direction for the informatin security program.
- It assists the President in develping and issuing National Security Policies, and it guides and directs the implementation and application of the Executive Order.
- The NSC exervises its guidance primarily through the ISOO
What is the USD(I) and their responsibility?
The Under Secretary of Defense for Intelligence has the primary responsibility for providing guidance, oversight, and approval authority of policies and procedures that govoern the DoD ISP (by issuing the DoD Instruction 5200.01)
The three levels of classified information are designated by what exectuive order?
EO 13526
What are the 5 requirements for dreivatie classification?
- Observe and respect the OCAs original class determination
- Apply the required markings
- Only use authorized sources
- Use caution when paraphrasing
- Always take the appropriate steps to resolve any doubts you have
What are the 4 tpes of Declassification systems?
- Systematic
- Automatic
- Mandatory
- Scheduled
What is a scheduled declassification?
Instructions consist of either a date or event for declassification.
What is automatic declassification?
Classified records that have been determined to have permanent historical value, will be automaticall declassified on December 31st of the year that is 25 years from data of its original classification.
There are 9 categories of Information that may be classified beyond 25 years. You can easily identify this information by the yse of 25X instruction for declassificaiton. The exemptions are annotated as 25X with the category nymber following the X, for example, 25X9.
What is Mandatory Declassification Review, or MDR?
It is another method of declassifiying information based on requesting a review of information to see if classification is still necessary.
What is Systematic Declassification?
A program to review classified records after a certain age.
What are the options an OCA has when determining declassification?
- Specific Date
- Specific Event
- 50X1-HUM Exception
What type of information does not provide declassification instructions?
- Restricted Data
- Formerly Restriced Data
What are the purposes of the SF 701 and SF 702?
The SF 701, or the Activity Security Checklist, is used to record your End of Day Checks.
The SF 702, or the Security Container Check Sheet, is used to record the opening and closing of your security container.
What does the term Information System refer to?
Refers to a set of Information Resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, dispoistion, display, or transmission of information.
What is COMSEC?
Communication Security, COMSEC, is defined as the protection resultinf from all measured designed to deny unauthorized persons, information of value that might be derived from the possession and study of telecommunications, and to ensure the authenticity of such communications.
COMSEC includes crypto security, emission security, transmission security, and physical security of COMSEC material and information.
How is classified information prepared for transmission?
Classified material needs to be prepared for shipment, packaged, and sealed in ways that minimize risk of accidental exposure and facilitates detection of tampering.
Requirments to hand carry classified information
- Should be done as a last resort
- Written authorization is required
- Courier must be briefed.
What must be included in the Courier Brief?
- Couriers liability for the materials.
- Material cannon be left unattended
- Should not be opened en route (unless customs)
- No public discussion
- Follow an authorized travel route and schedule
- In case of ER, protect classified materials
- All travel documents must be valid and current.
When can SECRET information be sent via USPS?
Only when it is the most effective means considering security, time, cost, and accountability.
List 3 approved methods for destroying classified material
- Burning
- Shredding
- Pulverizing
- Disintegrating
- Pulping
- Melting
- Chemical Decomposition
- Mutilation to preclude recognition
Which agency creates the desctruction standard that DoD users?
NSA
What is NATO?
The North Atlantic Treaty Organization is an alliance of 28 countries from North America and Europe, committed to fulfilling the goals of the North Atlantic Treaty signed on April 4, 1949.
The United States is a member of NATO, and as such, has access to NATO Classified documents.
NATO classified information, or documents prepared by for NATO and NATO member nation documents that have been released into the NATO security system, and that bear a NATO classification marking, needs to be safeguarded and marked in compliance with the United States Security Authority for NATO or USSAN.
List 3 FOIA exemption categories
- National Defense
- DoD personnel practices
- Statutes
- Trade Secrets
- Litigation
- Personal and Private
- Law Enforcement
- Regulation of financial institutions
- Well location
What is FOIA?
The Freedom of Information Act recognizes the need to withhold certain types of information from public release and, therefor, establises guidance and framwework for evaluating information for release to the public.
The FOIA provides that, for information to be exempt from mandatory release, it must first fit into one of nine qualifying categories and there must be a legitimate Government purpose served by withholding it.
