Information Security Flashcards
For SFPC and SAPPC
What are the phases of the Information Security Program (ISP)?
Classification
Safeguarding
Dissemination
Declassification
Destruction
What is the purpose of the Information Security Program (ISP)?
Introduces the proper and effective way to:
- classify, protect and share information
- apply downgrading
- apply declassification instructions
- use authorized destruction methods
Information Security Policies
E.O. 13526
32 CFR 2; Parts 2001 and 2003 CNSI, Final Rule
DoDM 5200.01 v1-3
DoDI 5230.09
DoDI 5230.29
Name the two parts of National Security
National Defense
Foreign Relations
First Step of Classification
Determine if materials are controlled by the U.S. Government and if disclosure of the information could cause damage to national security
Classification Levels and Definitions
Levels - Top Secret, Secret and Confidential
Unauthorized disclosure may cause…
Top Secret - exceptionally grave damage
Secret - serious damage
Confidential - damage
What is required for access to classified information?
- National security eligibility
- Need-to-know
- SF-312 Classified Information Nondisclosure Agreement
*Eligibility + Need-to-know + SF-312 = Authorized Access
What is Eligibility?
Determinations made by adjudicative authorities that examine a sufficient period of an individual’s life and background
What is Need-to-know?
- Determination that an individual needs access to classified in order to perform lawful and authorized governmental functions
- Determination made by an authorized holder of classified information (custodian)
What is an SF-312?
- Advises cleared employees of their responsibility to protect classified and the possible consequences of failure to protect
- Must be executed as a condition of access to classified information
Define Original Classification
Making an initial classification decision for government information
Who can make an original classification determination?
A designated Original Classification Authority (OCA)
Who can authorize an OCA?
President
Vice President
Agency Heads
Officials designated by the President *Authorized in writing
How are OCA duties delegated?
- OCA is delegated to a position, not an individual person!
- The person occupying the position that is granted OCA holds OCA authority
Of the categories in E.O. 13526, how many is each OCA responsible for?
Only one of the categories
What are the steps in the Original Classification Process?
- Ensure information is official government information
- Determine if information is eligible for classification
- Determine if info could cause damage to national security
- Assign level of classification
- Determine how long the classification should last
- Document the level of classification
- Communicate decision
How does the OCA communicate classification decisions?
The SCG and properly marked source documents
Define Derivative Classification
The creation of new materials based on existing classification guidance
Who is responsible for derivatively classifying information?
All cleared personnel within the DoD
What are the responsibilities of Derivative Classifiers?
- Respect the OCA’s initial classification
- Apply required markings
- Use authorized sources of classification guidance
- Use caution when paraphrasing/restating classified information, as these can change the classification
- Take steps to resolve doubts or conflicts about the classification/level/duration
Classification Concept: Contained In
- Derivative classifiers incorporate classified, word for word from an authorized source
- No additional interpretation or analysis is needed to determine the classification of that information
Classification Concept: Compilation
If compiled information reveals an additional association or relationship, but it is individually…
- Unclassified
- Classified at a lower level
- May be classified
- Classified at a higher level
Classification Concept: Revealed By
Classification is deduced from interpretation or analysis via paraphrased or restated information
What are the basic rules of Portion Marking?
- Complete before banner markings
- Indicate highest level of classification in every portion
- Place at beginning of the portion
- Utilize abbreviations
What are the basics of Banner Marking?
- Highest level of classification of the overall document
- Determined by highest level of any one portion
- Top and bottom of each page
- Classification level spelled out in all capital letters
What information is in the Derivative Classification Authority Block?
Classified By
Derived From
Downgrade To (if applicable)
Declassify On
*Block is placed on the face of each classified document near the bottom
What is the purpose of the SCG?
- Provide derivative classification instructions
- Facilitate proper and uniform derivative classification
Who issues the SCG?
The OCA
What basic information is provided in the SCG?
- Classification level for each element
- Reason for classification
- Duration of classification
- Applicable downgrading instructions
- Special control notices
- OCA contact information (front cover)
What are the four Authorized Storage Methods?
- Authorized individual’s head
- Authorized individual’s hands
- GSA approved security container
- Authorized information technology
What is the purpose of a Coversheet?
- Alert holders to the presence of classified information
- Prevent inadvertent view of classified information
What are the SF-703, SF-704 and SF-705?
SF-703 = cover sheet for Top Secret
SF-704 = cover sheet for Secret
SF-705 = cover sheet for Confidential
What is the SF-700?
Security Container Information
- Used to maintain a record for each container
- Used to record combinations
What is an SF-701?
Activity Security Checklist
- Used to record checks of work areas
- Used at the end of each working day
Define Access
Ability and opportunity to obtain knowledge of classified
What is the difference between a Waiver vs an Exception?
Both are approved exclusions or deviations from INFOSEC standards
- Waivers are temporary
- Exceptions are permanent
What markings belong on the Inner Wrapping of a classified envelope/package?
