
Sensitive But Unclassified (SBU) Information


1 Sensitive But Unclassified (SBU) Information
Introduction: With a show of hands, how many of you have personal shredders? Why do you have personal shredders? What can an adversary learn about you or an agency by looking through the trash? Now let’s talk about safeguarding information which requires additional controls and protective measures. Developed by: Jesse R. Valdiviez, Program Manager, Training Office of Security Department of Homeland Security

2 Define Sensitive But Unclassified (SBU) information
Objectives Define Sensitive But Unclassified (SBU) information Properly mark SBU information Identify the methods of properly safeguarding SBU information Describe the proper methods of destroying SBU information List the steps to take in the event of an incident involving SBU information Our objectives today are as follows; upon completion of this training, you will be able to: 1. define Sensitive But Unclassified, or SBU, information; 2. properly mark SBU information; 3. identify the methods of properly safeguarding SBU information; 4. describe the proper methods of destroying SBU information; and 5. list the steps to take in the event of an incident involving SBU information.

3 References For Official Use Only (FOUO)
MD , Safeguarding Sensitive But Unclassified (FOUO) Information Sensitive Security Information (SSI) MD ; 49 CFR Part 15 and 1520 Protected Critical Infrastructure Information (PCII) 6 CFR Part 29 Here are some references that pertain to Sensitive But Unclassified information.

4 Sensitive But Unclassified Information
Is concerned with information - other than classified information - that requires some type of control or protective measure. This information is generally known as “Sensitive But Unclassified (SBU)” information. USCG uses FOUO, SSI & LES Sensitive But Unclassified The Information Security program is concerned with protecting information that is unclassified but is sensitive in nature. Information that requires some type of control and protection from unauthorized disclosure is known as Sensitive But Unclassified information or SBU. These are some of the SBU terms you may come in contact with and work with on a daily basis. Here at USCG we use For Official Use Only, Sensitive Security Information (see DHS ) and Law Enforcement Sensitive. OUO SSI FOUO DEA Sensitive LES

5 Caveats Used by Various Agencies to Identify Sensitive Information
Official Use Only (OUO) Law Enforcement Sensitive (LES) Limited Official Use (LOU) DEA Sensitive Many others used by government agencies The following are some caveats used by various agencies to identify sensitive information. Remember this is not all inclusive. There are well over 150 terms used throughout the Federal Government. Regardless of the caveat used to identify the information, the reason for the designation does not change. It must be protected in the same manner as we protect FOUO.

6 For Official Use Only (FOUO) Information
A DHS term used to identify unclassified information of a sensitive nature, not otherwise categorized by statute or regulation, the unauthorized disclosure of which could adversely impact a person’s privacy or welfare, the conduct of Federal programs, or other programs or operations essential to the national interest. (As described in DHS MD ) Here at USCG we use the DHS FOUO as the designator to identify our SBU information. FOUO information, if disclosed, could jeopardize our privacy or the welfare of our personnel, programs, operations and projects we are involved with.

7 For Official Use Only (FOUO) Information
- Retains the FOUO designation until determined otherwise by someone with jurisdiction over the information - Does not require declassification markings - Will not be posted to public websites - No clearance needed for access; however, there has to be a ‘need-to-know’ FOUO retains the designation until someone with jurisdiction over the information determines otherwise. Remember, FOUO is not a classification and does not require classification markings. However, it is sensitive information and should not be released to persons without a valid need-to-know. Do not post FOUO on any public websites.

8 What is “Need-to-Know”?
“A determination made by an authorized holder of the information that a prospective recipient requires access to the information in order to perform or assist in a lawful and authorized governmental function.”* *DHS MD If I am holding information that is FOUO and someone is asking for it, I must first determine if that person has a Need-to-Know and requires this info to perform their official government duties. Once I have made that determination I can turn this information over to that person. How should I determine if they are authorized to have this information? If I have FOUO info that has been generated by my office I could request dissemination instructions from my next-level supervisor. If the information was generated by another agency or organization I can contact them for instructions and policy on third party dissemination. I could call the person's agency and talk to their supervisor to verify their Need-to-Know and verify who they are. I would make a memo for record on who I gave that info to and describe the type of info and the date and time it was issued. If I am sending this information via e-mail or fax, I need to verify the person who is receiving this information on the other end and that they have the Need-to-Know. Once a fax or e-mail is complete you should make contact with that person and verify they are in receipt of all information that was sent.

