| Policy ID No. | Policy | Policy Text | Policy Commentary |
|---|---|---|---|
| 15.0 | Positive Identification Required for Initial System Usage | All users must be positively identified prior to being able to use any computer or communications system resources. | Positive identification ordinarily involves user-IDs and fixed passwords, but may also include confirmation by a known person in the office. The Agency Computer Security Officer will be the decision maker when it comes to a precise definition of "positive identification." The intention of this policy is to ensure that no unauthorized person is given an account on a State of Alaska computer system. As organizations adopt more interconnected systems, this policy becomes increasingly important. For example, a stand-alone departmental local area network poses a relatively limited vulnerability, but when such a LAN is connected to a wide area network, the need for all users to be positively identified is increased. |
| 18.0 | Leaving Sensitive Systems Without Logging-Off | If the computer system to which they are connected are medium or high risk systems, users must not leave their computer unattended for more than half an hour without first logging-out or otherwise locking the computer from unauthorized use. | This policy seeks to prevent unauthorized disclosure of information as well as unauthorized use. Instead of mandating a period of no activity beyond which jobs will be automatically terminated, this policy puts the onus of responsibility on the user. The Agency Computer Security Officer may set the unattended time window to a lower value. Screen savers that require passwords or similar mechanisms are acceptable. |
| 21.0 | Gaining Unauthorized Access Via State Information Systems | Workers using State of Alaska information systems are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. Likewise, workers are prohibited from capturing or otherwise obtaining passwords, encryption keys, or any other access control mechanism which could permit unauthorized access. | The intention of this policy is to clearly establish management's position forbidding hacking (also called cracking) activities via State of Alaska information systems. The policy is written in such a way that it applies to both internal and also external information systems. The policy embraces a wide variety of hacker techniques, including social engineering (where a hacker masquerades as someone else), and password grabbers (which record passwords via wiretap like mechanisms). The words "access control mechanism" include smart cards, dynamic password tokens, and the like. Separately, this policy can be used to discipline, and perhaps terminate, a worker who was hacking via State of Alaska information systems. For related ideas, see the policies entitled "Prohibition Against Testing Information System Controls" and "Tools Used to Break Systems Security Prohibited." |
| 24.0 | Existence of User Access Capabilities Does Not Imply Usage Permission | Users must not read, modify, delete, or copy a file belonging to another user without first obtaining permission from the owner of the file. Unless general user access is clearly provided, the ability to read, modify, delete, or copy a file belonging to another user does not imply permission to actually perform these activities. | The intention of this policy is to define appropriate boundaries around the files maintained by computer users, who often have no file access controls whatsoever. The policy essentially says "Just because you can do it, doesn't mean that you are allowed to do it." The policy makes reference to information owners, which ideally would make decisions about access to certain types of information. Nonetheless, in many situations the owner is by default the user on whose PC the information resides. For a related idea, see the policy entitled "Default to Denial of Access Control Privileges." |
| 25.0 | User-IDs Must Each Uniquely Identify a Single User | Each computer and communication system user-ID must uniquely identify only one user. Shared or group user-IDs are not permitted. | This policy establishes a definitive link between a user-ID and an individual (and in some cases a software process or a computer system). The converse is not necessary, i.e., individual users may have multiple user-IDs. Without unique user-IDs, logs cannot be used to definitively indicate the activities of a particular user. This problem in turn is likely to prevent an organization from taking disciplinary actions or entering into prosecutions for computer abuse; it may also prevent the provision of needed remedial training. Without unique user-IDs, privileges cannot be restricted on a user-by-user basis. If privileges cannot be restricted by user, then it will be very difficult to implement separation of duties, dual control, and other security measures. This is a fundamental policy which underlies many access control policies, procedures, and the like. Nothing in this policy prevents the deployment of systems that make the specific computers involved user-transparent (e.g., client/server systems); for example, users may sign-into a network-based application and not a specific computer system. See the policies entitled "Unique User-ID and Password Required" |
