Computer User's Guide to the Protection of Information Resources National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is responsible or developing standards, providing technical assistance, and conducting research for computers and related systems. These activities provide technical support to government and industry in the effective, safe, and economical use of computers. With the passage of the Computer Security Act of 1987 (P.L. 100-235), NIST's activities also include the development of standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems. This guide is just one of three brochures designed for a specific audience. The "Executive Guide to the Protection of Information Resources," and the "Managers Guide to the Protection of Information Resources" complete the series. ACKNOWLEDGMENTS This guide was written by Cheryl Helsing of Deloitte, Haskins & Sells in conjunction with Marianne Swanson and Mary Anne Todd of the National Institute of Standards and Technology. Introduction Today's computer technology, with microcomputers and on-line access, has placed the power of the computer where it belongs, in YOUR hands. YOU, the users, develop computer applications and perform other data processing functions which previously were only done by the computer operations personnel. These advances have greatly improved our efficiency and effectiveness but, also present a serious challenge in achieving adequate data security. While excellent progress has been made in computer technology, very little has been done to inform users of the vulnerability of data and information to such threats as unauthorized modification, disclosure, and destruction, either deliberate or accidental. This guide will make you aware of some of the undesirable things that can happen to data and will provide some practical solutions for reducing your risks to these threats. WHO IS RESPONSIBLE FOR PROTECTING DATA AND INFORMATION? The statement that "security is everyone's responsibility" is absolutely true. Owners, developers, operators and users of information systems each has a personal responsibility to protect these resources. Functional managers have the responsibility to provide appropriate security controls for any information resources entrusted to them. These managers are personally responsible for understanding the sensitivity and criticality of their data and the extent of losses that could occur if the resources are not protected. Managers must ensure that all users of their data and systems are made aware of the practices and procedures used to protect the information resources. When you don't know what your security responsibilities are, ASK YOUR MANAGER OR SUPERVISOR. WHAT IS "SENSITIVE" DATA? All data is sensitive to some degree; exactly how sensitive is unique to each business environment. Within the Federal Government, personal information is sensitive to unauthorized disclosure under the Privacy Act of 1974. In some cases, data is far more sensitive to accidental errors or omissions that compromise accuracy, integrity, or availability. For example, in a Management Information System, inaccurate, incomplete, or obsolete information can result in erroneous management decisions which could cause serious damage and require time and money to rectify. Data and information which are critical to an agency's ability to perform its mission are sensitive to nonavailability. Still other data are sensitive to fraudulent manipulation for personal gain. Systems that process electronic funds transfers, control inventories, issue checks, control accounts receivables and payables, etc., can be fraudulently exploited resulting in serious losses to an agency. One way to determine the sensitivity of data is to ask the questions "What will it cost if the data is wrong? Manipulated for fraudulent purposes? Not available? Given to the wrong person?" If the damage is more than you can tolerate, then the data is sensitive and should have adequate security controls to prevent or lessen the potential loss. RISKS ASSOCIATED WITH THE USE OF COMPUTERS? Over the past several decades, computers have taken over virtually all of our major record-keeping functions. Recently, personal computers have made it cost-effective to automate many office functions. Computerization has many advantages and is here to stay; however, automated systems introduce new risks, and we should take steps to control those risks. We should be concerned with the same risks that existed when manual procedures were used, as well as some new risks created by the unique nature of computers themselves. One risk introduced by computers is the concentration of tremendous amounts of data in one location. The greater the concentration, the greater the consequences of loss or damage. Another example is that computer users access information from remote terminals. We must be able to positively identify the user, as well as ensure that the user is only able to access information and functions that have been authorized. Newspaper accounts of computer "hackers," computer virus attacks, and other types of intruders underscore the reality of the threat to government and commercial computer systems. HOW MUCH SECURITY IS ENOUGH? No matter how many controls or safeguards we use, we can never achieve total security. We can, however, decrease the risk in proportion to the strength of the protective measures. The degree of protection is based on the value of the information; in other words, how serious would be the consequences if a certain type of information were to be wrongfully changed, disclosed, delayed, or destroyed? General Responsibilities All Federal computer system users share certain general responsibilities for information resource protection. The following considerations should guide your actions. Treat information as you would any valuable asset. You would not walk away from your desk leaving cash or other valuables unattended. You should take the same care to protect information. If you are not sure of the value or sensitivity of the various kinds of information you handle, ask your manager for guidance. Use government computer systems only for lawful and authorized purposes. The computer systems you use in your daily work should be used only for authorized purposes and in a lawful manner. There are computer crime laws that prescribe criminal penalties for those who illegally access Federal computer systems or data. Additionally, the unauthorized use of Federal computer systems or use of authorized privileges for unauthorized purposes could result in disciplinary action. Observe policies and procedures established by agency management. Specific requirements for the protection of information have been established by your agency. These requirements may be found in policy manuals, rules, or procedures. Ask your manager if you are unsure about your own responsibilities for protection of information. Recognize that you are accountable for your activities on computer systems. After you receive authorization to use any Federal computer system, you become personally responsible and accountable for your activity on the system. Accordingly, your use should be restricted to those functions needed to carry out job responsibilities. Report unusual occurrences to your manager. Many losses would be avoided if computer users would report any circumstances that seem unusual or irregular. Warning signals could include such things as unexplainable system activity that you did not perform, data that appears to be of questionable accuracy, and unexpected or incorrect processing results. If you should notice anything of a questionable nature, bring