9 Examples of FOUO System security data, such as threat assessments, system security plans, contingency plans, risk management plans, etc. Reviews or reports illustrating or disclosing facility infrastructure or vulnerabilities, such as blueprints and schematics Information that could threaten Operations Security (OPSEC), such as indicators of government intentions, capabilities, operations, or activities Another example of FOUO is system security data. System security data consists of threat assessments, system security plans, contingency plans, risk management plans, etc. Other examples of FOUO are reviews or reports illustrating or disclosing facility infrastructure or vulnerabilities, and information that could threaten Operations Security (OPSEC). Some examples include indicators of government intentions, capabilities, operations, or activities.

10 Who can designate information as FOUO?
Any USCG employee may designate/mark information as FOUO as long as it falls into one or more of the 11 categories: (As described in DHS MD ) Officials occupying supervisory or managerial positions may designate information originating under their jurisdiction as FOUO if information does not meet any of the 11 categories on determining FOUO. Any USCG employee may designate or mark information as FOUO as long as it falls into one or more of the 11 categories as described in DHS Management Directive. However, only officials occupying supervisory or managerial positions may designate information originating under their jurisdiction as FOUO if the information does not meet the 11 categories.

11 General Handling Procedures
Types of FOUO may be more sensitive than others; i.e., Information that could: Reveal sensitive sources and methods of operations Cause loss of life of an informant Compromise an important law enforcement operation Determining safeguards in excess of the minimum Use sound judgment, coupled with evaluating the risk, vulnerabilities, and potential damage to personnel or property as the basis There are several types of FOUO that are more sensitive than other types of information. An example is Drug Enforcement Agency information. The information may be unclassified by itself; however, combining pieces of information together could reveal sensitive sources and methods of operation. It is important to evaluate the risk, vulnerability, and potential damage to personnel or property when determining safeguarding in excess of the minimum, as we're going to discuss.

12 Marking FOUO Information
For Official Use Only SECRET FOR OFFICIAL USE ONLY CONFIDENTIAL Classification of Information Information designated as FOUO will be sufficiently marked so that persons having access to it are aware of its sensitivity and protection requirements. 1 TITLE PAGE For Official Use Only (FOUO) 3 OFFICIAL USE ONLY 2 FIRST PAGE and INTERNAL PAGES – Mark “FOR OFFICIAL USE ONLY” FRONT COVER, TITLE PAGE, and OUTSIDE BACK COVER – Mark the bottom “FOR OFFICIAL USE ONLY” SAMPLE DEPARTMENT Of HOMELAND SECURITY June 1, 2005 Classification of Information FOUO will be marked, as a minimum, on the bottom of every page to include the front and back covers of multi-page documents.

13 Marking FOUO Information
Marked For Official Use Only to alert holder or viewer For Official Use Only For Official Use Only Material other than paper documents (e.g. slides, computer media, films, etc.) shall bear markings which alert the holder or viewer that the material contains FOUO information

14 Expanded Markings for Non-USCG Holders
WARNING: This document is FOR OFFICIAL USE ONLY (FOUO). It contains information exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is also controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid “need-to-know” without prior approval of an authorized DHS official. For Official Use Only FOUO documents and material transmitted outside DOD must bear an expanded marking on the face of the document. Question: Why do we have to expand and explain the meaning of the marking FOUO? Doesn’t everyone know what FOUO means? [so that non-DOD holders understand how to protect the information.] Warning: This document is For Official Use Only…

15 Declassification markings are not applicable.
Duration FOUO retains the designation until determined otherwise by someone with jurisdiction over the information. Declassification markings are not applicable. Remember, FOUO retains the designation until determined otherwise by someone with jurisdiction.

