EVALUATION OF THE AGENCY'S INFORMATION SECURITY PROGRAM BY THE INFORMATION SECURITY OVERSIGHT OFFICE

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): 
CIA-RDP85B00236R000200150024-1
Release Decision: 
RIPPUB
Original Classification: 
K
Document Page Count: 
8
Document Creation Date: 
December 12, 2016
Document Release Date: 
October 26, 2001
Sequence Number: 
24
Case Number: 
Publication Date: 
July 1, 1980
Content Type: 
MF
Body: 
Approved For Release 2001/11/08 : CIA-RDP85B00236R000200150024-1

ISS Registry

1 JUL 1980

MEMORANDUM FOR: See Distribution

STATINTL
FROM: Chief, Information Services Staff, DDA

SUBJECT: Evaluation of the Agency's Information Security Program by the Information Security Oversight Office

1. For your information, attached is the latest evaluation of the Agency's information security program by the Information Security Oversight Office.

2. You will note the generally favorable findings in section IV. The recommendations for improvement in section VI will be the subject of a Headquarters notice.

3. I would like to thank each of the participants for their fine effort during this inspection.

STATINTL

Attachment

Distribution:
Deputy to the DCI for Collection Tasking
Deputy to the DCI for Resource Management
Director, National Foreign Assessment Center
Deputy Director for Operations
Deputy Director for Science and Technology
Comptroller
General Counsel
Inspector General
Legislative Counsel
Director of Personnel, Policy, Planning, and Management
Director of Public Affairs
Director, Equal Employment Opportunity
Executive Secretary
Director of Communications
Director of Data Processing
Director of Finance
Director of Logistics
Director of Medical Services
Director of Security
Director of Training
Chief, Classification Review Division
Chief, Information and Privacy Division
Chief, Regulations Control Division

General Services Administration
Information Security Oversight Office
Washington, DC 20405

JUN 12 1980

Mr. Don I. Wortman
Deputy Director for Administration
Central Intelligence Agency
Washington, D. C. 20505

The Information Security Oversight Office (ISOO), established under Executive Order 12065, is responsible for monitoring Executive Branch agencies and their actions to implement the provisions of the Order. In compliance with Section 5-2 of the Order, ISOO analysts, during the period April 21-25, 1980, conducted an on-site review of the information-security program within nine offices of the Central Intelligence Agency (CIA) to determine the effectiveness and degree of compliance with the Order. The last review had been conducted on March 11, 1980.

Our inspection report, a copy of which is attached, indicates that the CIA continues to implement and comply with the Order in a highly commendable manner. Your continued support of the program is appreciated. Section VI of the report does contain three specific recommendations for improvement of the agency program.

I appreciate the courtesy and support provided by the officials who met with members of my staff.

Sincerely,
STEVEN GARFINKEL
Director

INFORMATION SECURITY OVERSIGHT OFFICE
INSPECTION OF THE CENTRAL INTELLIGENCE AGENCY

I. PURPOSE. To review the Central Intelligence Agency (CIA) information security program; to determine progress in implementing Executive Order 12065 and Information Security Oversight Office (ISOO) Directive No. 1; and to conduct a review of classified information generated by CIA.

II. AUTHORITY. Sections 5-202(a) and (h) of Executive Order 12065.

III. GENERAL. Mr. John Cornett and Mr. Harold Mason, ISOO staff analysts, conducted a review of the CIA information security program during the period of April 21-25, 1980.
The following areas were subject to inspection:

Office, Director of Central Intelligence (O/DCI), Executive Registry
Office, Director of Central Intelligence, Office of General Counsel (O/DCI/OGC)
Deputy Director for Science and Technology, National Photographic Interpretation Center (DDS&T/NPIC)
NFAC/Office of Imagery Analysis
Deputy Director for Administration, Office of Security, Special Security Center (DDA/OS/SSC)
Deputy Director for Administration, Office of Security, Information Systems Security Group (DDA/OS/ISSG)
Deputy Director for Administration, Office of Communications (DDA/OC)
Deputy Director for Operations (DDO), IMS/Freedom, Privacy and Litigation Group
Deputy Director for Operations (DDO), Area Branch

IV. FINDINGS

A. Status of Implementation. Throughout the CIA, there is consistency in marking, safeguarding, classification and general compliance with the provisions of Executive Order 12065. This is attributable to (1) an excellent central training program that is provided to all personnel, including the secretarial staff, who work with or are required to meet any provisions of the Order; (2) the preparation of specialized classification guides for each Directorate; and (3) the mandates levied on the CIA under the National Security Act of 1947 supplemented by the Central Intelligence Agency Act of 1949 and other programs that prescribe the requirements for the protection of intelligence activities, sources and methods and other sensitive information. Results of the inspection indicated that personnel had an excellent understanding of and were in compliance with the Order.

