
6-1. AIS INFORMATION SECURITY INCIDENT REPORTING: All DeCA computer users must be alert to misuse or abuse of DeCA computer resources and report any security incidents that occur. This section defines security incidents in the context of the DeCA computing environment.

6-2. GENERAL: Misuse of DeCA computers involves either unauthorized use of computer resources or wrongful use of government information. Unauthorized use is defined as one of the following: (1) a government resource is used for personal business or pleasure; (2) a government resource is used to perform non-government work for others; or (3) information of a personal or nongovernmental nature is stored on a government computer. Any of those forms of misuse shall be reported to a user's TASO when discovered.

a. AIS Security Incidents. Security incidents are serious occurrences and shall be reported as soon as possible to the TASO of the individual who detects them. These violations include the following:

(1) Intentional "lending" of a password to another individual. "Password" in the context of a security incident includes any other form of authenticator, such as a smart card.

(2) Stealing another person's password.

(3) Intentional acts that produce conditions likely to lead to the compromise of a password. This category includes such situations as writing the password on the desk calendar, leaving it inside a desk, or leaving a smart card on the desk or in an unlocked drawer.

(4) Attempting to obtain a password other than the one assigned to the user committing the violation.

(5) Abuse of assigned privileges such as making an unauthorized transaction just to "see what happens."

(6) Use of unapproved software on a government computer.

(7) Violation of copyright laws by using "bootlegged" or otherwise unauthorized proprietary software.

(8) Attempting to exceed authorized access or privileges.

(9) Deliberate introduction of a computer virus into a DeCA computer system.

(10) Improperly securing sensitive information or printouts.

(11) Detection of a computer virus or other malicious software on a computer.

(12) Unexplained output to a computer screen or in a printout.

(13) Unexplained access by a user to an otherwise denied object.

b. AIS Security Incident Reports. TASOs will report security incidents to the appropriate ISSM. ISSM will report security incidents to the appropriate ISSO. ISSO will forward security incident reports to:

Headquarters, DeCA/IM ATTN: ISSMP

Fort Lee, Virginia 23801-6300

Security reports will be forwarded within 2 working days of the discovery of the incident.

6-3. COMPUTER SECURITY TECHNICAL VULNERABILITY REPORTING PROGRAM (CSTVRP): A specialized form of incident reporting is the CSTVRP established by DoD Instruction 5215.2 (reference n). DoD set up this program to require the reporting of all demonstrable and repeatable technical vulnerabilities associated with AISs. A technical vulnerability is defined as a hardware, firmware, or software design or implementation characteristic or flaw that leaves an AIS open to potential exploitation.

The exploitation may be either external or internal to the system and would result in a risk of compromise of information, alteration of information, or denial of service. It does not necessarily mean that an actual incident has occurred, or an attempt has been made to exploit the system, only that the potential or capability for exploitation has been discovered. The reference contains a format that should be used to report this type of a vulnerability.

6-4. RESPONSIBILITIES: See Chapter 3.

Chapter 7 INTERNET

7-1. INTERNET. A worldwide group of interconnected government, corporate, educational and private computer systems. The Internet allows exchange of information via services such as World Wide Web (WWW), file transfer protocol (FTP), and Telnet.

7-2. BACKGROUND.

a. The current explosive growth of the Internet and the "Information Superhighway" creates a rapidly-changing situation where boundaries between appropriate (official) and inappropriate uses can be blurred. This situation requires that DeCA establish clear and explicit policy on appropriate and acceptable uses of its computer and information systems.

b. Avoiding inappropriate activities on the Internet requires that DeCA set minimum standards for such use. These standards do not exempt DeCA users from further restrictions that may be imposed by subordinate DeCA elements based on assigned duties or work location.

7-3. ACCESS.

a. Access to the Internet must be authorized by the Director Information Resources Management (IM).

b. Internet access and usage will be according to the OC-IT's established communications, hardware and software procedures.

7-4. USERS' RESPONSIBILITIES. DeCA Internet Access users will:

a. Treat electronic mail and communications on the Internet as not secure.

(1) Provide a disclaimer that their views do not represent an official DeCA, DoD, or U.S. Government position when contributing to publicly accessed Internet discussions and electronic mail correspondence.

