State of Alaska DRAFT Security Policies

Applicable to Third Parties

Policy ID No. Policy Policy Text Policy Commentary
15.0 Positive Identification Required for Initial System Usage All users must be positively identified prior to being able to use any computer or communications system resources. Positive identification ordinarily involves user-IDs and fixed passwords, but may also include confirmation by a known person in the office. The Agency Computer Security Officer will be the decision maker when it comes to a precise definition of "positive identification." The intention of this policy is to ensure that no unauthorized person is given an account on a State of Alaska computer system. As organizations adopt more interconnected systems, this policy becomes increasingly important. For example, a stand-alone departmental local area network poses a relatively limited vulnerability, but when such a LAN is connected to a wide area network, the need for all users to be positively identified is increased.
18.0 Leaving Sensitive Systems Without Logging-Off If the computer systems to which they are connected are medium or high risk systems, users must not leave their computer unattended for more than half an hour without first logging-out or otherwise locking the computer from unauthorized use. This policy seeks to prevent unauthorized disclosure of information as well as unauthorized use. Instead of mandating a period of no activity beyond which jobs will be automatically terminated, this policy puts the onus of responsibility on the user. The Agency Computer Security Officer may set the unattended time window to a lower value. Screen savers that require passwords or similar mechanisms are acceptable.
21.0 Gaining Unauthorized Access Via State Information Systems Workers using State of Alaska information systems are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. Likewise, workers are prohibited from capturing or otherwise obtaining passwords, encryption keys, or any other access control mechanism which could permit unauthorized access. The intention of this policy is to clearly establish management's position forbidding hacking (also called cracking) activities via State of Alaska information systems. The policy is written in such a way that it applies to both internal and also external information systems. The policy embraces a wide variety of hacker techniques, including social engineering (where a hacker masquerades as someone else), and password grabbers (which record passwords via wiretap-like mechanisms). The words "access control mechanism" include smart cards, dynamic password tokens, and the like. Separately, this policy can be used to discipline, and perhaps terminate, a worker who was hacking via State of Alaska information systems. For related ideas, see the policies entitled "Prohibition Against Testing Information System Controls" and "Tools Used to Break Systems Security Prohibited."
32.0 Prohibition Against Exploiting Systems Security Vulnerabilities Users must not exploit vulnerabilities or deficiencies in information systems security to damage systems or information, to obtain resources beyond those they have been authorized to obtain, to take resources away from other users, or to gain access to other systems for which proper authorization has not been granted. All such vulnerabilities and deficiencies should be promptly reported to the Agency Computer Security Officer. The intention of this policy is to make it clear that users must not take advantage of information security vulnerabilities and deficiencies, even if they are aware of such problems. One example of such a problem involves having knowledge of a special password that allows a user to do things they would otherwise not be able to perform. In a broad sense, this policy is saying that users are given only the privileges explicitly granted to them--if they can do something else due to security problems, they are not authorized to take advantage of these problems. As written, the policy includes errors made by systems administrators, for example if a user was given too many privileges. While this example may not involve a control vulnerability, it is decidedly a deficiency associated with the deployment of controls. For related ideas, see the policies entitled "Required Reporting of Information Security Incidents" and "Restricted Use of Diagnostic Test Hardware and Software."
46.0 Testing for Viruses Prior to Use on State Systems To prevent infection by computer viruses, workers must not use any externally-provided software from a person or organization other than a known and trusted supplier. The only exception to this is when such software has first been tested and approved by the Agency Computer Security Officer. The intention of this policy is to keep all software used on State of Alaska systems free from viruses, worms, Trojan horses, and other unauthorized programs. Note that the policy is not restricted to production systems; these unauthorized programs propagate rapidly and make no distinction between production and non-production systems. The policy requires only a negligible amount of extra work associated with the handling of externally-provided software. Normally, users would employ only that software which has been approved for internal use and which is in keeping with existing licenses with vendors. Thus this policy helps restrict the software that users may run. In a roundabout way, the policy also helps to discourage unauthorized copying of software for which State of Alaska does not have a license. Although it does not need to be placed in the policy, the testing performed should always be done on an isolated machine. Some Agencies may want to specify what constitutes a "known and trusted supplier" (ordinarily not an electronic bulletin board, a users group, or some other non-commercial entity). Some Agencies may wish to expand the policy to require that all such testing of externally-supplied software be documented. Some organizations may wish to change the policy such that it requires all specific copies of software provided by non-trusted parties to be tested (rather than one copy, which is then alleged to be the same as other copies provided by the organization). On a separate note, this policy allows users to down-load software from third party systems--it just prohibits them from executing it until it has been properly tested. See the policy entitled "Immediate Reporting of Suspected Computer Virus Infestation."
