State of Alaska DRAFT Security Policies

Applicable to Management

Each entry below gives the Policy ID No. and Policy title, followed by the Policy Text and the Policy Commentary.
18.0 Leaving Sensitive Systems Without Logging-Off

Policy Text: If the computer system to which they are connected is a medium or high risk system, users must not leave their computer unattended for more than half an hour without first logging out or otherwise locking the computer from unauthorized use.

Policy Commentary: This policy seeks to prevent unauthorized disclosure of information as well as unauthorized use. Instead of mandating a period of no activity beyond which jobs will be automatically terminated, this policy puts the onus of responsibility on the user. The Agency Computer Security Officer may set the unattended time window to a lower value. Screen savers that require passwords or similar mechanisms are acceptable.

21.0 Gaining Unauthorized Access Via State Information Systems

Policy Text: Workers using State of Alaska information systems are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. Likewise, workers are prohibited from capturing or otherwise obtaining passwords, encryption keys, or any other access control mechanism which could permit unauthorized access.

Policy Commentary: The intention of this policy is to clearly establish management's position forbidding hacking (also called cracking) activities via State of Alaska information systems. The policy is written in such a way that it applies to both internal and external information systems. The policy embraces a wide variety of hacker techniques, including social engineering (where a hacker masquerades as someone else) and password grabbers (which record passwords via wiretap-like mechanisms). The words "access control mechanism" include smart cards, dynamic password tokens, and the like. Separately, this policy can be used to discipline, and perhaps terminate, a worker who was hacking via State of Alaska information systems. For related ideas, see the policies entitled "Prohibition Against Testing Information System Controls" and "Tools Used to Break Systems Security Prohibited."

23.0 Privilege Restriction Based on Legitimate Business Need

Policy Text: The computer and communications system privileges of all users, systems, and programs must be restricted based on a legitimate business need.

Policy Commentary: The intention of this policy is to prevent the granting of excessive privileges to users. Excessive privileges often allow users to perform abusive and unauthorized acts, such as viewing private information belonging to other users. Excessive privileges may also allow users to commit errors which have serious consequences, such as bringing a communications server down during business hours. Borrowed from the military, the need-to-know approach is a fundamental idea underlying nearly all commercial access control systems.

30.0 Unbecoming Conduct and the Revocation of Access Privileges

Policy Text: State of Alaska management reserves the right to revoke the privileges of any user at any time. Conduct that interferes with the normal and proper operation of State of Alaska information systems, which adversely affects the ability of others to use these information systems, or which is harmful or offensive to others will not be permitted.

Policy Commentary: The intention of this policy is to put users on notice that they jeopardize their status as authorized users if they engage in the activities described. For example, crashing the system could reasonably be expected to be harmful to other users, and would accordingly subject the perpetrator to disciplinary action including privilege revocation. Rather than specifying all the nasty things that people could do, such as crashing a system, this policy is discreet and high-level. The broadly-stated policy may also give management ample latitude when it comes to making a decision about privilege revocation. Persons who abuse their privileges may also be subject to disciplinary action including civil or criminal legal action. Also see the policies entitled "Default User Privileges and Need for Explicit Approvals" and "Periodic Review and Reauthorization of User Access Privileges."

31.0 Prohibitions Against Testing Information System Controls

Policy Text: Workers must not test, or attempt to compromise, State of Alaska computer security system controls unless specifically approved in advance and in writing by the State Computer Security Officer and the appropriate Agency Computer Security Officer.

Policy Commentary: When users attempt to break controls, this fosters an "attack ethic," i.e., an environment where it is acceptable for workers to attempt to break system controls. This policy eliminates an often invoked excuse for computer crimes, as the perpetrators may say that they were merely "testing the control system so as to be able to improve it." Of course, internal auditors already have this approval (in their departmental mission statement), and they should continue to test controls. While there is merit to regularly testing controls to illuminate weaknesses, this activity needs to be strictly controlled and performed in a confidential manner (lest the results be exploited by employees and others). This policy also prohibits "tiger team attacks" (also known as "penetration attacks") unless approved in advance by management. See also "Prohibition Against Exploiting Systems Security Vulnerabilities."

32.0 Prohibition Against Exploiting Systems Security Vulnerabilities

Policy Text: Users must not exploit vulnerabilities or deficiencies in information systems security to damage systems or information, to obtain resources beyond those they have been authorized to obtain, to take resources away from other users, or to gain access to other systems for which proper authorization has not been granted. All such vulnerabilities and deficiencies should be promptly reported to the Agency Computer Security Officer.