16 Access Access is based on “Need-To-Know”
Where there is an uncertainty about the requestor’s need-to-know The holder of the information will request dissemination instructions from their next-level supervisor or the information's originator. Security clearance is not required for access to FOUO information So how do I determine access? Access is based on a “need-to-know”. This means that you, the holder of the information, have to make a determination that the prospective recipient requires access to that information in order to perform or assist in a lawful and authorized governmental function; in other words, official duties. When in doubt ask your immediate supervisor or contact the security office. Remember – a security clearance is “not” required for access to FOUO information.

17 Dissemination Take precautions to prevent unauthorized access
FOUO will not be disseminated orally, visually, or electronically to unauthorized personnel Disseminate to other agencies as determined necessary for official business: Federal, state, tribal, local government, law enforcement officials Establish a “Need-To-Know” When requested by an official from another government agency and there’s no coordinated official governmental activity, a written request will be made to the applicable USCG program office for release determination As an employee of USCG you must take precautions to prevent unauthorized access to FOUO. Do not disseminate FOUO orally, visually, or electronically to unauthorized personnel. Disseminate to other agencies such as Federal, state, tribal, local government, law enforcement officials as determined necessary for Official Business. As discussed in an earlier slide, remember to establish a “Need-to-know” when requested by an official from another government agency. Where FOUO info is requested by an official of another agency and there’s no coordinated or other official governmental activity, a written request will be made from the requesting agency to the applicable USCG program office for release determination (see DHS MD H.6).

18 Dissemination Discussing FOUO over non-secure methods
Use of a Secure Telephone Unit (STU III) or Secure Telephone Equipment (STE) is encouraged, but not required Avoid discussing FOUO over non-secure means if possible. Be aware of your surroundings when discussing FOUO. STU or STE are encouraged but not required.

19 Keep under personal control
Safeguarding During working hours Keep under personal control Use FOUO coversheets Turn the document over Minimize access How do I safeguard FOUO information during working hours? Keep it under personal control which means the use of FOUO coversheets. Another way to protect the information is by merely turning the document over. Or just minimizing access to an unauthorized recipient.

20 Safeguarding After working hours
Store in a locked file cabinet, locked desk drawer, or locked overhead storage compartment Store in a room or area that has sufficient access control measures to afford adequate protection to prevent unauthorized access such as a locked room or area with a guard, cipher lock, or card reader How do I store FOUO after duty hours? It’s a good idea to store the material in a locked file cabinet, locked desk drawer, or locked overhead storage compartment when not in use. Store in a room or area that has sufficient access control measures to afford adequate protection to prevent unauthorized access such as a locked room or area with a guard, cipher lock, or card reader.

21 Safeguarding Information Technology systems that store FOUO:
Will be certified and accredited for operation Laptop computers and other media containing FOUO will be stored and protected to prevent loss, theft, unauthorized access and disclosure Consult DHS Information Technology Security Program Handbook for Sensitive Systems, Publication 4300A, for more information Information Technology systems that store FOUO will be certified and accredited for operation. Laptop computers and other media containing FOUO will also be accredited. Make sure to store and protect your computer to prevent loss, theft, unauthorized access and disclosure. Consult DHS Information Technology Security Program Handbook for Sensitive Systems, Publication 4300A, for more information.

22 Internet/Intranet FOUO will not be posted on a USCG or any other internet (public) website FOUO may be posted on the USCG intranet or other government controlled network Remember that access to the information is on a “need-to-know” basis. The official must determine that the information applies to all personnel in an official capacity FOUO will not be sent to personal accounts The internet and/or intranet pose many problems. Remember, FOUO will not be posted on any USCG or other internet (public) websites. However, FOUO may be posted on the USCG intranet or other government controlled network. Remember, as discussed earlier, access to FOUO information is on a “need-to-know” basis. If you are posting FOUO on the intranet, the official must determine that the information applies to “all” personnel in an official capacity. When in doubt contact your cognizant security manager or the Office of Security Policy and Management (CG-861). FOUO will not be sent to personal accounts at any time.