49.0 Approved Virus Checking Programs Required on PCs and Servers Virus checking programs approved by the Agency Computer Security Officer must be continuously enabled on all servers and personal computers. This policy doesn't make distinctions between integrity checkers, virus screening packages, virus behavior detection packages, and the like. Instead, it relies on the Agency Computer Security Officer to identify one or more standard virus detection software packages. The emphasis is on networked machines because a virus or similar program can propagate much faster in a networked environment than it can in a stand-alone computing environment. The policy focuses on small systems because these are the computers which are most often hit by virus infections, not mainframes and other large-scale systems. For related ideas, see "Testing for Viruses Prior to Use on State Systems" and "Immediate Reporting of Suspected Computer Virus Infestation."
54.0 Restricted Use of Diagnostic Test Hardware and Software Diagnostic test hardware and software, such as communications line monitors and network sniffers, must be used only by authorized personnel for testing and development purposes. Access to such hardware and software must be strictly controlled. Diagnostic test hardware and software can be used to insert spurious messages on a communications line so that a fraud may be perpetrated. The tools may also allow people to read communications line traffic that they would otherwise not be able to examine. These wiretapping tools have, for instance, been used to capture readable passwords which are then later used to gain unauthorized system access. The intention of this policy is thus to restrict the use of such powerful tools to troubleshooting and other authorized business activities. The policy gives local management significant leeway in determining the ways in which they secure these hardware and software tools. For instance, some managers will require that line monitor devices be locked in a closet, while others will be satisfied with the use of a metal key to activate and deactivate the device. There is a greater need for this policy in those environments using fixed passwords (rather than dynamic passwords) for system access control.
59.0 Release of Systems Documentation to Third Parties Prior to being released to third parties, all documentation that describes State of Alaska systems or systems procedures must be reviewed by the Agency Computer Security Officer to ensure that confidential information is not being inadvertently disclosed. It is important to communicate to workers that documentation, not just business records, may warrant restricted dissemination procedures. This policy puts staff on notice that they are not to release internal systems documentation without prior approval. The approval could also be provided by the Information Systems Department manager, legal counsel, or some other manager. This policy is also called for because many system crackers/hackers use so-called "social engineering" (also known as "conning") to get information about internal systems, which in turn allows them to break into these systems. If employees are on notice that such information is not to be distributed to outsiders without prior permission, it is less likely that they will fall for such ploys.
60.0 Information as an Important State of Alaska asset Information is an important State of Alaska asset. Accurate, timely, relevant, and properly protected information is absolutely essential to State of Alaska's business. To ensure that information is properly handled, all accesses to, uses of, and processing of State of Alaska information must be consistent with State of Alaska information systems related policies and standards. This general policy helps to set the context for a number of other information security policies. Such a statement is frequently incorporated into the first set of policies as well as summary material oriented towards users and members of the management team. It is necessary for these people to appreciate how information has become a critical factor of production in modern business--only then can they appreciate the pressing need for information security. The intention of this policy is thus to motivate the need for information security measures and to contextualize the use of information systems in modern organizations.
61.0 Tools Used to Break Systems Security Prohibited Unless specifically authorized by the Agency Computer Security Officer, State of Alaska workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those which defeat software copy-protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files. Because these tools can be and often are used to circumvent controls, their possession and use should be severely restricted. Possession and use should be allowed only for those who have a need for such powerful tools, such as security auditors and tiger-team staff (penetration attack team members). While these tools are readily available on the open market, on the Internet, and on electronic bulletin boards, State of Alaska users should not be in possession of these tools. Thus, ordinary users should not have a collection of vulnerability identification tools like SATAN and COPS stored on their hard drive. Likewise, users should not have a protocol analyzer (a "sniffer") in their possession because it can be used to perform actions such as a wiretap, password reading, and unauthorized data viewing. For the same reason, users should not have a database which contains working serial numbers needed to operate stolen software. Some users may claim that they never intended to use such tools, that they only acquired them to learn about computers. This policy removes the whole question of the user's intent from the discussion; if users have the tools, they may be disciplined or terminated. Also see the policies "Prohibition Against Testing Information System Controls" and "Disclosure of Information About Information System Vulnerabilities."
62.0 Handling of Third Party Confidential and Proprietary Information Unless specified otherwise by contract, all confidential or proprietary information that has been entrusted to State of Alaska by a third party must be protected as though it was State of Alaska confidential information. In many cases the people handling third party information do not have access to the contracts which define agreed-upon procedures for handling information entrusted to State of Alaska. This policy by default assigns a classification of "confidential" to all such information.
63.0 Software and/or Data Exchanges with Third Parties Require Agreements Exchanges of software and/or data between State of Alaska and any third party may not proceed unless a written agreement has first been signed. Such an agreement must specify the terms of the exchange, as well as the ways in which the software and/or data is to be handled and protected. This policy does not cover release of information designated as public. The intention of this policy is to prevent misunderstandings about the use of and protection of State of Alaska proprietary or sensitive information. For example, if an agency and a consultant exchange mailing lists, it could be specified in writing that the lists are to be used once only (or whatever other arrangements have been established). Having a written contract also provides some assurance that controls will be used to prevent the information from being disclosed to unauthorized third parties and from being used for purposes other than those originally intended. Because it encourages some restraint associated with the dissemination of information, this policy is relevant to electronic mail and the Internet.