it to your manager's attention. Security and Control Guidelines Some common-sense protective measures can reduce the risk of loss, damage, or disclosure of information. Following are the most important areas of information systems controls that assure that the system is properly used, resistant to disruptions, and reliable. Make certain no one can impersonate you. If a password is used to verify your identity, this is the key to system security. Do not disclose your password to anyone, or allow anyone to observe your password as you enter it during the sign-on process. If you choose your own password, avoid selecting a password with any personal associations, or one that is very simple or short. The aim is to select a password that would be difficult to guess or derive. "1REDDOG" would be a better password than "DUKE." If your system allows you to change your own password, do so regularly. Find out what your agency requires, and change passwords at least that frequently. Periodic password changes keep undetected intruders from continuously using the password of a legitimate user. After you are logged on, the computer will attribute all activity to your user id. Therefore, never leave your terminal without logging off-even for a few minutes. Always log off or otherwise inactivate your terminal so no one could perform any activity under your user id when you are away from the area. Safeguard sensitive information from disclosure to others. People often forget to lock up sensitive reports and computer media containing sensitive data when they leave their work areas. Information carelessly left on top of desks and in unlocked storage can be casually observed, or deliberately stolen. Every employee who works with sensitive information should have lockable space available for storage when information is not in use. If you aren't sure what information should be locked up or what locked storage is available, ask your manager. While working, be aware of the visibility of data on your personal computer or terminal display screen. You may need to reposition equipment or furniture to eliminate over-the-shoulder viewing. Be especially careful near windows and in public areas. Label all sensitive diskettes and other computer media to alert other employees of the need to be especially careful. When no longer needed, sensitive information should be deleted or discarded in such a way that unauthorized individuals cannot recover the data. Printed reports should be finely shredded, while data on magnetic media should be overwritten. Files that are merely deleted are not really erased and can still be recovered. Install physical security devices or software on personal computers. The value and popularity of personal computers make theft a big problem, especially in low-security office areas. Relatively inexpensive hardware devices greatly reduce the risk of equipment loss. Such devices involve lock-down cables or enclosures that attach equipment to furniture. Another approach is to place equipment in lockable cabinets. When data is stored on a hard disk, take some steps to keep unauthorized individuals from accessing that data. A power lock device only allows key-holders to turn on power to the personal computer. Where there is a need to segregate information between multiple authorized users of a personal computer, additional security in the form of software is probably needed. Specific files could be encrypted to make them unintelligible to unauthorized staff, or access control software can divide storage space among authorized users, restricting each user to their own files. Avoid costly disruptions caused by data or hardware loss. Disruptions and delays are expensive. No one enjoys working frantically to re-enter work, do the same job twice, or fix problems while new work piles up. Most disruptions can be prevented, and the impact of disruptions can be minimized by advance planning. Proper environmental conditions and power supplies minimize equipment outages and information loss. Many electrical circuits in office areas do not constitute an adequate power source, so dedicated circuits for computer systems should be considered. Make certain that your surroundings meet the essential requirements for correct equipment operation. Cover equipment when not in use to protect it from dust, water leaks, and other hazards. For protection from accidental or deliberate destruction of data, regular data backups are essential. Complete system backups should be taken at intervals determined by how quickly information changes or by the volume of transactions. Backups should be stored in another location, to guard against the possibility of original and backup copies being destroyed by the same fire or other disaster. Maintain the authorized hardware/software configuration. Some organizations have been affected by computer "viruses" acquired through seemingly useful or innocent software obtained from public access bulletin boards or other sources; others have been liable for software illegally copied by employees. The installation of unauthorized hardware can cause damage, invalidate warranties, or have other negative consequences. Install only hardware or software that has been acquired through normal acquisition procedures and comply with all software licensing agreement requirements. SUMMARY Ultimately, computer security is the user's responsibility. You, the user, must be alert to possible breaches in security and adhere to the security regulations that have been established within your agency. The security practices listed are not inclusive, but rather designed to remind you and raise your awareness towards securing your information resources: PROTECT YOUR EQUIPMENT Keep it in a secure environment Keep food, drink, and cigarettes AWAY from it Know where the fire suppression equipment is located and know how to use it PROTECT YOUR AREA Keep unauthorized people AWAY from your equipment and data Challenge strangers in your area PROTECT YOUR PASSWORD Never write it down or give it to anyone Don't use names, numbers or dates which are personally identified with you Change it often, but change it immediately if you think it has been compromised PROTECT YOUR FILES Don't allow unauthorized access to your files and data NEVER leave your equipment unattended with your password activated - SIGN OFF! PROTECT AGAINST VIRUSES Don't use unauthorized software Back up your files before implementing ANY new software LOCK UP STORAGE MEDIA CONTAINING SENSITIVE DATA If the data or information is sensitive or critical to your operation, lock it up! BACK UP YOUR DATA Keep duplicates of your sensitive data in a safe place, out of your immediate area Back it up as often as necessary REPORT SECURITY VIOLATIONS Tell your manager if you see any unauthorized changes to your data Immediately report any loss of data or programs, whether automated or hard copy For Additional Information National Institute of Standards and Technology Computer Security Program Office A-216 Technology Gaithersburg, MD 20899 (301) 975-5200 For further information on the management of information resources, NIST publishes Federal Information Processing Standards Publications (FIBS PUBS). These publications deal with many aspects of computer security, including password usage, data encryption, ADP risk management and contingency planning, and computer system security certification and accreditation. A list of current publications is available from: Standards Processing Coordinator (ADP) National Computer Systems Laboratory National Institute of Standards and Technology Technology Building, B-64 Gaithersburg, MD 20899 Phone: (301) 975-2817