Policy Commentary: The intention of this policy is to make it clear that users must not take advantage of information security vulnerabilities and deficiencies, even if they are aware of such problems. One example of such a problem involves having knowledge of a special password that allows a user to do things they would otherwise not be able to perform. In a broad sense, this policy is saying that users are given only the privileges explicitly granted to them--if they can do something else due to security problems, they are not authorized to take advantage of these problems. As written, the policy includes errors made by systems administrators, for example if a user was given too many privileges. While this example may not involve a control vulnerability, it is decidedly a deficiency associated with the deployment of controls. For related ideas, see the policies entitled "Required Reporting of Information Security Incidents" and "Restricted Use of Diagnostic Test Hardware and Software."

34.0 Administrative Security Management for All Networked Computers

Policy Text: Configurations and set-up parameters on all computers attached to the State of Alaska network must comply with State of Alaska security management policies and standards.

Policy Commentary: The intention of this policy is to clearly state that all LAN administrators, mainframe access control package administrators, and the like must consistently abide by internal security management policies and standards. Often these administrators are tempted to do things their own way, perhaps inadvertently opening an unauthorized access pathway to connected machines. This policy may at first seem unnecessary; some people may think that everyone else knows that the weakest link in a chain will be the first to break. But there is merit to stating this idea in writing, perhaps giving management something else to use when attempting to get administrators to abide by internal policies and standards.

35.0 Reporting Changes in User Duties to Systems Security Administration

Policy Text: Management must promptly report all significant changes in end-user duties or employment status to the computer system security administrators handling the user-IDs of the affected persons.

Policy Commentary: The intention behind this policy is to support the notion of least privilege. End-user privileges must promptly be turned off if an individual has been terminated, transferred, promoted, put on leave without pay, or otherwise no longer in the same position. Systems security administrators don't generally know about these changes unless they receive notification from the involved managers (or alternately from the Human Resources Department). A separate but related policy requiring that all such status-change information be kept in strict confidence is advisable because a terminated employee may bring a defamation of character lawsuit. This policy may be particularly useful when it comes time to establish standard procedures for notifying administrators about worker status changes. See the related policies entitled "Changing Physical Access Control Codes on Worker Termination" and "Transfer of Information Custodian Duties After Employee Terminations."

36.0 Maintenance of Master User-ID and Privilege Database

Policy Text: So that their privileges may be expediently revoked on short notice, records reflecting all the computer systems on which users have user-IDs must be kept up-to-date.

Policy Commentary: The intention behind this policy is to make sure that all user-IDs that an employee (or consultant, contractor, temporary, etc.) uses can be readily identified and the associated privileges quickly revoked. This will, for instance, be useful when an employee has been shown to be embezzling, in which case all user-IDs should be shut down immediately. Even when less dramatic changes in user status take place, such a database can be very helpful in determining which systems security administrators should be notified. Also see the policy entitled "Naming Standard for a Single User-ID Used on All Platforms."

37.0 Transfer of Information Custodian Duties After Employee Terminations

Policy Text: When a worker leaves any position with the State of Alaska, both computer resident files and paper files must be promptly reviewed by their immediate manager to determine who should become the custodian of such files, and/or the appropriate methods to be used for file disposal. The computer user's manager must then promptly reassign the computer user's duties as well as specifically delegate responsibility for information formerly in the computer user's possession.

Policy Commentary: The intention behind this policy is to clearly and expediently transfer custodian responsibilities, and thereby to ensure that security measures are maintained in minimally acceptable ways. The reassignment of duties process is especially important if the files contain sensitive, critical, or valuable information. This policy also implicitly puts employees on notice that their files will be examined by others after they leave the organization. Additionally, with this policy, managers are put on notice that they are responsible for the proper handling of a departed worker's information. The policy helps to avoid fraud, sabotage, and other abuses, which frequently take place when no specific person has responsibility for a certain area (perpetrators often take advantage of the confusion surrounding the departure of an employee). See the policy entitled "Changing Physical Access Control Codes on Worker Termination."

45.0 Notification of Users About Logging of Security Violations

Policy Text: Users must be put on notice about the specific actions that constitute security violations. Users must also be informed that such violations will be logged. Violations will subject users to disciplinary actions up to and including termination and prosecution.

Policy Commentary: The intention of this policy is to require that all users be clearly informed about the actions which constitute a security violation. To discourage users from engaging in these actions, they should be told that their activities will be logged. Disciplinary action will be very difficult if users have not been told about, and do not clearly understand, what is expected of them. Violations will subject users to disciplinary actions up to and including termination and prosecution. Typically these violations would include attempts to compromise controls through password guessing, changing system access controls, as well as other actions such as crashing the system.

