SECURITY IS A STATE OF MIND

United States Agency For International Development
M/IRM/ISS
William R. Cleveland <wcleveland@usaid.gov>
June 99

UNCLASSIFIED

SO WHAT???

Some consequences of lacking a proper and effective Information Systems Security Program include:
- The inability of both you and USAID to perform assigned responsibilities and provide needed services to the Department of State and client nations.
- The waste, loss, or abuse of USAID resources.
- The loss of credibility or embarrassment to USAID.

Information System Security Contacts

USAID Information Systems Security Officer: Jim Craft <jcraft@usaid.gov> (202) 712-4559
Senior Security Consultant: Mike Fuksa <mfuksa@usaid.gov> (202) 712-1096
Ante Penaso <apenaso@usaid.gov> (703)-465-7008
Security Training and Awareness: Bill Cleveland <wcleveland@usaid.gov> (703) 465-7067

User Responsibilities

- Use Government software and services for official business only as authorized
- Protect sensitive information
- Protect passwords/tokens and report suspected compromise to supervisor or ISSO.
- Maintain a “Security Mindset”
- Comply with USAID ISS Directives

Employee Accountability

Accountability -- ensures that the actions of any person may be traced back to that person.
Requirements include:
- Identification and authentication
- Audit Trails
Remember: YOU are accountable for ALL activity that occurs under YOUR system user identification!

Workstation Protection

- Comply with the physical security requirements of your office.
- Other area protection responsibilities limited
- Ensure secure work habits
- Don’t try to bypass security
- Make security a habit

Workstation Protection (2)

- Never leave your computer unattended
  - use password protected screen saver for short periods of time (lunch, etc.)
  - log off at the end of the day
- Protect sensitive information
  - store it in a private area
  - encrypt it

Password Protection

- Personal passwords must remain private
- Follow prescribed user ID/password guidelines
- Don’t let anyone else use it
- Don’t write it down
- Don’t type a password while others watch
- Don’t record password on-line or e-mail it
- Don’t use easily guessed words
- Change it regularly

Password Requirements

- NEVER disclose your password!
- Passwords must be at least six characters (alphanumeric)
  - e.g., I8NY2x Dog&Man3
- Passwords must be changed periodically
  - USAID requires every 90 days
  - Reminders will be sent to all users
Treat Your Password Like A Toothbrush… Don’t Share It, and Change It Often!

Virus Protection

Protection:
- Use media from trusted sources
- Check all files and programs before use
- Make backup copies of known clean media
- Do not boot from diskette if possible
- Install USAID Antivirus software programs
- Make sure virus programs are current

Data and File Backups

- Backup your data regularly
- Verify your backups
- Protect your backups
  - Disposition
  - Sensitivity
  - Disclosure Potential

Human Security Factors

- Be proactive and question strange things
  - report abnormalities to supervisor or ISSO
- NEVER assume ANYTHING
  - “Trust But Verify” -- NEVER assume someone or something is what he/it appears to be
- NEVER blindly trust unconfirmed rumors
- Above all…USE COMMON SENSE

SBU INFORMATION

- Official Information That Warrants Protection
  - Financial, Medical, Contract, Personnel
- Is legally exempt from public disclosure
- SBU access is on a Need-To-Know Basis
- Use Common Sense in handling SBU info.
- Must take reasonable safeguards to prevent unauthorized access/disclosure/modification
- USAID Policy Letter 2/1997

Classified Computing

- Only done at authorized, MARKED terminals.
- Not INTERNET-reachable
- In accordance with USAID/IG and DoD regulations
- Contact supervisor, IG, or ISSO for Agency guidance

SMARTGATE

- Security software administered by the IRM/ISS Group that provides a secure method for employees and contractors to connect into the USAID global network (AIDNET) from a dial-in modem or internet service provider.
- Allows IRM/ISS to monitor authorized dial-up connections to AIDNET

E-Mail Security

- Unsecured and Easy to Intercept
- Do not transmit NSI (classified data) over E-Mail
- SBU can be e-mailed ONLY as required
- Subject to Agency monitoring for compliance
- Do NOT pass on Chain Letters or Rumors!!
- Remember that E-Mail is NOT PRIVATE!!!
Think of e-mail as a postcard … would you send sensitive business material on a card anyone can read?

INTERNET Security

- E-mail registration on external WWW sites can lead to unwanted e-mail, ads, or SPAM
- Java and JavaScript applets look nice but can threaten confidentiality of your data
- Remote WWW sites can see where you are coming from (e.g., usaid.gov)
- They can monitor your activity
- Reflects on the Agency if abused

CONTACT INFORMATION

William R. Cleveland (Training and Awareness)
M/IRM/ISS
(703) 465-7054
<wcleveland@usaid.gov>

SECURITY IS A STATE OF MIND!