"Commanders and managers implement the computer security program in their command or activity
to ensure that systems are operated within the requirements of this regulation."
"Manager," as used here, refers to a civilian in charge; it does not mean the "security
Computer security is a "command responsibility," but not only a company or battalion commander is
responsible for computer security. Anybody in a command, management, leadership, or supervisory
position is responsible for this security.
What does "command responsibility" mean? According to paragraph 1-3, FM 101-5, The commander
alone is responsible for all that his unit does or fails to do. He cannot delegate this responsibility.
The final decision, as well as the final responsibility, remains with the commander."
The commander has overall responsibility, but he can't personally do everything and must rely on
certain people in the unit to assist him in fulfilling these duties. Commanders routinely delegate
certain tasks to subordinates, such as appointing a security manager to take care of classified
material. For computer security, the commander or manager appoints individuals to the following
positions to assist him:
Part J: Security Officers
The Information System Security Officer (ISSO). The ISSO takes care of the commander's computers
and their related security requirements, just like the security manager takes care of the commanders
classified material and its related security requirements.
The ISSO is clearly a key position in the unit, however, AR 380-19 does not specify a minimum rank
or grade requirement for an ISSO. Anybody can be appointed as an ISSO, as long as the commander
considers that individual to be qualified to do the job. And, of course, the ISSO must have an
appropriate security clearance.
Paragraph 1 -6d(3), AR 380-19, says that "For each computer or group of computers, there will be an
ISSO appointed by the commander or manager of the activity operating the computer. The same
ISSO may be appointed for multiple computer systems, particularly in the environment of small
computers, local area networks, or small systems ....."
The Terminal Area Security Officer (TASO). The commander or manager may also have to appoint a
TASO, or several TASOs. Paragraph 1-6d(5), AR 380-19, says that "For each terminal or contiguous
group of terminals not under the direct control of an ISSO, there will be a TASO."
A terminal, is "a device in a computer system that performs input or output operations." Terminals
are connected to a computer system by a "communications channel" along which signals may flow,
like a telephone line or a cable. Terminals are used by computer users to enter (input) data into the
computer and to get (output) data out the computer.
"Remote" terminals are located away from the computer itself, in a different room in the building,
in a different building, or on a completely different installation. There might be a single remote