54.0 Restricted Use of Diagnostic Test Hardware and Software

Policy Text: Diagnostic test hardware and software, such as communications line monitors and network sniffers, must be used only by authorized personnel for testing and development purposes. Access to such hardware and software must be strictly controlled.

Policy Commentary: Diagnostic test hardware and software can be used to insert spurious messages on a communications line so that a fraud may be perpetrated. The tools may also allow people to read communications line traffic that they would otherwise not be able to examine. These wiretapping tools have, for instance, been used to capture readable passwords which are then later used to gain unauthorized system access. The intention of this policy is thus to restrict the use of such powerful tools to troubleshooting and other authorized business activities. The policy gives local management significant leeway in determining the ways in which they secure these hardware and software tools. For instance, some managers will require that line monitor devices be locked in a closet, while others will be satisfied with the use of a metal key to activate and deactivate the device. There is a greater need for this policy in those environments using fixed passwords (rather than dynamic passwords) for system access control.

59.0 Release of Systems Documentation to Third Parties

Policy Text: Prior to being released to third parties, all documentation that describes State of Alaska systems or systems procedures must be reviewed by the Agency Computer Security Officer to ensure that confidential information is not being inadvertently disclosed.

Policy Commentary: It is important to communicate to workers that documentation, not just business records, may warrant restricted dissemination procedures. This policy puts staff on notice that they are not to release internal systems documentation without prior approval. The approval could also be provided by the Information Systems Department manager, legal counsel, or some other manager. This policy is also called for because many system crackers/hackers use so-called "social engineering" (also known as "conning") to get information about internal systems, which in turn allows them to break into these systems. If employees are on notice that such information is not to be distributed to outsiders without prior permission, it is less likely that they will fall for such ploys.

60.0 Information as an Important State of Alaska Asset

Policy Text: Information is an important State of Alaska asset. Accurate, timely, relevant, and properly protected information is absolutely essential to State of Alaska's business. To ensure that information is properly handled, all accesses to, uses of, and processing of State of Alaska information must be consistent with State of Alaska information systems related policies and standards.

Policy Commentary: This general policy helps to set the context for a number of other information security policies. Such a statement is frequently incorporated into the first set of policies as well as summary material oriented towards users and members of the management team. It is necessary for these people to appreciate how information has become a critical factor of production in modern business--only then can they appreciate the pressing need for information security. The intention of this policy is thus to motivate the need for information security measures and to contextualize the use of information systems in modern organizations.

61.0 Tools Used to Break Systems Security Prohibited

Policy Text: Unless specifically authorized by the Agency Computer Security Officer, State of Alaska workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those which defeat software copy-protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files.

Policy Commentary: Because these tools can be and often are used to circumvent controls, their possession and use should be severely restricted. Possession and use should be allowed only for those who have a need for such powerful tools, such as security auditors and tiger-team staff (penetration attack team members). While these tools are readily available on the open market, on the Internet, and on electronic bulletin boards, State of Alaska users should not be in possession of these tools. Thus, ordinary users should not have a collection of vulnerability identification tools like SATAN and COPS stored on their hard drive. Likewise, users should not have a protocol analyzer (a "sniffer") in their possession because it can be used to perform actions such as a wiretap, password reading, and unauthorized data viewing. For the same reason, users should not have a database which contains working serial numbers needed to operate stolen software. Some users may claim that they never intended to use such tools, that they only acquired them to learn about computers. This policy removes the whole question of the user's intent from the discussion; if users have the tools, they may be disciplined or terminated. Also see the policies "Prohibition Against Testing Information System Controls" and "Disclosure of Information About Information System Vulnerabilities."

62.0 Handling of Third Party Confidential and Proprietary Information

Policy Text: Unless specified otherwise by contract, all confidential or proprietary information that has been entrusted to State of Alaska by a third party must be protected as though it were State of Alaska confidential information.

Policy Commentary: In many cases the people handling third party information do not have access to the contracts which define agreed-upon procedures for handling information entrusted to State of Alaska. This policy by default assigns a classification of "confidential" to all such information.

63.0 Software and/or Data Exchanges with Third Parties Require Agreements

Policy Text: Exchanges of software and/or data between State of Alaska and any third party may not proceed unless a written agreement has first been signed. Such an agreement must specify the terms of the exchange, as well as the ways in which the software and/or data is to be handled and protected. This policy does not cover release of information designated as public.

