REG NASA-LLIS-1464-2003 Lessons Learned Accident Investigations Information Technology (IT) Security Constraints and Policy Governing IT system support to Major Mishap Investigatio.pdf

1、Lessons Learned Entry: 1464Lesson Info:a71 Lesson Number: 1464a71 Lesson Date: 2003-08-31a71 Submitting Organization: JSCa71 Submitted by: David LengyelSubject: Accident Investigations/Information Technology (IT) Security Constraints and Policy Governing IT system support to Major Mishap Investigati

2、ons. Abstract: Clear IT security policies, consistent across all NASA Centers, need to be in place for care and management of ITAR, export control, and investigation sensitive information to avoid complications, cost, and delay.Description of Driving Event: On February 1, 2003 there was a NASA polic

3、y void concerning IT security requirements for web-based systems hosting ITAR and export controlled data. The NASA CIO deferred the policy to each Center CIO (in apparent contradiction of the “One NASA” vision), creating an inconsistent and confusing rule-set. The NASA CIO declined to clarify the ne

4、ed for two-factor-strong user authentication. Applications held to the higher standard of two-factor-strong user authentication requirements resulted in administrative burdens, hardware and software complications, cost, and delay.Lesson(s) Learned: It is critical that NASA has in-place, clear and co

5、nsistent IT security policies across all NASA centers as it relates to the care and management of ITAR, export control and investigation sensitive information.Recommendation(s): NASA must: Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-a71 Implement

6、 clear and consistent IT security policies across all NASA Centers as it relates to the care and management of ITAR, export control, and investigation sensitive information. Evidence of Recurrence Control Effectiveness: TBD NASA ResponseDocuments Related to Lesson: Agency Contingency Action Plan for

7、 Space Flight OperationsMission Directorate(s): a71 Space Operationsa71 Exploration SystemsAdditional Key Phrase(s): a71 Accident Investigationa71 Administration/Organizationa71 Computersa71 Configuration Managementa71 Information Technology/Systemsa71 NASA Standardsa71 Policy & Planninga71 Safety & Mission Assurancea71 SecurityAdditional Info: Approval Info: a71 Approval Date: 2004-06-16a71 Approval Name: Ronald Montaguea71 Approval Organization: JSCa71 Approval Phone Number: 281-483-8576Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-