1. Classification.

a. Classification Guides. Each Directorate within the CIA utilizes a classification guide oriented towards its particular area of operations.
The CIA is unique among agencies in the manner in which it utilizes classification guides; in addition to identifying the guide, they also identify the section in which the particular subject is located; the person who derivatively classified the document; the date for review or declassification; and the reason for extension, when extended. When the guide and section are shown, the ISOO inspectors are able to conduct an audit trail in a minimal period of time. Most agencies simply cite the identification of the guide. Also, in some offices visited, if more than one section of the guide is used, they identify the guide and section after each paragraph and mark "multiple source" in the "derived from" section of the stamped marking.

Most guides used in DDS&T/NPIC are published by the Committee on Imagery Exploitation (COMIREX). Caveats for markings, other than those prescribed in the Order, are established in the Director of Central Intelligence Directive (DCID) 1/7.

Each Directorate had developed classification guides concurrent with the effective date of the Order. The Records Management Division has now completed a draft of a classification guide covering general topics of interest to all Directorates. A review of the guide indicated it was the result of much thought and research. As a "general subjects" guide it is possibly the first of its type. Target date for formal publication is December 1980.

b. Use of Derivative Classification. The CIA is one of the few agencies which identifies personnel authorized to derivatively classify information. Again, through this procedure the analysts were able to determine which person was responsible for derivatively classifying the document and then question him on the justification for his decision.

c. Original Classification.
Since most subjects are covered in classification guides, the number of originally classified decisions is only approximately 15 percent of all CIA actions. As a general rule, if a subject is not covered in a classification guide, then it is recorded as an original classification decision.

2. Document Review.

a. Results of the document review indicated that the majority of documents were classified at the Secret level with an established review date of 20 years. This was attributable to the subject matter and sensitivity of the information involved. Normally, throughout the agency, the number of original classification decisions are 2 percent at the Top Secret level, 20 percent Secret and 78 percent Confidential. Approximately 90 percent of the documents extended beyond 20 years are at the Confidential level.

b. In one instance, a document reviewed in the O/DCI/OGC was marked SECRET-SENSITIVE. However, the document did not originate in that office. During a visit to another agency, an official interviewed stated that he had been in receipt of documents with this marking.

c. In two instances, documents were marked "entire text classified Secret." The reviewers contended that they could have been portion marked and 1 or 2 paragraphs marked Confidential or unclassified. The persons interviewed agreed with the analysts' decision.

d. Within DDA/OC, all portions of their documents were properly marked with the level of classification. In addition, each portion also included reference to the section in the guide even though each involved the same section. Although this practice is not a violation of the Order, the ISOO reviewers contend that it is not necessary and creates an additional burden on the classifiers.

e. In a few instances, subjects were not portion marked.

f.
Some documents were prepared on paper with pre-printed classification markings that resulted in the classification being in type smaller than that of the text.

3. Safeguarding. In DDA/OS/ISSG, logs are maintained for all Top Secret documents provided to other agencies. However, audit trails are not conducted by CIA to determine the status of the documents. Instead, they rely upon audit trails that are conducted by the recipient agency Top Secret Control Officer. The CIA Office of Security does conduct inspections of agencies that receive their material to make certain that proper safeguarding practices are observed.

4. Declassification. The ISOO analysts received an excellent briefing from the DDO/IMS/Freedom, Privacy and Litigation Group. They explained the magnitude of the operation involved in a Freedom of Information, Privacy Act or Mandatory Review request. Many requests involve thousands of pages, with each request encompassing tremendous coordination, record keeping, review, litigation and liaison activity between agencies. Many personnel and hours are required for each request. Since all the documents in this office predated E.O. 12065, no review was conducted. Other aspects of the CIA mandatory and systematic review program have been discussed in prior reports.

Initial requests for classified documents under the Freedom of Information Act (FOIA) or Privacy Act, and appeals to denials of these requests, are not subject to immediate formal classification review. However, each document is reviewed to determine if it can be sanitized or released in its entirety. If it is determined that the document can not be released in whole or in part, then it is further reviewed to determine if it meets the exemptions for denial under the FOIA or Privacy Act.
In the event a case goes to litigation, then a formal classification review is conducted. The document is then provided to each component with subject matter interest where a line-by-line review is conducted to determine if any portion of the document can be released. The document is sent to the Office of the General Counsel for final review and evaluation.

In the case of mandatory review requests under Executive Order 12065, a formal classification review is immediate. The document is submitted directly to the component with subject matter interest and reviewed for possible declassification or sanitation.

The proposed legislation to partially exempt the agency from the FOIA is not expected to reduce their work load in this area.

V. CONCLUSION. Personnel interviewed were extremely cooperative with the ISOO analysts; their briefings were open and frank, consistent with the sensitivity of the information.

VI. RECOMMENDATIONS. Based upon the results of the survey, the ISOO analysts recommend that the CIA:

1. Discontinue the practice of using SECRET-SENSITIVE on documents.

2. Use the statement "entire text" sparingly, and only when the entire text warrants the same level of classification.

3. Inform individuals who apply portion markings that subject classification is included in their marking requirements.