Policy Commentary: The intention of this policy is to prevent misunderstandings about the use of and protection of State of Alaska proprietary or sensitive information. For example, if an agency and a consultant exchange mailing lists, it could be specified in writing that the lists are to be used once only (or whatever other arrangements have been established). Having a written contract also provides some assurance that controls will be used to prevent the information from being disclosed to unauthorized third parties and from being used for purposes other than those originally intended. Because it encourages some restraint associated with the dissemination of information, this policy is relevant to electronic mail and the Internet.

64.0 Disclosure of Information on State Systems to Law Enforcement

Policy Text: By making use of State of Alaska systems, users consent to allow all information they store on State of Alaska systems to be divulged to law enforcement at the discretion of State of Alaska management.

Policy Commentary: This policy puts users on notice that they should not have an expectation of privacy with respect to State of Alaska systems. It also puts users on notice that no search warrant will be necessary before law enforcement agents gain access to information they store on State of Alaska systems. Management may wish to reveal certain information (such as electronic mail logs) to law enforcement; this could be appropriate if management discovered the use of its computing facilities to conduct drug deals or some other illegal activity. Like the policy entitled "Right of Management to Examine Data Stored on State of Alaska Systems," this policy helps to manage user expectations, making sure that users understand they do not have normal privacy protections applicable to public communications carriers (like the phone company). For third parties this applies to any data or data systems that contain State of Alaska data. For third parties this does not include proprietary and company confidential information but only pertains to the portions that are relevant to work performed for the State of Alaska. Also see the policies entitled "Disclosure of Private Information to Third Parties" and "Electronic Mail Messages Are Company Records."

65.0 Privacy Expectations and Information Stored on State Systems

Policy Text: At any time and without prior notice, State of Alaska management reserves the right to examine archived electronic mail, personal file directories, hard disk drive files, and other information stored on State of Alaska information systems. This examination is performed to assure compliance with internal policies, support the performance of internal investigations, and assist with the management of State of Alaska information systems.

Policy Commentary: The intention of this policy is to put computer users on notice that the information they store, transmit, or otherwise process via State of Alaska information systems is subject to management review. This will encourage them to use such information systems for business purposes only. It will also help to deter unethical or illegal activities such as downloading pornography from the Internet, and then storing such information on a State of Alaska computer hard disk drive. See the policy entitled "Privacy Expectations and Electronic Mail."

67.0 No Blanket Monitoring of Employee Communications

Policy Text: In general terms, State of Alaska does not engage in blanket monitoring of employee communications. It does, however, reserve the right to monitor, access, retrieve, read, and/or disclose employee communications when: (a) a legitimate business need exists that cannot be satisfied by other means, (b) the involved employee is unavailable and timing is critical to a business activity, (c) there is reasonable cause to suspect criminal activity or policy violation, or (d) monitoring is required by law, regulation, or third-party agreement.

Policy Commentary: The intention of this policy is to put employees on notice that their communications may be monitored under certain circumstances. The policy also seeks to assure employees that a "big brother" style blanket monitoring process does not exist, and that the right to monitor will be used judiciously and only when a legitimate business need exists. For a related idea, see the policy entitled "Privacy Expectations and Information Stored on State of Alaska Systems."

69.0 Monitoring of Electronic Mail Messages

Policy Text: Messages sent over State of Alaska internal electronic mail systems are not subject to the privacy provisions of the Electronic Communications Privacy Act of 1986 (which prohibits wiretapping), and therefore may be read by State of Alaska management and system administrators.

Policy Commentary: This policy makes it clear that management and technical staff may read worker electronic mail messages when management authorizes it. By the same token, technical staff may not monitor e-mail without authorization. Also see the policy entitled "Privacy Expectations and Electronic Mail."

72.0 Information With Multiple Risk Categories On Single System

Policy Text: If a computer system contains information with varying risk categories, the controls used must reflect the highest risk information on the system.

Policy Commentary: The intention of this policy is to make sure that sensitive information is not improperly disclosed because it is on the same system as other less sensitive information. Separately, this policy would for example indicate that the operating system's access control mechanisms must be strong enough to protect the most sensitive information on the system; this means that all the other types of information must bear the overhead of this most sensitive type of information.

74.0 Organization and Maintenance of Computer Emergency Response Team

Policy Text: The State must organize and maintain a computer emergency response team (CERT) that will provide accelerated problem notification, damage control, and problem correction services in the event of computer related emergencies such as virus infestations, hacker break-ins, and the like.