(2) Only publicly releasable information will be placed on the Internet as an official Agency posting. Information that is placed on the Internet must be cleared through the same security and policy review channels as other publicly "hard copy" released material. Exercise caution in postings and correspondence. Since the Internet provides access across a number of interconnected networks, information on a server directly connected to the Internet is available to everyone on the Internet. Be aware that malicious Internet users beyond the control of the Agency may electronically alter E-Mail, discussion comments, or posted articles, or falsely attribute information to Agency policy or actions.

b. Report any undue or suspicious activity related to Internet accounts or Internet use to the CIU point of contact within 24 hours. A user will record the name, date, time, system, network identities, specific type of activity, connection, and information involved.

c. Follow established DeCA automated information systems (AIS) security guidelines concerning the scanning of downloaded files for malicious content.

(1) Assume that all attachments or files taken from the Internet could be contaminated with malicious code.

(2) Save all files or other electronic data taken from the Internet and scan for malicious code before further processing, distribution, or introduction to the DeCA CIU Network or any other DeCA AIS.

(3) Immediately cease processing and report all suspected or confirmed instances of virus or malicious code to the CIU point of contact.

d. Refer all contacts with the news or entertainment media (by Internet or otherwise) concerning Agency matters to the Director, Public Affairs (DeCAD 100-1).

e. Internet users must be briefed on responsibilities at least annually. Rebriefing may be accomplished by providing the user a copy of this chapter. Security Managers will incorporate DeCA Internet access user responsibilities into all initial training dealing with information access, distribution, or protection.

f. Accurately attribute the source and date of any data or information acquired from the network by keeping intact all the textual header information that goes with a message or posting. If the data from the network is used internally in the Agency, along with preserving the entire posting, the user shall include the identity of the forum, news group, network, or system where the data originated.

g. Initiate action through supervisory channels to the Office of General Counsel regarding any Internet activity that raises legal or standards of conduct concerns.

h. Follow DeCA policies regarding records management. Many types of Internet communications or files may be designated a Federal record, thus qualifying as a DeCA record to be managed according to its information content. Substantive Internet communications or documents are Federal records and need to be preserved and managed either in electronic or hard copy form according to DeCAD 30-2, Records Management Program. At a minimum, the record copy of any Internet communications sent should also contain the date and time sent and any receipt information.

7-5. USE OF FEDERAL GOVERNMENT RESOURCES. Employees are reminded of the Joint Ethics Regulation, DoD 5500.7-R, and that it is punitive and enforceable against all DeCA employees. Section 2-301 states the following on the USE OF FEDERAL GOVERNMENT RESOURCES:

a. Communication Systems. See GSA regulation 41 C.F.R. Subpart 201-21.6 (reference (h)), on use of Federal Government telephone systems. Federal Government communication systems and equipment (including Government owned telephones, facsimile machines, electronic mail, Internet systems, and commercial systems when use is paid for by the Federal Government) shall be for official use and authorized purposes only.

(1) Official use includes emergency communications and communications that the DoD Component determines are necessary in the interest of the Federal Government. Official use may include, when approved by theater commanders in the interest of morale and welfare, communications by military members and other DoD employees who are deployed for extended periods away from home on official DoD business.

(2) Authorized purposes include incidental uses that are authorized by the DoD Component. They include brief communications made by DoD employees while they are traveling on Government business to notify family members of official transportation or schedule changes. They also include personal communications from the DoD employee's usual work place that are most reasonably made during working hours (such as checking in with spouse or minor children; scheduling doctor and auto or home repair appointments; brief Internet searches; e-mailing directions to visiting relatives) when the Agency Designee approves such communications and determines that the communications:

(a) Do not adversely affect the performance of official duties by the DoD employee or the DoD employee's organization;

(b) Are of reasonable duration and frequency, and whenever possible, made during the DoD employee's personal time such as after duty hours or lunch periods;

(c) Serve a legitimate public interest (such as keeping DoD employees at their desks rather than requiring the use of commercial systems; educating the DoD employee on the use of the communications system; improving the morale of DoD employee stationed for extended periods away from home, enhancing the professional skills of the DoD employee; job-searching in response to Federal Government downsizing);

(d) Do not put Federal Government communications systems to uses that would reflect adversely on DoD or the DoD Component (such as uses involving pornography; chain letters or group mailings; unofficial advertising, soliciting or selling; violations of statute or regulation; inappropriately handled classified information; and other uses that are incompatible with public service); and

(e) Do not overburden the communication system, create no significant additional cost to DoD or the DoD Component, and in the case of long distance communications, charges are:

1 Charged to the DoD employee's home telephone number or other non-Federal Government number (third number call);

2 Made to an 800 toll-free number;

3 Reversed to the called party if a non-Federal Government number (collect call);

4 Charged to a personal telephone credit card; or

5 Otherwise reimbursed to DoD or the DoD Component in accordance with established collection procedures;

(f) In accordance with applicable laws and regulations, use of Federal Government communications systems may be monitored. See DoD Directives 4640.1 (reference (i)) and 4640.6 (reference (j)). DoD employees shall use Federal Government communications systems with the understanding that such use serves as consent to monitoring of any type of use, including incidental and personal uses, whether authorized or unauthorized. In addition, use of such systems is not anonymous. For example, for each use of the Internet over Federal Government systems, the name and computer address of the DoD employee user is recorded by the Government and also by the locations searched.

