State of Alaska DRAFT Security Policies

Security Incident Category

Each policy entry below is laid out under the table's four columns: Policy ID No.; Policy; Policy Text; Policy Commentary.
Policy ID No.: 75.0
Policy: Required Actions Following Suspected System Intrusion
Policy Text: Whenever a systems administrator has good reason to believe that an information security system has been compromised, the involved computer must be immediately removed from all networks. The systems administrator must then examine the system and take appropriate actions (such as password changes and virus scans) before restoring the system to the network. The current system log must also be copied to separate data storage media.
Policy Commentary: This policy seeks to establish the minimum actions that systems administrators must take in response to a system intrusion and related problems. All too often systems administrators get pressure from user management not to disconnect from an internal network, not to check to see which files have changed, and not to reestablish a reliable access control system. This policy overrides user management wishes, requiring these essential steps to be performed. For related ideas, see the policies entitled "Password Changes After Compromise of a Computer System" and "Required Retention Period of Logs."
Policy ID No.: 110.0
Policy: Required Reporting of Information Security Incidents
Policy Text: All suspected information security incidents must be reported as quickly as possible to the Agency Computer Security Officer.
Policy Commentary: This policy is intended to require that all problems and violations are promptly brought to the attention of those who can actually do something about them. If problems and violations go unreported, they may lead to much greater losses for the organization than would have been incurred had the problems been reported right away. Also see the policies entitled "Internal Reporting of Information Security Violations & Problems" and "Information Security Alert System."
Policy ID No.: 112.0
Policy: Centralized Reporting of Information Security Problems
Policy Text: All known vulnerabilities -- in addition to all suspected or known violations -- must be communicated in an expeditious and confidential manner to the State Computer Security Officer. Unauthorized disclosures of State of Alaska information must additionally be reported to the involved information owners. Reporting security violations, problems, or vulnerabilities to any party outside State of Alaska (except external auditors) without prior written approval from the remarks is strictly prohibited.
Policy Commentary: This policy is intended to establish that the State Computer Security Officer is the focal point for all reports of vulnerabilities, violations and other security problems. Unless there is centralized reporting, no loss history can be compiled, no loss analysis can be conducted, and no related decision-making can be performed. Centralized reporting is also useful for the mobilization of a computer emergency response team (CERT), an organization-wide contingency plan, and other important defensive resources. The policy is also helpful because it alleviates the reporting party's concerns about short-circuiting the chain of command; without a policy like this, local managers may get upset because problem reports make them look bad and they didn't get a chance to stop the reporting process from reaching top management. The policy is also helpful because it indicates what needs to be communicated and to whom.
Policy ID No.: 113.0
Policy: Interference with Reporting of Information Security Problems
Policy Text: Any attempt to interfere with, prevent, obstruct, or dissuade a staff member in their efforts to report a suspected information security problem or violation is strictly prohibited and cause for disciplinary action. Any form of retaliation against an individual reporting or investigating information security problems or violations is also prohibited and cause for disciplinary action.
Policy Commentary: This policy attempts to encourage workers who wish to report an information security problem or violation, yet are concerned that they may find it difficult, problematic, or otherwise ill-advised. These "whistle blowers" often are concerned that their own immediate management will penalize them for reporting problems or violations. This policy attempts to foster a perspective that it is in the best interest of the State of Alaska that all security problems be reported, and that it is against this policy for anyone to interfere with the reporting, even if the report may make someone "look bad."
Policy ID No.: 114.0
Policy: Protection of Workers Who Report Information Security Problems
Policy Text: State of Alaska will protect workers who report in good faith what they believe to be a violation of laws or regulations, or conditions that could jeopardize the health or safety of other workers. This means that such workers will not be terminated, threatened, or discriminated against because they report what they perceive to be a wrongdoing or dangerous situation. Before taking any other action, these workers must report the problem to their manager or the Agency Computer Security Officer, and then give the organization time to remedy the situation.
Policy Commentary: The intention of this policy is to assure workers who are considering reporting problems that the organization will protect them. This should encourage workers to make reports when they may otherwise have been deterred by the potential adverse consequences. This policy does not prohibit external reporting -- it only states that the problem should first be internally reported. The policy is deliberately defined in a broad manner so that it includes information security problems; it also includes physical security problems as well as worker safety problems. For a related idea, see the policy entitled "External Reporting of Information Security Violations."
Policy ID No.: 116.0
Policy: Immediate Reporting of Suspected Computer Virus Infestation
Policy Text: Computer viruses, worms, trojans and other malicious code can spread quickly and need to be eradicated as soon as possible to limit serious damage to computers and data. Accordingly, if workers report a computer virus infestation to the Agency Computer Security Officer immediately after it is noticed, even if their negligence was a contributing factor, no disciplinary action will be taken. The only exception to this early reporting amnesty will be those circumstances where a worker knowingly caused a computer virus to be introduced into State of Alaska systems. However, if a report of a known infestation is not promptly made, and if an investigation reveals that certain workers were aware of the infestation, these workers may be subject to disciplinary action.
