Data Security

Data Protection Plan

Per the Federal Information Security Management Act and provisions of mandatory Federal Information Processing Standards (FIPS) 199 and NIST Security Plan 800-60, NORC’s Data Enclave system impact levels have been determined as follows:

Sensitivity Element | Impact Rating | Short Description of Basis for Rating
--------------------|---------------|--------------------------------------
Confidentiality     | Moderate      | The Data Enclave contains information of a proprietary nature. If this proprietary information were disclosed, it could result in serious loss of customer trust for NIST.


  • Employee Security Requirements. All NORC Data Enclave employees must undergo annual IT security awareness training in DOC IT policies, procedures, computer ethics, and best practices, in accordance with DOC IT Security Program Policy, section 3.13.
  • Rules of Behavior Requirements. NORC is in compliance with DOC IT Security Program Policy, section 4.5, and the NIST IT Security Management Handbook, including section 8.3 regarding policy on rules of behavior. The NIST Policy on IT Resources Access and Use must be followed for the rules of behavior for this system. Users must have received and signed the rules of behavior prior to receiving authorization to access this system. All NORC employees must sign a Confidentiality/Professional Ethics statement. NIST staff and all external researchers must also sign a confidentiality statement.
  • Nondisclosure Agreements. In addition to internal NORC confidentiality and ethics statements, all NORC Data Enclave employees must sign project-specific Non-disclosure Agreements as specified in Commerce Acquisition Regulation (CAR) 1352.209-72, Restrictions Against Disclosures.
  • IT System Security Requirements. NORC is in its 3rd year of operating under a NIST-approved System Certification and Accreditation (C&A) package, including an IT Security Plan and a system certification test plan, as outlined in DOC IT Security Program Policy, Section 6.5.2. NORC's Data Enclave IT Security Plan is fully compliant with the Federal Information Security Management Act and the provisions of mandatory Federal Information Processing Standards (FIPS), and meets all of NIST's IT, data, system and physical security requirements.
  • Applicable Laws and Regulations Affecting Data Enclave. The system is subject to the DOC IT Security Program Policy and Minimum Implementation Standards along with the IT security laws and federal regulations noted in Appendix A of that document including:
  • Network Connectivity Requirements. There are no direct connections between NORC’s facilities and NIST/ATP, except the remote access described under Access Controls. There are no interconnections other than those identified in the IT Security Plan documentation and the accompanying system diagrams. All system connectivity is via TCP/IP across the NORC Network Infrastructure. The Network Infrastructure systems provide all services for physical cabling, network frame synchronization/flow control/error checking, routing, switching, DNS, and remote dial-in access.
  • Remote Access Requirements. Remote connections to NORC internal resources (e.g., for telecommuting or travel) are made via Virtual Private Network (VPN) Secure Client/Secure Sockets Layer (SSL) Remote Access services, all of which are managed as part of the NORC Network Security system.
  • Physical Access Authorizations. NORC develops and maintains current lists of personnel with authorized access to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and issues appropriate credentials (e.g., badges, identification cards, smart cards). Designated officials within the organization review and approve the access list and authorization credentials annually.
  • Access to restricted areas is granted only after:
      • The request is made through the individual's manager
      • The request has been approved by the manager
  • Employees possess access cards, and these cards are deactivated immediately if not surrendered on the final day of employment.
  • Access cards for all general purpose areas are issued by the Facilities department.
  • Based on approval, access to restricted areas, like data centers, is activated by the Infrastructure and Systems Operations (ISO).
  • All entry points into all buildings and restricted areas are controlled by access control cards.
  • Access control cards are issued in accordance with Physical Access Authorizations.
  • Physical keys (for data centers and general space, i.e., access control card areas) are not widely distributed. Keys are meant to be used only in the event of a failure of the proximity software used to control access to spaces.
  • Only “super” users have keys (i.e., Director of Facilities, ISO representative).
  • The following points on the 14th and 16th floors of the One North State Street (Chicago) facility are monitored by a closed circuit video system:
        • Lobby doors
        • Back exits
        • Fire escapes
        • Hallways into anywhere equipment is stored
        • Between the east (phone shop) and west (IT Department) sides of the 14th floor.
        • Entrances to data centers.
  • The closed circuit video system uses digital cameras and is recorded by a digital media system.
  • The closed circuit video system is set up to record based on motion detection.
  • Recordings are made to a 300 GB hard drive, which allows for 1-2 months of recording.
  • The oldest recordings are recorded over first when space runs out on the hard drive.
  • Currently there are 25 days of video available at any given time.
  • The Facilities department is responsible for the issuing of access control cards and the implementation and maintenance of the closed circuit video system.
  NORC