| 26.0 | Generic User-IDs Based on Job Function Prohibited | Generic user-IDs based on job function are prohibited. Instead, user-IDs must uniquely identify specific individuals. | The intention of this policy is to prevent systems administrators and other technical staff from creating generic user-IDs based on job titles. This is a short-cut that many technical staff members employ to reduce the overhead associated with changes in worker employment status. With this short-cut, when someone leaves the organization, the password associated the user-ID can simply be changed. The new person who plays the role would employ the new password, while the person who departed would know only the old password. While this approach may sound appealing in theory, there can be difficulties associated with system logs -- which individual's activity do the logs show? Of greater concern is the practice where generic user-IDs are assigned and shared passwords are employed. Individual user accountability (via logs) is very difficult if not impossible to achieve in this environment. Another reason why the generic user-ID approach may be chosen has to do with database management systems, and the delegation of privileges. The same applies to privileges which may be incorporated into so-called "objects" (special programs). In either instance, dropping a user may cause downstream problems with other users or processes. Separately, the use of a generic user-IDs is furthermore ill-advised because it doesn't allow the files in a departed worker's directories to simply exist without modification until they are claimed by others, archived, or deleted. On another point, the policy is written such that group user-IDs cannot be assigned for contracting firms, outsourcing firms, or other third parties. For related ideas, see the policies entitled "Unique User-ID and Password Required" |
| 30.0 | Unbecoming Conduct and the Revocation of Access Privileges | State of Alaska management reserves the right to revoke the privileges of any user at any time. Conduct that interferes with the normal and proper operation of State of Alaska information systems, which adversely affects the ability of others to use these information systems, or which is harmful or offensive to others will not be permitted. | The intention of this policy is to put users on notice that they jeopardize their status as authorized users if they engage in the activities described. For example, crashing the system could reasonably be expected to be harmful to other users, and would accordingly subject the perpetrator to disciplinary action including privilege revocation. Rather than specifying all the nasty things that people could do, such as crashing a system, this policy is discreet and high-level. The broadly-stated policy may also give management ample latitude when it comes to making a decision about privilege revocation. Persons who abuse their privileges may also be subject to disciplinary action including civil or criminal legal action. Also see the policies entitled "Default User Privileges and Need for Explicit Approvals" and "Periodic Review and Reauthorization of User Access Privileges." |
| 32.0 | Prohibition Against Exploiting Systems Security Vulnerabilities | Users must not exploit vulnerabilities or deficiencies in information systems security to damage systems or information, to obtain resources beyond those they have been authorized to obtain, to take resources away from other users, or to gain access to other systems for which proper authorization has not been granted. All such vulnerabilities and deficiencies should be promptly reported to the Agency Computer Security Officer. | The intention of this policy is to make it clear that users must not take advantage of information security vulnerabilities and deficiencies, even if they are aware of such problems. One example of such a problem involves having knowledge of a special password that allows a user to do things they would otherwise not be able to perform. In a broad sense, this policy is saying that users are given only the privileges explicitly granted to them--if they can do something else due to security problems, they are not authorized to take advantage of these problems. As written, the policy includes errors made by systems administrators, for example if a user was given too many privileges. While this example may not involve a control vulnerability, it is decidedly a deficiency associated with the deployment of controls. For related ideas, see the policies entitled "Required Reporting of Information Security Incidents" and "Restricted Use of Diagnostic Test Hardware and Software." |
| 41.0 | Logs of User-Initiated Security Relevant Activities | To assure that users are held accountable for their actions on State of Alaska computer systems, one or more records tracing security relevant activities to specific users must be securely maintained for a reasonable period of time. | The intention of this policy is to clearly specify that all user-initiated security relevant activities must be logged and retained for a certain period (three months for instance). This information will be helpful to those people in security administration, computer operations, and internal auditing. The information also serves as a deterrent to abusive acts, as well as important information for the "help desk" to use when figuring out the nature of a problem. The policy makes reference to security relevant activities like user changes to file access privileges, user changes to a secret password, and the like. |
| 45.0 | Notification of Users About Logging of Security Violations | Users must be put on notice about the specific actions that constitute security violations. Users must also be informed that such violations will be logged. Violations will subject users to disciplinary actions up to and including termination and prosecution. | The intention of this policy is to require that all users be clearly informed about the actions which constitute a security violation. To discourage users from engaging in these actions, they should be told that their activities will be logged. Disciplinary action will be very difficult if users have not been told about, and do not clearly understand what is expected of them. Violations will subject users to disciplinary actions up to and including termination and prosecution. Typically these violations would include attempts to compromise controls through password guessing, changing system access controls, as well as other actions such as crashing the system. |