Policy Commentary: The classic CERT that has been the model for many in-house CERTs can be found at Carnegie Mellon University, in Pittsburgh, Pennsylvania, USA; their e-mail address is cert@cert.org. The Carnegie Mellon CERT assists users of the Internet network, while other CERTs coordinate investigations and problem eradication efforts on an international basis. By formally defining an in-house CERT, an organization becomes better prepared to deal with security-related contingencies. Use of an in-house CERT also reduces the probability that problems will become public knowledge. The intention of this policy is thus to require that Data Processing or related technical management set up and support a CERT. Also see the policies entitled "Internal Reporting of Information Security Violations & Problems" and "Information Security Alert System."

77.0 Update & Test Information Systems Contingency Plans

Policy Text: For computer and communications systems, management must prepare, periodically update, and regularly test contingency plans. These plans must provide for the continued operation of critical systems in the event of an interruption or degradation of service.

Policy Commentary: In this context, the words "contingency plans" apply to both emergencies as well as disasters. In the course of preparing contingency plans, organizations should go through what is called a business impact analysis, which examines the effects of various loss scenarios. For example, if a bomb were to go off in a computer center, what would the impact be? Only when the impacts are determined and ranked by priority can contingency planning resources be allocated efficiently and a logical contingency plan be prepared. This policy is intended to mandate the regular update and testing of contingency plans. The information systems field moves so fast that updates are required at the very least annually, and very often more frequently. Of course, other types of contingency plans will also be needed. For example, if a bomb goes off in an organization's headquarters building, then personnel will need another set of offices if the organization's work is going to continue. This backup office space would generally be covered in a facilities contingency plan. Also see the policy entitled "Annual Information Security Planning Process Required."

89.0 Security Requirements for Work at Home Arrangements

Policy Text: Work at home (telecommuting) arrangements are a management option, not a universal employee benefit. Permission to telecommute is the decision of the involved employee's manager. Before a telecommuting arrangement can begin, this manager must be satisfied that an alternative worksite (such as a home office) is appropriate for the State of Alaska work performed by the involved employee. Security factors that must be evaluated and approved by the Agency Computer Security Officer before authorizing telecommuting include: virus scanning, firewall, VPN, data backup, and physical security.

Policy Commentary: Discussions about "alternative worksites" (notably home offices) have become more prevalent in the last few years. Whenever these arrangements are being considered it is important to consider what happens to State of Alaska physical assets (such as computers) as well as information assets. See also the policies "Dial-Up Connections Must Utilize an Access Control Point," "External Network Connections Require Firewalls," and "Internet Connections Require Approved Firewalls."

113.0 Interference with Reporting of Information Security Problems

Policy Text: Any attempt to interfere with, prevent, obstruct, or dissuade a staff member in their efforts to report a suspected information security problem or violation is strictly prohibited and cause for disciplinary action. Any form of retaliation against an individual reporting or investigating information security problems or violations is also prohibited and cause for disciplinary action.

Policy Commentary: This policy attempts to encourage workers who wish to report an information security problem or violation, yet are concerned that doing so may be difficult, problematic, or otherwise ill-advised. These "whistle blowers" are often concerned that their own immediate management will penalize them for reporting problems or violations. This policy attempts to foster the perspective that it is in the best interest of the State of Alaska that all security problems be reported, and that it is against this policy for anyone to interfere with the reporting, even if the report may make someone "look bad."

114.0 Protection of Workers Who Report Information Security Problems

Policy Text: State of Alaska will protect workers who report in good faith what they believe to be a violation of laws or regulations, or conditions that could jeopardize the health or safety of other workers. This means that such workers will not be terminated, threatened, or discriminated against because they report what they perceive to be a wrongdoing or dangerous situation. Before taking any other action, these workers must report the problem to their manager or the Agency Computer Security Officer, and then give the organization time to remedy the situation.

Policy Commentary: The intention of this policy is to assure workers who are considering reporting problems that the organization will protect them. This should encourage workers to make reports when they may otherwise have been deterred by the potential adverse consequences. This policy does not prohibit external reporting -- it only states that the problem should first be internally reported. The policy is deliberately defined in a broad manner so that it includes information security problems; it also includes physical security problems as well as worker safety problems. For a related idea, see the policy entitled "External Reporting of Information Security Violations."

117.0 Required Investigation Following Computer Crimes

Policy Text: Whenever evidence clearly shows that State of Alaska has been victimized by a computer or communications crime, a thorough investigation must be performed. This investigation must provide sufficient information so that management can take steps to ensure that: (1) such incidents cannot reasonably take place again, and (2) effective security measures have been reestablished.

