| Policy ID No. | Policy | Policy Text | Policy Commentary |
|---|---|---|---|
| 35.0 | Reporting Changes in User Duties to Systems Security Administration | Management must promptly report all significant changes in end-user duties or employment status to the computer system security administrators handling the user-IDs of the affected persons. | The intention behind this policy is to support the notion of least privilege. End-user privileges must promptly be turned off if an individual has been terminated, transferred, promoted, put on leave without pay, or otherwise no longer in the same position. Systems security administrators don't generally know about these changes unless they receive notification from the involved managers (or alternately from the Human Resources Department). A separate but related policy requiring that all such status-change information be kept in strict confidence is advisable because a terminated employee may bring a defamation of character lawsuit. This policy may be particularly useful when it comes time to establish standard procedures for notifying administrators about worker status changes. See the related policies entitled "Changing Physical Access Control Codes on Worker Termination" and "Transfer of Information Custodian Duties After Employee Terminations." |
| 36.0 | Maintenance of Master User-ID and Privilege Database | So that their privileges may be expediently revoked on short notice, records reflecting all the computer systems on which users have user-IDs must be kept up-to-date. | The intention behind this policy is to make sure that all user-IDs that an employee (or consultant, contractor, temporary, etc.) uses can be readily identified and the associated privileges quickly revoked. This will, for instance, be useful when an employee has been shown to be embezzling, in which case all user-IDs should be shut down immediately. Even when less dramatic changes in user status take place, such a database can be very helpful in determining which systems security administrators should be notified. Also see the policies entitled "Naming Standard for a Single User-ID Used on All Platforms." |
| 37.0 | Transfer of Information Custodian Duties After Employee Terminations | When a worker leaves any position with the State of Alaska, both computer resident files and paper files must be promptly reviewed by their immediate manager to determine who should become the custodian of such files, and/or the appropriate methods to be used for file disposal. The computer user's manager must then promptly reassign the computer user's duties as well as specifically delegate responsibility for information formerly in the computer user's possession. | The intention behind this policy is to clearly and expediently transfer custodian responsibilities, and thereby to ensure that security measures are maintained in minimally acceptable ways. The reassignment of duties process is especially important if the files contain sensitive, critical, or valuable information. This policy also implicitly puts employees on notice that their files will be examined by others after they leave the organization. Additionally, with this policy, managers are put on notice that they are responsible for the proper handling of a departed worker's information. The policy helps to avoid fraud, sabotage, and other abuses, which frequently take place when no specific person has responsibility for a certain area (perpetrators often take advantage of the confusion surrounding the departure of an employee). See the policies entitled "Changing Physical Access Control Codes on Worker Termination" |
| 132.0 | Changing Physical Access Control Codes on Worker Termination | In the event that a worker is terminating their relationship with the State of Alaska, all physical security access codes known by the worker must be deactivated or changed. For example, the serial number recorded on a magnetic stripe attached to an identification badge must be changed before the badge is reissued to another worker. | This policy is intended to eliminate any confusion about the identity of the person who is using an access code. The policy may also prevent a terminated worker from using a copy of the access mechanism (like a magnetic card) to gain unauthorized entry to State of Alaska work areas. This objective is particularly important if the worker is disgruntled and potentially vengeful. The policy makes mention of "access codes known by the worker," and accordingly includes both those systems where the code is known only by the user as well as those systems where several people know the code (also known as "lockwords"). This broad scope implies another objective of the policy--to keep the terminated worker from gaining access to State of Alaska premises, and committing some crime or abusive act, in a manner that might look like it was perpetrated by an authorized worker. |
| 138.0 | Install And Monitor Intrusion Detection Systems | To allow the State of Alaska to promptly respond to attacks, all primary ingress points from the Internet to the State network must be running an intrusion detection system approved by and implemented with the concurrence of the State Computer Security Officer. | The term "primary" refers to the major connections that carry the bulk of legitimate traffic to and from the Internet. Intrusion detection systems are different from vulnerability identification systems. The former provides an alert system telling staff when the defenses have been breached. The latter tells staff what needs fixing in order to bolster the defenses. Typically an intrusion detection system will feed a network management system (NMS) or some other notification system that will immediately alert those who are in a position to do something. For example, members of a Computer Emergency Response Team (CERT) can get into action based on pager alerts from an intrusion detection system. This policy helps to ensure that all systems on the periphery of an internal network have adequate intrusion detection systems. The State Computer Security Officer is responsible for approving an IDS product and for ensuring that it is installed and implemented in a fashion that protects State of Alaska resources. |
| 139.0 | Assign Explicit Responsibility For Information Security Tasks | Specific information security responsibilities must be incorporated into all worker job descriptions if such workers have access to sensitive, valuable, or critical information. | The time has come to stop saying that information security is everyone's responsibility, but at the same time ignoring the need to specifically assign responsibility to certain people. This policy is intended to create clearity about what is expected of all people who have access to sensitive, valuable, or critical information. Included within the scope of this policy are end-users, who often believe that they have no responsibilities in the information security area. In reality, end-users are on the front line in the battle against intruders, viruses, and other information security problems. Today's information security environment involves the distribution of information not only to end-user desktop computers, but also to workers' homes, to outsourcing firm's premises, to strategic partners' premises, and to other locations. These and other people must cohesively work together as a team in order to achieve genuine information security. This can only be done if the responsibilities of each are explicitly assigned. |
| 141.0 | All security incident information must be tracked by the affected ACSO and forwarded to the SCSO | All security incident related information, such as viruses and hacks, must be tracked by the affected Agency Computer Security Officer. Information gathered by the Agency must be passed along as soon as possible to the State Computer Security Officer. | The intent of this policy is to ensure that all information gathered during a security incident makes it to the central security office. It is important that there be a single point of contact on security that can look for patterns and systemic vulnerabilities. While an individual agency my see a specific security incident as minor, when combined with incidents from other agencies patterns of attack may become clearer. The key here is the need for good communication between the State Computer Security Officer and the various Agency Computer Security Officers. |