TO OPERATE IN CYBERSPACE - United States Army

Transcription

IA/CYBERSECURITY IS CRITICAL TO OPERATE IN CYBERSPACE

Commanders, leaders, and managers are responsible for ensuring that Information Assurance/Cybersecurity is part of all Army operations, missions and functions. You must make certain that your organization adopts and institutes the practices necessary to ensure the protection of information and personnel.

This Handbook is designed to provide leaders the information and tools to address today’s complex security challenges. It is also a quick reference for managing Cybersecurity issues that will help ensure that Soldiers, Civilians and contractors know their responsibilities for daily practices that will protect information and our IT capabilities.

WE MUST PROTECT THE NETWORK!

Information Assurance (IA)/Cybersecurity is the Army unified approach to protect the confidentiality, integrity and availability of our information and operations. IA/Cybersecurity is critical to your mission success and therefore must be part of your risk management processes. It is essential in assisting you with identifying vulnerabilities and taking the necessary steps to conduct your daily operations.

Army regulations, policies and guidance provide the Army imperatives authority, responsibility and accountability necessary to promote a culture that is risk aware and complies with practices that minimize vulnerabilities to Army networks, systems and information. As leaders, you must ensure that your organization remains committed to practices that protect Army networks, systems and information as well as personnel identity.

INSTITUTING THE IA/CYBERSECURITY IMPERATIVES

- Incorporate IA/Cybersecurity into your Risk Management Process
- Treat IA/Cybersecurity like Safety
- Link IA/Cybersecurity to Readiness

As a leader, it is your responsibility to ensure that your business and information systems are protected. You must make certain your personnel are responsible for daily practices that protect information and IT capabilities for mission success.

It is your responsibility to assess your mission capability and practice good Cyber Hygiene - personal practices that comply with policies, process, and standards that safeguard computer use.

Remember: It is your responsibility to ensure the protection of our networks, information, and people, through increased IA training, improved Cybersecurity practices, and appropriate risk management.

EMPOWER YOUR IA/CYBERSECURITY TEAM

Know Your IA Team!

Your IA team manages your IA/Cybersecurity program. Get to know these professionals as they are key in helping you set your priorities for protecting the network and safeguarding information. Your organization must know that you make Cybersecurity a priority and understand that Cybersecurity is everyone’s business.

Your IA/Cybersecurity team may include:

- G-6/S-6 - The principal staff officer with the responsibility for the management of the commander’s IA program
- IA Program Manager (IAPM) - Senior IA advisor to the commander
- IA Manager (IAM) - Implements the IA/Cybersecurity program with assistance from the IASOs.
- IA Support Officer (IASO) - Provides Information Assurance oversight, guidance and support to the general user

TRAIN YOUR PERSONNEL

Everyone must complete the appropriate training required for their position.

The Army Training and Certification Tracking System (ATCTS) provides reports and manages personnel IA training records for your IA/Cybersecurity training management.

IA training is provided through the Army IA virtual training, and successful completion of training courses is automatically reported to the ATCTS site.

The Army IA Virtual Training site also offers training for:

- Portable Electronic Devices
- Personally Identifiable Information (PII)
- Safe Home Computing

Army Training and Certification Tracking System (ATCTS): https://atc.us.army.mil/
Army IA Virtual Training: https://iatraining.us.army.mil/
DoD Cyber Awareness .asp

Your local IA/Cybersecurity team can answer your questions about IA training requirements. Questions concerning ATCTS or the Army IA virtual training site can be directed to ciog-6netcomiawip.inbox@mail.mil.

IA/CYBERSECURITY IS EVERYONE’S RESPONSIBILITY

Cyber Hygiene is adherence to laws and regulations, DoD and Army policies, procedures, and standards. Enforcing IA compliance is critical to strengthening the Army Cybersecurity posture.

