| Policy ID No. | Policy | Policy Text | Policy Commentary |
|---|---|---|---|
| 30.0 | Unbecoming Conduct and the Revocation of Access Privileges | State of Alaska management reserves the right to revoke the privileges of any user at any time. Conduct that interferes with the normal and proper operation of State of Alaska information systems, which adversely affects the ability of others to use these information systems, or which is harmful or offensive to others will not be permitted. | The intention of this policy is to put users on notice that they jeopardize their status as authorized users if they engage in the activities described. For example, crashing the system could reasonably be expected to be harmful to other users, and would accordingly subject the perpetrator to disciplinary action including privilege revocation. Rather than specifying all the nasty things that people could do, such as crashing a system, this policy is discreet and high-level. The broadly-stated policy may also give management ample latitude when it comes to making a decision about privilege revocation. Persons who abuse their privileges may also be subject to disciplinary action including civil or criminal legal action. Also see the policies entitled "Default User Privileges and Need for Explicit Approvals" and "Periodic Review and Reauthorization of User Access Privileges." |
| 31.0 | Prohibitions Against Testing Information System Controls | Workers must not test, or attempt to compromise State of Alaska computer security system controls unless specifically approved in advance and in writing by the State Computer Security Officer and the appropriate Agency Computer Security Officer. | When users to attempt to break controls, this fosters an "attack ethic," i.e., an environment where it is acceptable for workers to attempt to break system controls. This policy eliminates an often invoked excuse for computer crimes, as the perpetrators may say that they were merely "testing the control system so as to be able to improve it." Of course, internal auditors already have this approval (in their departmental mission statement), and they should continue to test controls. While there is merit to regularly testing controls to illuminate weaknesses, this activity needs to be strictly controlled and performed in a confidential manner (lest the results be exploited by employees and others). This policy also prohibits "tiger team attacks" (also known as "penetration attacks") unless approved in advance by management. See also "Prohibition Against Exploiting Systems Security Vulnerabilities" |
| 32.0 | Prohibition Against Exploiting Systems Security Vulnerabilities | Users must not exploit vulnerabilities or deficiencies in information systems security to damage systems or information, to obtain resources beyond those they have been authorized to obtain, to take resources away from other users, or to gain access to other systems for which proper authorization has not been granted. All such vulnerabilities and deficiencies should be promptly reported to the Agency Computer Security Officer. | The intention of this policy is to make it clear that users must not take advantage of information security vulnerabilities and deficiencies, even if they are aware of such problems. One example of such a problem involves having knowledge of a special password that allows a user to do things they would otherwise not be able to perform. In a broad sense, this policy is saying that users are given only the privileges explicitly granted to them--if they can do something else due to security problems, they are not authorized to take advantage of these problems. As written, the policy includes errors made by systems administrators, for example if a user was given too many privileges. While this example may not involve a control vulnerability, it is decidedly a deficiency associated with the deployment of controls. For related ideas, see the policies entitled "Required Reporting of Information Security Incidents" and "Restricted Use of Diagnostic Test Hardware and Software." |
| 82.0 | Misrepresentation of Identity on Electronic Communication Systems | Misrepresenting, obscuring, suppressing, or replacing a user's identity on an electronic communications system is forbidden. The user name, electronic mail address, organizational affiliation, and related information included with messages or postings must reflect the actual originator of the messages or postings. | The intention of this policy is to put users on notice that they may not misrepresent their identity on electronic communication systems, even for practical jokes or other humor. The scope of the policy is deliberately broad (specifically "electronic communication systems") so that it includes telephone systems as well as electronic mail systems. Note that this policy does not require all the routing information on an electronic mail message to be maintained, only the originator's identity. Separately, under this policy, the use of another person's user-ID is a policy violation (and technically electronic forgery). This policy assumes that no group user-IDs have been assigned; in other words, each user should have one or more personal user-IDs. |
| 135.0 | Tools Used to Break Systems Security Prohibited | Unless specifically authorized by the State Computer Security Officer, State of Alaska workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those which defeat software copy-protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files. This policy applies to all State of Alaska computer systems, premises and devices connected to any State of Alaska network system. | Because these tools can be and often are used to circumvent controls, their possession and use should be severely restricted. Possession and use should be allowed only for those who have a need for such powerful tools, such as EDP auditors and tiger-team staff (penetration attack team members). While these tools are readily available on the open market, on the Internet, and on electronic bulletin boards, State of Alaska users should not be in possession of these tools in such a way that they could be used to compromise any State of Alaska system. Thus, ordinary users should not have a collection of vulnerability identification tools like SATAN and COPS stored on their hard drive at work. Likewise, users should not have a Sniffer(TM) in their possession because it can be used to perform a wiretap. For the same reason, users should not have a database which contains working serial numbers needed to operate stolen software. Some users may claim that they never intended to use such tools, that they only acquired them to learn about computers. This policy removes the whole question of the user's intent from the discussion; if users have the tools, they are in violation of the policy. Note that this policy does not prohibit an employee from using such tools on a home computer unless that computer is configured to access any State of Alaska data system. The policy is not intended to prohibit any authorized user from accessing State of Alaska web or e-mail services. Also see the policies "Prohibition Against Testing Information System Controls," "Disclosure of Information About Information System Vulnerabilities." |