What is STIP?
STIP stands for the DoD Scientific and Technical Information Program.
STIP is not a control marking.
STIP was established to improve and enhance the acqusition of data sources to prevent redundant research to dissemniate technical information efficiently to prevent the loss of technical information to U.S. adversaries and competitors and last, but no less important, STIP was established to aid the transfer of technical information to qualified researchers in U.S. Industry and government agencies.
List 5 common briefings
- Initial
- Indoctrination (access to special types of class data, such as SCI/G/H, etc.)
- Annual Refresher
- Debriefing
- Courier
- NATO
- Non-Disclosure Briefing (unathorized access)
- Foreign Travel Briefing
- Attestation (SAP briefing)
- Antiterrorism/Force Protection (AT/FP)
What must an intitial breifing accomplish?
Define classified information and CUI
Explain the importance of protecting such information
Provide a basic understanding of security policies and principles.
Notify personel of their responsibilities within the security program
Inform them of the administrative, civil, and/or criminal sanctions that can be applied when appropriate
Provide individual enough information to ensure the proper protection of classified information and CUI in their possesion, including actions to be taken if such information is discovered unseured, a security vulnerability is noted, or a person has been seeking unathorized acccess to such information
Inform personnel of the need for re view of ALL unclassified DoD information prior to its release to the public.
What must a debriefing accomplish?
Emphasizes an individuals continued responsiblity to protect classfied information to which they have had access.
Instructions for reporting any unathorized attempt to gain access to such information
Advised on the prohibition against retaining matrial once they depart the organization
Reminded of the potential civil and criminal penalties for the failure to fulfill their continuing security responsibilities.
In what circumstance is a foreign travel briefing required?
For individuals with SCI/SAP access
Attendance at meetings where foreign nationals are likely to be present.
Which DoD policy document establishes the requirements and minimum standards for developing classification guidance?
DoDM 5200.01
DoD Information Security Program, Volumes 1-4
Which policy document provides guidance to all Government agencies on classification, downgrading, declassification, and safeguarding of classified national security information?
ISOO 32 CFR Parts 2001 and 2003, Classified Antional Security Information (CNSI), Final Rule
Which policy document prescribes a uniform system for classifying, safeguarding, and declassifying national security information?
E.O. 13526, Classified National Security Information
What are the 6 steps for an OCA to classify information?
- Confirm the info is owned/controlled by the Government
- Confirm the info is elegible for classification
- Determine impact
- Determine classification level
- Determine classfication duration
- Provide Guidance
What are the 4 steps to determine if information is eligible for classification?
- Is the information official?
- Is it under any prohibitions or limitations?
- Is it already classified?
- Does it fall into on of the 8 categories of classied information?
List 4 of the 8 categories of classified information
- Military plans, weapon systems
- Foreign Government Information
- Intelligence activities/sources/methods
- Foreign relations/activities
- Science/Technology or economic matters relating to National Security
- Safeguarding nuclear material or facilities
- Vulnerabilities or capabilities related to National Security
- Weapons of Mass Destruction
Whats not a reason to classify information?
- Concealment of a crime or error
- Preventing embarrassment
- Retrain competition
- Prevent or delay public release
How is the level of classifcation determined by the OCA?
- Probable impact
- Verbal determinations must be followed by a written confirmation within 7 days
- Be prepared to present reason in a court of law
- Be prepared to provide a written description of damage.
Describe net national advantage
Net national advantage is information that is or will be valuable to the U.S, either directly or indirectly.
What must be included on a SCG cover page?
The name of the sytem, plan, program, or project
The date
The office issuing the guide, identified by name or ersonal identirifer and position
The OCA approving the Guide
a statememnt of supercession, if necessary
Distribution statement
What must be submitted when requesting DoD Original Classification Authority?
Requests must specify the position title for which the authority is requested
Provide a brief mission specific justification for the request and be submitted through established organizational channels.
When authority is granted to a position that authority is document by an appointment officer.
When will Agency grant a request for OCA?
Requests will be granted only when an existing Security Classification Guides are insufficient to address the information in question, and when it is impractical to refer decisions to another OCA.