(g) Most Federal Government communications systems are not secure. DoD employees shall not transmit classified information over any communication system unless it is transmitted using approved security procedures and practices (e.g., encryption, secure networks, secure workstations). In addition, DoD employees shall not release access information, such as passwords, to anyone unless specifically authorized to do so by the Agency Designee. See DoD Directives 5200.28 (reference (k)) and C-5200.5 (reference (l)). DoD employees should exercise extreme care when transmitting any sensitive information or other valued data. Information transmitted over an open network (such as through unsecure e-mail, the Internet, or telephone) may be accessible to anyone else on the network. Information transmitted through the Internet or by e-mail, for example, is accessible to anyone in the chain of delivery. Internet information and e-mail messages can be re-sent to others by anyone in the chain.

b. Other Federal Government Resources. Other than the use of Federal Government communications systems authorized in accordance with subsection 2-301.a. of this Regulation, above; the use of Federal Government resources as logistical support to non-Federal entity events in accordance with subsection 3-211 of this Regulation, below; and the use of Federal Government time authorized in accordance with subsection 3-300 of this Regulation, below; Federal Government resources, including equipment, personnel, and property, shall be used by DoD employees for official purposes only, except as follows:

(1) Agency Designees may permit their DoD employees to make limited personal use of Federal Government property, such as typewriters, calculators, libraries, and other similar resources and facilities, if the Agency Designee determines the following:

(a) The use does not adversely affect the performance of official duties by the DoD employee or the DoD employee's organization;

(b) The use is of reasonable duration and frequency, and made only during the DoD employee's personal time such as after duty hours or lunch periods;

(c) The use serves a legitimate public interest (such as supporting local charities or volunteer services to the community; enhancing the professional skills of the DoD employee; job searching in response to Federal Government downsizing);

(d) The use does not put Federal Government resources to uses that would reflect adversely on DoD or the Component (such as involving commercial activities; unofficial advertising, soliciting or selling; violation of statute or regulation; and other uses that are incompatible with public service); and

(e) The use creates no significant additional cost to DoD or the DoD Component."

7-6. LOSS OF PRIVILEGES. A user who fails to follow the DeCA Internet access instruction, or any law or regulations applicable to users of the Internet, is subject to immediate loss of Internet access privileges. Employees may be subject to disciplinary action.

a. DeCA employees and contractor personnel using DeCA Internet Access or DeCA AIS may also be subject to administrative and contractual sanctions.

b. DeCA users are also subject to all applicable civil, criminal and administrative sanctions.

7-7. FORMAL ACKNOWLEDGMENT. Supervisors, at their discretion, may require DeCA employees and contractors to read this instruction and formally acknowledge their responsibilities and understanding. A sample acknowledgment is at Exhibit 7-1. The responsible supervisor will retain the signed acknowledgment.

EMPLOYEE ACKNOWLEDGMENT AND CONSENT

I acknowledge that I have read and understand the Defense Commissary Agency Internet Access Instruction and consent to such monitoring, inspection, and audit of my Internet activities as Agency management and/or security officials deem appropriate.

I realize that if I fail to follow the DeCA Internet Access Instructions or any of the laws or regulations applicable to users of the Internet, I will be subject to immediate loss of Internet access privileges and that I may be subject to various disciplinary actions, up to and including removal from Federal Service.