| 46.0 | Testing for Viruses Prior to Use on State Systems | To prevent infection by computer viruses, workers must not use any externally-provided software from a person or organization other than a known and trusted supplier. The only exception to this is when such software has first been tested and approved by the Agency Computer Security Officer. | The intention of this policy is to keep all software used on State of Alaska systems free from viruses, worms, Trojan horses, and other unauthorized programs. Note that the policy is not restricted to production systems; these unauthorized programs propagate rapidly and make no distinction between production and non-production systems. The policy requires only a negligible amount of extra work associated with the handling of externally-provided software. Normally, users would employ only that software which has been approved for internal use and which is in keeping with existing licenses with vendors. Thus this policy helps restrict the software that users may run. In a roundabout way, the policy also helps to discourage unauthorized copying of software for which State of Alaska does not have a license. Although it does not need to be placed in the policy, the testing performed should always be done on an isolated machine. Some Agencies may want to specify what constitutes a "known and trusted supplier" (ordinarily not an electronic bulletin board, a users group, or some other non-commercial entity). Some Agencies may wish to expand the policy to require that all such testing of externally-supplied software be documented. Some organizations may wish to change the policy such that it requires all specific copies of software provided by non-trusted parties to be tested (rather than one copy, which is then alleged to be the same as other copies provided by the organization). On a separate note, this policy allows users to down-load software from third party systems--it just prohibits them from executing it until it has been properly tested. See the policies entitled "Immediate Reporting of Suspected Computer Virus Infestation." |
| 49.0 | Approved Virus Checking Programs Required on PCs and Servers | Virus checking programs approved by the Agency Computer Security Officer must be continuously enabled on all servers and personal computers. | This policy doesn't make distinctions between integrity checkers, virus screening packages, virus behavior detection packages, and the like. Instead, it relies on the iAgency Computer Security Officer to identify one or more standard virus detection software packages. The emphasis is on networked machines because a virus or similar program can propagate much faster in a networked environment than it can in a stand-alone computing environment. The policy focuses on small systems because these are the computers which are most often hit by virus infections, not mainframes and other large-scale systems. For related ideas, see "Testing for Viruses Prior to Use on State Systems" and "Immediate Reporting of Suspected Computer Virus Infestation" |
| 54.0 | Restricted Use of Diagnostic Test Hardware and Software | Diagnostic test hardware and software, such as communications line monitors and network sniffers, must be used only by authorized personnel for testing and development purposes. Access to such hardware and software must be strictly controlled. | Diagnostic test hardware and software can be used to insert spurious messages on a communications line so that a fraud may be perpetrated. The tools may also allow people to read communications line traffic that they would otherwise not be able to examine. These wiretapping tools have, for instance, been used to capture readable passwords which are then later used to gain unauthorized system access. The intention of this policy is thus to restrict the use of such powerful tools to troubleshooting and other authorized business activities. The policy gives local management significant leeway in determining the ways in which they secure these hardware and software tools. For instance, some managers will require that line monitor devices be locked in a closet, while others will be satisfied with the use of a metal key to activate and deactivate the device. There is a greater need for this policy in those environments using fixed passwords (rather than dynamic passwords) for system access control. |
| 60.0 | Information as an Important State of Alaska asset | Information is an important State of Alaska asset. Accurate, timely, relevant, and properly protected information is absolutely essential to State of Alaska's business. To ensure that information is properly handled, all accesses to, uses of, and processing of State of Alaska information must be consistent with State of Alaska information systems related policies and standards. | This general policy helps to set the context for a number of other information security policies. Such a statement is frequently incorporated into the first set of policies as well as summary material oriented towards users and members of the management team. It is necessary for these people to appreciate how information has become a critical factor of production in modern business--only then can they appreciate the pressing need for information security. The intention of this policy is thus to motivate the need for information security measures and to contextualize the use of information systems in modern organizations. |
