Presentation is loading. Please wait.

Presentation is loading. Please wait.

Agenda Scope of Requirement Security Requirements

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Agenda Scope of Requirement Security Requirements"— Presentation transcript:

0 Security Requirements
DRAFT: EOBR Security Requirements

1 Agenda Scope of Requirement Security Requirements
Applicable Guidelines Access Control Requirement Data Protection Requirement Security Controls

2 Scope of Requirement Roadside EOBR Data Receiver (Mobile Devices)
Commercial Motor Vehicle Onboard EOBR Equipment

3 Security Requirements
Major Security Requirements Access Control Device must be uniquely identified EOBR should uniquely identify each driver Users must be uniquely identified for EOBR access Data Protection Sensitive data and PII must be encrypted Data at rest must be protected Data in Transit must be protected Device should be tamper resistant I understand that Federal law provides for punishment under Title 18, U.S. Code, including a fine and up to 10 years in jail for the first offense for anyone who: a) Knowingly accesses an information system without authorization, or exceeds authorized access and obtains information that requires protection against unauthorized disclosure. b) Intentionally, without authorization, accesses a Government information system and impacts the Government’s operation, including availability of that system. c) Intentionally accesses a Government information system without authorization, and alters, damages or destroys information therein. d) Prevents authorized use of the system or accesses a Government information system without authorization, or exceeds authorized access, and obtains anything of value. My signature below indicates that I have read, have understood, and will comply with the above stated requirements as a condition of maintaining active accounts with access to FMCSA IT systems. I also understand that failure to comply with these requirements may result in disciplinary action.

4 Applicable Guidelines
National Institute for Standards and Technology (NIST) recommendations – Wireless Security SP : Establishing Wireless Robust Security Networks - A Guide to IEEE i SP : Guide to Bluetooth Security SP Rev. 1:Guide to Securing Legacy IEEE Wireless Networks SP : DRAFT Guidelines for Securing Wireless Local Area Networks (WLANs) SP : Guide to Securing WiMAX Wireless Communications SP :Recommendation for EAP Methods Used in Wireless Network Access Authentication SP : Guidelines for Securing Radio Frequency Identification (RFID) Systems

5 Applicable Guidelines
NIST recommendations – Access Control and Data Protection SP : Electronic Authentication Guideline SP Rev.3: Recommended Security Controls for Federal Information Systems and Organization Federal Information Processing Standards (FIPS)140—2: Security Requirements for Cryptographic Modules NIST SP : Guide to Protecting the Confidentiality of PII

6 Access Control Requirements
The Access Control Function provides for the user access control that allows users to gain access to information and control parts of the EOBR system for which they are authorized. The EOBR system shall implement, manage and maintain an access control system that authorizes user access levels. All subsystems that transmit, receive or store data on behalf of the EOBR system shall maintain data access controls. All EOBR system users shall be registered and authorized by the access control system. The EOBR system shall control access to data based on access rules and the assignment of user roles.

7 Access Control Requirements
The EOBR shall restrict access to those parts of the system for which a user is not authorized. The EOBR shall detect and alert attempts to access parts of the EOBR system by unauthorized users. Authorized Motor Carrier/Service Provider users shall be granted access to EOBR information pertaining to their operations. Authorized Commercial Motor Vehicle Driver users shall be granted access to EOBR information pertaining to their operations. The EOBR shall allow access to EOBR data with or without the unique identification data elements intact, depending on the user access privileges. The EOBR shall track all data exchanges, and associate what data is provided to which user.

8 Data Protection Requirements
The Data Protection function protects the system from tampering, and protects the EOBR data from exposure to unauthorized users. The EOBR shall implement safeguards to defend against unauthorized attempts to access data. The EOBR shall protect EOBR data collected, stored, disseminated, or transmitted from inadvertent alteration, spoofing, tampering, and other deliberate corruption. The EOBR shall implement measures to protect data privacy and maintain system security (including protection against unauthorized access, use, modification, destruction, or denial of service)

9 Data Protection Requirements
All subsystems which transmit, receive or store EOBR data shall also handle the data in accordance with federal and state regulations including the Drivers Privacy Protection Act and related state laws The EOBR shall implement methods for system disaster recovery and rebuild. The EOBR shall provide auditing capability The EOBR shall provide a self check to ensure accuracy of data EOBR shall use industry best practices for file formats Allow only one way transfer from EOBR device to the data receiver (wired or wireless)

10 Security Controls Management Well defined usage policy
IT Security Policies Agreements with External Organizations Minimizing sensitive data stored on Tags Operational Secure Disposal of Tags containing sensitive data Warning Banner upon login

11 Questions? Questions Andrew Orndorff-DOT CISO andrew.orndorff@dot.gov
Bunmi Ogunlade - FMCSA ISSO Pam Gosier-Cox – FMCSA Privacy Officer

Download ppt "Agenda Scope of Requirement Security Requirements"

Similar presentations

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
Identity Management In A Federated Environment Identity Protection and Management Conference Presented by Samuel P. Jenkins, Director Defense Privacy and.

Identity Management In A Federated Environment Identity Protection and Management Conference Presented by Samuel P. Jenkins, Director Defense Privacy and.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Auditing Computer Systems

Auditing Computer Systems
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.

SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Data Management Awareness January 23, 2008 1 University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.

Data Management Awareness January 23, University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.
Proposal for an achievable, cost effective Security Concept for EOBRs C. Hardinge / A. Lindinger.

Proposal for an achievable, cost effective Security Concept for EOBRs C. Hardinge / A. Lindinger.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
UW Information Systems Security Policy Stephen Rondeau Institute of Technology Computing Labs Administrator 18 Nov 2005.

UW Information Systems Security Policy Stephen Rondeau Institute of Technology Computing Labs Administrator 18 Nov 2005.
Information Systems Security Officer

Information Systems Security Officer

Similar presentations

Ads by Google