23 Transmission Transmission within the U.S. and its territories:
Placed in a single opaque envelope or container and sealed to prevent inadvertent opening and to show evidence of tampering Mailed - US Postal Service (First class mail) Overnight - Accountable commercial delivery service (e.g. FedEx, United Parcel Service, etc.) Inter-office mail system – is authorized provided it is afforded sufficient protection to prevent unauthorized access (e.g., sealed envelope) We have discussed storage; now let's talk about transmission and transportation of FOUO within the U.S. and its Territories. Before we transmit FOUO information it must be placed in a single opaque envelope or container and sealed to prevent inadvertent opening and to show evidence of tampering. When we mail FOUO we must use US Postal Service (First class mail). Using overnight mail we must use an accountable commercial delivery service such as FedEx, United Parcel Service, etc. When using an inter-office mail system we have to make sure it affords sufficient protection to prevent unauthorized access (e.g., coversheet, sealed envelope, etc.).

24 Transmission Facsimile - by secure communications, whenever practical but not required Coordinate with the recipient to ensure the materials faxed will not be left unattended or subject to possible unauthorized disclosure E-mail – should be protected by encryption or transmitted within secure communication systems If impractical or unavailable, FOUO may be transmitted over regular channels. Using “Password Protect Attachment” is encouraged Sending FOUO via facsimile is approved; however, the use of secure communications is encouraged whenever practical but not required. Make sure to coordinate with the recipient to ensure the materials faxed will not be left unattended or subject to possible unauthorized disclosure. FOUO transmitted via e-mail should be protected by encryption or transmitted within secure communication systems. If impractical or unavailable, FOUO may be transmitted over regular channels. Use of “Password Protect Attachment” is encouraged.

25 Destruction Methods of destruction
“Paper Products” will be destroyed by shredding, burning, pulping, pulverizing Discard the pieces in regular trash or recycle receptacles Contact your local security personnel for additional guidance Electronic Media Sanitizing by overwriting or degaussing Contact your local IT security personnel for additional guidance The destruction of FOUO is very important. Some of the methods of destruction of “Hard Copy and Paper Products” include shredding, burning, pulping, pulverizing and discarding the pieces in regular trash or recycle receptacles. The destruction of Electronic Media includes sanitizing by overwriting or degaussing. Please contact your local IT security personnel for additional guidance.

26 Incident Reporting Report loss or compromise, suspected compromise, or unauthorized disclosure of FOUO to the local security official. Incidents involving USCG IT systems will be reported to the Computer Incident Response Center Loss or compromise, suspected compromise, or unauthorized disclosure of FOUO must be reported to the originator of the information and to the local security official. Report any incidents involving USCG IT systems to the Computer Incident Response Center.

27 Let’s check your knowledge!

28 Information that requires additional controls and protective measures
What is Sensitive But Unclassified information? Information that requires additional controls and protective measures

29 True or False FOUO can be transmitted via Parcel Service (UPS). True

30 False. The determination is made by the “holder” of the information.
True or False Access to FOUO is determined by the recipient of the information. False. The determination is made by the “holder” of the information.

31 What are the proper destruction methods for SBU Information?
Burning, Shredding, Pulping, and Pulverizing beyond recognition then disposing into regular trash

32 Summary Sensitive But Unclassified (SBU) information definition
SBU information marking Safeguarding SBU information Destroying SBU information Incidents involving SBU information. In summary, we have defined the term “Sensitive But Unclassified (SBU)” information. Sensitive But Unclassified (SBU) is not classified information but rather other types of information that require additional controls and protective measures. We identified the different types of Sensitive But Unclassified information that, as an employee of DHS, you may come in contact with, such as FOUO, LES, PCII, NSI, etc. You can describe the protection requirements for each category of Sensitive But Unclassified information as discussed, as well as identify the proper destruction techniques for FOUO. Finally, you now know how to report incidents involving SBU information.

33 Information Security Specialist
QUESTIONS? POINT OF CONTACT: Judy Petsch, CISSP Information Security Specialist