| 61.0 | Tools Used to Break Systems Security Prohibited | Unless specifically authorized by the Agency Computer Security Officer, State of Alaska workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those which defeat software copy-protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files. | Because these tools can be and often are used to circumvent controls, their possession and use should be severely restricted. Possession and use should be allowed only for those who have a need for such powerful tools, such as security auditors and tiger-team staff (penetration attack team members). While these tools are readily available on the open market, on the Internet, and on electronic bulletin boards, State of Alaska users should not be in possession of these tools. Thus, ordinary users should not have a collection of vulnerability identification tools like SATAN and COPS stored on their hard drive. Likewise, users should not have a protocol analyzer (a "sniffer") in their possession because it can be used to perform actions such as a wiretap, password reading, and unauthorized data viewing. For the same reason, users should not have a database which contains working serial numbers needed to operate stolen software. Some users may claim that they never intended to use such tools, that they only acquired them to learn about computers. This policy removes the whole question of the user's intent from the discussion; if users have the tools, they may be disciplined or terminated. Also see the policies "Prohibition Against Testing Information System Controls," and "Disclosure of Information About Information System Vulnerabilities" |
| 62.0 | Handling of Third Party Confidential and Proprietary Information | Unless specified otherwise by contract, all confidential or proprietary information that has been entrusted to State of Alaska by a third party must be protected as though it was State of Alaska confidential information. | In many cases the people handling third party information do not have access to the contracts which define agreed-upon procedures for handling information entrusted to State of Alaska. This policy by default assigns a classification of "confidential" to all such information. |
| 63.0 | Software and/or Data Exchanges with Third Parties Require Agreements | Exchanges of software and/or data between State of Alaska and any third party may not proceed unless a written agreement has first been signed. Such an agreement must specify the terms of the exchange, as well as the ways in which the software and/or data is to be handled and protected. This policy does not cover release of information designated as public. | The intention of this policy is to prevent misunderstandings about the use of and protection of State of Alaska proprietary or sensitive information. For example, an agency and a consultant exchange mailing lists, it could be specified in writing that the lists are to be used once only (or whatever other arrangements have been established). Having a written contract also provides some assurance that controls will be used to prevent the information from being disclosed to unauthorized third parties and from being used for purposes other than those originally intended. Because it encourages some restraint associated with the dissemination of information, this policy is relevant to electronic mail and the Internet. |
| 64.0 | Disclosure of Information on State Systems to Law Enforcement | By making use of State of Alaska systems, users consent to allow all information they store on State of Alaska systems to be divulged to law enforcement at the discretion of State of Alaska management. | This policy puts users on notice that they should not have an expectation of privacy with respect to State of Alaska systems. It also puts users on notice that no search warrant will be necessary before law enforcement agents gain access to information they store on State of Alaska systems. Management may wish to reveal certain information (such as electronic mail logs) to law enforcement; this could be appropriate if management discovered the use of its computing facilities to conduct drug deals or some other illegal activity. Like the policy entitled "Right of Management to Examine Data Stored on State of Alaska Systems," this policy helps to manage user expectations, making sure that users understand they do not have normal privacy protections applicable to public communications carriers (like the phone company). For Third Parties this applies to any data or data systems that contain State of Alaska data. For the Third Parties this does not include proprietary and company confidential information but only pertains to the portions that are relevant to work performed for the State of Alaska. Also see the policy entitled "Disclosure of Private Information to Third Parties" and "Electronic Mail Messages Are Company Records." |
| 65.0 | Privacy Expectations and Information Stored on State Systems | At any time and without prior notice, State of Alaska management reserves the right to examine archived electronic mail, personal file directories, hard disk drive files, and other information stored on State of Alaska information systems. This examination is performed to assure compliance with internal policies, support the performance of internal investigations, and assist with the management of State of Alaska information systems. | The intention of this policy is to put computer users on notice that the information they store, transmit, or otherwise process via State of Alaska information systems is subject to management review. This will encourage them to use such information systems for business purposes only. It will also help to deter unethical or illegal activities such as down-loading pornography from the Internet, and then storing such information on a State of Alaska computer hard disk drive. See the policies entitled "Privacy Expectations and Electronic Mail," |
| 67.0 | No Blanket Monitoring of Employee Communications | In general terms, State of Alaska does not engage in blanket monitoring of employee communications. It does, however, reserve the right to monitor, access, retrieve, read, and/or disclose employee communications when: (a) a legitimate business need exists that cannot be satisfied by other means, (b) the involved employee is unavailable and timing is critical to a business activity, (c) there is reasonable cause to suspect criminal activity or policy violation, or (d) monitoring is required by law, regulation, or third-party agreement. | The intention of this policy is to put employees on notice that their communications may be monitored under certain circumstances. The policy also seeks to assure employees that a "big brother" style blanket monitoring process does not exist, and the right to monitor will be used judiciously and only when a legitimate business need exists. For a related idea, see the policy entitled "Privacy Expectations and Information Stored on State of Alaska Systems." |