64.0 Disclosure of Information on State Systems to Law Enforcement By making use of State of Alaska systems, users consent to allow all information they store on State of Alaska systems to be divulged to law enforcement at the discretion of State of Alaska management. This policy puts users on notice that they should not have an expectation of privacy with respect to State of Alaska systems. It also puts users on notice that no search warrant will be necessary before law enforcement agents gain access to information they store on State of Alaska systems. Management may wish to reveal certain information (such as electronic mail logs) to law enforcement; this could be appropriate if management discovered the use of its computing facilities to conduct drug deals or some other illegal activity. Like the policy entitled "Right of Management to Examine Data Stored on State of Alaska Systems," this policy helps to manage user expectations, making sure that users understand they do not have normal privacy protections applicable to public communications carriers (like the phone company). For Third Parties this applies to any data or data systems that contain State of Alaska data. For the Third Parties this does not include proprietary and company confidential information but only pertains to the portions that are relevant to work performed for the State of Alaska. Also see the policy entitled "Disclosure of Private Information to Third Parties" and "Electronic Mail Messages Are Company Records."
85.0 Dial-Up Connections Must Utilize an Access Control Point All inbound dial-up lines connected to State of Alaska internal networks must pass through an additional access control point before users can reach a log-in banner. The access control point can be a firewall or other security device suitably configured to only restrict unauthorized activities. The intention of this policy is to restrict dial-in connections with authorized parties such as consultants, travelling executives, and technicians working from home (telecommuters). Some organizations may allow extended user authentication systems (smart cards with dynamic passwords, dial-back modems, etc.) to be used. The advantage to this process is that users would not be required to log-in twice; the approach is therefore consistent with the notion of single-sign-on. In part this policy is an acknowledgement that traditional fixed password systems do not provide adequate security--at least when used the way that so many firms have implemented them. Acknowledging this, a two-layer approach provides additional security. This policy seeks to directly address dial-up modems that some users may have placed on their desks, that can in turn be used to gain direct access to a local area network (LAN). Also see the policy entitled "Restriction of Third Party Dial-Up Privileges."
130.0 Security Responsibilities for Real-Time Connections with Third Parties Before any third party users are permitted to reach State of Alaska systems via real-time computer connections, specific written approval of both the State Computer Security Officer and the Agency Computer Security Officer is required. Requests for approvals must specify the security related responsibilities of State of Alaska, the security related responsibilities of the common carrier (if used), and the security related responsibilities of all other involved third parties. These responsibility statements must also address the liability exposures of the involved parties. The purpose of this policy is to prevent real-time (as opposed to store-and-forward) connections of State of Alaska systems with third parties unless these have been shown to be adequately secure. This policy would for instance prevent consultants from having access to confidential data unless security issues had previously been examined, and approved controls had been properly implemented. Only after clearly specifying security responsibilities can the State of Alaska determine whether they want to accept the risks that the connection presents. The policy would allow internal users to employ out-bound dial-up systems to access third party electronic mail services and on-line database retrieval services without the need for a security evaluation and approval process. This policy would also allow Internet electronic mail connections because these are store-and-forward (not real-time) connections. Also see the policy entitled "Internet Connections Require Approved Firewalls."
140.0 Encryption of Network Traffic All Network Traffic that Passes Between State of Alaska Local Area Networks and that Traverses Public Networks Must Employ Strong Encryption. Portions of the State of Alaska Wide Area Network make use of public networks, such as a telephone utility's lines. The intent of this policy is to ensure that all traffic that could be observed by tools such as packet analyzers is encrypted. While the State can ensure that its employees respect the privacy and security of data transmissions, the same cannot be said for unknown Telco employees. Encryption is the only mechanism available to secure data transmitted over lines that the State does not control. Note that this policy specifically calls for encryption, which is not the same as hashing or encapsulating.
143.0 Restricted Access to Network Traffic Encryption Keys Access to keys used to encrypt network traffic must be restricted on a need-to-know basis. The State Computer Security Officer must approve all parties who have access to encryption keys. Encryption is the primary bastion against eavesdropping and wire tapping, particularly in a converged network that will carry both data and voice. The intent of this policy is to prevent the widespread dissemination of the keys used to encrypt network traffic. It is crucial that only those with an absolutely critical need have access to the encryption keys used on State of Alaska network transport. The State Computer Security Officer must maintain the comprehensive list of those with the encryption keys and approve any change to the list. Any variation from this policy is a dangerous violation of the State of Alaska security policy.