State of Alaska DRAFT Security Policies

Low Category

Each entry below gives the Policy ID No. and Policy title, followed by the Policy Text and the Policy Commentary.
38.0 Logs Required on Application Systems Handling Sensitive Information
Policy Text: All production application systems which handle sensitive State of Alaska information must generate logs that show every addition, modification, and deletion to such sensitive information.
Policy Commentary: The intention behind this policy is to be able to account for all changes to sensitive information like personnel records, strategic plans, and product design specifications. For example, the payroll database in most organizations should have an associated log which shows who updated the payroll amounts and when. This type of information will be very helpful when attempting to investigate and correct problems like errors and fraud. This policy essentially indicates which applications should have associated logs (also called "audit trails"). The log data elements (for example, whether a before-and-after image should be logged) will need to be determined on a case-by-case basis.
39.0 Inclusion of Security Relevant Events in System Logs
Policy Text: Computer systems handling sensitive, valuable, or critical information must securely log all significant computer security relevant events. Examples of computer security relevant events include: password guessing attempts, attempts to use privileges that have not been authorized, modifications to production application software, and modifications to system software.
Policy Commentary: This policy is intended to specify which computer systems must have system logs reflecting security relevant events. It is particularly relevant to microcomputers, workstations, local area network servers, client/server systems, and similar small systems that often lack adequate logs. It may be necessary to further specify what constitutes a "security relevant event" in the policy. Note that the policy only requires logs for systems handling sensitive, valuable, or critical information.
40.0 Required Retention Period of Logs
Policy Text: Logs containing computer security relevant events must be retained for at least three (3) months. During this period, such logs must be secured such that they cannot be modified, and such that they can be read only by authorized persons.
Policy Commentary: These logs are important for error correction, forensic auditing, security breach recovery, and related efforts. The intention of this policy is to clearly specify the retention period for logs as well as the need for secure storage of logs. The policy can be expanded to define explicitly what events are deemed as "security relevant." There is nothing special about three months; the figure will vary by agency and the nature of the business and the information involved. Be sure to check with internal legal counsel and records management staff about the appropriate time period to retain such records. The retention period for business transactions will generally be much longer than the retention period for security relevant events; a log of security relevant events generally does not contain business transactions.
41.0 Logs of User-Initiated Security Relevant Activities
Policy Text: To assure that users are held accountable for their actions on State of Alaska computer systems, one or more records tracing security relevant activities to specific users must be securely maintained for a reasonable period of time.
Policy Commentary: The intention of this policy is to clearly specify that all user-initiated security relevant activities must be logged and retained for a certain period (three months for instance). This information will be helpful to those people in security administration, computer operations, and internal auditing. The information also serves as a deterrent to abusive acts, as well as important information for the "help desk" to use when figuring out the nature of a problem. The policy makes reference to security relevant activities like user changes to file access privileges, user changes to a secret password, and the like.
42.0 Information to Capture When Computer Crime or Abuse is Suspected
Policy Text: To provide evidence for investigation, prosecution, and disciplinary actions, certain information must be immediately captured whenever it is suspected that a computer crime or abuse has taken place. The relevant information must then be securely stored off-line until such time as the State Computer Security Officer determines that State of Alaska will no longer need the information. The information to be immediately collected includes the current system states, as well as back-up copies of all potentially involved files.
Policy Commentary: This policy is intended to put systems management on notice that certain information must be captured and securely stored until needed by internal auditors, prosecutors, security administrators, and others. The policy allows evidence to be captured and secured, so that it will later be admissible in court. On the other hand, if the evidence remained on the computer for a certain period, there is a possibility that it could have been modified by unauthorized parties. If the evidence could have been modified, it will not be convincing in the eyes of the court. Note also that the process of capturing information should take place even if there is only a suspected problem. It is better to have this information and then dispose of it if it's not needed, than to not have the information and then be unable to take certain courses of action (such as prosecution). The policy thus makes sure that a snapshot of the current situation is preserved for later use.
43.0 Persons Authorized to View Logs
Policy Text: All security, system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. A person is unauthorized if they are not a member of the internal audit staff, systems security staff, systems management staff, or if they do not clearly have a need for such access to perform regular duties. Unauthorized users must obtain written permission from the Agency Computer Security Officer prior to being granted such access.
Policy Commentary: The intention of this policy is to limit access to all logs--including security, application and system logs--to only those persons who have a bona fide need to have such access. Access by unauthorized persons can reveal user-IDs, transaction specifics, and other information that may be instrumental in fraud, sabotage, and other abuses. If logs are encrypted, they will be exceedingly difficult for unauthorized people to view or modify. In terms of off-site storage, encryption is really the only truly effective way to prevent unauthorized access. Rather than encryption, in less secure environments, use of file access controls may be sufficient. In some circumstances, written permission for access to application logs may be granted by the information owner/sponsor, rather than the Agency Computer Security Officer. This policy assumes that other types of access control will also be in place.
44.0 Regular and Prompt Review of System Logs
Policy Text: To allow proper remedial action, computer operations or information security staff must review records reflecting security relevant events in a periodic and timely manner.
Policy Commentary: The intention of this policy is to require that computer operations or information security staff promptly review logs. This review process can be greatly facilitated if the logs produce exception reports indicating items of a suspicious nature in need of follow-up. To ask a person to go through a log reflecting all system events on a busy multi-user system is like asking them to find a "needle in a haystack." Prompt review of logs might, for example, be important if there was a hacker who was attempting to guess passwords via a dial-up line. If the logs were never reviewed, and if there were no other mechanism (like pager alerts) to notify the people who could do something about it, the organization may never have become aware of the attacks. If the attacks were not stopped--or at least discouraged by telling the hacker that they are being closely monitored--the hacker may be encouraged to continue. Likewise, the chronological window for taking remedial action (such as stopping an employee from making copies of personnel records) closes quickly unless corrective steps are promptly initiated. In some environments, such as electronic funds transfer systems, the window in which adjustments must be made is very slim (a few days). In environments such as this, the time frame for log review may also be included in an agency specific policy. The policy could be expanded to include application logs, in which case user management or information owners/sponsors may be involved in the review process.
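The exception reports that policy 44.0 recommends, applied to two of the security relevant events listed in policy 39.0 (password guessing and attempts to use unauthorized privileges), as an added example that is not part of the State of Alaska draft: a small Python log reviewer over a constructed key=value log format. The log format, field names (host, event, user, src, priv), sample records and the five-failures-in-five-minutes threshold are all assumptions; a real system log would need its own parser.

```python
"""Exception-report generator for a security relevant event log.

Added example, not part of the State of Alaska draft policies. It assumes a
constructed "TIMESTAMP key=value ..." log format; real system logs differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of failed logins against one account from one
# source, one denied privilege attempt, and ordinary successful activity.
SAMPLE_LOG = """\
2024-03-04T08:00:01 host=payroll01 event=login_success user=asmith src=10.1.2.30
2024-03-04T08:02:10 host=payroll01 event=login_failure user=jdoe src=10.1.2.77
2024-03-04T08:02:14 host=payroll01 event=login_failure user=jdoe src=10.1.2.77
2024-03-04T08:02:19 host=payroll01 event=login_failure user=jdoe src=10.1.2.77
2024-03-04T08:02:25 host=payroll01 event=login_failure user=jdoe src=10.1.2.77
2024-03-04T08:02:31 host=payroll01 event=login_failure user=jdoe src=10.1.2.77
2024-03-04T08:03:00 host=payroll01 event=login_failure user=asmith src=10.1.2.30
2024-03-04T08:45:00 host=payroll01 event=login_success user=jdoe src=10.1.2.30
2024-03-04T09:10:42 host=payroll01 event=priv_denied user=asmith src=10.1.2.30 priv=payroll_admin
2024-03-04T14:30:00 host=payroll01 event=login_failure user=asmith src=10.1.2.30
"""

FAILURE_THRESHOLD = 5          # assumed: this many failures per (user, src) ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window is "password guessing"


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' record into a dict."""
    stamp, _, rest = line.partition(" ")
    fields = {"time": datetime.fromisoformat(stamp)}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_password_guessing(records):
    """Flag each (user, src) pair with >= FAILURE_THRESHOLD failures inside WINDOW."""
    failures = defaultdict(list)
    for r in records:
        if r.get("event") == "login_failure":
            failures[(r["user"], r["src"])].append(r["time"])
    findings = []
    for (user, src), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it is within WINDOW of t.
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                findings.append({"kind": "password_guessing", "user": user, "src": src,
                                 "count": end - start + 1,
                                 "first": times[start], "last": t})
                break  # one finding per pair is enough for the report
    return findings


def find_privilege_misuse(records):
    """Every denied privilege attempt is an exception in its own right."""
    return [{"kind": "unauthorized_privilege", "user": r["user"], "src": r["src"],
             "priv": r.get("priv", "?"), "time": r["time"]}
            for r in records if r.get("event") == "priv_denied"]


def exception_report(text):
    """Return the list of findings a reviewer should follow up on."""
    records = parse_log(text)
    return find_password_guessing(records) + find_privilege_misuse(records)


def format_report(findings):
    """Render findings as the one-line-per-item report a reviewer would read."""
    lines = []
    for f in findings:
        if f["kind"] == "password_guessing":
            lines.append(f"PASSWORD GUESSING? user={f['user']} src={f['src']} "
                         f"{f['count']} failures between {f['first'].time()} "
                         f"and {f['last'].time()}")
        else:
            lines.append(f"UNAUTHORIZED PRIVILEGE: user={f['user']} src={f['src']} "
                         f"priv={f['priv']} at {f['time'].time()}")
    return "\n".join(lines) or "no exceptions"


if __name__ == "__main__":
    print(format_report(exception_report(SAMPLE_LOG)))
```

On the sample log the report lists the five rapid failures for jdoe from 10.1.2.77 and the denied payroll_admin attempt, while asmith's two failures hours apart are left out of the report.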
45.0 Notification of Users About Logging of Security Violations
Policy Text: Users must be put on notice about the specific actions that constitute security violations. Users must also be informed that such violations will be logged. Violations will subject users to disciplinary actions up to and including termination and prosecution.
Policy Commentary: The intention of this policy is to require that all users be clearly informed about the actions which constitute a security violation. To discourage users from engaging in these actions, they should be told that their activities will be logged. Disciplinary action will be very difficult if users have not been told about, and do not clearly understand, what is expected of them. Violations will subject users to disciplinary actions up to and including termination and prosecution. Typically these violations would include attempts to compromise controls through password guessing, changing system access controls, as well as other actions such as crashing the system.
49.0 Approved Virus Checking Programs Required on PCs and Servers
Policy Text: Virus checking programs approved by the Agency Computer Security Officer must be continuously enabled on all servers and personal computers.
Policy Commentary: This policy doesn't make distinctions between integrity checkers, virus screening packages, virus behavior detection packages, and the like. Instead, it relies on the Agency Computer Security Officer to identify one or more standard virus detection software packages. The emphasis is on networked machines because a virus or similar program can propagate much faster in a networked environment than it can in a stand-alone computing environment. The policy focuses on small systems because these are the computers which are most often hit by virus infections, not mainframes and other large-scale systems. For related ideas, see "Testing for Viruses Prior to Use on State Systems" and "Immediate Reporting of Suspected Computer Virus Infestation."
52.0 Removal of All Unauthorized Access Paths in Production Software
Policy Text: Prior to moving software which has been developed in-house to production status, programmers and other technical staff must remove all special access paths so that access may only be obtained via normal secured channels. This means that all trap doors and other short-cuts that could be used to compromise security must be removed. Likewise, all system privileges needed for development efforts but not required for normal production activities must be removed.
Policy Commentary: The intention of this policy is to put programmers and other system developers on notice that they must eliminate all pathways which could be used to compromise security. An example justifying this policy involved the log-in program for what used to be called ARPANET (now Internet); the developers had a special password which allowed them to gain privileged access to any log-in program without having first been granted access by the system's management. This is exactly the type of access pathway that should be eliminated prior to placing systems in production status. Although programmers may only want to save themselves time at some point in the future, by leaving such unauthorized pathways in production systems, they also create pathways that can be exploited by unauthorized parties. The policy also implicitly requires all special access paths to be disclosed in documentation. This policy is particularly relevant to those environments in which end-users are doing their own programming (client-server computing, local area networks, PCs, and the like) because these new programmers may not be familiar with traditional systems development approaches. Also see the policy entitled "Prohibition Against Trap Doors To Circumvent Access Controls."
54.0 Restricted Use of Diagnostic Test Hardware and Software
Policy Text: Diagnostic test hardware and software, such as communications line monitors and network sniffers, must be used only by authorized personnel for testing and development purposes. Access to such hardware and software must be strictly controlled.
Policy Commentary: Diagnostic test hardware and software can be used to insert spurious messages on a communications line so that a fraud may be perpetrated. The tools may also allow people to read communications line traffic that they would otherwise not be able to examine. These wiretapping tools have, for instance, been used to capture readable passwords which are then later used to gain unauthorized system access. The intention of this policy is thus to restrict the use of such powerful tools to troubleshooting and other authorized business activities. The policy gives local management significant leeway in determining the ways in which they secure these hardware and software tools. For instance, some managers will require that line monitor devices be locked in a closet, while others will be satisfied with the use of a metal key to activate and deactivate the device. There is a greater need for this policy in those environments using fixed passwords (rather than dynamic passwords) for system access control.
58.0 Install Latest Patches On Systems Located On Network Periphery
Policy Text: All State of Alaska networked production systems must have an adequately staffed process for expediently and regularly reviewing all newly released systems software patches, bug fixes, and upgrades. This process must also include procedures to promptly install these patches, bug fixes, and upgrades as necessary to all machines interfacing the Internet and other public networks.
Policy Commentary: The objective of this policy is to ensure that systems administrators and others are promptly updating systems software on those systems that interface with public networks like the Internet. If systems software is not promptly updated, then intruders will be able to run vulnerability identification software to identify systems susceptible to publicized exploits. This means that terrorists, hackers, virus writers and others are now using computers to identify those systems that could be breached. If network-connected systems don't have the latest software that incorporates security bug fixes, patches, and upgrades, in a matter of only a few days these systems will be identified and soon thereafter penetrated. In the years ahead, the system-updating process will be increasingly performed without human intervention with the aid of automated software distribution systems. In the meanwhile, it is often a tedious but nonetheless vitally important process.
61.0 Tools Used to Break Systems Security Prohibited
Policy Text: Unless specifically authorized by the Agency Computer Security Officer, State of Alaska workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those which defeat software copy-protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files.
Policy Commentary: Because these tools can be and often are used to circumvent controls, their possession and use should be severely restricted. Possession and use should be allowed only for those who have a need for such powerful tools, such as security auditors and tiger-team staff (penetration attack team members). While these tools are readily available on the open market, on the Internet, and on electronic bulletin boards, State of Alaska users should not be in possession of these tools. Thus, ordinary users should not have a collection of vulnerability identification tools like SATAN and COPS stored on their hard drive. Likewise, users should not have a protocol analyzer (a "sniffer") in their possession because it can be used to perform actions such as a wiretap, password reading, and unauthorized data viewing. For the same reason, users should not have a database which contains working serial numbers needed to operate stolen software. Some users may claim that they never intended to use such tools, that they only acquired them to learn about computers. This policy removes the whole question of the user's intent from the discussion; if users have the tools, they may be disciplined or terminated. Also see the policies "Prohibition Against Testing Information System Controls" and "Disclosure of Information About Information System Vulnerabilities."
77.0 Update & Test Information Systems Contingency Plans
Policy Text: For computer and communications systems, management must prepare, periodically update, and regularly test contingency plans. These plans must provide for the continued operation of critical systems in the event of an interruption or degradation of service.
Policy Commentary: In this context, the words "contingency plans" apply to both emergencies as well as disasters. In the course of preparing contingency plans, organizations should go through what is called a business impact analysis, which examines the effects of various loss scenarios. For example, if a bomb were to go off in a computer center, what would the impact be? Only when the impacts are determined and ranked by priority, can contingency planning resources be allocated efficiently, and can a logical contingency plan be prepared. This policy is intended to mandate the regular update and testing of contingency plans. The information systems field moves so fast that updates are required at the very least annually, and very often more frequently. Of course, other types of contingency plans will also be needed. For example, if a bomb goes off in an organization's headquarters building, then personnel will need another set of offices if the organization's work is going to continue. This backup office space would generally be covered in a facilities contingency plan. Also see the policy entitled "Annual Information Security Planning Process Required."
82.0 Misrepresentation of Identity on Electronic Communication Systems
Policy Text: Misrepresenting, obscuring, suppressing, or replacing a user's identity on an electronic communications system is forbidden. The user name, electronic mail address, organizational affiliation, and related information included with messages or postings must reflect the actual originator of the messages or postings.
Policy Commentary: The intention of this policy is to put users on notice that they may not misrepresent their identity on electronic communication systems, even for practical jokes or other humor. The scope of the policy is deliberately broad (specifically "electronic communication systems") so that it includes telephone systems as well as electronic mail systems. Note that this policy does not require all the routing information on an electronic mail message to be maintained, only the originator's identity. Separately, under this policy, the use of another person's user-ID is a policy violation (and technically electronic forgery). This policy assumes that no group user-IDs have been assigned; in other words, each user should have one or more personal user-IDs.
116.0 Immediate Reporting of Suspected Computer Virus Infestation
Policy Text: Computer viruses, worms, trojans and other malicious code can spread quickly and need to be eradicated as soon as possible to limit serious damage to computers and data. Accordingly, if workers report a computer virus infestation to the Agency Computer Security Officer immediately after it is noticed, even if their negligence was a contributing factor, no disciplinary action will be taken. The only exception to this early reporting amnesty will be those circumstances where a worker knowingly caused a computer virus to be introduced into State of Alaska systems. However, if a report of a known infestation is not promptly made, and if an investigation reveals that certain workers were aware of the infestation, these workers may be subject to disciplinary action.
Policy Commentary: This policy is intended to encourage quick reporting of viruses, which is essential if their growth is to be limited and consequential losses are to be contained. A notable aspect of the policy is that disciplinary action may be taken if there is a delay in reporting a problem. Because even minutes can make a great difference when it comes to the propagation of computer viruses, the word "immediately" was used in the policy. Of course, if a worker has written a virus and let it loose on State of Alaska computers, then this should still be cause for disciplinary action, even if the employee did call the Information Security Department promptly after it got out of hand. The policy, as written, does not stop such a disciplinary action because it refers to "negligence" rather than a deliberate malicious act. Also see the policies "Testing for Viruses Prior to Use on State of Alaska Systems" and "Internal Reporting of Information Security Violations & Problems."
119.0 Annual Analysis of Information Security Violations & Problems
Policy Text: An annual analysis of reported information security problems and violations must be prepared by the State Computer Security Officer.
Policy Commentary: The intention of this policy is to require the State Computer Security Officer to prepare a status report of losses and problems encountered. Such a historical analysis is helpful when performing risk assessments, when preparing job performance evaluations, and also when preparing budgets and project plans for the coming year. Although it may sound like more work for often-overworked information security staff, this policy can help establish and maintain a regular communication path with top management. Notice that the methodology for performing such analyses is not mentioned so as to give the Security Officer the leeway to change its approach as it becomes more sophisticated. Items that at a minimum must be reviewed include: user authentication; incidents such as virus infestation; security problems with vendors. Specific information that could assist hackers, such as IP addresses or open ports, should not be included in the annual report if the report is to be made public. Also see the policies entitled "Required Investigation Following Computer Crimes" and "Retention of Information Security Violation & Problem Information."
120.0 Information Security is Overhead, Not a Charge-Back Item
Policy Text: Information security products and services are provided through Administration overhead budgets, and must not be charged back to each agency.
Policy Commentary: This policy is intended to encourage the allocation of sufficient funds for information security within the State of Alaska. When charge-back systems are used to transfer the costs for information security, all too often unit managers will decide to reduce or eliminate information security. This is not a serious problem if each unit has independent and unconnected information systems, but if they are connected via a network (as they increasingly are), consistency is absolutely required if adequate security is to be achieved. Thus, by providing a central overhead budget, compliance with internal information security standards is significantly enhanced. Separate organizational units can still go their own way with special approval--if they wish to pay for custom systems. This policy helps ensure that all units have sufficient controls, no matter what their budget. This policy addresses one of the organizational design issues that often conspires to render information security ineffective, impotent, and/or irrelevant.
122.0 Overview of Tasks Performed by Computer Security Officers, both State and Agency (draft annotation: "delete delete delete")
Policy Text: The Computer Security Officers are responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures. The focus of these activities is on information, no matter what form it takes, no matter what technology is used to handle it, no matter where it resides, and no matter which people possess it.
Policy Commentary: One intention of this policy is to make it clear that the Computer Security Officers have organization-wide responsibility. Another intention is to clearly emphasize that the Computer Security Officers focus on information per se, not on computers (it should no longer be called the "Computer Security Department"). Although it may organizationally report to the Chief Information Officer (CIO) of a large subsidiary or the Director of the Information Technology Department, the Information Security Department needs to be clearly seen as an authority throughout the organization. Another purpose of this policy is to clearly communicate to workers what the Information Security Department actually does. Many workers have an erroneous view that the Information Security Department will do everything related to information security, and that they need not be involved. The tasks outlined in the policy should be modified to reflect the organizational structure and design at State of Alaska. For example, the policy could be expanded to include investigations, compliance review, and other activities. Some organizations would prefer to put the material found in this policy in a mission statement (or charter) rather than a policy. Also see the policies entitled "Centralized Responsibility for Information Security," "Information Security is Every Worker's Duty," "Information Security Department Mission Supports State of Alaska Goals," and "Specific Tasks Performed by the Information Security Department." A: E; E: LMH.
123.0 Specific Tasks Performed by the Computer Security Officers, both State and Agency
Policy Text: The Computer Security Officers must provide the direction and technical expertise to ensure that State of Alaska's information is properly protected. This includes consideration of the confidentiality, integrity, and availability of both information and the systems that handle it. The Officers will act as liaisons on information security matters between all State of Alaska entities, and must be the focal point for all information security activities throughout the State of Alaska. The Officers must perform risk assessments, prepare action plans, evaluate vendor products, participate with in-house system development projects, assist with control implementations, investigate information security breaches, and perform other activities which are necessary to assure a secure information handling environment.
Policy Commentary: The intention of this policy is to provide specific information about the responsibilities of the Computer Security Officers. Because information security is a new field, many workers will be unclear about the duties of and the contribution to be made by an Information Security Department. This policy can help to eliminate arguments about and focus the work of the Computer Security Officers.
124.0 Annual Information Security Planning Process Required
Policy Text: Working in conjunction with the responsible management, the Computer Security Officers must annually prepare plans for the improvement of information security on all major State of Alaska information systems.
Policy Commentary: The intention of this policy is to require the Agency Computer Security Officers and the State Computer Security Officer to annually prepare a formal plan for improving information security. So much of the work in the information security field is "putting out fires" (handling urgent problems) that information security people need to periodically step back and take another look at what is now being done and what should be done. In other words, this policy requires that staff focus on what's important, not just what's urgent. Separately, this policy communicates that not only should information security people prepare the annual plan, but management should also participate. The policy also indirectly supports the periodic performance of a risk assessment (risk analysis); without specific knowledge of the current risks and vulnerabilities, an organization cannot prepare information security plans that truly respond to its unique business needs. Also see the policies entitled "Preparation and Maintenance of Computer Disaster Recovery Plans," "Preparation and Maintenance of Computer Emergency Response Plans," and "Annual Analysis of Information Security Violations & Problems."
125.0 Designated Agency Computer Security Officer
Policy Text: Every State of Alaska entity that maintains a computer network must have a designated Security Officer. The Security Officer is responsible for defining user privileges, monitoring access control logs, coordinating with the State Computer Security Officer and performing similar activities.
Policy Commentary: The intention of this policy is to make sure that a specific person is designated as the one responsible for security. When it is not clear who is responsible for security, security tasks often get neglected, and as a result the organization is unduly exposed to various problems. All computer systems that handle sensitive, critical, or valuable information should have some sort of access control system. Most often this will involve fixed passwords, but other technologies may also be used. There is no requirement that security officers do their job full-time; part-time security officers are often used in smaller organizations or for those systems which are managed by departments or other decentralized organizational units. Also see the policy entitled "Designated State Computer Security Officer."
126.0 Back-Up Security Administrator Must Be Designated and Trained (draft annotation: "delete delete delete")
Policy Text: Every multi-user State of Alaska system with an access control system must have a designated employee who is responsible for user-ID assignment and user access privilege control. This systems administrator must also have a designated and trained back-up employee who can fill in when necessary.
Policy Commentary: This policy is intended to prevent awkward situations where a security administrator does not have a designated and/or trained back-up person, in which case business activity may be impaired or interrupted. Separately, if a back-up administrator is ready to fill in for a regular administrator, then it is unlikely that security systems will need to be compromised in order to continue necessary business activity. Note that both the regular and the back-up persons should be employees; this is because employees are generally more loyal and most often have a longer tenure with State of Alaska than contractors, consultants, temporaries, and the like. Furthermore, this policy can be used to obtain both necessary staffing and training resources. On another note, this policy assumes that the words "access control system" have been defined elsewhere; generally these words mean a fixed password user identification system with associated user access privilege controls, but many other options such as dynamic password tokens are also available. Also see the policy entitled "Designated Security Administrator for All Multi-User Systems." A: T; E: LMH.
127.0 The State Computer Security Officer Must Maintain and Update the State of Alaska Security Policy
Policy Text: The State Computer Security Officer must prepare, maintain, and disseminate the State of Alaska Security Policy which concisely describes State of Alaska information security policies.
Policy Commentary: The objective of this policy is to require the State Computer Security Officer to prepare and maintain the security policies of the State of Alaska. Without specific policies on information security, the State may have a difficult time securing its networked data systems. Likewise, without specific written policies, the authority to conduct awareness and training efforts may be problematic. The State Computer Security Officer must ensure that all State of Alaska computer users are aware of and have convenient access to any necessary materials required to maintain information security.
128.0 Involvement of Agency Information Security staff All information security problems must be handled with the involvement and cooperation of Agency information security staff. The use of external consultants, computer security response teams, or other outsiders is specifically prohibited unless these have been approved by the State Computer Security Officer. This policy helps keep security problems inside the organization, lessening the probability that they will become known to unauthorized parties. The policy also fosters the use of the in-house information security group rather than alternative suppliers of information security services. It thus keeps costs down and also assures that in-house policies, standards, methods, and the like will be consistently applied. Although this policy does not require that all work be done by a central in-house information security group, it does require the group's approval. Outsourcing is therefore still an option, particularly when there are not enough in-house staff members to handle a certain project.
129.0 Designated State Computer Security Officer with Uncontested Statewide Authority The State of Alaska must establish and support a Computer Security Officer placed in the organizational structure in such a position that they have the authority to enforce security policies and oversee information security practices. The intention of this policy is to ensure that the State Computer Security Officer can be effective. The State Computer Security Officer must have uncontested authority over information security issues. This position must be more than a figurehead with no real authority. The policy is particularly important as the duties of the Agency Computer Security Officers are typically assigned on a part-time basis to workers performing other functions. The State Computer Security Officer must work with the Agency Computer Security Officers, support their activities and provide technical guidance. Other duties typical of the State Computer Security Officer are to prepare annual reports, coordinate the response to incidents, act as a central spokesperson to the user community on information security issues, and coordinate the flow of information among Agency Computer Security Officers. Also see the policy entitled "Designated Agency Computer Security Officer."
130.0 Security Responsibilities for Real-Time Connections with Third Parties Before any third party users are permitted to reach State of Alaska systems via real-time computer connections, specific written approval of both the State Computer Security Officer and the Agency Computer Security Officer is required. Requests for approvals must specify the security related responsibilities of State of Alaska, the security related responsibilities of the common carrier (if used), and the security related responsibilities of all other involved third parties. These responsibility statements must also address the liability exposures of the involved parties. The purpose of this policy is to prevent real-time (as opposed to store-and-forward) connections of State of Alaska systems with third parties unless these have been shown to be adequately secure. This policy would, for instance, prevent consultants from having access to confidential data unless security issues had previously been examined and approved controls had been properly implemented. Only after clearly specifying security responsibilities can the State of Alaska determine whether it wants to accept the risks that the connection presents. The policy would allow internal users to employ out-bound dial-up systems to access third party electronic mail services and on-line database retrieval services without the need for a security evaluation and approval process. This policy would also allow Internet electronic mail connections because these are store-and-forward (not real-time) connections. Also see the policy entitled "Internet Connections Require Approved Firewalls."
135.0 Tools Used to Break Systems Security Prohibited Unless specifically authorized by the State Computer Security Officer, State of Alaska workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those which defeat software copy-protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files. This policy applies to all State of Alaska computer systems, premises and devices connected to any State of Alaska network system. Because these tools can be and often are used to circumvent controls, their possession and use should be severely restricted. Possession and use should be allowed only for those who have a need for such powerful tools, such as EDP auditors and tiger-team staff (penetration attack team members). While these tools are readily available on the open market, on the Internet, and on electronic bulletin boards, State of Alaska users should not be in possession of these tools in such a way that they could be used to compromise any State of Alaska system. Thus, ordinary users should not have a collection of vulnerability identification tools like SATAN and COPS stored on their hard drive at work. Likewise, users should not have a Sniffer(TM) in their possession because it can be used to perform a wiretap. For the same reason, users should not have a database which contains working serial numbers needed to operate stolen software. Some users may claim that they never intended to use such tools, that they only acquired them to learn about computers. This policy removes the whole question of the user's intent from the discussion; if users have the tools, they are in violation of the policy. Note that this policy does not prohibit an employee from using such tools on a home computer unless that computer is configured to access any State of Alaska data system. The policy is not intended to prohibit any authorized user from accessing State of Alaska web or e-mail services. Also see the policies "Prohibition Against Testing Information System Controls" and "Disclosure of Information About Information System Vulnerabilities."
137.0 Confidentiality of Internal Investigations Information Until charges are pressed or disciplinary action taken, all investigations of alleged criminal or abusive conduct must be kept strictly confidential to preserve the reputation of the suspected party. Beyond the objective stated in the policy, this policy helps reduce the probability that State of Alaska will be hit with a lawsuit alleging defamation of character. The intention of the policy is to clearly define the point in time when it becomes permissible to disclose information about employee investigations. One desirable aspect of this policy is that investigations which do not result in prosecution (pressing charges) or disciplinary action will never be disclosed (declassified). If the employee never knew about the investigation, then they can remain as a worker in good standing. On the other hand, if the employee heard about an investigation in process that later turned out to be inappropriate, they may become disgruntled or soon leave the organization. The policy mentions the "reputation" of the individual rather than staying out of legal trouble because the dignity of the individual is a more noble goal, and because it is taken for granted that management wants to operate within the confines of the law. Also see the policy entitled "Required Investigation Following Computer Crimes."
138.0 Install And Monitor Intrusion Detection Systems To allow the State of Alaska to promptly respond to attacks, all primary ingress points from the Internet to the State network must be running an intrusion detection system approved by and implemented with the concurrence of the State Computer Security Officer. The term "primary" refers to the major connections that carry the bulk of legitimate traffic to and from the Internet. Intrusion detection systems are different from vulnerability identification systems. The former provides an alert system telling staff when the defenses have been breached. The latter tells staff what needs fixing in order to bolster the defenses. Typically an intrusion detection system will feed a network management system (NMS) or some other notification system that will immediately alert those who are in a position to do something. For example, members of a Computer Emergency Response Team (CERT) can get into action based on pager alerts from an intrusion detection system. This policy helps to ensure that all systems on the periphery of an internal network have adequate intrusion detection systems. The State Computer Security Officer is responsible for approving an IDS product and for ensuring that it is installed and implemented in a fashion that protects State of Alaska resources.
139.0 Assign Explicit Responsibility For Information Security Tasks Specific information security responsibilities must be incorporated into all worker job descriptions if such workers have access to sensitive, valuable, or critical information. The time has come to stop saying that information security is everyone's responsibility while at the same time ignoring the need to specifically assign responsibility to certain people. This policy is intended to create clarity about what is expected of all people who have access to sensitive, valuable, or critical information. Included within the scope of this policy are end-users, who often believe that they have no responsibilities in the information security area. In reality, end-users are on the front line in the battle against intruders, viruses, and other information security problems. Today's information security environment involves the distribution of information not only to end-user desktop computers, but also to workers' homes, to outsourcing firms' premises, to strategic partners' premises, and to other locations. These and other people must cohesively work together as a team in order to achieve genuine information security. This can only be done if the responsibilities of each are explicitly assigned.
141.0 All security incident information must be tracked by the affected ACSO and forwarded to the SCSO All security incident related information, such as viruses and hacks, must be tracked by the affected Agency Computer Security Officer. Information gathered by the Agency must be passed along as soon as possible to the State Computer Security Officer. The intent of this policy is to ensure that all information gathered during a security incident makes it to the central security office. It is important that there be a single point of contact on security that can look for patterns and systemic vulnerabilities. While an individual agency may see a specific security incident as minor, when it is combined with incidents from other agencies, patterns of attack may become clearer. The key here is the need for good communication between the State Computer Security Officer and the various Agency Computer Security Officers.
142.0 Users may not connect a modem to any phone system on a network-connected machine without authorization. No computer user may connect a modem to a phone line if the computer with the modem is attached to a State of Alaska computer network, unless the Agency Computer Security Officer has approved the connection. One of the largest potential security holes in the State of Alaska network is the use of uncontrolled modems. If the computer with the modem is on a State network, it is possible for a hacker to use the trusted computer with the modem to gain access to State computer resources and data. It is probable that the legitimate user of the computer would appear in security logs as the party performing the hack. This policy is intended to protect both State of Alaska resources and legitimate State computer users. It is the role of the Agency Computer Security Officer to ensure that any modems in use within the Agency for which they are responsible conform to the State of Alaska security policies.
150.0 Restrictions on Tiger Team Activities and Release of Findings Only the State Computer Security Officer may authorize Tiger Team activities and the release of their findings. A Tiger Team is a group that attempts to break into a computer network or otherwise access secured computing services using hacker style techniques. Tiger Team activities, by definition, attempt to compromise security. For this reason it is important that they only be done when necessary and with the authorization of the State Computer Security Officer. It is equally important that any results of a Tiger Team be kept confidential and be released only to the affected Agency Computer Security Officer or others on a need-to-know basis.
151.0 Agencies can write their own security policy as long as it is no less stringent than these An Agency may develop a Security Policy, but it must not subject the State to reduced security. Some Agencies may find that the officially adopted State of Alaska Security Policy is inadequate for their needs. An agency may develop its own policy, but it is critical that the alternate Security Policy be no less stringent than the official policy. For an Agency to develop and adopt its own Security Policy, it must be reviewed and approved by the State Computer Security Officer.
152.0 Annual Review of Computer Security Officers An independent third party must perform an annual review of all Computer Security Officers to ensure they are enforcing the State of Alaska security policies and using industry standard best practices. The results of the reviews will be provided to the Commissioner of Administration and are to remain confidential. The role of Computer Security Officers, both Agency and State, is vital to the implementation of the State of Alaska Security Policy. Security officers are responsible for ensuring the continued functioning of State networks in a secure fashion. An independent review must be performed so that the State can be assured that someone is "watching the watchers".