| 69.0 | Monitoring of Electronic Mail Messages | Messages sent over State of Alaska internal electronic mail systems are not subject to the privacy provisions of the Electronic and Communications Privacy Act of 1986 (which prohibits wiretapping), and therefore may be read by State of Alaska management and system administrators. | This policy makes it clear that management and technical staff may read worker electronic mail messages when management authorizes it. By the same token, technical staff may not monitor e-mail without authorization. Also see the policy entitled "Privacy Expectations and Electronic Mail." |
| 70.0 | Notification of Suspected Loss or Disclosure of Sensitive Information | If secret, confidential, or private data is lost, is disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties, its owner and the Agency Computer Security Officer must be notified immediately. | Prompt notification of loss or disclosure is a necessary precursor to performing effective damage control. For instance, if information about a new but not yet released RFP has been mistakenly disclosed to a vendor, then the date for the official announcement may need to be changed. The intention of the policy is therefore to require that all workers report all losses or disclosures of sensitive information. |
| 82.0 | Misrepresentation of Identity on Electronic Communication Systems | Misrepresenting, obscuring, suppressing, or replacing a user's identity on an electronic communications system is forbidden. The user name, electronic mail address, organizational affiliation, and related information included with messages or postings must reflect the actual originator of the messages or postings. | The intention of this policy is to put users on notice that they may not misrepresent their identity on electronic communication systems, even for practical jokes or other humor. The scope of the policy is deliberately broad (specifically "electronic communication systems") so that it includes telephone systems as well as electronic mail systems. Note that this policy does not require all the routing information on an electronic mail message to be maintained, only the originator's identity. Separately, under this policy, the use of another person's user-ID is a policy violation (and technically electronic forgery). This policy assumes that no group user-IDs have been assigned; in other words, each user should have one or more personal user-IDs. |
| 85.0 | Dial-Up Connections Must Utilize an Access Control Point | All inbound dial-up lines connected to State of Alaska internal networks must pass through an additional access control point before users can reach a log-in banner. The access control point can be a firewall or other security device suitably configured to only restrict unauthorized activities. | The intention of this policy is to restrict dial-in connections with authorized parties such as consultants, travelling executives, and technicians working from home (telecommuters). Some organizations may allow extended user authentication systems (smart cards with dynamic passwords, dial-back modems, etc.) to be used. The advantage to this process is that users would not be required to log-in twice; the approach is therefore consistent with the notion of single-sign-on. In part this policy is an acknowledgement that traditional fixed password systems do not provide adequate security--at least when used the way that so many firms have implemented them. Acknowledging this, a two-layer approach provides additional security. This policy seeks to directly address dial-up modems that some users may have placed on their desks, that can in turn be used to gain direct access to a local area network (LAN). Also see the policy entitled "Restriction of Third Party Dial-Up Privileges," |
| 86.0 | External Network Connections Require Firewalls | All in-bound connections to State of Alaska networks must pass through an additional access control point (such as a firewall, VPN, or access server) before users can reach protected State of Alaska computer resources.. | This policy is intended to make sure that the periphery of an internal network always has strong access control mechanisms. If the boundaries to a network cannot be protected, then the controls inside the network may be superfluous. Examples would be a thrid party broadband device (cable modem or DSL) or a wireless access point located inside the State network. Separately, this policy requires all external real-time connections to have a firewall or comparable security system. Also see the policy entitled "Positive Identification Required for Initial System Usage" |
| 89.0 | Security Requirements for Work at Home Arrangements | Work at home (telecommuting) arrangements are a management option, not a universal employee benefit. Permission to telecommute is the decision of the involved employee's manager. Before a telecommuting arrangement can begin, this manager must be satisfied that an alternative worksite (such as a home office) is appropriate for the State of Alaska work performed by the involved employee. Security factors that must be evaluated and approved by the Agency Computer Security Officer before authorizing telecommuting include: Virus scanning, Firewall, VPN, Data backup and Physical Security. | Discussions about "alternative worksites" (notably home offices) have become more prevalent in the last few years. Whenever these arrangements are being considered it is important to consider what happens to State of Alaska physical assets (such as computers) as well as information assets. See also the policies "Dial-Up Connections Must Utilize an Access Control Point", " External Network Connections Require Firewalls", and "Internet Connections Require Approved Firewalls" |
