State of Alaska DRAFT Security Policies

Data Security Category

Policy ID No. Policy Policy Text Policy Commentary
59.0 Release of Systems Documentation to Third Parties
Policy Text: Prior to being released to third parties, all documentation that describes State of Alaska systems or systems procedures must be reviewed by the Agency Computer Security Officer to ensure that confidential information is not being inadvertently disclosed.
Policy Commentary: It is important to communicate to workers that documentation, not just business records, may warrant restricted dissemination procedures. This policy puts staff on notice that they are not to release internal systems documentation without prior approval. The approval could also be provided by the Information Systems Department manager, legal counsel, or some other manager. This policy is also called for because many system crackers/hackers use so-called "social engineering" (also known as "conning") to get information about internal systems, which in turn allows them to break into these systems. If employees are on notice that such information is not to be distributed to outsiders without prior permission, it is less likely that they will fall for such ploys.
60.0 Information as an Important State of Alaska asset
Policy Text: Information is an important State of Alaska asset. Accurate, timely, relevant, and properly protected information is absolutely essential to State of Alaska's business. To ensure that information is properly handled, all accesses to, uses of, and processing of State of Alaska information must be consistent with State of Alaska information systems related policies and standards.
Policy Commentary: This general policy helps to set the context for a number of other information security policies. Such a statement is frequently incorporated into the first set of policies as well as summary material oriented towards users and members of the management team. It is necessary for these people to appreciate how information has become a critical factor of production in modern business--only then can they appreciate the pressing need for information security. The intention of this policy is thus to motivate the need for information security measures and to contextualize the use of information systems in modern organizations.
61.0 Tools Used to Break Systems Security Prohibited
Policy Text: Unless specifically authorized by the Agency Computer Security Officer, State of Alaska workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those which defeat software copy-protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files.
Policy Commentary: Because these tools can be and often are used to circumvent controls, their possession and use should be severely restricted. Possession and use should be allowed only for those who have a need for such powerful tools, such as security auditors and tiger-team staff (penetration attack team members). While these tools are readily available on the open market, on the Internet, and on electronic bulletin boards, State of Alaska users should not be in possession of these tools. Thus, ordinary users should not have a collection of vulnerability identification tools like SATAN and COPS stored on their hard drive. Likewise, users should not have a protocol analyzer (a "sniffer") in their possession because it can be used to perform actions such as a wiretap, password reading, and unauthorized data viewing. For the same reason, users should not have a database which contains working serial numbers needed to operate stolen software. Some users may claim that they never intended to use such tools, that they only acquired them to learn about computers. This policy removes the whole question of the user's intent from the discussion; if users have the tools, they may be disciplined or terminated. Also see the policies "Prohibition Against Testing Information System Controls," and "Disclosure of Information About Information System Vulnerabilities."
62.0 Handling of Third Party Confidential and Proprietary Information
Policy Text: Unless specified otherwise by contract, all confidential or proprietary information that has been entrusted to State of Alaska by a third party must be protected as though it was State of Alaska confidential information.
Policy Commentary: In many cases the people handling third party information do not have access to the contracts which define agreed-upon procedures for handling information entrusted to State of Alaska. This policy by default assigns a classification of "confidential" to all such information.
63.0 Software and/or Data Exchanges with Third Parties Require Agreements
Policy Text: Exchanges of software and/or data between State of Alaska and any third party may not proceed unless a written agreement has first been signed. Such an agreement must specify the terms of the exchange, as well as the ways in which the software and/or data is to be handled and protected. This policy does not cover release of information designated as public.
Policy Commentary: The intention of this policy is to prevent misunderstandings about the use of and protection of State of Alaska proprietary or sensitive information. For example, if an agency and a consultant exchange mailing lists, it could be specified in writing that the lists are to be used once only (or whatever other arrangements have been established). Having a written contract also provides some assurance that controls will be used to prevent the information from being disclosed to unauthorized third parties and from being used for purposes other than those originally intended. Because it encourages some restraint associated with the dissemination of information, this policy is relevant to electronic mail and the Internet.
64.0 Disclosure of Information on State Systems to Law Enforcement
Policy Text: By making use of State of Alaska systems, users consent to allow all information they store on State of Alaska systems to be divulged to law enforcement at the discretion of State of Alaska management.
