Interconnection Security Agreement (ISA)
Yes, someone in your organization must have this title. It is not required that this be a separate position; for instance, someone in the IT department might be designated for this role in addition to other duties. We require that you schedule security training for that individual and document a daily security task list (review event logs, patch servers, etc.).
The Interconnection Security Agreement is federally mandated for any system, contractor, or agency that touches the federal network. It is a component of the Security Certification and Accreditation process, which is also federally mandated.
What is the background check? We have done a drug and background check for all tribal employees. Is this all we need to do?
IT personnel should have a Public Trust, Level 5 background check. Below are guidelines for determining the sensitivity levels for various personnel:
| Position Sensitivity Designations/Access Codes | Non-Sensitive Positions | National Security Positions | Public Trust Positions |
|---|---|---|---|
| Sensitivity Levels | Level 1 Non-Sensitive | Level 2 Non-critical Sensitive; Level 2 Critical Sensitive; Level 2 Special Sensitive | Level 5 Moderate Risk; Level 6 High Risk |
The level of sensitivity of a position should be determined using the position description and the types of data and systems accessed by the employee in the performance of his/her duties. Ultimately, the determination of position sensitivity from an IT perspective is based on the type and degree of harm the individual could cause through misuse of the system. This potential for harm increases as the level of access to sensitive, financial, and/or classified information increases.
Security Awareness Training can be taken at this site:
It is required annually, and must be taken within 60 days of employment.
The training for ISSOs should include in-depth coverage of the threats and vulnerabilities related to their systems, techniques for detecting and reacting to incidents, and techniques for implementing Part 8, Chapter 12, "IT Security," Indian Health Service Manual in their environment. The IHS Manual can be found here:
All sites are defined as having an "interconnect" because site users access highly sensitive data across a federal network.
Are any data services offered by IHS, such as offline backup or use auditing, as required in the "Interconnection Security Agreement"?
Backup and auditing of the patient databases at the Sacramento location is conducted by IHS personnel. Backup and auditing at the sites is the responsibility of the site, but there are excellent Windows operating system tools and open source utilities available.
The National Institute of Standards and Technology (NIST) Special Publication 800-47, Appendix A, discusses ISAs. The entire NIST 800 series can be found here:
We have a backup and recovery system - is this good enough, or is there some specific standard needed to comply with the ISA?
Contingency planning is addressed in the NIST document 800-34, which can be found here:
As soon as possible. That having been said, the California Area Office will be doing annual testing in August, 2007 and risk assessment in September, 2007. That would probably be a good target to aim for.
We're not able to discuss the specifics of IHS encryption in an FAQ, but all router-to-router packets are encrypted. Beyond that, we recommend that file system encryption be implemented at all sites. Excellent open source tools that are Federal Information Processing Standards (FIPS) compliant are available to accomplish this.
How do you suggest we audit/monitor our users? What software should we use and who pays for the software?
Systems Administrators at the sites should take advantage of the built-in auditing and monitoring capabilities of the Windows server environment. The principle of "least access" should be implemented so that users are only able to access the resources required for their work assignments.
Network monitoring at the router level is performed by IHS personnel. Deployment of proprietary monitoring software for the site LAN (your side of the router) is up to the site manager.
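As an added illustration, not part of the original FAQ, of what a daily "review event logs" task using only the built-in Windows auditing looks like: a PowerShell script that summarises failed logons, account lockouts and audit-log clearing from the Security log on the local server. The event IDs are standard Windows ones; the review window and failure threshold are assumed values.

```powershell
# Added example (not from the IHS FAQ). Reads the local Security log with
# built-in cmdlets only. Assumes logon auditing is already enabled; check with
#   auditpol /get /category:Logon/Logoff
param([int]$Hours = 24, [int]$FailureThreshold = 10)   # assumed defaults

$since = (Get-Date).AddHours(-$Hours)
# 4625 = failed logon, 4740 = account locked out, 1102 = audit log cleared
$events = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4625, 4740, 1102; StartTime = $since} `
                       -ErrorAction SilentlyContinue

# Pull a named field out of the event's EventData XML (works for 4625 and 4740)
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

"Failed logons since $since (accounts at or above $FailureThreshold are flagged):"
$events | Where-Object Id -eq 4625 |
    ForEach-Object {
        [pscustomobject]@{ Account = Get-EventField $_ 'TargetUserName'
                           Source  = Get-EventField $_ 'IpAddress' }
    } |
    Group-Object Account | Sort-Object Count -Descending |
    ForEach-Object {
        $flag = if ($_.Count -ge $FailureThreshold) { 'REVIEW' } else { '' }
        '{0,-25} failures={1,-4} sources={2} {3}' -f $_.Name, $_.Count,
            (($_.Group.Source | Sort-Object -Unique) -join ','), $flag
    }

"Lockouts and audit-log clearing (always worth a look):"
$events | Where-Object { $_.Id -in 4740, 1102 } |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = {
            # 1102 stores its data under UserData, so fall back to the message text
            if ($_.Id -eq 4740) { Get-EventField $_ 'TargetUserName' }
            else { ($_.Message -split "`n")[0] } } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the server being reviewed; reading the Security log requires administrative rights.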
Where do we find the awareness training site? How is it used? Is this a web site? Is it a paper test?
Security Awareness Training can be taken at this site:
http://www.isa.ihs.gov/ (If the site is down, there is a paper test.)
It's recommended that a best effort be made to ensure that 24/7 contact is possible in the event of a security incident. Remote sites without cell tower coverage should make the home phone numbers of responsible individuals known to the CAO IT staff.
An alternate to the System Administrator should be known to the CAO IT staff in the event that the System Administrator is not available. However, it is recommended that the System Administrator develop some method to access the system remotely.
A persistent connection is defined as an uninterrupted stream of IP packets between the site router and the IHS network.
Do you have examples of the disaster recovery plan or the security plan so we have some idea what it should look like?
The NIST 800-34 document provides guidance for Contingency Plans. The NIST 800-18 addresses Security Plans. These documents can be found here:
Templates can be found readily online.
Our site hosts our own RPMS database - do we still need to sign an Interconnection Security Agreement?
If your site is on the federal network (in the 161.223.x.x IP range), or you have federal accounts for email or VPN, or you in any other way access restricted federal resources, yes.
The NIST 800-61 provides guidance with defining security incidents. It can be found here: