Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems [open pdf - 3MB]
"This guideline identifies system security responsibilities for Information System Security Officers (ISSOs). It applies to computer security aspects of automated information systems (AISs) within the Department of Defense (DOD) and its contractor facilities that process classified and sensitive unclassified information. Computer security (COMPUSEC) includes controls that protect an AIS against denial of service and protects the AISs and data from unauthorized (inadvertent or intentional) disclosure, modification, and destruction. COMPUSEC includes the totality of security safeguards needed to provide an acceptable protection level for an AIS and for data handled by an AIS. 1 DOD Directive (DODD) 5200.28 defines an AIS as 'an assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information.' 2 This guideline is consistent with established DOD regulations and standards, as discussed in the following sections. Although this guideline emphasizes computer security, it is important to ensure that the other aspects of information systems security, as described below, are in place and operational: Physical security includes controlling access to facilities that contain classified and sensitive unclassified information. Physical security also addresses the protection of the structures that contain the computer equipment. Personnel security includes the procedures to ensure that access to classified and sensitive unclassified information is granted only after a determination has been made about a person's trustworthiness and only if a valid need-to-know exists."
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/