
conversation monitoring. These policies shall contain at a minimum the following instructions:

(1) No telephone call shall be monitored unless the Federal agency has taken continuous positive action to inform the callers of the monitoring.

(2) No data identifying the caller shall be recorded by the monitoring party.

(3) The number of calls to be monitored shall be kept to the minimum necessary to compose a statistically valid sample.

(4) Agencies using telephone instruments that are subject to being monitored shall conspicuously label them with a statement to that effect.

(5) Since no identifying data of the calling party will be recorded, information obtained by the monitoring shall not be used against the calling party.

(c) Current copies and subsequent changes of agency documentation, determinations, policies, and procedures supporting operations under § 201-6.202-2(c), (d), or (e) shall be forwarded before the operational date to the General Services Administration (KMPP), Washington, DC 20405. Specific telephones shall be identified in the documentation and/or determination to prevent any possible abuse of the authority.

(d) Procedures for monitoring performed under § 201-6.202(a) (law enforcement) shall contain at a minimum:

(1) The identity of an agency official who is authorized to approve the actions in advance;

(2) An emergency procedure for use when advanced approval is not possible;

(3) Adequate documentation on all actions taken;

(4) Records administration and dissemination procedures; and

(5) Reporting requirements.

(e) Those requests that are required to be submitted to GSA for review shall be accompanied by a "determination" as defined in § 201-6.001.

(f) A program is established to reevaluate at least every 2 years the need for each determination authorizing listening-in or recording of telephone conversations.

(g) Conversations recorded or relayed by operators of telecommunications device for the deaf (TDD) relay systems are kept confidential to comply with § 201-6.202-2(d).

[FIRMR Amdt. 1, 50 FR 4339, Jan. 30, 1985, as amended by FIRMR Interim Rule 3, 54 FR 42303, Oct. 16, 1989]

§ 201-6.204 GSA responsibilities.

(a) General Services Administration (KMPP), Washington, DC 20405, will be accountable for information and determinations concerning the use of listening-in or recording of telephone conversations in the Federal Government as requested under § 201-6.202-2(c), (d), or (e).

(b) GSA will periodically review the listening-in programs within the agencies to ensure that agencies are complying with the intent of this subpart 201-6.2.

(c) GSA will provide assistance to agencies in determining what communications devices and practices fall within the listening-in or recording category; i.e., those that have the capacity to listen-in, monitor, or intercept telephone conversations. GSA will also help develop administrative alternatives to the listening-in or recording of telephone conversations. Requests for assistance shall be addressed to: General Services Administration (KJ), Washington, DC 20405.

(d) GSA will take appropriate steps to obtain compliance with this regulation if an agency has not documented its devices in accordance with this subpart 201-6.2.

[blocks in formation]

tion of the safeguards required to protect a sensitive computer application or telecommunication system.

Sensitive application systems, as used in part 201-7 means those ADP and telecommunication systems that require a degree of protection. The protection is required because these systems process sensitive data; the risk of loss or harm that could result from data disclosure, modification, or destruction is substantial; or the improper operation of the software or equipment related to the application system would have a serious effect on the ability of the agency to function. Examples of sensitive applications systems are (a) automated systems with little or no human intervention; e.g., check-issuing systems; (b) systems that process privileged information; e.g., proprietary data and economic forecasts; (c) systems that process personal information subject to the Privacy Act of 1974; and (d) systems where the loss or harm would be such that the organization could not effectively perform its mission and would have a substantially adverse effect on the Nation.

Sensitive data, as used in part 201-7 means data that require a degree of protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data.

Subpart 201-7.1-Security Management

§ 201-7.101 Policy.

Federal agencies shall ensure that an adequate level of security is provided for all ADP and telecommunication systems and services, including those provided by contractors. An adequate security program shall be established to ensure automated information system integrity; i.e., a security program that (a) ensures that under all conditions sensitive data is safeguarded from disclosure and protected from unauthorized modification or destruction, (b) provides for operational reliability of the ADP and telecommunication systems, and (c) provides asset integrity for prevention of loss from natural hazards, fire, etc.

