DCID

Comply With DCID 6/3 Intelligence Information IS Security Standards

The Director of Central Intelligence Directive 6/3 Manual imposes strict controls for the protection of information systems containing intelligence data. It requires that information systems with access to such data be classified according to a specific High Confidentiality Level-of-Concern, and retain activity logs over a period of five years.

The DCID 6/3 guidelines also specify log monitoring, auditing, and reporting requirements. Among them is the automated creation of audit trails on security-relevant activities, their analysis on a weekly basis, and their protection against unauthorized access.

A Platform for Protecting Intelligence Data

SenSage provides agencies and contractors with the most flexible and cost-effective means of meeting the auditing requirements under DCID 6/3.

A unified data management platform consolidates the audit trails of all applications, and scales easily to meet the changing needs of the enterprise. It is capable of supporting the thousands or millions of records per day from hosts, network servers, routers, databases and applications, which must be retained for a period of up to five years.

Requirements Addressed by SenSage, by Audit/Protect Level

Audit 1, PL1, PL2, PL3, PL4, PL5
  • Collect audit logs from all security-relevant information systems.
  • Protect all audit trails from tampering.
  • Retain all audit trails for at least 5 years.
  • Perform at least weekly review of audit trails:
      • Successful/unsuccessful logons and logoffs.
      • Accesses to security-relevant objects and directories (open, close, modify, delete).
      • Privileged user activity at the system console (physical or logical) and other system-level accesses.

Audit 2, Audit 5, PL2, PL3, PL4
  • Support individual accountability, including the ability to audit user-level activity.
  • Allow periodic IS security testing by the ISSO or ISSM via intrusion/attack detection and monitoring tools.

Audit 3, PL2, PL3, PL4, PL5
  • Use audit reduction and analysis tools.

Audit 5, PL3, PL4
  • Maintain individual accountability (i.e. unique identification of each user and association of that identity with all auditable actions taken by that individual).
  • Support periodic IS security testing by the ISSO or ISSM via intrusion/attack detection and monitoring tools. These tools shall build upon audit reduction and analysis tools to aid the ISSO or ISSM in the monitoring and detection of suspicious, intrusive, or attack-like behavior patterns.

Audit 6, PL4, PL5
  • Enforce the capability to audit changes in security labels.
  • Implement the capability to audit accesses or attempted accesses to objects or data whose labels are inconsistent with user privileges.
  • Enforce the capability to audit all program initiations, information downgrades and overrides, and all other security-relevant events (including identified events that may be used in the exploitation of covert channels).
  • Shut down the system in the event of an audit failure, unless an alternative audit capacity exists.

Audit 7, PL4
  • Implement system capability to monitor occurrences of, or accumulation of, auditable events that may indicate an imminent violation of security policies.
  • Enforce system capability to notify the ISSO or ISSM of suspicious events and take the least-disruptive action to terminate the suspicious event.

Audit 8, PL5
  • Maintain individual accountability (i.e. unique identification of each user and association of that identity with all auditable actions taken by that individual).
  • Support at least monthly testing by the ISSO or ISSM via intrusion/attack detection and monitoring tools. These tools shall build upon audit reduction and analysis tools to aid the ISSO or ISSM in monitoring and detecting suspicious, intrusive, or attack-like behavior patterns.

Audit 9, PL5
  • Enforce system capability to monitor, in real time, occurrences of, or accumulation of, auditable events that may indicate an imminent violation of security policies.
  • Enforce system capability to notify the ISSO of suspicious events and take the least-disruptive action to terminate the suspicious event.