Policy Commentary: This policy is intended to encourage quick reporting of viruses, which is essential if their growth is to be limited and consequential losses are to be contained. A notable aspect of the policy is that disciplinary action may be taken if there is a delay in reporting a problem. Because even minutes can make a great difference when it comes to the propagation of computer viruses, the word "immediately" was used in the policy. Of course, if a worker has written a virus and let it loose on State of Alaska computers, then this should still be cause for disciplinary action, even if the employee did call the Information Security Department promptly after it got out of hand. The policy, as written, does not stop such a disciplinary action because it refers to "negligence" rather than a deliberate malicious act. Also see the policies "Testing for Viruses Prior to Use on State of Alaska Systems" and "Internal Reporting of Information Security Violations & Problems."
Policy ID No.: 117.0
Policy: Required Investigation Following Computer Crimes
Policy Text: Whenever evidence clearly shows that State of Alaska has been victimized by a computer or communications crime, a thorough investigation must be performed. This investigation must provide sufficient information so that management can take steps to ensure that: (1) such incidents cannot reasonably take place again, and (2) effective security measures have been reestablished.
Policy Commentary: This policy is intended to make sure that appropriate action is taken in response to computer or communications system crimes. Too often there is an inclination to "sweep" the whole affair "under the rug." To prevent the potential suppression of information about vulnerabilities (often because it could be embarrassing to someone), this policy requires that an investigation be started. In most instances, department and other local management will not have the expertise to carry out such a sophisticated investigation. Thus, the policy indirectly requires these managers to contact the Agency Computer Security Officer and the State Computer Security Officer. The policy also helps guard against lawsuits alleging that management did not take care of problems even though they were "on notice" that security problems existed. Also see the policy entitled "Confidentiality of Internal Investigations Information."
Policy ID No.: 118.0
Policy: Retention of Information Security Violation and Problem Information by the State Computer Security Officer
Policy Text: Information describing all reported information security problems and violations must be retained for a period of three (3) years.
Policy Commentary: The intention of this policy is to put everyone on notice that certain important information security related information must not be destroyed. The information referred to in the policy is helpful when doing risk assessments, when planning information security projects, and when developing budgets. It may also be useful for prosecution or disciplinary actions. The policy applies to computer logs and internal correspondence, as well as notes from investigations. Also see the policies entitled "Annual Analysis of Information Security Violations & Problems" and "External Reporting of Information Security Violations."
Policy ID No.: 119.0
Policy: Annual Analysis of Information Security Violations & Problems
Policy Text: An annual analysis of reported information security problems and violations must be prepared by the State Computer Security Officer.
Policy Commentary: The intention of this policy is to require the State Computer Security Officer to prepare a status report of losses and problems encountered. Such a historical analysis is helpful when performing risk assessments, when preparing job performance evaluations, and also when preparing budgets and project plans for the coming year. Although it may sound like more work for often-overworked information security staff, this policy can help establish and maintain a regular communication path with top management. Notice that the methodology for performing such analyses is not mentioned, so as to give the Security Officer the leeway to change the approach as it becomes more sophisticated. Items that at a minimum must be reviewed include: user authentication; incidents such as virus infestation; and security problems with vendors. Specific information that could assist hackers, such as IP addresses or open ports, should not be included in the annual report if the report is to be made public. Also see the policies entitled "Required Investigation Following Computer Crimes" and "Retention of Information Security Violation & Problem Information."
Policy ID No.: 137.0
Policy: Confidentiality of Internal Investigations Information
Policy Text: Until charges are pressed or disciplinary action taken, all investigations of alleged criminal or abusive conduct must be kept strictly confidential to preserve the reputation of the suspected party.
Policy Commentary: Beyond the objective stated in the policy, this policy helps reduce the probability that State of Alaska will be hit with a lawsuit alleging defamation of character. The intention of the policy is to clearly define the point in time when it becomes permissible to disclose information about employee investigations. One desirable aspect of this policy is that investigations which do not result in prosecution (pressing charges) or disciplinary action will never be disclosed (declassified). If the employee never knew about the investigation, then they can remain as a worker in good standing. On the other hand, if the employee heard about an investigation in process that later turned out to be inappropriate, they may become disgruntled or soon leave the organization. The policy mentions the "reputation" of the individual rather than staying out of legal trouble because the dignity of the individual is a more noble goal, and because it is taken for granted that management wants to operate within the confines of the law. Also see the policy entitled "Required Investigation Following Computer Crimes."