| 94.0 | Minimum Length for User-Chosen Encryption Keys. | Whenever user-chosen encryption keys are employed, the encryption system must prevent users from employing keys made up of less than eight (8) characters. | Like the policy entitled "Process for Generating Encryption Keys," the intention of this policy is to make sure that an encryption system provides the security it was meant to provide. If encryption keys are easily guessed (because they are made up of too few characters), then an encryption system can be readily compromised. This policy is targeted at users who need to encrypt data on their computer system and does not apply to encryption of network traffic. For a related idea, see the policy entitled "Minimum Password Length." |
| 100.0 | Transmission of Cleartext Private Encryption Keys Prohibited | If private encryption keys are transmitted over communication lines, they must be sent in encrypted form. The Public key in a Public Key Encryption System must not be encrypted. The encryption of keys should be performed with a stronger algorithm than is used to encrypt other sensitive data protected by encryption. | The intention of this policy is to prevent users from inadvertently sending readable (cleartext) encryption keys over communication systems. If this is done, then the encryption process (depending on the type of system) may be easily circumvented. Note that the second sentence is a guideline and not a policy (the word "should" is used rather than "must"). For example, if the organization in question is using a standard "symmetric" encryption algorithm, such as the Triple Data Encryption Standard (3DES), implementation of the guideline in the second sentence would be straightforward. |
| 103.0 | Required Procedures for Personal Computer Modems in Autoanswer Mode | Users must not leave modems connected to personal computers in autoanswer mode without Agency Computer Security Officer review and authorization. | Modems left in auto-answer mode expose the organization to unauthorized visitors, especially when these modem connections have no access control system. This problem is particularly serious if the PC is connected to an internal network. Rather than prohibiting the use of modems, or even requiring the use of dynamic password systems, this policy relies on the awareness and judgement of the ACSO to approve and monitor the useage of auto-answer modems. See also "Dial-Up Connections Must Utilize an Access Control Point" |
| 104.0 | Privacy Expectations and Electronic Messaging, such as E-Mail and Voice Mail | Workers must treat electronic messages and files as private information. Electronic mail must be handled as a private and direct communication between a sender and a recipient. | The intention of this policy is to clearly specify what type of privacy workers should expect when it comes to electronic mail and other electronic messaging systems such as voice mail and pagers. A clear understanding of the privacy they can expect will enable users to make appropriate decisions about the types of information to send via electronic mail. This policy does not address matters such as looking at messages in order to support the administration of an electronic mail system. Such message examination would be fully in keeping with this policy so long as the intention was to maintain or administer the system, and not to violate another's privacy. The words "messages and files" in the policy make it apply to messages in transit, messages that have not yet been read that are stored in a holding file, and messages that have been read and archived. Also see the policy entitled "Monitoring of Electronic Mail Messages," |
| 105.0 | Treat Electronic Mail as Public Communications | Consider electronic mail to be the electronic equivalent of a postcard. Unless the material is encrypted, users must refrain from sending credit card numbers, passwords, research and development information, and other sensitive data via electronic mail. | The intention of this policy is to impress users with the fact that their electronic mail communications are not protected the way an ordinary letter going through the postal service is. Unknown parties can readily intercept e-mail and use the contents as they please, without either the sender's or the recipient's knowledge. The policy also alerts users to the primary mechanism to secure e-mail communications: encryption. |
| 106.0 | Profane, Obscene or Derogatory Remarks in Electronic Mail Messages | Workers should not use profanity, derogatory remarks, obscenities, or harassing, embarrassing, indecent, intimidating or other unethical remarks in electronic mail messages. Such remarks -- even when made in jest -- may create legal problems such as defamation of character. Special caution is warranted because back-up and archival copies of electronic mail may actually be more permanent and more readily accessed than traditional paper communications. | Many users consider electronic mail to be more informal than traditional paper letters. This can lead to the inclusion of obscenities or derogatory comments that would not have been included in a paper letter. This policy is intended to put workers on notice that their electronic mail may come back to haunt them, and be a legal problem for their employer. The policy also indirectly discourages "flaming," the practice of venting negative emotions via electronic mail (as well as other ways to communicate such as Internet chat rooms). |
| 107.0 | Telecommuter Remote System Information Security Procedures | As a condition of continued employment, telecommuters agree to abide by all remote system security procedures. These include, but are not limited to, compliance with software license agreements, performance of regular back-ups, and anti-virus software. | The intention of this policy to make telecommuters aware of the procedures they must perform on a day-to-day basis. If an agency is going to permit its sensitive information to be used in remote locations that cannot be easily supervised, it is reasonable for it to insist that certain security precautions be observed. Because telecommuting introduces new risks, a more stringent and specially-documented policy dealing with telecommuters may be set by the Agency Computer Security Officer on a case by case basis. This policy is also appropriate for workers which are not -- properly speaking -- telecommuters, but who nonetheless take organizational information to their home or on business trips. |