Policy Commentary: This policy puts users on notice that they should not have an expectation of privacy with respect to State of Alaska systems. It also puts users on notice that no search warrant will be necessary before law enforcement agents gain access to information they store on State of Alaska systems. Management may wish to reveal certain information (such as electronic mail logs) to law enforcement; this could be appropriate if management discovered the use of its computing facilities to conduct drug deals or some other illegal activity. Like the policy entitled "Right of Management to Examine Data Stored on State of Alaska Systems," this policy helps to manage user expectations, making sure that users understand they do not have normal privacy protections applicable to public communications carriers (like the phone company). For Third Parties this applies to any data or data systems that contain State of Alaska data. For the Third Parties this does not include proprietary and company confidential information but only pertains to the portions that are relevant to work performed for the State of Alaska. Also see the policy entitled "Disclosure of Private Information to Third Parties" and "Electronic Mail Messages Are Company Records."
65.0 Privacy Expectations and Information Stored on State Systems
Policy Text: At any time and without prior notice, State of Alaska management reserves the right to examine archived electronic mail, personal file directories, hard disk drive files, and other information stored on State of Alaska information systems. This examination is performed to assure compliance with internal policies, support the performance of internal investigations, and assist with the management of State of Alaska information systems.
Policy Commentary: The intention of this policy is to put computer users on notice that the information they store, transmit, or otherwise process via State of Alaska information systems is subject to management review. This will encourage them to use such information systems for business purposes only. It will also help to deter unethical or illegal activities such as downloading pornography from the Internet, and then storing such information on a State of Alaska computer hard disk drive. See the policies entitled "Privacy Expectations and Electronic Mail,"
70.0 Notification of Suspected Loss or Disclosure of Sensitive Information
Policy Text: If secret, confidential, or private data is lost, is disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties, its owner and the Agency Computer Security Officer must be notified immediately.
Policy Commentary: Prompt notification of loss or disclosure is a necessary precursor to performing effective damage control. For instance, if information about a new but not yet released RFP has been mistakenly disclosed to a vendor, then the date for the official announcement may need to be changed. The intention of the policy is therefore to require that all workers report all losses or disclosures of sensitive information.
71.0 Disclosure of Information System Vulnerabilities
Policy Text: Details about information system vulnerabilities, such as the details of a recent system security breach, must NOT be distributed to persons who do not have a demonstrable need-to-know.
Policy Commentary: The intention of this policy is to let those few people, who have access to details about information system vulnerabilities, know that disclosure should be strictly controlled. If vulnerability information were to fall into the hands of unauthorized parties, these people could use it to compromise the organization's systems. These unauthorized parties could also use it to blackmail (extort) or publicly embarrass the organization. The vulnerability information may also erode the confidence that users and management have in the Information Systems Department, and for this reason should also be restricted.
72.0 Information With Multiple Risk Categories On Single System
Policy Text: If a computer system contains information with varying risk categories, the controls used must reflect the highest risk information on the system.
Policy Commentary: The intention of this policy is to make sure that sensitive information is not improperly disclosed because it is on the same system as other less sensitive information. Separately, this policy would, for example, indicate that the operating system's access control mechanisms must be strong enough to protect the most sensitive information on the system; this means that all the other types of information must bear the overhead of this most sensitive type of information.
83.0 Large Networks Must Be Divided into Separate Domains
Policy Text: Each Agency network must, at a minimum, have a separately-defined logical domain. Each domain must be protected with suitable security perimeters and access control mechanisms.
Policy Commentary: This policy requires network management staff to review access controls between Agencies on the State of Alaska WAN. While each logical domain need not include a separate access control mechanism, management needs to justify this decision (hence the use of the word "suitable" in the policy). All too often large networks allow users to roam all over the network without encountering any barriers whatsoever. The logical domains referred to in the policy might be the individual Agencies or their internal organizational units (such as an accounts payable department), activities (such as Teacher Certification), or locations (such as a headquarters building). The barriers may be implemented with communications front-ends, routers, gateways, firewalls, and other network components that include access controls. The most common method used to restrict access to parts of a network is passwords, although other mechanisms like encryption can also be employed. Also see the policies entitled "Dial-Up Connections Must Always Utilize Firewalls," and "Positive Identification Required for Initial System Usage."
133.0 Internal Network Addresses Must Not Be Publicly Released
Policy Text: The internal addresses, configurations, and related system design information for State of Alaska networked computer systems must be restricted such that both systems and users outside the internal network cannot access this information without explicit management approval.
Policy Commentary: This conservative policy seeks to prevent hackers and other unauthorized parties from obtaining information about State of Alaska's internal network and connected systems. The idea behind this restriction is that attacks will be made significantly more difficult if this information is not readily obtainable. The more that an attacker knows about internal configurations the greater the chances that they will be able to obtain unauthorized entry. With many Internet firewalls, internal electronic mail address information is shared with machines outside the network, inadvertently revealing a target for future attacks. This policy also requires that system administrators responsible for firewalls establish access control restrictions such that commands like PING cannot be used by external parties to gather information on machines connected to the internal network. Also see the policy entitled "Release of Systems Documentation to Third Parties."