Policy Commentary: This policy is intended to make sure that appropriate action is taken in response to computer or communications system crimes. Too often there is an inclination to "sweep" the whole affair "under the rug." To prevent the potential suppression of information about vulnerabilities (often because it could be embarrassing to someone), this policy requires that an investigation be started. In most instances, department and other local management will not have the expertise to carry out such a sophisticated investigation. Thus, the policy indirectly requires these managers to contact the Agency Computer Security Officer and the State Computer Security Officer. The policy also helps guard against lawsuits alleging that management did not take care of problems even though they were "on notice" that security problems existed. Also see the policy entitled "Confidentiality of Internal Investigations Information."

120.0 Information Security is Overhead, Not a Charge-Back Item

Policy Text: Information security products and services are provided through Administration overhead budgets, and must not be charged back to each agency.

Policy Commentary: This policy is intended to encourage the allocation of sufficient funds for information security within the State of Alaska. When charge-back systems are used to transfer the costs for information security, all too often unit managers will decide to reduce or eliminate information security. This is not a serious problem if each unit has independent and unconnected information systems, but if they are connected via a network (as they increasingly are), consistency is absolutely required if adequate security is to be achieved. Thus, by providing a central overhead budget, compliance with internal information security standards is significantly enhanced. Separate organizational units can still go their own way with special approval -- if they wish to pay for custom systems. This policy helps ensure that all units have sufficient controls, no matter what their budget. This policy addresses one of the organizational design issues that often conspires to render information security ineffective, impotent, and/or irrelevant.

