The "Computer Security Act of 1987," Public Law 100-235 and Office of Management and Budget (OMB) Circular A-130 require all federal agencies to plan for the security of all sensitive IT systems throughout their life cycle. OMB Circular A-130 also establishes a minimum set of controls to be included in federal Information Technology (IT) security programs. The program must include the implementation of policies, standards, and procedures which are consistent with government-wide laws and regulations, to assure an adequate level of protection for IT systems whether maintained in-house or commercially. The circular directs agencies to assure:
The Department of Commerce (DOC) has established and implemented an IT security program which will provide reasonable and acceptable assurance that sensitive and classified national security IT systems are performing exactly as specified and doing nothing more; that sensitive and classified information is provided adequate protection; that data and software integrity is maintained; and, that unplanned disruptions of processing will not seriously impact mission accomplishment.
People, hardware, software, telecommunications, facilities and data together form an IT system that is highly effective and productive. However, all IT systems involve certain risks that must be addressed adequately through proper controls. The policies contained in this chapter represent management's commitment to assuring confidentiality, integrity, availability and control of the Department's IT resources.
Due to the complexity of the IT Security program requirements, the policy section of this chapter is divided into subsections that present policies by specific subjects, as appropriate.
The "DOC IT Security Manual," Attachment 1 to this chapter, is being published as a separate document, which combines all policies, procedures, current detailed guidance and methodologies for accomplishing the Department's IT security program. It is intended to provide individuals assigned IT security responsibilities and individual system owners with a more detailed single-source reference document, which will be up-dated as new policies, procedures, techniques, methodologies or program requirements are developed and issued.