Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems.
Abstract:
This guideline identifies system security responsibilities for Information System Security Officers (ISSOs). It applies to the computer security aspects of automated information systems (AISs) within the Department of Defense (DOD) and its contractor facilities that process classified and sensitive unclassified information. Computer security (COMPUSEC) includes the controls that protect an AIS against denial of service and that protect the AIS and its data from unauthorized disclosure, modification, and destruction, whether inadvertent or intentional. COMPUSEC includes the totality of security safeguards needed to provide an acceptable level of protection for an AIS and for the data it handles.[1] DOD Directive (DODD) 5200.28 defines an AIS as an assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information.[2] This guideline is consistent with established DOD regulations and standards, as discussed in the following sections.

Although this guideline emphasizes computer security, it is important to ensure that the other aspects of information systems security, as described below, are in place and operational.

Physical security includes controlling access to facilities that contain classified and sensitive unclassified information. Physical security also addresses the protection of the structures that house the computer equipment.

Personnel security includes the procedures that ensure access to classified and sensitive unclassified information is granted only after a determination has been made about a person's trustworthiness, and only if a valid need-to-know exists.