| 108.0 | Right To Conduct Inspections of Telecommuter Environments | State of Alaska maintains the right to conduct inspections of telecommuter offices with one or more days advance notice. | The intention of this policy is to put telecommuters on notice that State of Alaska representatives may conduct inspections of their home offices. This will help ensure that telecommuters observe both safety and security policies and procedures. In return for permitting employees to telecommute, State of Alaska has the right to conduct inspections of its property kept in the houses of telecommuters. Thus, by conducting inspections, State of Alaska management is carrying out it's duty to protect State of Alaska assets. It is only because the home is generally the domain of the employee that such a right to inspect must be clearly communicated and/or negotiated. The policy allows multiple follow-up inspections to correct deficiencies that were detected during prior visits. |
| 109.0 | Internet Access With State Computers Must Go Through a Firewall | Internet access using computers inside State of Alaska offices is permissible only when users go through a State of Alaska firewall. Other ways to access the Internet, such as dial-up connections with an Internet Service Provider (ISP), are prohibited if the connected computer is also attached to a State of Alaska network. | This policy prevents users from deliberately or unwittingly circumventing the controls supported by a firewall. These controls include the ability to: screen down-loaded files for viruses, scan down-loaded files for keywords, bar the connection with certain web sites, and block the down-loading of Java applets. The policy is restricted to computers in State of Alaska offices because telecommuters and mobile computer users cannot practically live up to the requirements of this policy. There may be circumstances where technicians or users need to test equipment or an ISP, however this must be done from a computer that is not connected to a State of Alaska network. For a related idea, see the policy entitled "Permissible Internet Access Without Firewalls." |
| 110.0 | Required Reporting of Information Security Incidents | All suspected information security incidents must be reported as quickly as possible to the Agency Computer Security Officer. | This policy is intended to require that all problems and violations are promptly brought to the attention of those who can actually do something about them. If problems and violations go unreported, they may lead to much greater losses for the organization than would have been incurred, had the problems been reported right away. Also see the policies entitled "Internal Reporting of Information Security Violations & Problems," and "Information Security Alert System" |
| 113.0 | Interference with Reporting of Information Security Problems | Any attempt to interfere with, prevent, obstruct, or dissuade a staff member in their efforts to report a suspected information security problem or violation is strictly prohibited and cause for disciplinary action. Any form of retaliation against an individual reporting or investigating information security problems or violations is also prohibited and cause for disciplinary action. | This policy attempts to encourage workers who wish to report an information security problem or violation, yet are concerned that they may find it difficult, problematic, or otherwise ill-advised. These "whistle blowers" often are concerned that their own immediate management will penalize them for reporting problems or violations. This policy attempts to foster a perspective that is in the best interest of the State of Alaska that all security problems be reported and that it is against this policy for anyone to interfere with the reporting, even if the report may make someone "look bad". |
| 114.0 | Protection of Workers Who Report Information Security Problems | State of Alaska will protect workers who report in good faith what they believe to be a violation of laws or regulations, or conditions that could jeopardize the health or safety of other workers. This means that such workers will not be terminated, threatened, or discriminated against because they report what they perceive to be a wrongdoing or dangerous situation. Before taking any other action, these workers must report the problem to their manager or the Agency Computer Security Officer, and then give the organization time to remedy the situation. | The intention of this policy is to assure workers who are considering reporting problems that the organization will protect them. This should encourage workers to make reports when they may otherwise have been deterred by the potential adverse consequences. This policy does not prohibit external reporting -- it only states that the problem should first be internally reported. The policy is deliberately defined in a broad manner so that it includes information security problems; it also includes physical security problems as well as worker safety problems. For a related idea, see the policy entitled "External Reporting of Information Security Violations." |
