UNCLASSIFIED
SECURITY IS A STATE OF MIND
United States Agency For International Development
M/IRM/ISS
William R. Cleveland
June 99
SO WHAT???
Some consequences of lacking a proper and effective Information Systems Security Program include...
  The inability of both you and USAID to perform assigned responsibilities and provide needed services to the Department of State and client nations.
  The waste, loss, or abuse of USAID resources.
  The loss of credibility or embarrassment to USAID.
Information System Security Contacts
USAID Information Systems Security Officer:
Jim Craft <[email protected]> (202) 712-4559
Senior Security Consultant:
Mike Fuksa <[email protected]> (202) 712-1096
Ante Penaso <[email protected]> (703)-465-7008
Security Training and Awareness:
Bill Cleveland <[email protected]> (703) 465-7067
User Responsibilities
Use Government software and services for official business only as authorized
Protect sensitive information
Protect passwords/tokens and report suspected compromise to supervisor or ISSO.
Maintain a “Security Mindset”
Comply with USAID ISS Directives
Employee Accountability
Accountability -- ensures that the actions of any person may be traced back to that person.
Requirements include:
  Identification and authentication
  Audit Trails
Remember: YOU are accountable for ALL activity that occurs under YOUR system user identification!
Workstation Protection
Comply with the physical security requirements of your office.
Other area protection responsibilities limited
Ensure secure work habits
Don’t try to bypass security
Make security a habit
Workstation Protection (2)
Never leave your computer unattended
  use password protected screen saver for short periods of time (lunch, etc)
  log off at the end of the day
Protect sensitive information
  store it in a private area
  encrypt it
Password Protection
Personal passwords must remain private
Follow prescribed user ID/password guidelines
Don’t let anyone else use it
Don’t write it down
Don’t type a password while others watch
Don’t record password on-line or e-mail it
Don’t use easily guessed words
Change it regularly
Password Requirements
NEVER disclose your password!
Passwords must be at least six characters (alphanumeric)
  e.g., I8NY2x Dog&Man3
Passwords must be changed periodically
  USAID requires every 90 days
  Reminders will be sent to all users
Treat Your Password Like A Toothbrush… Don’t Share It, and Change It Often!
Virus Protection
Protection:
  Use media from trusted sources
  Check all files and programs before use
  Make backup copies of known clean media
  Do not boot from diskette if possible
  Install USAID Antivirus software programs
  Make sure virus programs are current
Data and File Backups
Back up your data regularly
Verify your backups
Protect your backups
Disposition Sensitivity Disclosure Potential
Human Security Factors
Be proactive and question strange things
  report abnormalities to supervisor or ISSO
NEVER assume ANYTHING
  “Trust But Verify” -- NEVER assume someone or something is what he/it appears to be
NEVER blindly trust unconfirmed rumors
Above all… USE COMMON SENSE
SBU INFORMATION
Official Information That Warrants Protection
  Financial, Medical, Contract, Personnel
Is legally exempt from public disclosure
SBU access is on a Need-To-Know Basis
Use Common Sense in handling SBU info.
Must take reasonable safeguards to prevent unauthorized access/disclosure/modification
USAID Policy Letter 2/1997
Classified Computing
Only done at authorized, MARKED terminals.
Not INTERNET-reachable
In accordance with USAID/IG and DoD regulations
Contact supervisor, IG, or ISSO for Agency guidance
SMARTGATE
Security software administered by the IRM/ISS Group that provides a secure method for employees and contractors to connect into the USAID global network (AIDNET) from a dial-in modem or internet service provider.
Allows IRM/ISS to monitor authorized dial-up connections to AIDNET
E-Mail Security
Unsecured and Easy to Intercept
Do not transmit NSI (classified data) over E-Mail
SBU can be e-mailed ONLY as required
Subject to Agency monitoring for compliance
Do NOT pass on Chain Letters or Rumors!!
Remember that E-Mail is NOT PRIVATE!!!
Think of e-mail as a postcard … would you send sensitive business material on a card anyone can read?
INTERNET Security
E-mail registration on external WWW sites can lead to unwanted e-mail, ads, or SPAM
Java and JavaScript applets look nice but can threaten confidentiality of your data
Remote WWW sites can see where you are coming from (e.g., usaid.gov)
  They can monitor your activity
  Reflects on the Agency if abused
CONTACT INFORMATION
William R. Cleveland
(Training and Awareness)
M/IRM/ISS
(703) 465-7054
SECURITY IS A STATE OF MIND!