Nowhere in the field of automation has the explosion in information technology manifested itself more than in microprocessor based systems. A personal computer sits on the desk of virtually every individual having anything to do with the collection, analysis or processing of information. And, more often than not, each individual controls the personal computer data files, spreadsheets, or databases. In many cases, the individual is the only person who knows what data is available or how to run most of the applications. In more and more cases, these systems have a link into some sort of telecommunication network which allows the interchange of data with other systems in the network. These "other systems" may range from mainframes and LAN servers in a hard wired network to public bulletin board systems through the use of dial-up telephone circuits.
Personal computers and word processors lack many of the controls ordinarily found in larger processing environments. These include strict and regular backup procedures, access restrictions and individual accountability for changes to data. This absence of control, along with personnel changes, disk drive failure and lack of audit trails, tend to make end user computing workstations and word processors highly vulnerable to risks associated with data integrity, disclosure and loss.
STANDARD. Personal computer systems and word processors used to store, process and/or access confidential or sensitive data, shall undergo risk analysis as required by the information security function. Risk analysis results shall be presented to the owner of the information resources for risk management. The degree of risk acceptance (i.e., the exposure remaining after implementation of the recommended protective measures) must be identified. The Information Security Function must be prepared to demonstrate that security precautions have been established to ensure data confidentiality and the maintenance of information integrity.
GUIDELINES. Unless extraordinary steps are taken to ensure control, the use of end user computing workstations for sensitive or critical tasks should be avoided. The use of end user computing workstations for sensitive or critical tasks should be strictly reviewed and only permitted where adequate controls are in place to provide continued data confidentiality, integrity, and availability. Particular emphasis should be placed on training and awareness of end users responsible for data integrity and availability for sensitive or critical systems. Physical access to workstations should be limited to the degree necessary to provide data confidentiality, integrity, and availability, particularly where meaningful logical controls are not available or not used. Agency management must recognize that the use of end user computing workstations for sensitive or critical tasks implies a lack of centralized control and administration over information resources.
GUIDELINES. Program managers should thoroughly review the possible risks associated with storing information or accessing applications on personal computers or word processors.
1. Determine whether the information that the agency plans to store or access on a such a device is confidential or sensitive. In terms of classifying information, refer to the appropriate sections within this document for assistance.
2. Identify critical applications.
3. Perform a risk analysis to identify the consequences of inadequate security controls.
4. Develop the internal security policies and procedures that are necessary to assure that the information and critical applications will be adequately protected.
5. If the information is confidential or sensitive or an application is critical, consider utilizing a minicomputer or mainframe as an alternative to a personal computer system. These systems offer a variety of sophisticated security options and features to protect data and applications.
1. If an application is critical to agency operations, be sure that at least two employees are familiar with the files, data, and data element names and understand the proper sequence of operations.
2. Make sure that at least two employees have knowledge about where data files, backup files, and forms are stored.
3. Make sure that confidential files remain at the work site and that confidential information is disseminated only to authorized individuals.
4. Ensure that data backup procedures are established and enforced.
5. Ensure that there is a procedure for storage and maintenance of files and that it is followed.
6. Develop a data dictionary which will provide a complete description of all data elements.
7. Develop a flowchart showing how all data and files are related.
8. If data integrity is critical, install a verification procedure.
9. Make sure that state and federal security and privacy requirements with respect to the information are understood and enforced.
10. Determine if data encryption or other data security features are required.
11. Ensure that all state owned systems be used for state business purposes only and are not allowed to be used for games or contain any data or software that does not have an explicit business use.
Provisions should be made to ensure against the loss of data and programs stored in personal computers or word processors as a result of machine or power failures. Backup copies of all data files and software should be stored in a safe location. A regular schedule for making backup copies of all data files should be established.
Establish procedures for backing-up files stored on a hard disk to either floppy diskettes, another hard disk drive, or to magnetic tape. Ensure that the backup files are stored in a separate location.
Make arrangements for the availability of a backup system in case of an equipment failure or other emergency.
Word processing systems vary greatly in terms of the security controls or features they offer. Program managers utilizing these systems for storage of confidential or sensitive information or critical applications should become thoroughly familiar with those systems' security features. They should then determine which features should be utilized, taking into consideration the risks that exist within their operating environment. Most of the following security features are available to word processing systems. It is strongly suggested that they be investigated and used.
Unless the printer is located in a secure area or there is someone at the printer to retrieve the information as it is printed, confidential information should not be printed. Confidential information should be delivered directly to the individual it is intended for and not left on a desk or otherwise accessible to persons who are not authorized to see or use it.
Passwords are also an effective means of preventing unauthorized individuals from gaining access to information stored in a personal computer system. Systems that allow the use of passwords on personal computers are available and can be utilized to prevent the use of the system, protect files, and assign information access authorities. For additional information, refer to the applicable sections within this guideline which address passwords and information access authorities.
Word processing systems should be located in environments that have been designed with information technology security considerations in mind. For specific facility related considerations see the section on Physical Security in this document. At a minimum the following list provides the physical security features that should be considered for offices employing these systems:
To protect personal computer systems from theft and unauthorized use, desktop systems should be located in secure areas within the agency or should be physically attached to a desk or table. If the computer has a lock, it should be locked whenever the system is unattended and the key should be kept in a secure location. There are a variety of devices that can be used to secure a personal computer to a desk, including cables, adhesives, and bolt on brackets. If the personal computer is located in a private office, the office should be locked when it is unoccupied.
Personal computers having access to local or wide area networks as clients or terminals to the server should never be left unattended while logged on to the network.
Most personal computers and word processors permit the operator to place information on magnetic diskettes, commonly called "floppy disks." Floppy disks are extremely portable. Confidential information can be copied to floppy disks and easily removed from the premises. To ensure that information is properly handled, office policy and procedures should address the storage and handling of confidential and sensitive information that has been copied to floppy disks.
Floppy disks are easily destroyed by heat, magnetic fields, or other improper handling such as touching the recording surface. To avoid loss of information, personnel should be trained in the proper handling of floppy disks. Personnel should be advised of the following:
Encryption, or the coding of data to make it unintelligible to anyone not having the security key, is a method for protecting information. For additional information refer to the applicable sections within this document which address encryption.
Software license agreements must be strictly adhered to. Proprietary software cannot be duplicated, modified, or used on more than one personal computer except as expressly provided for in the manufacturer's license agreement.
A minimum set of standard documentation should be maintained by the individual or organization responsible for a personal computer or word processor. Standard documentation can be categorized into four basic areas and includes the following:
Program managers are responsible for ensuring that staff members possess the knowledge and skills necessary for effective use of the personal computers and word processors that are available to the organization. Program managers are also responsible for ensuring that there is sufficient depth of training to prevent disruption of key activities in the event of unexpected staff changes.
Personal computers and word processors are susceptible to becoming infected by viruses which can cause system malfunction and data loss. Strict adherence to the procedures and guidelines outlined above will minimize this risk. However, further steps can be taken which are specifically directed toward virus prevention.
1. Educate users about malicious software in general, the risks that it poses, virus symptoms and warning signs, how to use control measures, policies and procedures to protect themselves and the organization.
2. Establish software management policies and procedures that address public-domain software. Never download software from public access bulletin boards.
3. Establish and educate users about careful change management procedures and the use of programs to aid in virus detection.
4. Initiate control procedures to regularly run virus detection programs on personal computers and word processors used to store confidential or sensitive information or to run critical applications.
5. Monitor user and software activity to detect signs of attacks, to detect policy violations, and to monitor the overall effectiveness of policies, procedures and controls.