AIS SECURITY PROGRAM IMPLEMENTATION
The risk analysis and higher authority instructions
provide the basis for an AIS security program. Even
though implementation of the program depends on local
instructions/directives and conditions, it may not be
clear just where to begin.
AIS SECURITY PROGRAM PLANNING
Following is a suggested outline to use as a basis
for planning an AIS security program:
• Perform preliminary planning. Establish an AIS security team to
  prepare an AIS security program and make responsibility assignments.
• Perform a preliminary risk analysis. This will identify major
  problem areas.
• Select and implement urgent quick fix security measures. This should
  be done on an as-needed basis.
• Perform and document a detailed risk analysis. This will allow for
  review and approval.
• Justify cost and document action plans. Based on the approved risk
  analysis selected, develop budgets and schedules for security
  measures, contingency plans, training and indoctrination plans, and
  test plans.
• Carry out the approved action plans.
• Repeat the detailed risk analysis and subsequent steps regularly, at
  least annually. Conduct more frequently if required based on the
  results of tests, inspections, and changes in mission or environment.
AIS SECURITY PLAN DOCUMENTATION
Include adequate documentation in the action
plans. For example, the documentation might include
the following:
• A security policy statement that provides general guidance and
  assigns responsibilities;
• A security handbook (with instructions) that describes in detail the
  security program and procedures and the obligations of AIS personnel,
  users, and supporting personnel;
• Command standards for system design, programming, testing, and
  maintenance to reflect security objectives and requirements;
• Contingency plans for backup operations, disaster recovery, and
  emergency response; and
• Booklets or command instructions for AIS staff indoctrination in
  security program requirements.
Depending on the normal practices of the AIS
facility, these documents may be completely separate
items or they may be included in other documents. For
example, emergency response plans for the AIS facility
might be included in the command's Disaster Control
Plan. Similarly, security standards could be added to
existing documents.
The final point to be made is the importance of
continuing the inspection and review of the security
program. A major effort is required for the initial risk
analysis, but once it is completed, regular review and
updating can be done much more quickly. By
evaluating changes in command mission, the local
environment, the hardware configuration, and tasks
performed, the AIS technical manager can determine
what changes, if any, should be made in the security
program to keep it effective.
AUTHORITATIVE REFERENCES
Numerous higher authority instructions relate to
physical security, data protection, and security in
general. You should have a thorough knowledge of
them before implementing any security plan. Refer to
the following instructions and manuals to learn about
AIS security and when making security decisions:
• Department of the Navy Automatic Data Processing Security Program,
  OPNAVINST 5239.1 with enclosures;
• Guideline for Automatic Data Processing Risk Analysis, FIPS PUB 65
  (enclosure 3 to OPNAVINST 5239.1);
• Department of the Navy Information and Personnel Security Program
  Regulation, OPNAVINST 5510.1;
• Department of the Navy Information Systems Security (INFOSEC)
  Program, SECNAVINST 5239.3.