Incident Security & E-Mail
Confidentiality • Integrity • Availability

Upload: mark-bryant

Post on 17-Jan-2016


Page 1: Incident Security & E-Mail Confidentiality Integrity Availability

Incident Security & E-Mail
Confidentiality • Integrity • Availability

Page 2

Objectives

- Logical Security
  - Anti-Virus Software
  - Usernames and Passwords
  - Secure Screen Savers
- Physical Security
  - Securing the work area
- Other Security
  - Individual Computer User’s Statement of Responsibility
  - E-Mail Issues

Page 3

Logical Security

Page 4

Anti-Virus Software

- Every computer must run an anti-virus software package with virus definition files being no more than 7 days old
- Configured to download and update automatically unless otherwise configured by a CTSP
- Incident personnel may not unload or disable anti-virus software
- All portable media must be scanned before use

Page 5

Anti-Virus Software: User responsibilities

- Never open file attachments from unknown, suspicious, or untrustworthy sources
- Delete spam and junk e-mail
- Never download files from untrustworthy sources
- Do not install software without first contacting the incident CTSP
- Should a virus be detected, disconnect the computer from the network and immediately notify a CTSP

Page 6

Usernames and Passwords

- Do not share passwords
- Password complexity enabled
- 12 characters with at least 1 uppercase, 1 lowercase, 1 number and 1 punctuation
- One logon per ID

Page 7

Secure Screen Saver

- All computers must have a locking, password-protected screen saver enabled
- Timeout is 15 minutes
- Users will log out of shared machines when stepping away for long periods of time
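The numeric settings on the Anti-Virus Software, Usernames and Passwords, and Secure Screen Saver slides can be checked mechanically. The following is an added example, not part of the original presentation: the inventory field names and the sample hosts are hypothetical and constructed, a timeout shorter than 15 minutes is assumed to be acceptable, and "punctuation" is assumed to mean any character that is neither alphanumeric nor whitespace.

```python
import re
from datetime import date

# Thresholds taken from the slides; field names and sample data are assumptions.
MAX_DEFINITION_AGE_DAYS = 7
MAX_SCREEN_LOCK_MINUTES = 15
MIN_PASSWORD_LENGTH = 12
REQUIRED_CLASSES = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
                    "number": r"[0-9]", "punctuation": r"[^A-Za-z0-9\s]"}


def password_findings(candidate):
    """Return the password rules from the slide that `candidate` fails."""
    findings = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        findings.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not re.search(pattern, candidate):
            findings.append(f"missing {name}")
    return findings


def host_findings(host, today):
    """Check one inventory record (hypothetical fields) against the slides."""
    findings = []
    if not host.get("av_enabled"):
        findings.append("anti-virus not running")
    defs = host.get("av_definitions")  # date of the installed definition files
    if defs is None or (today - defs).days > MAX_DEFINITION_AGE_DAYS:
        findings.append("virus definitions older than 7 days or unknown")
    if not host.get("av_auto_update") and not host.get("ctsp_exception"):
        findings.append("automatic updates off without CTSP exception")
    timeout = host.get("screen_lock_minutes")  # None: no locking screen saver
    if timeout is None or timeout > MAX_SCREEN_LOCK_MINUTES:
        findings.append("screen lock missing or timeout over 15 minutes")
    if not host.get("password_complexity"):
        findings.append("password complexity not enabled")
    return findings


# Constructed sample inventory, not data from any real incident.
TODAY = date(2016, 1, 17)
INVENTORY = [
    {"name": "plans-01", "av_enabled": True, "av_definitions": date(2016, 1, 14),
     "av_auto_update": True, "screen_lock_minutes": 15, "password_complexity": True},
    {"name": "lease-07", "av_enabled": True, "av_definitions": date(2016, 1, 5),
     "av_auto_update": False, "screen_lock_minutes": 30, "password_complexity": True},
]
REPORT = {h["name"]: host_findings(h, TODAY) for h in INVENTORY}
```

An empty list for a host means it meets every setting checked here; definition files exactly 7 days old pass, matching "no more than 7 days old".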

Page 8

System Settings

Login Banner

- Government-owned equipment will display a standard or Agency-specific banner at login
- Leased computers will display a standard banner:

Page 9

System Settings

“You are about to access a computer that is owned or leased by the United States government that is intended for authorized use and users only. You should have no expectation of privacy in your use of this network. Use of this network constitutes consent to monitoring, retrieval, and disclosure of any information stored within the network for any purpose including criminal prosecution.”

Page 10

Data Backups: Incident Data

- Incident CTSPs are responsible for backing up data residing on all servers
- Ultimately, your data is your responsibility to secure
- Back it up - Lock it up. All media that contains backed up data must be secured.
- Offsite Storage / Jump Drive or Email

Page 11

Data Backups: I-Suite

- Under no circumstances shall I-Suite backups remain in the possession of any individual for “historical purposes”
- Database and data backups (not repository or documentation box copies) will be deleted and destroyed at the end of an incident

Page 12

Data Security: Access Control

- Users can expect access to be limited to the data that is relevant to their position
- Additional security measures shall be provided for sensitive data
- Do not distribute data (files and photos) to individuals. Information generated on a fire belongs to the hosting agency.
- Have management approval for all users accessing the Incident network

Page 13

Data Security: PII

- All Federal agencies require employees to take awareness training in dealing with Personally Identifiable Information (PII)
- This training emphasizes the importance of protecting PII data

Page 14

Data Security: PII

- Incident Management Teams collect PII data from resources at Check-in.
- What is considered PII?
  - Full name
  - Telephone number
  - Street address
  - E-mail address
  - Vehicle registration plate number
  - Driver's license number
  - Face, fingerprints, or handwriting
  - Credit card numbers

Page 15

Data Security: PII

- What is not considered PII?
  - First or last name, if common
  - Country, state, or city of residence
  - Age, especially if non-specific
  - Gender or race
  - Name of the school attending
  - Name of employer
  - Grades, salary, or job position
  - Criminal record
- Non-PII data does not imply non-private information

Page 16

Data Security: Scrubbing

- Deleted files are not erased
- Scrubbing is the process of writing random characters over the entire hard drive
- All leased computers when being returned must be scrubbed/wiped
- Free space (as opposed to whole disk) scrubbers are acceptable

Page 17

Physical Security

Page 18

Securing the Work Area

- Equipment containing sensitive data will be secured at all times
- Pay special attention to high traffic areas
- Common areas in leased facilities should not be considered secure
- Provide specific security measures for equipment during non-business hours

Page 19

Other Security Procedures

Page 20

Individual Security Responsibilities

- Individual Computer User’s Statement of Responsibility
- Report the loss or theft of data and equipment immediately:
  - Inform the C&G and Security
  - Inform the administrative agency
  - Inform the agency that owned or rented if the loss was equipment
- Provide for continuity of operations
- Document all actions

Page 21

E-Mail Issues

Page 22

Questions?