DOC operating units shall assure that appropriate technical security requirements are included in specifications for the acquisition or operation of new IT equipment intended to process sensitive information. These specifications shall be reviewed and approved by the appropriate ITSO or IT System Security Officer (ITSSO) prior to the acquisition.
It may not be feasible or cost-effective to retrofit existing, older computer hardware. However, the features below should be considered when acquiring new systems, to ensure that they are incorporated either within the hardware or operating system software:
For systems that process very sensitive or national security information, the use of equipment that meets the requirements of either the "Department of Defense (DOD) Trusted Computer System Evaluation Criteria," DOD 5200.28-STD ("Orange Book"), or the "Federal Criteria for IT Security," developed jointly by the National Institute of Standards and Technology and the National Security Agency, is encouraged.
Government-owned equipment is for official use only and is not to be used for personal business or other non-government activities.
Individual employees should be discouraged from bringing their personally owned hardware into DOC space for processing government data. If it is in the best interest of the DOC organization to allow the use of personally owned hardware on DOC premises, authorization must be granted in writing by the immediate supervisor, showing the justification. The written authorization must show that the DOC is not responsible for any damage or loss of personally owned equipment and will not pay for maintenance or repair. See Section 10.12.1 of this document and Section 12.1 of the "DOC IT Security Manual" for additional policies and guidance on copyrighted software.