Beyond required security training, leaders must ensure that Soldiers, Civilians and contractors understand the threat they pose to operational security with non-compliance to IA/Cybersecurity policies and practices. People are the Army’s first line of defense in sustaining good cyber hygiene and reduction in the insider threats. Most vulnerabilities and malicious acts against Army systems and information can be addressed through comprehensive and effective cyber hygiene.

Everyone is responsible for Cybersecurity!

As leaders, you must remain vigilant and constantly assess your IA/Cybersecurity posture and program with regard to readiness, risk, resources, and reporting. Have your IA/Cybersecurity team use the IA Self Assessment Tool located at https://iatraining.us.army.mil to evaluate your security posture, and report back to you with the results, and their plans to address any weaknesses identified.

PHISHING: UNDERSTANDING THE THREAT

Everyone has seen them: an email that claims to be from a trusted source and requests your personal information, or directs you to a seemingly innocent website. These phishing attempts are usually obvious. However, phishing is a major issue that plagues the DoD and Army. Phishing is often successful because the improved quality of these attacks makes it more difficult to identify them as a hoax. Phishing attacks have also become more sophisticated, targeting specific individuals with content customized specifically to them.

Everyone must be constantly aware of the phishing threat. Always be sure an email is legitimate before clicking any links or attachments, and never click any links or attachments that were received in an email that was not digitally signed.

Ensure your personnel annually complete the anti-phishing course located at: https://iatraining.us.army.mil/

SECURING THE SYSTEM

The Internet poses serious potential threats. We must constantly ensure all computers and devices meet the appropriate security requirements before connecting them to the network.

All office and home computers must be up to date with required system security patches, Anti-Virus software application, and should only be connected to the internet from behind a firewall.

The Army Home Use program makes it easy for Army Soldiers and Government Civilians to secure their home computers by giving them free access to both Symantec and McAfee anti-virus and virus/

Protecting your home computer with current antivirus applications and connecting to the internet from behind a firewall are vital to preventing malware from infecting your computer.

You should discuss with personnel the importance of IA/Cybersecurity on their home computers. Ensure they are aware of the free resources available to soldiers and government civilians, and are practicing good Cyber Hygiene both at work and at home.

PERSONAL MOBILE DEVICES

Department of Defense and Army policies prohibit connecting unauthorized information systems to the network, and prohibit conducting official business on personally owned devices that do not meet Army standards and certification requirements.

Although the Army is currently considering a strategy to allow personal mobile devices access to the Army Network, personal cell phones, tablets or other mobile devices are currently not authorized for access and government use. Using unapproved devices for official business is not only a security violation, but could also cause major security incidents jeopardizing sensitive information and putting our operations and personnel at risk. Compromising classified information in these cases is a serious security violation that may result in punitive actions.

More information on personal mobile devices can be found at: https://informationassurance.us.army.mil/

THE COMMON ACCESS CARD (CAC)

Your CAC is your physical and digital identification; treat it as a sensitive item!

- Your CAC allows you to digitally sign emails so recipients can verify that you are the sender and the information was not altered in transit.
- Your CAC protects sensitive information in emails and computer files by allowing you to encrypt them.
- Your CAC is a physical piece of IA/Cybersecurity and is tightly bound to your online identity. Therefore, it must be protected at all times, even when not in use.
- Report a lost CAC card as soon as it’s confirmed to be missing.

SIPR Tokens for SIPRNet access have many CAC-like security capabilities and will be required to access SIPR systems. Treat them as sensitive items and protect them as you would your CAC.

RISK MANAGEMENT

Leaders must always assess potential threats and the impact on operations. Contingency plans are critical for sustaining operations through attacks or interruptions to network service.

Organizations must develop a Continuity of Operations Plan (COOP) in order to maintain and sustain operations.

For your COOP to be effective, it must include:

- A Business Recovery Plan
- An Information Technology Contingency Plan
- A Facility Disaster Recovery Plan

Ensure that your plan works in conjunction with any existing COOPs adjacent to your area of control.

In addition to a fully developed COOP, you must review the plan annually and practice its execution as required for the sensitivity level of the information being handled.

