incident security & e-mail confidentiality integrity availability
TRANSCRIPT
Incident Security & E-MailConfidentiality • Integrity • Availability
Objectives Logical Security
Anti-Virus Software Usernames and Passwords Secure Screen Savers
Physical Security Securing the work area
Other Security Individual Computer User’s
Statement Of Responsibility E-Mail Issues
Logical Security
Anti-Virus Software Every computer must run an anti-
virus software package with virus definition files being no more than 7 days old
Configured to download and update automatically unless otherwise configured by a CTSP
Incident personnel may not unload or disable anti-virus software
All portable media must be scanned before use
Anti-Virus Software User responsibilities
Never open file attachments from unknown, suspicious, or untrustworthy source
Delete spam and junk e-mail Never download files from
untrustworthy sources Do not install software without first
contacting the incident CTSP Should a virus be detected,
disconnect computer from the network and immediately notify a CTSP
Usernames and Passwords
Do not share passwords Password complexity enabled 12 characters with at least 1
uppercase, 1 lowercase, 1 number and 1 punctuation
One logon per ID
Secure Screen Saver
All computers must have a locking password protected screen saver enabled
Timeout is 15 minutes Users will logout of shared
machines when stepping away for long periods of time
System Settings
Login Banner Government owned equipment will
display a standard or Agency specific banner at login
Leased computers will display a standard banner:
System Settings
“You are about to access a computer that is owned or leased by the United States government that is intended for authorized use and users only. You should have no expectation of privacy in your use of this network. Use of this network constitutes consent to monitoring, retrieval, and disclosure of any information stored within the network for any purpose including criminal prosecution.”
Data Backups: Incident Data
Incident CTSP’s are responsible for backing up data residing on all servers
Ultimately, your data is your responsibility to secure
Back it up - Lock it up. All media that contains backed up data must be secured.
Offsite Storage / Jump Drive or Email
Data Backups: I-Suite
Under no circumstances shall I-Suite backups remain in the possession of any individual for “historical purposes”
Database and data backups (not repository or documentation box copies) will be deleted and destroyed at the end of an incident
Data Security: Access Control
Users can expect access to be limited to the data that is relevant to their position
Additional security measures shall be provided for sensitive data
Do not distribute data (files and photos) to individuals. Information generated on a fire belongs to the hosting agency.
Have management approval for all users accessing the Incident network
Data Security: PII All Federal agencies require
employees to take awareness training in dealing with Personally Identifiable Information (PII)
This training emphasizes the importance of protecting PII data
Data Security: PII Incident Management Teams collect PII data from
resources at Check-in. What is considered PII?Full name Telephone numberStreet addressE-mail addressVehicle registration plate numberDriver's license numberFace, fingerprints, or handwritingCredit card numbers
Data Security: PII What is not considered PII?
First or last name, if commonCountry, state, or city of residenceAge, especially if non-specificGender or raceName of the school attendingName of employerGrades, salary, or job positionCriminal record
Non-PII data does not imply non-private information
Data Security: Scrubbing
Deleted files are not erased Scrubbing is the process of
writing random characters over the entire hard drive
All leased computers when being returned must be scrubbed/wiped
Free space (as opposed to whole disk) scrubbers are acceptable
Physical Security
Securing the Work Area
Equipment containing sensitive data will be secured at all times
Pay special attention to high traffic areas
Common areas in leased facilities should not be considered secure
Provide specific security measures for equipment during non-business hours
Other Security Procedures
Individual Security Responsibilities
Individual Computer User’s Statement of Responsibility
Report the loss or theft of data and equipment immediately: Inform the C&G and Security Inform the administrative agency Inform the agency that owned or
rented if the loss was equipment Provide for continuity of operations Document all actions
E-Mail Issues
Questions?