| Policy ID No. | Policy | Policy Text | Policy Commentary |
|---|---|---|---|
| 27.0 | Restriction of Third Party Dial-Up Privileges | Third party vendors must only be given in-bound dial-up maintenance privileges when the system manager determines that they have legitimate business need. These privileges should be enabled only for the time period required to accomplish approved tasks. The Agency Computer Security Officer may modify this requirement on a case by case basis to satisfy a legitimate business need. Exemptions to this policy should not violate "Extended User Authentication Systems Required for Dial-Up Lines". | Dial-up maintenance privileges have been used by a number of hackers, crackers, and other system attackers to gain unauthorized access to systems. It is ill-advised to leave dial-up ports, such as those used by vendors for remote maintenance, open and available if they are not needed. The intention of this policy is to keep maintenance ports turned off, and keep third parties off the system unless they have first obtained approval from State of Alaska management. Having a formal approval process will also discourage--if not prevent--others from attempting to masquerade as though they are a vendor representative as a way to get onto a system. The use of the word "in-bound" in the policy provides an exemption for sophisticated maintenance systems that automatically dial (out-bound) the vendor's system when they detect a problem. Also see the policies entitled "Extended User Authentication Systems Required for Dial-Up Lines" and "Dial-Up Connections Must Always Utilize Firewalls." |
| 85.0 | Dial-Up Connections Must Utilize an Access Control Point | All inbound dial-up lines connected to State of Alaska internal networks must pass through an additional access control point before users can reach a log-in banner. The access control point can be a firewall or other security device suitably configured to only restrict unauthorized activities. | The intention of this policy is to restrict dial-in connections with authorized parties such as consultants, travelling executives, and technicians working from home (telecommuters). Some organizations may allow extended user authentication systems (smart cards with dynamic passwords, dial-back modems, etc.) to be used. The advantage to this process is that users would not be required to log-in twice; the approach is therefore consistent with the notion of single-sign-on. In part this policy is an acknowledgement that traditional fixed password systems do not provide adequate security--at least when used the way that so many firms have implemented them. Acknowledging this, a two-layer approach provides additional security. This policy seeks to directly address dial-up modems that some users may have placed on their desks, that can in turn be used to gain direct access to a local area network (LAN). Also see the policy entitled "Restriction of Third Party Dial-Up Privileges," |
| 86.0 | External Network Connections Require Firewalls | All in-bound connections to State of Alaska networks must pass through an additional access control point (such as a firewall, VPN, or access server) before users can reach protected State of Alaska computer resources.. | This policy is intended to make sure that the periphery of an internal network always has strong access control mechanisms. If the boundaries to a network cannot be protected, then the controls inside the network may be superfluous. Examples would be a thrid party broadband device (cable modem or DSL) or a wireless access point located inside the State network. Separately, this policy requires all external real-time connections to have a firewall or comparable security system. Also see the policy entitled "Positive Identification Required for Initial System Usage" |
| 87.0 | Internet Connections Require Approved Firewalls | All connections between State of Alaska internal networks and the Internet (or any other publicly-accessible computer network) must include an approved firewall and related access controls. | This policy is intended to prevent departments, divisions, and other organizational units from establishing their own connections to the Internet, or for that matter, any other external computer network. This policy mandates a standard way to make connections between internal networks and external networks. Consistency in network access controls is absolutely essential if effective security is going to be achieved. Without this policy, various parts of an organization are likely to establish their own external connections, and often these connections will lack adequate security; these connections may later be used by outsiders to gain unauthorized access to internal networks. For related ideas, see the policies entitled "Restriction of Third Party Dial-Up Privileges," "Large Networks Must Be Divided into Separate Domains," |
| 88.0 | Direct Network Connections With Outside Organizations | The establishment of a direct connection between State of Alaska systems and computers at external organizations, via the Internet or any other public network, is prohibited unless this connection has first been approved by the Agency Computer Security Officer. | Encryption Tunnels, such as VPNs, may be useful in certain circumstances but they introduce additional security risks. This policy requires that users obtain approval of the information security manager or some other person responsible for information security before they establish such connections. Before approving such connections, a number of questions need to be answered, specifically: "Who will be able to access State of Alaska systems?", "What information on State of Alaska systems will be available to them?", "What logging systems will track the activity of these outsiders?", "What is the real business need underlying this type of a connection?", and "Is there another way that we can achieve the desired productivity without introducing additional information security vulnerabilities?" For related ideas, see the policies entitled "Restriction of Third Party Dial-Up Privileges," "Large Networks Must Be Divided into Separate Domains" |
| 89.0 | Security Requirements for Work at Home Arrangements | Work at home (telecommuting) arrangements are a management option, not a universal employee benefit. Permission to telecommute is the decision of the involved employee's manager. Before a telecommuting arrangement can begin, this manager must be satisfied that an alternative worksite (such as a home office) is appropriate for the State of Alaska work performed by the involved employee. Security factors that must be evaluated and approved by the Agency Computer Security Officer before authorizing telecommuting include: Virus scanning, Firewall, VPN, Data backup and Physical Security. | Discussions about "alternative worksites" (notably home offices) have become more prevalent in the last few years. Whenever these arrangements are being considered it is important to consider what happens to State of Alaska physical assets (such as computers) as well as information assets. See also the policies "Dial-Up Connections Must Utilize an Access Control Point", " External Network Connections Require Firewalls", and "Internet Connections Require Approved Firewalls" |