More information on COOPs is found in DA PAM 25-1-1.

INCIDENT RESPONSE

Every organization should have processes in place and the people to contact in case of an incident whether it is a security breach, information spillage, or disclosure of Personally Identifiable Information (PII). Guidelines on reporting processes are defined in AR 25-2.
http://www.apd.army.mil/pdffiles/r25 2.pdf

Common Examples of Reportable Incidents Include:

- Unauthorized Disclosure of Classified Information (spillage) - Higher-level classified information is placed on a lower level classified information system (i.e. Sending an email that contains Secret content on the NIPRNET).
- Loss or Compromise of Personally Identifiable Information (PII) - PII information that can uniquely identify, contact, or locate a single person (i.e. Posting a personnel roster which includes names, SSNs, addresses and medical information on a public website). Specific instructions on PII incidents and the reporting processes are on the Records Management and Declassification Agency’s website located at: https://www.rmda.belvoir.army.mil
- Receipt of suspicious emails and phishing scams. Examples include requests to provide passwords or other sensitive information to an unknown source.

US CERT has a one-hour reporting requirement for PII related incidents. Ensure your IA team’s response plan meets this requirement.

Always contact your IA team or NEC if there is any question concerning a security matter.

INFORMATION ASSURANCE ENFORCEMENT

AR 25-2 outlines sanctions that may be imposed for civilian, military and contractor personnel found in violation of Army security practices.

AR 25-2, paragraph 1-5.j states that military and civilian personnel may be subjected to administrative and/or judicial sanctions if they knowingly, willfully, or negligently compromise, damage, or place Army information systems at risk by not ensuring the implementation of DoD and Army policies and procedures.

AR 25-2 further stipulates that military personnel may face administrative as well as non-judicial or judicial punishments authorized by the Uniform Code of Military Justice. Similarly, sanctions for civilian personnel may include administrative actions as well as judicial punishment. Defense contractor employees must perform under the terms of the contract and applicable directives, laws, and regulations.

QUESTIONS AND TOPICS FOR YOUR IA/CYBERSECURITY TEAM

1. Ask personnel if they know who to contact with IA questions or concerns.
2. Do your people understand the importance of protecting their CAC card?
3. Question personnel about the last time they completed their DoD Cyber Awareness training. Do they require any additional certifications? If so, what’s the status of those additional certifications?
4. Do your people understand Phishing, and the risk it poses to their personal and professional life?
5. Are your people using a firewall and anti-virus software on their home computers? Are they aware of the free security software that is available for their home virus/
6. Do you include IA/Cybersecurity topics in your all-hands or town hall meetings?
7. What processes are in place to ensure personally identifiable information and sensitive/classified information is not posted on your public facing pages?
8. Conduct periodic brown bag sessions on topics such as safe home computing practices, incident reporting procedures, and using unapproved personnel devices such as smart phones and tablets to conduct official business, etc.
9. Leverage articles and cartoons from “OnCyberPatrol” website as part of your overall awareness strategy. Content can be accessed at: http://ciog6.army.mil/OnCyberPatrol.aspx
10. Lead by example and counsel people who break the rules.

REFERENCES AND CONTACTS

Army IA One Stop ybersecurity Leader’s Handbook Discussion
Army Training and Certification Tracking System (ATCTS): https://atc.us.army.mil/
Questions regarding the ATCTS or the Army IA virtual training site can be directed to: ciog-6netcomiawip.inbox@mail.mil
Army IA Virtual Training: https://iatraining.us.army.mil/
Army IA Self Assessment Tool: https://iatraining.us.army.mil/
DoD Cyber Awareness .asp
US Army Computer Emergency Response Team (ARCERT): https://www.acert.1stiocmd.army.mil/
Army Home Use us/
Army Publishing Directorate: http://www.apd.army.mil/
Army e-Learning (Skillport): https://usarmy.skillport.com/

IA/Cybersecurity Leader’s Handbook Discussion //www.milsuite.mil/book/docs/DOC-73030v13.5.9b
