Archive for February, 2008
DIACAP Activity #4 Maintain Authorization to Operate and Conduct Review

Maintain Situational Awareness

Included in the IA controls assigned to all DoD ISs are IA controls related to configuration and vulnerability management, performance monitoring, and periodic independent evaluations (e.g., penetration testing). The IAM continuously monitors the system or information environment for security-relevant events and configuration changes that negatively impact IA posture and periodically assesses the quality of IA controls implementation against performance indicators such as security incidents, feedback from external inspection agencies (e.g., IG DoD, Government Accountability Office (GAO)), exercises, and operational evaluations. In addition the IAM may, independently or at the direction of the CA or DAA, schedule a revalidation of any or all IA controls at any time. Reference (a) requires revalidation of a select number of IA controls at least annually. (DoD 8510.01, 6.3.4.1)

Knowing what is going on with the system is the job of the Information Assurance Manager (IAM). This can be delegated to the Information Assurance Officer (IAO), or the IAM and IAO may be the same person, but keep in mind that these positions require training and a technical and security certification (IAW DoD 8570).

Maintain IA Posture

Ensuring that there are no changes to the IA posture falls on the shoulders of the IAM. This includes making sure that the established baseline of the system has no significant changes. Most patches (even security patches) will have a minimal impact on the system. Applicable patches should always be tested before being put on a system. Major patches are usually service packs, which may actually change the IA posture. The DIACAP Team should be involved with any major changes to the IA posture. They will also decide which modifications, upgrades and additions should be considered changes to the IA posture of the system. At a minimum, the Program Manager, IAM, subject matter experts (software/system security engineers) and information system owner/user representative should be a part of that decision.

What will likely be considered a change to the IA Posture:

Adding IA products (firewalls, intrusion detection systems, etc.)

Some internetworking devices such as Routers and Switches

New operating systems

Major upgrades to software or operating systems (not including support applications)

Newly discovered major vulnerabilities

*Basically any major change that will affect the security, supportability, usability, or interoperability of the system. It is important to have the who, what, when and where of sustainability, new risks, and usability requirements in writing. Information Assurance includes all of these things, not just security.

What are usually not changes to the IA Posture: 

Most NOTAMs/IAVAs/TCNOs (such as Office patches, browser upgrades, etc.)

Re-positioning equipment within the office (as long as the IAM has readable documentation on the data connections)

Adding passive peripheral devices such as stand-alone printers, scanners and new monitors (devices with connectivity to external sources, such as fax machines and shared external network printers, should go before the DIACAP Team)

Devices such as DVD and CD drives and hard drives with more capacity may not affect the IA Posture, but it is best to have some formalized method of tracking upgrades to hardware, especially on mission systems, as some changes could have unpredictable effects.

Annual FISMA Reviews

DIACAP includes the task of performing reviews of the system annually. This is one of the key features of the Federal Information System Management Act of 2002. Whatever command or branch of the DoD you reside in, your system has the potential of being audited annually to make sure it is in compliance with federal regulations. The eMASS IT portfolio management systems (EITDR, DITPR-DON, APMS) also have this feature integrated into their key functions. All data on each system's IA posture is collected annually. This is done by the IAMs and/or the DIACAP Team.

Additionally, each system must be re-accredited every three years:

6.3.4.4. Initiate Reaccreditation. In accordance with OMB Circular A-130 (Reference (s)), an IS must be recertified and reaccredited once every 3 years. The results of an annual review or a major change in the IA posture at any time may also indicate the need for recertification and reaccreditation of the IS.  DoD 8510.01, 6.3.4.4

From DoD 8510.01, DIACAP: 

6.3.4.1.1. DoD ISs with a current ATO that are found to be operating in an unacceptable IA posture through GAO audits, IG DoD audits, or other reviews or events such as an annual security review or compliance validation shall have the newly identified weakness added to an existing or newly created IT Security POA&M.

6.3.4.1.2. If a newly discovered CAT I weakness on a DoD IS operating with an ATO cannot be corrected within 30 days, the system can only continue operation under the terms prescribed in subparagraph 6.3.3.2.6.1.2.

6.3.4.1.3. If a newly discovered CAT II weakness on a DoD IS operating with a current ATO cannot be corrected or satisfactorily mitigated within 90 days, the system can only continue operation under the terms prescribed in subparagraph 6.3.3.2.6.2.5.

6.3.4.2. Maintain IA Posture. The IAM may recommend changes or improvement to the implementation of assigned IA controls, the assignment of additional IA controls, or changes or improvements to the design of the IS itself.

6.3.4.3. Perform Reviews. The IAM shall annually provide a written or DoD PKI-certified digitally signed statement to the DAA and the CA that indicates the results of the security review of all IA controls and the testing of selected IA controls as required by Reference (a). The review will either confirm the effectiveness of assigned IA controls and their implementation, or it will recommend: changes such as those described in subparagraph 6.3.4.2.; a change in accreditation status (e.g., accreditation status is downgraded to IATO or DATO); or development of an IT Security POA&M. The CA and DAA shall review the IAM statement in light of mission and information environment indicators and determine a course of action that will be provided to the concerned CIO or SIAO for reporting requirements described in Reference (a). The date of the annual security review will be recorded in the SIP. A DAA may downgrade or revoke an accreditation decision at any time if risk conditions or concerns so warrant.

6.3.4.4. Initiate Reaccreditation. In accordance with OMB Circular A-130 (Reference (s)), an IS must be recertified and reaccredited once every 3 years. The results of an annual review or a major change in the IA posture at any time may also indicate the need for recertification and reaccreditation of the IS.

Ofori Nana *scam*?

**the messed up thing about these emails is that even if some of them happen to be true, there are so many that are fake that no one believes ANY of them**

Nana Ofori
reply-to: oforinana2007@yahoo.cn
to: undisclosed-recipients
date: Tue, Feb 19, 2008 at 9:33 AM
subject: From: Mr. Ofori Nana
mailed-by: sapo.pt


From: Mr. Ofori Nana

Hello,

Please pardon me for not having the liberty of knowing your mindset before writing you this letter without any formal introduction. I am Ofori Nana, the Manager of International commercial Bank, Dansoman, Ghana.

I write to solicit for your partnership in claiming the amount of
US$5.3M from an account at our Head Office. The aforementioned money is my part from a Gold Mining project that I helped finance influentially.

However, due to the fact that I am a government worker, I won't be allowed to lay claim to the funds. So I am compelled to ask that you stand on my behalf and receive this money into any account that is solely controlled by you. I am ready to compensate you with as much as 40% as gratification for being my partner in the transaction. I guarantee you that this fund release will be carried out legally and officially so as to avoid any hitches or problems in future.

If you will work with me then let me hear from you soonest.

Yours Truly,

Mr. Ofori Nana.

A special message from Mou Xinsheng

PUBLIC SAFETY ANNOUNCEMENT
DO NOT send personal information to this address:
xinsheng45@yahoo.com.hk

MR MOU XINSHENG
reply-to: xinsheng45@yahoo.com.hk
to: undisclosed-recipients
date: Feb 11, 2008 9:44 PM
subject: Re:Hello


Hello,

I want to solicit your attention to receive money on my behalf. I will send
you the full details and more information about myself and the
funds. Please ensure you reply to me via my personal email:
xinsheng45@yahoo.com.hk

Thank you,
Mou Xinsheng.

Tax refund – Online form *SCAM*

Fake IRS TAX Refund

How do I know this is a scam?

1) The IRS does not care enough to send me, you or Jesus Christ himself a personalized email about a tax refund.

2) The IRS seal in this scam email is linked from Wikipedia *indicating that whoever made this is a hilariously stupid scammer*

3) Found this link in the email’s “Click here”: http://www.terast.co.jp

I hope the U.S. IRS is tracking this idiot.


reply-to: service-refundtax@refirs.gov
to:
date: Feb 17, 2008 4:56 PM
subject: Tax refund – Online form


After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $480.23.
Please submit the tax refund request and allow us 3-6 days in order to
process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Note: For security reasons, we will record your ip-address, the date and time.
Deliberate wrong inputs are criminally pursued and indicated.

Regards,
Internal Revenue Service

Copyright 2008, Internal Revenue Service U.S.A. All rights reserved
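Taking the tells the post lists, here is an added example (not code from the original post) that checks a constructed copy of such a message for From/Reply-To domains that are not the claimed sender's, links leading off that domain, and branding images hot-linked from third-party sites; the legitimate-domain list irs.gov is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the "Tax refund" message above, not the real
# message: a look-alike Reply-To domain, the seal image hot-linked from
# Wikipedia, and a "click here" link that leads somewhere unrelated to the IRS.
SAMPLE_EMAIL = """\
From: Internal Revenue Service <service-refundtax@refirs.gov>
Reply-To: service-refundtax@refirs.gov
Subject: Tax refund - Online form
Content-Type: text/html

<html><body>
<img src="http://en.wikipedia.org/example/irs_seal.png">
<p>You are eligible to receive a tax refund of $480.23.</p>
<p>To access the form, please <a href="http://www.terast.co.jp/form">click here</a></p>
</body></html>
"""

# Domains the claimed sender legitimately uses (an assumption for this example).
LEGIT_DOMAINS = ("irs.gov",)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor and src for every image."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_legit(host, legit=LEGIT_DOMAINS):
    """True if host is one of the legitimate domains or a subdomain of one.
    A look-alike such as refirs.gov is not a subdomain of irs.gov and fails."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in legit)

def phishing_indicators(raw, legit=LEGIT_DOMAINS):
    """Return the indicators found in one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    # 1. Sender and Reply-To addresses must belong to the claimed organisation.
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr and not host_is_legit(addr.rsplit("@", 1)[1], legit):
            findings.append(f"{header} uses domain {addr.rsplit('@', 1)[1]}")
    body = msg.get_payload()
    if isinstance(body, str):
        p = _LinkCollector()
        p.feed(body)
        # 2. Links must lead back to the claimed organisation's domains.
        for href, text in p.links:
            host = urlparse(href).hostname or ""
            if not host_is_legit(host, legit):
                findings.append(f'link "{text}" leads to {host}')
        # 3. Branding images hosted elsewhere (here Wikipedia) are a tell.
        for src in p.images:
            host = urlparse(src).hostname or ""
            if not host_is_legit(host, legit):
                findings.append(f"image hot-linked from {host}")
    return findings
```

Run `phishing_indicators(SAMPLE_EMAIL)` to get the four indicators; a message whose headers, links and images all stay on irs.gov returns an empty list.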

YAHOO AWARDS *SCAM?*

****If you have received this email on “Yahoo Awards” with the following information, it is likely that it is not actually from Yahoo. It is a very poorly concocted plan to get your personal information****

YAHOO AWARDS CENTER
From The Desk Of The Manager
International Promotion/Yahoo Award Center
124, Stockport Road, Longsight,
London M60 2DB- United Kingdom
This is to inform you that you have won a prize of Four Hundred, Twenty Thousand Pounds(420,000.00) for the month of January, 2008 Prize promotion which is organized by the YAHOO AWARDS & WINDOWS LIVE. YAHOO collects all the email addresses of the people that are active online, among the millions that subscribed to Yahoo and Hotmail and few from other E-mail providers. Twenty Six people are selected monthly to benefit from this promotion and you are one of the selected winners.
PAYMENT OF PRIZE AND CLAIM
Winners shall be paid in accordance with his/her Settlement Center. Yahoo Prize Award must be claimed not later than 15 days from date of Draw Notification. Any prize not claimed within this period will be forfeited. Stated below are your identification numbers:
BATCH NUMBER: MFI/06/APA-43658
REFERENCE NUMBER: 2006234522
PIN: 1206
These numbers fall within the U.K Location file, you are requested to contact our fiduciary agent in U.K and send your winning identification numbers to him. Below you will find a Documentation Form, requesting your required particulars.
YAHOO ONLINE DOCUMENTATION FORM
FULL NAMES: _______________________________________________________
ADDRESS: _______________________________________________________
CITY:_______________________ STATE: _______________________ ZIP: ______
PHONE AND FAX NUMBER: ____________________________________________
COUNTRY: ___________________________________________
SEX: _____________AGE: __________ MARITAL STATUS: __________________
OCCUPATION:_________________________________________________________
EMAIL ADDRESS: ____________________________________________________
NATIONALITY: _______________________________________________
You are required to fill and submit the above particulars to our Overseas Claim/U.K Payment Unit with the email address below
Overseas Claims/Exchange Online Payment Unit
Contact Person: Name: Mr. Gary Paul
Tel: 44 704-570-5106
Fax: 44 870-916-0275
Email: maill2winers@yahoo.co.uk
CONGRATULATIONS!!!
At your disposal, we remain blessed.
Yours in service,
YAHOO AWARD PROMOTIONS

remove a name from mailing lists

Remove from Credit Card and Insurance Mailing Lists

The Fair Credit Reporting Act of 1997 allows consumers to stop unsolicited credit card and insurance offers. It puts more responsibility for customer privacy on the business that collected the sensitive data in the first place.

In order to use the strength of the law you must take action. Write or call the credit bureaus and request removal of your name and address from those lists. Here are the credit bureaus’ contact information:

Trans Union
P.O. Box 736
Springfield, PA 19064-0736
Telephone: (800) 680-7293

Experian (used to be TRW)
P.O. Box 949
Allen, TX 75013
Telephone: (800) 353-0809

Equifax
P.O. Box 105139
Atlanta, GA 30374-5139
Telephone: (800) 556-4711

Once you make the request they have 5 days to notify all national credit agencies. Your name will then be dropped from their mailing list for two years.

Remove your name from mailing lists permanently

To remove your name from mailing lists permanently ask the credit bureau to send you an “election form.”

To receive a credit report contact the following:

Experian (formerly TRW)
(800) 682-7654

Equifax
(800) 685-1111

Trans Union
(800) 916-8800

To Stop “Junk Mail”

Contact the Direct Marketing Association (DMA).

Mail Preference Service
PO Box 9008
Farmingdale NY 11735-9008

Telephone Preference Service (telemarketing)
PO Box 9014
Farmingdale NY 11735-9014

With a written request your name will be removed from their mailing lists.

I’m not sure there is a way to remove your name from all email mailing lists at once. But one thing you do NOT want to do is put your email address on a website. If you want customers to reach you via email but don’t want the spam and scams that come with it, use a contact form or something like elamb.security(at)gmail(dot)com. This keeps spammers from automatically harvesting your email address from the Internet, a common spammer tactic.

OV-1


Product Definition. The High Level Operational Concept Graphic describes a mission and highlights main operational nodes (see OV-2 definition) and interesting or unique aspects of operations. It provides a description of the interactions between the subject architecture and its environment, and between the architecture and external systems. A textual description accompanying the graphic is crucial. Graphics alone are not sufficient for capturing the necessary architecture data.

Product Purpose. The purpose of OV-1 is to provide a quick, high-level description of what the architecture is supposed to do, and how it is supposed to do it. This product can be used to orient and focus detailed discussions. Its main utility is as a facilitator of human communication, and it is intended for presentation to high-level decision makers.

Product Detailed Description. OV-1 consists of a graphical executive summary for a given architecture with accompanying text. The product identifies the mission/domain covered in the architecture and the viewpoint reflected in the architecture. OV-1 should convey, in simple terms, what the architecture is about and an idea of the players and operations involved.

The content of OV-1 depends on the scope and intent of the architecture, but in general it describes the business processes or missions, high-level operations, organizations, and geographical distribution of assets. The product should frame the operational concept (what happens, who does what, in what order, to accomplish what goal) and highlight interactions to the environment and other external systems.

During the course of developing an architecture, several versions of this product may be produced. An initial version may be produced to focus the effort and illustrate its scope. After other products within the architecture’s scope have been developed and verified, another version of this product may be produced to reflect adjustments to the scope and other architecture details that may have been identified as a result of the architecture development. After the architecture has been used for its intended purpose and the appropriate analysis has been completed, yet another version may be produced to summarize these findings to present them to high-level decision makers.

OV-1 is the most general of the architecture products and the most flexible in format. Because the format is freeform and variable, no template is shown for this product. However, the product usually consists of one or more graphics (or possibly a movie), as needed, as well as explanatory text.

ATO and ATC

Difference between DITSCAP and DIACAP ATO:

Although the acronym “ATO” was used in DITSCAP and is now being used in the DIACAP process, the DIACAP ATO is “Authority to Operate” and replaces the DITSCAP “Approval to Operate”. The essential meaning is the same. An ATO is still a statement that marks a formal Accreditation Decision issued by the DAA.

E2.2. Accreditation Decision. A formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO). The accreditation decision may be issued in hard copy with a traditional signature or issued electronically signed with a DoD public key infrastructure (PKI)-certified digital signature. (DOD 8510.01)

E2.8. Authorization to Operate (ATO). Authorization granted by a DAA for a DoD IS to process, store, or transmit information. An ATO indicates a DoD IS has adequately implemented all assigned IA controls to the point where residual risk is acceptable to the DAA. ATOs may be issued for up to 3 years. (DOD 8510.01)

E2.19. Designated Accrediting Authority (DAA). The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with designated approving authority and delegated accrediting authority. (Reference (d) leads with the term designated approving authority, which was favored at the time of publication.). (DOD 8510.01)

Connection to the NIPRNet/GIG:

To connect to the Global Information Grid (which includes the NIPRNet/SIPRNet) an Approval To Connect is needed.

Authority to Connect (ATC). The ATC defines the customer’s connection boundaries as accepted by the DISN SIPRNET Management and reflects the completion of a successful network vulnerability assessment by the DISA SCAO. CJCSI 6211.02B 31 July 2003

Interim Approval to Connect (IATC). The IATC defines the customer’s connection boundaries as accepted by the DISN SIPRNET Management. CJCSI 6211.02B 31 July 2003

Register the System with DoD IA Component


Each branch of the military has an IA component. Each of the US Armed Services has a division under its respective chief information officer that is responsible for all computers, communications and networks in that military branch. These communications divisions house the Information Assurance component responsible for the DIACAP tasks.

Table 1. DoD IA Components

DoD Branch | Branch Communication & Information Service | Branch IA Component
US Air Force | Air Force Communication Agency (AFCA), http://public.afca.af.mil/ | AFCA/EV Assessment and Validators, http://public.afca.af.mil/library/
US Army | *Army NETCOM 9th Signal Corps, http://www.netcom.army.mil/ | Army NETCOM Information Assurance Office
Department of the Navy | DON CIO, DON Information Management and Information Technology (IM/IT), http://www.doncio.navy.mil | DON SIAO, http://www.doncio.navy.mil/Main.aspx

*more on Army NETCOM

It’s important to get registered as soon as possible, because the DIACAP process (as with any certification and accreditation process) can take well over six months to accomplish.

Role of the IA Component

Within the DIACAP Team, the IA Component’s role will likely be the “Certifying Authority” (CA), which is responsible for the final validation of security controls. This role is powerful in that it will determine whether or not the system is certified. The designated accreditation authority (DAA) listens to the recommendation of the CA. If the CA validates, the DAA will accredit. Also, the DAA can actually be within the IA Component, depending on the Mission Assurance Category (MAC) level (ref: USAF IT Lean/SISSU guidelines; this may differ within Army & DON).

IA Component’s IT Portfolio

DoD IT portfolio management (DoDD 8115.01) requires that each of the branches report the status of IT systems to the DoD. Each branch’s IA Component has an Enterprise Mission Assurance Support Service (eMASS). You will likely be tasked with entering your system into that database. This is what is essentially meant by registering the system with the DoD IA Component.

More on DoD IT portfolio management & eMASS

Overview and Summary Information (AV-1)

  • Architecture Project Identification
    • Name
    • Architect
    • Organization Developing the Architecture
    • Assumptions and Constraints
    • Approval Authority
    • Date Completed
    • Level of Effort and Projected and Actual Costs to Develop the Architecture
  • Scope: Architecture View(s) and Products Identification
    • Views and Products Developed
    • Time Frames Addressed
    • Organizations Involved
  • Purpose and Viewpoint
    • Purpose, Analysis, Questions to be Answered by Analysis of the Architecture
    • From Whose Viewpoint the Architecture is Developed
  • Context
    • Mission
    • Doctrine, Goals, and Vision
    • Rules, Criteria, and Conventions Followed
    • Tasking for Architecture Project and Linkages to Other Architectures
  • Tools and File Formats Used
  • Findings
    • Analysis Results
    • Recommendations

AV-1 Example

Product Definition. The Overview and Summary Information provides executive-level summary information in a consistent form that allows quick reference and comparison among architectures. AV-1 includes assumptions, constraints, and limitations that may affect high-level decision processes involving the architecture.

Product Purpose. AV-1 contains sufficient textual information to enable a reader to select one architecture from among many to read in more detail. AV-1 serves two additional purposes. In the initial phases of architecture development, it serves as a planning guide. Upon completion of an architecture, AV-1 provides summary textual information concerning the architecture.

Product Detailed Description. The AV-1 product comprises a textual executive summary of a given architecture and documents the following descriptions.

Architecture Project Identification identifies the architecture project name, the architect, and the organization developing the architecture. It also includes assumptions and constraints, identifies the approving authority and the completion date, and records the level of effort and costs (projected and actual) required to develop the architecture.

Scope identifies the views and products that have been developed and the temporal nature of the architecture, such as the time frame covered, whether by specific years or by designations such as current, target, transitional, and so forth. Scope also identifies the organizations that fall within the scope of the architecture.

Purpose and Viewpoint explains the need for the architecture, what it should demonstrate, the types of analyses (e.g., Activity-Based Costing) that will be applied to it, who is expected to perform the analyses, what decisions are expected to be made on the basis of an analysis, who is expected to make those decisions, and what actions are expected to result. The viewpoint from which the architecture is developed is identified (e.g., planner or decision maker).

Context describes the setting in which the architecture exists. It includes such things as mission, doctrine, relevant goals and vision statements, concepts of operation, scenarios, information assurance context (e.g., types of system data to be protected, such as classified or sensitive but unclassified, and expected information threat environment), other threats and environmental conditions, and geographical areas addressed, where applicable. Context also identifies authoritative sources for the rules, criteria, and conventions that were followed. (See Universal Reference Resources [URR] section in the Deskbook for examples of authoritative sources.) The tasking for the architecture project and known or anticipated linkages to other architectures are identified.

Tools and File Formats Used identifies the tool suite used to develop the architecture and file names and formats for the architecture and each product.

Findings states the findings and recommendations that have been developed based on the architecture effort. Examples of findings include identification of shortfalls, recommended system implementations, and opportunities for technology insertion.

During the course of developing an architecture, several versions of this product may be produced. An initial version may focus the effort and document its scope, the organizations involved, and so forth. After other products within the architecture’s scope have been developed and verified, another version may be produced to document adjustments to the scope and to other architecture aspects that may have been identified as a result of the architecture development. After the architecture has been used for its intended purpose, and the appropriate analysis has been completed, yet another version may be produced to summarize these findings for the high-level decision makers. In this version, the AV-1 product, along with a corresponding graphic in the form of an OV-1 product, serve as the executive summary for the architecture.