| 103.0 | Required Procedures for Personal Computer Modems in Autoanswer Mode | Users must not leave modems connected to personal computers in autoanswer mode without Agency Computer Security Officer review and authorization. | Modems left in auto-answer mode expose the organization to unauthorized visitors, especially when these modem connections have no access control system. This problem is particularly serious if the PC is connected to an internal network. Rather than prohibiting the use of modems, or even requiring the use of dynamic password systems, this policy relies on the awareness and judgement of the ACSO to approve and monitor the useage of auto-answer modems. See also "Dial-Up Connections Must Utilize an Access Control Point" |
| 107.0 | Telecommuter Remote System Information Security Procedures | As a condition of continued employment, telecommuters agree to abide by all remote system security procedures. These include, but are not limited to, compliance with software license agreements, performance of regular back-ups, and anti-virus software. | The intention of this policy to make telecommuters aware of the procedures they must perform on a day-to-day basis. If an agency is going to permit its sensitive information to be used in remote locations that cannot be easily supervised, it is reasonable for it to insist that certain security precautions be observed. Because telecommuting introduces new risks, a more stringent and specially-documented policy dealing with telecommuters may be set by the Agency Computer Security Officer on a case by case basis. This policy is also appropriate for workers which are not -- properly speaking -- telecommuters, but who nonetheless take organizational information to their home or on business trips. |
| 108.0 | Right To Conduct Inspections of Telecommuter Environments | State of Alaska maintains the right to conduct inspections of telecommuter offices with one or more days advance notice. | The intention of this policy is to put telecommuters on notice that State of Alaska representatives may conduct inspections of their home offices. This will help ensure that telecommuters observe both safety and security policies and procedures. In return for permitting employees to telecommute, State of Alaska has the right to conduct inspections of its property kept in the houses of telecommuters. Thus, by conducting inspections, State of Alaska management is carrying out it's duty to protect State of Alaska assets. It is only because the home is generally the domain of the employee that such a right to inspect must be clearly communicated and/or negotiated. The policy allows multiple follow-up inspections to correct deficiencies that were detected during prior visits. |
| 130.0 | Security Responsibilities for Real-Time Connections with Third Parties | Before any third party users are permitted to reach State of Alaska systems via real-time computer connections, specific written approval of both the State Computer Security Officer and the Agency Computer Security Officer is required. Requests for approvals must specify the security related responsibilities of State of Alaska, the security related responsibilities of the common carrier (if used), and the security related responsibilities of all other involved third parties. These responsibility statements must also address the liability exposures of the involved parties. | The purpose of this policy is to prevent real-time (as opposed to store-and-forward) connections of State of Alaska systems with third parties unless these have been shown to be adequately secure. This policy would for instance prevent consultants form having access to confidential data unless security issues had previously been examined, and approved controls had been properly implemented. Only after clearly specifying security responsibilities can the State of Alaska determine whether they want to accept the risks that the connection presents. The policy would allow internal users to employ out-bound dial-up systems to access third party electronic mail services and on-line database retrieval services without the need for a security evaluation and approval process. This policy would also allow Internet electronic mail connections because these are store-and-forward (not real-time) connections. Also see the policy entitled "Internet Connections Require Approved Firewalls." |
| 142.0 | Users may not connect a modem to any phone system on a network-connected machine without authorization. | No computer user may connect a modem to a phone line if the computer with the modem is attached to a State of Alaska computer network without Agency Computer Security Officer approval. | One of the largest potential security holes in the State of Alaska network is the use of uncontrolled modems. If the computer with the modem is on a State network it is possible for a hacker to use the trusted computer with the modem to gain access to State computer resources and data. It is probable that the legitimate user of the computer would appear in security logs as the party performing the hack. This policy is intended to protect both the State of Alaska resources and legitimate State computer users. It is the role of the Agency Computer Security Officer to ensure that any modems in use within their Agency of responsibility conform to the State of Alaska security policies. |
| 146.0 | Agencies will ensure VPN technologies meet State of Alaska Security Policy | The Agency running an encrypted remote login service will ensure that the VPN technology it has deployed meets the requirements set forth by the State Computer Security Officer, for cipher strength, key length, key expiration, key revocation and timeouts. | |
| 147.0 | Remote login connections to State of Alaska networks will utilize a connection timeout. | All remote logins to the State of Alaska networks, i.e. those connections that are not directly and full time on-line with a State LAN, will timeout after a time period specified by the State Computer Security Officer. | This policy is intent upon preventing a remote user from logging into a computer system on a State of Alaska protected network and inadvertently leaving their remote connection active. The Agency or State Computer Security Officer shall ensure that remotely accessible computer systems will employ a watchdog connection timeout to prevent connections from remaining active after they are no longer required. The State Computer Security Officer is responsible for determining the maximum timeout value to be used. |
| 149.0 | All External Connections Reviewed Annually | The State Computer Security Officer will conduct, at a minimum, an annual review of the external connections to the State of Alaska network. Agency Computer Security Officers will provide an accurate listing of all external connections to facilitate the review. This listing will include the agency involved, inception date, any involved third parties, contact information for both, security category of the connection and a brief business justification of why the connection needs to exist. | This policy is intended to apply to external connections provided by the agencies participating in the state’s network arrangements, such as dial-up connections or wireless. A policy such as this can help spur the creation of a comprehensive managed list of external connections. Agency provided external connections are a likely path for unwelcome intrusion. The risk of such connections mandate that the agency not only adhere closely to relevant security policies, but to also initiate practices of diligent, centralized management of such connections. Such practices make annual review a routine but necessary exercise. Under this policy, a violation would be the existence of an undocumented external connection. |