DATA SECURITY IMPROVEMENT PROGRAM

Sanitized Copy Approved for Release 2009/12/30: CIA-RDP87M01152R000200140010-9 6( 7- / 2 O - -1--Office of Legislative Liaison Routing Slip aJ wc-mie/Date I I Sanitized Copy Approved for Release 2009/12/30: CIA-RDP87M01152R000200140010-9  Sanitized Copy Approved for Release 2009/12/30: CIA-RDP87MO1152R000200140010-9 ;~~ C-O-N-F-I-D-E-N-T-I-A-L ROUTING AND RECORD SHEET Data Security Improvement Program FROM: EXTENSION William F. Donnelly Director of Information Technology) 2DOO Headquarters TO: (Officer designation, room number, and building) D/OLL . 7B24 Hqs 12. 15. OFFICER'S. INITIALS OIT 12059-85 C'9 d COMMENTS (Number each . comment to. show from whom to whom. Draw a line across column after each comment.) FORM 61 O USE PREVIOUS 1_79 EDITIONS GPO : 1993 0 411-632 r-n-M-P-T-Tl-E-M-T-T-A-T. Sanitized Copy Approved for Release 2009/12/30: CIA-RDP87MO1152R000200140010-9  Sanitized Copy Approved for Release 2009/12/30: CIA-RDP87M01152R000200140010-9 OIT 12059-85 2 0 SEP 1985 MEMORANDUM FOR: See Distribution FROM: William F. Donnelly Director of Information Technology SUBJECT: Data Security Improvement Program 1. In a continuing effort to enhance the security of this Agency's information processing systems, the Office of Information Technology (OIT) has begun a Data Security Improvement Program. This initiative will concentrate on improving the data security protection for two major Agency computer systems - MVS and VM. Representatives from OIT's Computer Security Group (CSG) and Systems Administration Branch will assist each component in implementing controls for improving the security of sensitive 2. Pursuant to ADP Control Officer Bulletin 83-002, dated 5 July 1983, each office's ADP Control Officer will serve as a focal point for this project. This individual will be responsi- ble for identifying the component's most sensitive data and will provide this information to CSG. OIT personnel, in coordination with the component representative, will insure that the maximum software security protection for this data is implemented.0 25X1 3. The success of this Data Security Improvement Program and the benefits received will depend on the direct involvement of each component. I am seeking the support of each Office Director to insure that this important security initiative is a success. Attached to this memorandum are further details con- cer this program. The point of contact in OIT is I?tixl 109 Headquarters, who may be contacted on secure 25X1 25X1 25X1 25X1 STAT LZDAI Sanitized Copy Approved for Release 2009/12/30: CIA-RDP87M01152R000200140010-9  Sanitized Copy Approved for Release 2009/12/30: CIA-RDP87MO1152R000200140010-9 STAT Sanitized Copy Approved for Release 2009/12/30: CIA-RDP87MO1152R000200140010-9  Sanitized Copy Approved for Release 2009/12/30: CIA-RDP87MO1152R000200140010-9 Data Security Improvement Program The Data Security Improvement Program will implement minimum acceptable security controls necessary for the protection of Agency classified and sensitive data. The ADP Control Officer Bulletin 83-002, dated 5 July 1983, describes the duties and responsibilities of ADP Control Officers and their relationship to the Office of Information Technology. The ADP Control Officer will be the component's referent for the Data Security Improvement Program. This individual will be responsible for working with the SAB/CSG team to determine the component's sensitive data, who should have access and under what conditions individuals can access the data. The SAB/CSG team will also discuss related data security responsibilities with the component's ADP Control Officer. The SAB/CSG team will work with the component's ADP Control Officer to establish the necessary minimal controls to protect the component's MVS data sets as well as sensitive VM minidisks. Regarding your component's MVS data sets, the minimal control will be a default rule, authorizing only component users to access the component's data. Accordingly, any additional accesses will be discussed and/or implemented at the time of the SAB/CSG team and ADP Control Officer meeting. In respect to the establishment of sensitive VM minidisks, it is requested that the component ADP Control Officer make a determination, through discussions with the minidisk owner, as to the sensi- tivity of the data on the minidisk. In order to assist the ADP Control Officer in determining what types of data should be included in the component's sensitive minidisks, CSG offers the following criteria: minidisks that are shared within the component and especially those that are shared among multiple components; minidisks that contain classified and sensitive in- formation; asset information; national program data; restricted codeword data; and employee identification. This list is by no means all inclusive. Upon the establishment of a list of the component's sensitive minidisks, the SAB/CSG team will implement a V-Link protection (a minidisk access control mechanism) to ensure that only authorized users can gain access. It is requested that the component ADP Control Officer forward sensitive minidisk lists to CSG, 2DO109 Headquarters, by 30 Se tember 1985. The SAB/CSG team will then contact the component ADF ontro Officers, in a systematic manner, and schedule a meeting. Sanitized Copy Approved for Release 2009/12/30: CIA-RDP87MO1152R000200140010-9