AIS SECURITY PROGRAM
The risk analysis and higher authority instructions
provide the basis for an AIS security program. Even
though implementation of the program depends on local
instructions/directives and conditions, it may not be
clear just where to begin.
AIS SECURITY PROGRAM PLANNING
Following is a suggested outline to use as a basis
for planning an AIS security program:
Perform preliminary planning. Establish an
AIS security team to prepare an AIS security
program and make responsibility assignments.
Perform a preliminary risk analysis. This will
identify major problem areas.
Select and implement urgent quick fix
security measures. This should be done on an
Perform and document a detailed risk
analysis. This will allow for review and
Justify cost and document action plans.
Based on the approved risk analysis selected,
develop budgets and schedules for security
measures, contingency plans, training and
indoctrination plans, and test plans.
Carry out the approved action plans.
Repeat the detailed risk analysis and
subsequent steps regularly, at least annually.
Conduct more frequently if required based on the
results of tests, inspections, and changes in
mission or environment.
AIS SECURITY PLAN
Include adequate documentation in the action
plans. For example, the documentation might include
A security policy statement that provides general
guidance and assigns responsibilities;
A security handbook (with instructions) that
describes in detail the security program and
procedures and the obligations of AIS personnel,
users, and supporting personnel;
Command standards for system design,
programming, testing, and maintenance to
reflect security objectives and requirements;
Contingency plans for backup operations,
disaster recovery, and emergency response; and
Booklets or command instructions for AIS staff
indoctrination in security program requirements.
Depending on the normal practices of the AIS
facility, these documents may be completely separate
items or they may be included in other documents. For
example, emergency response plans for the AIS facility
might be included in the commands Disaster Control
Plan. Similarly, security standards could be added to
The final point to be made is the importance of
continuing the inspection and review of the security
program. A major effort is required for the initial risk
analysis, but once it is completed, regular review and
updating can be done much more quickly. By
evaluating changes in command mission, the local
environment, the hardware configuration, and tasks
performed, the AIS technical manager can determine
what changes, if any, should be made in the security
program to keep it effective.
Numerous higher authority instructions relate to
physical security, data protection, and security in
general. You should have a thorough knowledge of
them before implementing any security plan. Refer to
the following instructions and manuals to learn about
AIS security and when making security decisions:
Department of the Navy Automatic Data
Processing Security Program, OPNAVINST
5239.1 with enclosures;
Guideline for Automatic Data Processing Risk
Analysis, FIPS PUB 65 (enclosure 3 to
Department of the Navy Information and
Personnel Security Program Regulation,
Department of the Navy Information Systems
Security (INFOSEC) Program, SECNAVINST