122.0 Overview of Tasks Performed by Computer Security Officers, both State and Agency The Computer Security Officers are responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures. The focus of these activities is on information, no matter what form it takes, no matter what technology is used to handle it, no matter where it resides, and no matter which people possess it. One intention of this policy is to make it clear that the Computer Security Officers have organization-wide responsibility. Another intention is to clearly emphasize that the Computer Security Officers focus on information per se, not on computers (it should no longer be called the "Computer Security Department"). Although it may organizationally report to the Chief Information Officer (CIO) of a large subsidiary or the Director of the Information Technology Department, the Information Security Department needs to be clearly seen as an authority throughout the organization. Another purpose of this policy is to clearly communicate to workers what the Information Security Department actually does. Many workers have an erroneous view that the Information Security Department will do everything related to information security, and that they need not be involved. The tasks outlined in the policy should be modified to reflect the organizational structure and design at State of Alaska. For example, the policy could be expanded to include investigations, compliance review, and other activities. Some organizations would prefer to put the material found in this policy in a mission statement (or charter) rather than a policy. Also see the policies entitled "Centralized Responsibility for Information Security," "Information Security is Every Worker's Duty," "Information Security Department Mission Supports State of Alaska Goals," and "Specific Tasks Performed by the Information Security Department."
123.0 Specific Tasks Performed by the Computer Security Officers, both State and Agency The Computer Security Officers must provide the direction and technical expertise to ensure that State of Alaska's information is properly protected. This includes consideration of the confidentiality, integrity, and availability of both information and the systems that handle it. The Officers will act as liaisons on information security matters between all State of Alaska entities, and must be the focal point for all information security activities throughout the State of Alaska. The Officers must perform risk assessments, prepare action plans, evaluate vendor products, participate in in-house system development projects, assist with control implementations, investigate information security breaches, and perform other activities which are necessary to assure a secure information handling environment. The intention of this policy is to provide specific information about the responsibilities of the Computer Security Officers. Because information security is a new field, many workers will be unclear about the duties of and the contribution to be made by an Information Security Department. This policy can help to eliminate arguments about, and focus, the work of the Computer Security Officers.
124.0 Annual Information Security Planning Process Required Working in conjunction with the responsible management, the Computer Security Officers must annually prepare plans for the improvement of information security on all major State of Alaska information systems. The intention of this policy is to require Agency Computer Security Officers and the State Computer Security Officer to annually prepare a formal plan for improving information security. So much of the work in the information security field is "putting out fires" (handling urgent problems) that information security people need to periodically step back and take another look at what is now being done and what should be done. In other words, this policy requires that staff focus on what's important, not just what's urgent. Separately, this policy communicates that not only should information security people prepare the annual plan, but management should also participate. The policy also indirectly supports the periodic performance of a risk assessment (risk analysis); without specific knowledge of the current risks and vulnerabilities, an organization cannot prepare information security plans that truly respond to its unique business needs. Also see the policies entitled "Preparation and Maintenance of Computer Disaster Recovery Plans," "Preparation and Maintenance of Computer Emergency Response Plans," and "Annual Analysis of Information Security Violations & Problems."
125.0 Designated Agency Computer Security Officer Every State of Alaska entity that maintains a computer network must have a designated Security Officer. The Security Officer is responsible for defining user privileges, monitoring access control logs, coordinating with the State Computer Security Officer, and performing similar activities. The intention of this policy is to make sure that a specific person is designated as the one responsible for security. When it is not clear who is responsible for security, security tasks often get neglected, and as a result the organization is unduly exposed to various problems. All computer systems that handle sensitive, critical, or valuable information should have some sort of access control system. Most often this will involve fixed passwords, but other technologies may also be used. There is no requirement that security officers do their job full-time; part-time security officers are often used in smaller organizations or for those systems which are managed by departments or other decentralized organizational units. Also see the policy entitled "Designated State Computer Security Officer."
126.0 Back-Up Security Administrator Must Be Designated and Trained Every multi-user State of Alaska system with an access control system must have a designated employee who is responsible for user-ID assignment and user access privilege control. This systems administrator must also have a designated and trained back-up employee who can fill in when necessary. This policy is intended to prevent awkward situations where a security administrator does not have a designated and/or trained back-up person, in which case business activity may be impaired or interrupted. Separately, if a back-up administrator is ready to fill in for a regular administrator, then it is unlikely that security systems will need to be compromised in order to continue necessary business activity. Note that both the regular and the back-up persons should be employees; this is because employees are generally more loyal and most often have a longer tenure with State of Alaska than contractors, consultants, temporaries, and the like. Furthermore, this policy can be used to obtain both necessary staffing and training resources. On another note, this policy assumes that the words "access control system" have been defined elsewhere; generally these words mean a fixed password user identification system with associated user access privilege controls, but many other options such as dynamic password tokens are also available. Also see the policy entitled "Designated Security Administrator for All Multi-User Systems."
127.0 The State Computer Security Officer Must Maintain and Update the State of Alaska Security Policy The State Computer Security Officer must prepare, maintain, and disseminate the State of Alaska Security Policy, which concisely describes State of Alaska information security policies. The objective of this policy is to require the State Computer Security Officer to prepare and maintain the security policies of the State of Alaska. Without specific policies on information security, the State may have a difficult time securing its networked data systems. Likewise, without specific written policies, the authority to conduct awareness and training efforts may be problematic. The State Computer Security Officer must ensure that all State of Alaska computer users are aware of and have convenient access to any necessary materials required to maintain information security.
128.0 Involvement of Agency Information Security staff All information security problems must be handled with the involvement and cooperation of Agency information security staff. The use of external consultants, computer security response teams, or other outsiders is specifically prohibited unless these have been approved by the State Computer Security Officer. This policy helps keep security problems inside the organization, lessening the probability that they will become known to unauthorized parties. The policy also fosters the use of the in-house information security group rather than alternative suppliers of information security services. It thus keeps costs down and also assures that in-house policies, standards, methods, and the like will be consistently applied. Although this policy does not require that all work be done by a central in-house information security group, it does require the group's approval. Outsourcing is therefore still an option, particularly when there are not enough in-house staff members to handle a certain project.
