State of Alaska DRAFT Security Policies

Viruses and Testing Category

Policy ID No. Policy Policy Text Policy Commentary
Policy ID No.: 46.0
Policy: Testing for Viruses Prior to Use on State Systems
Policy Text: To prevent infection by computer viruses, workers must not use any externally-provided software from a person or organization other than a known and trusted supplier. The only exception to this is when such software has first been tested and approved by the Agency Computer Security Officer.
Policy Commentary: The intention of this policy is to keep all software used on State of Alaska systems free from viruses, worms, Trojan horses, and other unauthorized programs. Note that the policy is not restricted to production systems; these unauthorized programs propagate rapidly and make no distinction between production and non-production systems. The policy requires only a negligible amount of extra work associated with the handling of externally-provided software. Normally, users would employ only that software which has been approved for internal use and which is in keeping with existing licenses with vendors. Thus this policy helps restrict the software that users may run. In a roundabout way, the policy also helps to discourage unauthorized copying of software for which the State of Alaska does not have a license. Although it does not need to be placed in the policy, the testing performed should always be done on an isolated machine. Some Agencies may want to specify what constitutes a "known and trusted supplier" (ordinarily not an electronic bulletin board, a users group, or some other non-commercial entity). Some Agencies may wish to expand the policy to require that all such testing of externally-supplied software be documented. Some organizations may wish to change the policy such that it requires all specific copies of software provided by non-trusted parties to be tested (rather than one copy, which is then alleged to be the same as other copies provided by the organization).
On a separate note, this policy allows users to download software from third party systems--it just prohibits them from executing it until it has been properly tested. See the policy entitled "Immediate Reporting of Suspected Computer Virus Infestation."
Policy ID No.: 49.0
Policy: Approved Virus Checking Programs Required on PCs and Servers
Policy Text: Virus checking programs approved by the Agency Computer Security Officer must be continuously enabled on all servers and personal computers.
Policy Commentary: This policy doesn't make distinctions between integrity checkers, virus screening packages, virus behavior detection packages, and the like. Instead, it relies on the Agency Computer Security Officer to identify one or more standard virus detection software packages. The emphasis is on networked machines because a virus or similar program can propagate much faster in a networked environment than it can in a stand-alone computing environment. The policy focuses on small systems because these are the computers which are most often hit by virus infections, not mainframes and other large-scale systems. For related ideas, see "Testing for Viruses Prior to Use on State Systems" and "Immediate Reporting of Suspected Computer Virus Infestation."
Policy ID No.: 54.0
Policy: Restricted Use of Diagnostic Test Hardware and Software
Policy Text: Diagnostic test hardware and software, such as communications line monitors and network sniffers, must be used only by authorized personnel for testing and development purposes. Access to such hardware and software must be strictly controlled.
Policy Commentary: Diagnostic test hardware and software can be used to insert spurious messages on a communications line so that a fraud may be perpetrated. The tools may also allow people to read communications line traffic that they would otherwise not be able to examine. These wiretapping tools have, for instance, been used to capture readable passwords which are then later used to gain unauthorized system access. The intention of this policy is thus to restrict the use of such powerful tools to troubleshooting and other authorized business activities. The policy gives local management significant leeway in determining the ways in which they secure these hardware and software tools. For instance, some managers will require that line monitor devices be locked in a closet, while others will be satisfied with the use of a metal key to activate and deactivate the device. There is a greater need for this policy in those environments using fixed passwords (rather than dynamic passwords) for system access control.