Information Systems Security for End Users
SECURITY IS A STATE OF MIND
United States Agency For International Development
M/IRM/ISS
William R. Cleveland
<[email protected]>
June 99
UNCLASSIFIED
SO WHAT???
Some consequences of a lack of a proper and effective Information Systems Security Program include:
The inability of both you and USAID to perform assigned responsibilities and provide needed services to the Department of State and client nations.
The waste, loss, or abuse of USAID resources.
The loss of credibility or embarrassment to USAID.
Information System Security Contacts
USAID Information Systems Security Officer:
Jim Craft
<[email protected]>
(202) 712-4559
Senior Security Consultant:
Mike Fuksa <[email protected]>
(202) 712-1096
Ante Penaso <[email protected]> (703)-465-7008
Security Training and Awareness
Bill Cleveland <[email protected]> (703) 465-7067
User Responsibilities
Use Government software and services for official business only, as authorized
Protect sensitive information
Protect passwords/tokens and report suspected compromise to your supervisor or ISSO.
Maintain a “Security Mindset”
Comply with USAID ISS Directives
Employee Accountability
Accountability -- ensures that the actions of any person may be traced back to that person.
Requirements include:
Identification and authentication
Audit Trails
Remember: YOU are accountable for ALL activity that
occurs under YOUR system user identification!
Workstation Protection
Comply with the physical security requirements of your office.
Other area protection responsibilities are limited.
Ensure secure work habits
Don’t try to bypass security
Make security a habit
Workstation Protection (2)
Never leave your computer unattended
use a password-protected screen saver for short periods of time (lunch, etc.)
log off at the end of the day
Protect sensitive information
store it in a private area
encrypt it
Password Protection
Personal passwords must remain private
Follow prescribed user ID/password guidelines
Don’t let anyone else use it
Don’t write it down
Don’t type a password while others watch
Don’t record password on-line or e-mail it
Don’t use easily guessed words
Change it regularly
Password Requirements
NEVER disclose your password!
Passwords must be at least six characters (alphanumeric), e.g., I8NY2x, Dog&Man3
Passwords must be changed periodically
USAID requires every 90 days
Reminders will be sent to all users
Treat Your Password Like A Toothbrush… Don’t Share It, and Change It Often!
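The rules on the two password slides above (at least six characters, a mix of letters and digits, not an easily guessed word, changed every 90 days with reminders sent), as an added example that is not part of the original deck. The short word list and the 14-day reminder window are constructed assumptions for illustration.

```python
import re
from datetime import date, timedelta
from typing import List, Optional

# Policy values stated in the training deck
MIN_LENGTH = 6        # "at least six characters"
MAX_AGE_DAYS = 90     # "USAID requires every 90 days"

# Constructed sample of "easily guessed words" (illustration only; a real
# deployment would load a full dictionary / common-password list)
EASILY_GUESSED = {"password", "usaid", "secret", "welcome", "letmein"}


def check_password(candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "alphanumeric" here means a mix of letters and digits, as in the slide examples
    if not re.search(r"[A-Za-z]", candidate) or not re.search(r"[0-9]", candidate):
        problems.append("must mix letters and digits (alphanumeric)")
    # Strip digits and symbols so that 'Password1' still trips the word check
    core = re.sub(r"[^A-Za-z]", "", candidate).lower()
    if core in EASILY_GUESSED or candidate.lower() in EASILY_GUESSED:
        problems.append("based on an easily guessed word")
    return problems


def days_until_expiry(last_changed: str, today: Optional[str] = None) -> int:
    """Days left before the 90-day change deadline (negative means overdue).

    Dates are ISO strings (YYYY-MM-DD); today defaults to the current date.
    """
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return (changed + timedelta(days=MAX_AGE_DAYS) - now).days


def needs_reminder(last_changed: str, today: Optional[str] = None,
                   warn_days: int = 14) -> bool:
    """True when a 'change your password' reminder should go out (assumed 14-day window)."""
    return days_until_expiry(last_changed, today) <= warn_days
```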
Virus Protection
Protection:
Use media from trusted sources
Check all files and programs before use
Make backup copies of known clean media
Do not boot from diskette if possible
Install USAID Antivirus software programs
Make sure virus programs are current
Data and File Backups
Backup your data regularly
Verify your backups
Protect your backups
Disposition
Sensitivity
Disclosure Potential
Human Security Factors
Be proactive and question strange things
report abnormalities to supervisor or ISSO
NEVER assume ANYTHING
“Trust But Verify” -- NEVER assume someone or something is what he/it appears to be
NEVER blindly trust unconfirmed rumors
Above all…USE COMMON SENSE
SBU INFORMATION
Official Information That Warrants Protection
Financial, Medical, Contract, Personnel
Is legally exempt from public disclosure
SBU access is on a Need-To-Know Basis
Use Common Sense in handling SBU info.
Must take reasonable safeguards to prevent unauthorized access/disclosure/modification
USAID Policy Letter 2/1997
Classified Computing
Only done at authorized, MARKED terminals.
Not INTERNET-reachable
In accordance with USAID/IG and DoD regulations
Contact supervisor, IG, or ISSO for Agency guidance
SMARTGATE
Security software administered by the IRM/ISS Group that provides a secure method for employees and contractors to connect into the USAID global network (AIDNET) from a dial-in modem or internet service provider.
Allows IRM/ISS to monitor authorized dial-up connections to AIDNET
E-Mail Security
Unsecured and Easy to Intercept
Do not transmit NSI (classified data) over E-Mail
SBU can be e-mailed ONLY as required
Subject to Agency monitoring for compliance
Do NOT pass on Chain Letters or Rumors!!
Remember that E-Mail is NOT PRIVATE!!!
Think of e-mail as a postcard … would you send sensitive business material on a card anyone can read?
INTERNET Security
E-mail registration on external WWW sites can lead to unwanted e-mail, ads, or SPAM
Java and JavaScript applets look nice but can threaten the confidentiality of your data
Remote WWW sites can see where you are coming from (e.g., usaid.gov)
They can monitor your activity
Reflects on the Agency if abused
CONTACT INFORMATION
William R. Cleveland
(Training and Awareness)
M/IRM/ISS
(703) 465-7054
<[email protected]>
SECURITY IS A STATE OF MIND!