§ 201-7.102 Agency security responsibilities.

Each agency shall establish an agency security program that clearly delineates the responsibility for security agencywide. The agency head shall establish policies and procedures and assign responsibility for development, implementation, and operation of the agency's ADP and telecommunication security program. This responsibility applies to work performed internally or by contract.

(a) Personnel. The agency security program shall include policies and procedures for the screening and clearance of all persons involved in the design, operation, or maintenance of ADP or telecommunication systems. The level of screening required will vary from minimal checks to full background investigations commensurate with the sensitivity of the data handled and the risk and magnitude of loss or harm that could be caused by the individual. Policies shall be consistent with policies issued by the Office of Personnel Management (see Federal Personnel Manual (FPM) 7324.1).

(b) Facility security officer. Each ADP and telecommunication system location shall have a designated security person responsible for the implementation, operation, and testing of the agency security program for that installation, including the adequacy of the security training of personnel involved.

(c) Security evaluations. The agency security program shall include procedures for conducting periodic (at least once every 3 years) audits or evaluations of the adequacy of the security safeguards of each sensitive application. Audits or evaluations shall be conducted on applications that process personal, proprietary, or other sensitive data or that have a high potential for financial loss; e.g., an automated decision making application. They shall be conducted by persons independent of the facility users and facility management.

§ 201-7.103 Security program elements.

The agency security program shall contain all of the elements necessary to ensure an adequate level of security for all agency data, whether processed by the agency, other Government agencies, or commercially. The program shall be consistent with policies, procedures, and standards issued by OMB, GSA, the Department of Commerce, and the Office of Personnel Management. (Transmittal Memorandum No. 1 to Office of Management and Budget (OMB) Circular No. A-71, July 27, 1978, addresses security of Federal automated information systems. See also the National Bureau of Standards (NBS) publication FIPS PUB 73, Guidelines for Security of Computer Applications, June 1980.) Where national security information or cryptologic systems are involved, the provisions of Executive Order 12065, dated June 28, 1978 (3 CFR), other applicable national security issuances, and the agency implementations shall also apply.

§ 201-7.103-1 Identification of sensitive systems and facilities.

A review of ADP and telecommunication facilities and systems is necessary to identify sensitive applications. The risks (threats and hazards) shall be identified for each facility to determine the level of security required.

§ 201-7.103-2 Risk analysis.

(a) The agency shall perform a risk analysis for each ADP and telecommunications facility to provide an understanding of the probable losses and the effect of those losses (for example, what is the probability of loss of a tape or microfilm library and what is the economic or other consequence of that loss?). Expected losses should be estimated in dollars or other significant indicators, such as loss of data affecting vital programs. The analysis shall be performed before the approval of design specifications for new installations or whenever there is a significant change to the physical facility or to the hardware or software. The analysis shall be reviewed and updated whenever changes affecting the degree of protection occur. In any event, the interval between reviews shall not exceed 5 years. Each risk analysis shall be maintained for evaluation and audit purposes. These should be protected to the greatest extent practicable under law. Where national security systems are involved, appropriate classification and declassification markings shall be applied to the risk analysis package. These risk analyses are the basis for determining the type and scope of security measures required at each location. The National Bureau of Standards (NBS) publication, FIPS PUB 65, Guideline for Automatic Data Processing Risk Analysis, provides guidance on risk analysis.

(b) The analyses should include but not necessarily be limited to the following factors:

(1) Physical destruction or loss of data and program files;

(2) Impact of loss, destruction, or alteration of data on systems or programs;

(3) Theft or disclosure of information;

(4) Misuse of ADP system (fraud, vandalism, etc.);

(5) Delay or prevention of ADP operation; and

(6) Reliability of ADPE and utilities.

[blocks in formation]

Administrative, physical, and technical controls shall be developed to ensure attainment of security objectives. These controls encompass a continuous program of system and application security. They should be compatible with other practices, such as cost accounting and management oversight. Included are

(a) Organizational controls; e.g., those that have the potential to reduce damage or loss to the agency through concentration or distribution of functions;

(b) Media and logistic controls; e.g., those used in ADP operations to protect data during physical handling; and

(c) Accountability controls; e.g., those that identify specific individuals at any time an action is taken that may have an effect on the data, application, or physical installation.