129.0 Designated State Computer Security Officer with Uncontested Statewide Authority The State of Alaska must establish and support a Computer Security Officer placed in the organizational structure in such a position that they have the authority to enforce security policies and oversee information security practices. The intention of this policy is to ensure that the State Computer Security Officer can be effective. The State Computer Security Officer must have uncontested authority over information security issues. This position must be more than a figurehead with no real authority. The policy is particularly important as the duties of the Agency Computer Security Officers are typically assigned on a part-time basis to workers performing other functions. The State Computer Security Officer must work with the Agency Computer Security Officers, support their activities and provide technical guidance. Other duties typical of the State Computer Security Officer are to prepare annual reports, coordinate the response to incidents, act as a central spokesperson to the user community on information security issues, and coordinate the flow of information among Agency Computer Security Officers. Also see the policy entitled "Designated Agency Computer Security Officer."
132.0 Changing Physical Access Control Codes on Worker Termination In the event that a worker is terminating their relationship with the State of Alaska, all physical security access codes known by the worker must be deactivated or changed. For example, the serial number recorded on a magnetic stripe attached to an identification badge must be changed before the badge is reissued to another worker. This policy is intended to eliminate any confusion about the identity of the person who is using an access code. The policy may also prevent a terminated worker from using a copy of the access mechanism (like a magnetic card) to gain unauthorized entry to State of Alaska work areas. This objective is particularly important if the worker is disgruntled and potentially vengeful. The policy makes mention of "access codes known by the worker," and accordingly includes both those systems where the code is known only by the user as well as those systems where several people know the code (also known as "lockwords"). This broad scope implies another objective of the policy--to keep the terminated worker from gaining access to State of Alaska premises, and committing some crime or abusive act, in a manner that might look like it was perpetrated by an authorized worker.
139.0 Assign Explicit Responsibility For Information Security Tasks Specific information security responsibilities must be incorporated into all worker job descriptions if such workers have access to sensitive, valuable, or critical information. The time has come to stop saying that information security is everyone's responsibility while at the same time ignoring the need to specifically assign responsibility to certain people. This policy is intended to create clarity about what is expected of all people who have access to sensitive, valuable, or critical information. Included within the scope of this policy are end-users, who often believe that they have no responsibilities in the information security area. In reality, end-users are on the front line in the battle against intruders, viruses, and other information security problems. Today's information security environment involves the distribution of information not only to end-user desktop computers, but also to workers' homes, to outsourcing firms' premises, to strategic partners' premises, and to other locations. These and other people must cohesively work together as a team in order to achieve genuine information security. This can only be done if the responsibilities of each are explicitly assigned.
141.0 All Security Incident Information Must Be Tracked by the Affected ACSO and Forwarded to the SCSO All security-incident-related information, such as viruses and hacks, must be tracked by the affected Agency Computer Security Officer. Information gathered by the Agency must be passed along as soon as possible to the State Computer Security Officer. The intent of this policy is to ensure that all information gathered during a security incident makes it to the central security office. It is important that there be a single point of contact on security that can look for patterns and systemic vulnerabilities. While an individual agency may see a specific security incident as minor, when it is combined with incidents from other agencies, patterns of attack may become clearer. The key here is the need for good communication between the State Computer Security Officer and the various Agency Computer Security Officers.
143.0 Restricted Access to Network Traffic Encryption Keys Access to keys used to encrypt network traffic must be restricted on a need-to-know basis. The State Computer Security Officer must approve all parties who have access to encryption keys. Encryption is the primary bastion against eavesdropping and wiretapping, particularly in a converged network that will carry both data and voice. The intent of this policy is to prevent the widespread dissemination of the keys used to encrypt network traffic. It is crucial that only those with an absolutely critical need have access to the encryption keys used on State of Alaska network transport. The State Computer Security Officer must maintain the comprehensive list of those with the encryption keys and approve any change to the list. Any variation from this policy is a dangerous violation of the State of Alaska security policy.
149.0 All External Connections Reviewed Annually The State Computer Security Officer will conduct, at a minimum, an annual review of the external connections to the State of Alaska network. Agency Computer Security Officers will provide an accurate listing of all external connections to facilitate the review. This listing will include the agency involved, inception date, any involved third parties, contact information for both, security category of the connection, and a brief business justification of why the connection needs to exist. This policy is intended to apply to external connections provided by the agencies participating in the state's network arrangements, such as dial-up connections or wireless. A policy such as this can help spur the creation of a comprehensive managed list of external connections. Agency-provided external connections are a likely path for unwelcome intrusion. The risk of such connections mandates that the agency not only adhere closely to relevant security policies, but also initiate practices of diligent, centralized management of such connections. Such practices make annual review a routine but necessary exercise. Under this policy, a violation would be the existence of an undocumented external connection.
150.0 Restrictions on Tiger Team Activities and Release of Findings Only the State Computer Security Officer may authorize Tiger Team activities and the release of their findings. A Tiger Team is a group that attempts to break into a computer network or otherwise access secured computing services using hacker-style techniques. Tiger Team activities, by definition, attempt to compromise security. For this reason it is important that they only be done when necessary and with the authorization of the State Computer Security Officer. It is equally important that any results of a Tiger Team be kept confidential and be released only to the affected Agency Computer Security Officer or others on a need-to-know basis.
151.0 Agencies Can Write Their Own Security Policy as Long as It Is No Less Stringent Than This One An Agency may develop a Security Policy, but it must not subject the State to reduced security. Some Agencies may find that the officially adopted State of Alaska Security Policy is inadequate for their needs. An agency may develop a policy, but it is critical that the alternate Security Policy be no less stringent than the official policy. For an Agency to develop and adopt its own Security Policy, it must be reviewed and approved by the State Computer Security Officer.
152.0 Annual Review of Computer Security Officers An independent third party must perform an annual review of all Computer Security Officers to ensure they are enforcing the State of Alaska security policies and using industry standard best practices. The results of the reviews will be provided to the Commissioner of Administration and are to remain confidential. The role of Computer Security Officers, both Agency and State, is vital to the implementation of the State of Alaska Security Policy. Security officers are responsible for ensuring the continued functioning of State networks in a secure fashion. An independent review must be performed so that the State can be assured that someone is "watching the watchers."