Identifier: 04THEHAGUE586
Created: 2004-03-10 11:34:00
Classification: UNCLASSIFIED
Origin: Embassy The Hague
Cable title: CHEMICAL WEAPONS CONVENTION (CWC): FOURTH SECURITY

Tags:  PARM PREL CWC 
This record is a partial extract of the original cable. The full text of the original cable is not available.
UNCLAS SECTION 01 OF 02 THE HAGUE 000586 

SIPDIS

STATE FOR AC/CB, NP/CBM, VC/CCB, L/ACV, IO/S
SECDEF FOR OSD/ISP
JOINT STAFF FOR DD PMA-A FOR WTC
COMMERCE FOR BIS (GOLDMAN)
NSC FOR CHUPA
WINPAC FOR LIEPMAN

E.O. 12958: N/A
TAGS: PARM PREL CWC
SUBJECT: CHEMICAL WEAPONS CONVENTION (CWC): FOURTH SECURITY
AUDIT TEAM, 23-27 FEBRUARY 2004

This is CWC-29-04.


1. The fourth Security Audit Team (SAT-IV) found that the
OPCW Technical Secretariat (TS) had done little to further
secure its IT infrastructure since the 2001 security audit.
The team noted that significant personnel resources have been
directed toward documenting processes and procedures, but few
practical steps have been taken to ensure the safe and secure
handling of information assets at the TS. Additionally, the
SAT-IV noted that paper-handling processes continue to pose a
significant vulnerability, and the ability of the TS to
assess threat levels from the introduction and use of new
technologies is very limited.


2. SAT-IV convened its first session 23 to 27 February 2004
in The Hague and reviewed the TS gap analysis and self
assessment as related to implementation of international
standards organization (ISO) 17799. (Comment: previous SATs
have recommended the adoption of the ISO standard of best
practice, as a notional baseline, but cautioned the TS not to
expend significant resources seeking ISO certification
standards).


3. SAT-IV notes that, as directed by the Office of
Confidentiality and Security (OCS), the TS has devoted
significant time and manpower resources to documentation of
its information technology (IT) procedures, using as its
justification the previous SAT recommendation to adopt the
ISO standard. In the view of SAT-IV, this effort has done
little to promote the overall security of the TS IT
environment. Much of the documentation produced remains
fragmented, largely due to the TS's lack of a critically needed IT
asset inventory and risk assessment.


4. The consequences of the OCS documentation effort are
many. First, the Information Systems Branch (ISB) is
producing volumes of systems design and testing documentation
but is not developing needed systems until the documentation
effort is completed. The SCN upgrade and data migration have
been delayed because OCS determined that the necessary
documentation is insufficient and relevant testing has not
been done.


5. The current SCN/Electronic Document Management System
(EDMS) has changed little since 2001, except for a
system-wide installation of new network hardware. (Comment:
this installation appears to have been done over the past
year to year and a half, with network servers being procured
and put into place. The software upgrades remain in planning
and testing.) ISB is developing a test environment and
implementation plan for upgrading the network operating
system, but the actual upgrade has been delayed twice and is
now projected for the April - July 2004 timeframe. The
delays are a consequence of inadequate documentation,
resource limitations (i.e., competing priorities),
modification to inspector laptops, and inadequate evidence of
test results. The upgrade of the operating system to Windows
2000/server, Office 2000/desktop, Unicenter, Info Image, and
SQL 7.0 is seen by both the TS and the SAT-IV as critical to
the enhanced SCN. SAT-IV offered its assistance in testing
the operating system prior to live implementation, and SAT-IV
indicated that this will be a critical component of the
system-wide audit later this year. A list of suggested
automated auditing/testing tools for the Windows 2000 environment
will be made available to the TS by the USG member of the
SAT-IV.


6. A system-wide operational audit of the SCN and inspector
laptop environments is proposed for December 2004. Interim
documentation reviews and meetings may be requested by
SAT-IV, depending on the implementation schedule for the
operating system upgrade.

--------------
RDBMS Development Efforts
--------------


7. The RDBMS development remains in a planning and
documentation stage. Functional, technical, and security
requirements are being drafted and coordinated among ISB,
OCS, VER/DEB, and the development contractor. An expanded
functional database has been proposed which would include
declaration processing, declaration redaction, document
tracking, inspectable site selection, and generation of a
variety of reports. A working prototype is expected in late
2004, and will be available for SAT-IV evaluation.


8. Ito sends.

SOBEL