- Complete return address
- Specific person to receive the package, if applicable
- Mailing address
- Highest classification level
- Applicable special markings
What are the markings on the Outer Wrapping of a classified envelope/package?
- Return address
- Mailing address
- Do NOT address it to an individual’s name!
- Do NOT put any classification markings or indicators!
Who is responsible for Prepublication Review?
Defense Office of Prepublication and Security Review (DOPSR)
When is there a Security Violation?
- Inquiry reveals there has been a compromise of classified information
- Knowing, willful or negligent action that could reasonably be expected to result in the loss, suspected compromise or compromise of classified
When is there a Security Incident?
- Inquiry confirms that failure to comply with security requirements did not result in a compromise of classified
- Cannot reasonably be expected to and does not result in the loss, suspected compromise or compromise of classified information
What is a Spillage?
Classified data is introduced to an information system not approved for that level of information
Define Unauthorized Disclosure
Communication or physical transfer of classified to an unauthorized recipient
Define Declassification
- Authorized change from classified to unclassified
- Information no longer requires protection in the interest of national security at any level
Declassification Type: Scheduled
OCA sets a date or event for declassification
Declassification Type: Automatic
Information is declassified when it is 25 years old
Declassification Type: Mandatory
The public can ask for classified information to be reviewed for declassification and public release
Declassification Type: Systematic
Information is reviewed due to being exempt from automatic declassification
Define Destruction
Destroying classified information to ensure it cannot be recognized or reconstructed
Name 5 of the 8 Authorized Methods for Destroying Classified
Burning
Shredding
Pulverizing
Disintegrating
Pulping
Melting
Chemical Decomposition
Mutilation
Where can you find a list of approved destruction equipment?
The NSA’s evaluated products list (EPL)
What is the purpose of the Information Security Oversight Office (ISOO)?
Oversee and manage the Information Security Program under the guidance of the National Security Council
What is the purpose of the National Security Council (NSC)?
- Provide overall policy direction for the Information Security Program
- Assist the President in developing and issuing National Security Policy
What is the purpose of Under Secretary of Defense for Intelligence (USD(I))?
Provides guidance, oversight and approval authority of policies and procedures that govern the DoD Information Security Program
List 4 Types of Declassification Systems
Scheduled
Automatic
Mandatory
Systematic
What 2 types of information do not provide declassification instructions?
- Restricted Data
- Formerly Restricted Data
What information is in a Courier Briefing?
- The courier is liable for materials
- Material cannot be left unattended
- Do not open en route (exception: customs)
- No public discussion
- Follow authorized travel route and schedule
- In emergency, protect classified material
- Travel documents must be current and valid
List 5 Common Briefings
Initial Indoctrination
Annual Refresher
Debriefing
Courier
NATO
Non-Disclosure
Foreign Travel
Attestation Antiterrorism/Force Protection
List Categories of Classified Information
- Military plans, weapons systems, or operations;
- Foreign government information;
- Intelligence activities (including covert action), intelligence sources or methods, or cryptology;
- Foreign relations or foreign activities of the United States, including confidential sources;
- Scientific, technological, or economic matters relating to the national security;
- United States Government programs for safeguarding nuclear materials or facilities;
- Vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security or
the development, production, or use of weapons of mass destruction
List 4 Reasons NOT to Classify Information
Concealment of a crime or error
Preventing embarrassment
Restrain competition
Prevent or delay public release
List 3 Methods to Derivatively Classify Info
Restating: Taken directly from an authorized source
Paraphrase: Re-word in a new or different document
Generate: Take from one form and generate into another
Who can declassify information?
Secretary of Defense
Secretaries of the Military Departments
Officials delegated by the OCA
Officials delegated as declassification authorities
Define Actual Compromise
An unauthorized disclosure of information
List 4 Topics of OCA Training
- OCA Responsibilities
- Classification Principles and Avoidance of Over Classification
- Proper Safeguarding
- Criminal, Civil and Administrative penalties for failing to protect classified nfo
What must be included on an SCG cover page?
Date
Name of system, plan, program or project
Official issuing the guidance (name/personal identifier and position)
OCA approving the guide
Distribution statement
Statement of supercession, if necessary
What must be submitted when requesting DoD Original Classification Authority?
Mission specific justification for the request Position
Declassification Guide Content
Identifies the subject matter
Name and position of the OCA
Declass Authority Date of issuance or last review
States info to be declassified, downgraded or to remain classified
Security Classification Guide Content
Subject matter
OCA
Agency point of contact
Date of approval or last review
Identification and delineation of the specific items or elements of information warranting protection
Classification levels
Reasons for classification
Duration of classification
Warning and handling notices
Dissemination controls
Declass instructions
If classified information appears in the public media, what is DoD personnel appropriate response?
Neither confirm nor deny
Personnel must be careful not to make any statement of comment that would confirm the accuracy or verify the classified status of the information
Define Potential Compromise
Possibility that compromise could exist but it is not known with certainty.
What must be submitted when requesting DoD Original Classification Authority?
Mission specific justification for the request Position