§ 201-7.103-4 Privacy considerations.

ADP and telecommunication system security considerations related to implementation of the Privacy Act of 1974 (5 U.S.C. 552a) are contained in subpart 201-6.1. National Bureau of Standards (NBS) publication FIPS PUB 41, provides further guidance.

§ 201-7.104 Security program objectives.

The security program requires continuing day-to-day attention. The following program objectives need to be considered:

(a) Reduction of sensitive facilities. All locations need to be designed to safeguard the equipment and data against varying degrees of projected threats and hazards. Although all facilities must provide protection under varying circumstances, it may be prudent to move a sensitive data application to a system that provides adequate protection rather than spend enormous sums to upgrade security.

(b) Improvement of security at existing facilities. Security may be improved at existing facilities by either upgrading the physical security at the facility and/or by strengthening the administrative security practices. Strengthening administrative security, by applying sound management practices, can often be effective in minimizing losses and limiting alteration costs. Actions such as closing and locking doors, maintaining logs, verifying signatures, inspecting fire equipment, replacing air filters, and verifying emergency procedures are important continuing considerations. Security must be a daily concern that is given priority attention.

(c) Contingency plans. Plans should be developed to provide continuity of data processing support should normal operations be interrupted. Alternate facilities are essential for systems that process sensitive data applications. The alternate facility should have sufficient capacity to run its own sensitive data applications plus the sensitive applications of the downed system. The backup capability may reside in one or more systems or facilities but should be located so that operating personnel, programs, data, paper, forms, etc., can be made available on short notice. Agreements for use of the backup (alternate) facility should be made in advance so that sensitive data applications are operated with minimum interruption. Plans should be reviewed and tested at periodic intervals.

§ 201-7.105 Security specifications.

(a) The agency security program shall include a management control process to develop security specifications for new sensitive applications or modifications of sensitive applications. The development of a security specification consists of the identification of the sensitive application, a list of potential threats and hazards, and a description of the measures needed to protect the application.

(b) The security program should include procedures that ensure that security specifications are developed to meet the requirements of those responsible for the security of the various application systems.

(c) The security program must include procedures requiring the certification of each system after completion of the system acceptance tests and before operational use of that system. This action certifies that (1) the system meets the documented and approved system security specifications, (2) the results of the system test demonstrate adequacy of application security provisions, and (3) all applicable Federal policies, regulations, and standards are met.

[blocks in formation]

(c) The agency security program shall establish policies, criteria, and timetables for periodic recertification of all sensitive application systems, including those operated at contractor locations. The recertification timetable shall be based on the sensitivity of the information processed and the risk involved, but shall be conducted at least every 3 years.

§ 201-7.107 Security audit or evaluation.

(a) Agencies shall establish a program for conducting periodic audits or evaluations for evaluating and recertifying the adequacy of the security safeguards of each operational sensitive application.

(b) Audits shall be conducted by personnel other than those responsible for the operation and development of the system.

(c) The audit or evaluation shall include an examination of the data sensitivity; a verification and validation of the adequacy of physical, administrative, financial, and technical controls; and a review of the adequacy of security administration. Time intervals for audits or evaluations will be determined by the agency, based on the sensitivity of the operation, but at least every 3 years. All ADP and telecommunication facilities shall be included in this audit and evaluation.

Subpart 201-7.2—Environmental and Physical Security of Data Processing Facilities

§ 201-7.201 Facility environment.

An ADP facility environment conducive to both the protection of the Government's investment in ADP resources and the effective performance of the ADP function is essential. Care should be exercised in the selection of the ADP facility location to ensure the protection of supporting utilities and the minimization of natural disaster probabilities.

(a) Temperature and humidity. (1) Wherever possible, manufacturers' specifications for data processing equipment and Federal energy conservation considerations shall be used to determine the optimum temperature and humidity ranges for the computer