| 116.0 | Immediate Reporting of Suspected Computer Virus Infestation | Computer viruses, worms, trojans and other malicious code can spread quickly and need to be eradicated as soon as possible to limit serious damage to computers and data. Accordingly, if workers report a computer virus infestation to the Agency Computer Security Officer immediately after it is noticed, even if their negligence was a contributing factor, no disciplinary action will be taken. The only exception to this early reporting amnesty will be those circumstances where a worker knowingly caused a computer virus to be introduced into State of Alaska systems. However, if a report of a known infestation is not promptly made, and if an investigation reveals that certain workers were aware of the infestation, these workers may be subject to disciplinary action. | This policy is intended to encourage quick reporting of viruses, which is essential if their growth is to be limited and consequential losses are to be contained. A notable aspect of the policy is that disciplinary action may be taken if there is a delay in reporting a problem. Because even minutes can make a great difference when it comes to the propagation of computer viruses, the word "immediately" was used in the policy. Of course, if a worker has written a virus and let it loose on State of Alaska computers, then this should still be cause for disciplinary action, even if the employee did call the Information Security Department promptly after it got out of hand. The policy, as written, does not stop such a disciplinary action because it refers to "negligence" rather than a deliberate malicious act. Also see the policies "Testing for Viruses Prior to Use on State of Alaska Systems" and "Internal Reporting of Information Security Violations & Problems." |
| 135.0 | Tools Used to Break Systems Security Prohibited | Unless specifically authorized by the State Computer Security Officer, State of Alaska workers must not acquire, possess, trade, or use hardware or software tools that could be employed to evaluate or compromise information systems security. Examples of such tools include those which defeat software copy-protection, discover secret passwords, identify security vulnerabilities, or decrypt encrypted files. This policy applies to all State of Alaska computer systems, premises and devices connected to any State of Alaska network system. | Because these tools can be and often are used to circumvent controls, their possession and use should be severely restricted. Possession and use should be allowed only for those who have a need for such powerful tools, such as EDP auditors and tiger-team staff (penetration attack team members). While these tools are readily available on the open market, on the Internet, and on electronic bulletin boards, State of Alaska users should not be in possession of these tools in such a way that they could be used to compromise any State of Alaska system. Thus, ordinary users should not have a collection of vulnerability identification tools like SATAN and COPS stored on their hard drive at work. Likewise, users should not have a Sniffer(TM) in their possession because it can be used to perform a wiretap. For the same reason, users should not have a database which contains working serial numbers needed to operate stolen software. Some users may claim that they never intended to use such tools, that they only acquired them to learn about computers. This policy removes the whole question of the user's intent from the discussion; if users have the tools, they are in violation of the policy. Note that this policy does not prohibit an employee from using such tools on a home computer unless that computer is configured to access any State of Alaska data system. The policy is not intended to prohibit any authorized user from accessing State of Alaska web or e-mail services. Also see the policies "Prohibition Against Testing Information System Controls," "Disclosure of Information About Information System Vulnerabilities." |
| 137.0 | Confidentiality of Internal Investigations Information | Until charges are pressed or disciplinary action taken, all investigations of alleged criminal or abusive conduct must be kept strictly confidential to preserve the reputation of the suspected party. | Beyond the objective stated in the policy, this policy helps reduce the probability that State of Alaska will be hit with a lawsuit alleging defamation of character. The intention of the policy is to clearly define the point in time when it becomes permissible to disclose information about employee investigations. One desirable aspect of this policy is that investigations which do not result in prosecution (pressing charges) or disciplinary action will never be disclosed (declassified). If the employee never knew about the investigation, then they can remain as a worker in good standing. On the other hand, if the employee heard about an investigation in process that later turned out to be inappropriate, they may become disgruntled or soon leave the organization. The policy mentions the "reputation" of the individual rather than staying out of legal trouble because the dignity of the individual is a more noble goal, and because it is taken for granted that management wants to operate within the confines of the law. Also see the policy entitled "Required Investigation Following Computer Crimes." |
| 142.0 | Users may not connect a modem to any phone system on a network-connected machine without authorization. | No computer user may connect a modem to a phone line if the computer with the modem is attached to a State of Alaska computer network without Agency Computer Security Officer approval. | One of the largest potential security holes in the State of Alaska network is the use of uncontrolled modems. If the computer with the modem is on a State network it is possible for a hacker to use the trusted computer with the modem to gain access to State computer resources and data. It is probable that the legitimate user of the computer would appear in security logs as the party performing the hack. This policy is intended to protect both the State of Alaska resources and legitimate State computer users. It is the role of the Agency Computer Security Officer to ensure that any modems in use within their Agency of responsibility conform to the State of Alaska security policies. |