DATE SIGNATURE

OFFICE CODE PRINTED NAME

Exhibit 7-1

REFERENCES

a. Public Law 93-579, Privacy Act of 1974.

b. Public Law 99-474, Computer Fraud and Abuse Act of 1986.

c. Public Law 100-235, Computer Security Act of 1987.

d. General Accounting Office, Report to the Chairman, Committee on Science, Space, and Technology, House of Representatives, INFORMATION SYSTEMS: Agencies Overlook Security Controls during Development (GAO/IMTEC-88-11S) Appendix I, "Model of Security in the System Life Cycle Development Process," May 1988.

e. Office of Management and Budget Circular A-123, "Internal Control Systems," August 4, 1986.

f. Office of Management and Budget Circular A-127, "Financial Management Systems," December 19, 1984.

g. Office of Management and Budget Circular A-130, "Management of Federal Information Resources," February 8, 1996.

h. Office of Management and Budget Bulletin 90-08, "Guidance for Preparation of Security Plans for Federal Computer Systems that Contain Sensitive Information," July 9, 1990.

i. DoD Directive 5200.1-R, "Information Security Program Regulation," July 12, 1982.

j. DoD Directive 5200.28, "Security Requirements for Automated Information Systems," March 21, 1988.

k. DoD Directive 5010.19, "DoD Configuration Management Program," October 28, 1987.

l. DOD Directive 5105.55, "Defense Commissary Agency (DeCA)," November 9, 1990.

m. DoD Directive 5010.38, "Internal Management Control Program," April 14, 1987.

n. DoD Instruction 5215.2, "Computer Security Technical Vulnerability Reporting Program (CSTVRP)," September 2, 1986.

o. DoD Instruction 7935.1, "DoD Automated Information Systems," September 13, 1977.

p. DoD Instruction 5000.1, "Defense Acquisition," March 15, 1996.

q. CSC-STD-002-85, "DoD Password Management Guideline," April 12, 1985.

r. NCSC-TG-001, "A Guide to Understanding Audit in Trusted Systems," June 1, 1988.

s. NCSC-TG-017, "A Guide to Understanding Identification and Authentication in Trusted Systems," September 1, 1991.

t. NCSC-TG-006, "A Guide to Understanding Configuration Management in Trusted Systems," March 28, 1988.

u. NCSC-TG-027, "A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems," May 1992.

v. DeCA Directive 30-9, "Configuration Management for Automated Information Systems (AIS)," March 12, 1993.

w. DeCA Directive 30-8, "Automated Information Systems (AIS) Testing Procedures," February 26, 1993.

x. DeCA Directive 70-2, "Internal Management Control Program," March, 1991.

y. Federal Information Processing Standard Publication (FIPS Pub) 31, "Guidelines for ADP Physical Security and Risk Management," June 1974.

z. FIPS Pub 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974," May 30, 1975.

aa. FIPS Pub 65, "Guideline for Automatic Data Processing Risk Analysis," August 1, 1979.

bb. FIPS Pub 87, "Guideline for ADP Contingency Planning," March 27, 1981.

cc. FIPS Pub 102, "Guideline for Computer Security Certification and Accreditation," September 27, 1983.

dd. Federal Information Resources Management Regulation, Chapter 201, November 1984.

DEFINITIONS AND ACRONYMS

1. DEFINITIONS. The definitions in this glossary have been taken from National Security Telecommunications and Information Systems Security (NSTISS) publication 4009, "National Information Systems Security (INFOSEC) Glossary," 5 June 1992, and definitions that are applicable to DeCA and this directive.

access. A specific type of interaction between a subject (person, process, or input device) and an object (record, file, program, or output device) that results in the flow of information from one to the other; the ability and opportunity to obtain knowledge of information in a system.

accountability. Property that allows auditing of activities on an AIS to be traced to persons who may then be held responsible for their actions.

accreditation. Formal declaration by a designated approving authority that an AIS is approved to operate in a particular security mode using a prescribed set of safeguards.

accreditation authority. Synonymous with designated approving authority.

access type. Privilege to perform an action on a program or file.

NOTE: Read, write, execute, append, modify, delete, and create are examples of access types.

administrative security. Management constraints, operational procedures, accountability procedures, and other administrative controls used to enforce security policy. Administrative security includes defining security roles and responsibilities for personnel and organizations, achieving and maintaining system accreditation, and managing the system's security program.

approval to operate. An accreditation by the DAA that authorizes the operation of a specific information system at a specific facility with a specific set of security controls.

assurance. Measure of confidence that the security features and architecture of an AIS accurately mediate and enforce the system-specific security policy.

audit trail. Chronological records of system activities to enable the reconstruction and examination of the sequence of events and/or changes in an event.

authentication. Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's eligibility to receive specific categories of information.

automated information systems (AIS). Any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data and includes computer software, firmware, and hardware.

NOTE: Included are stand-alone systems, personal computers, networks, word processing systems, or other electronic information handling systems, and associated equipment.

automated information systems security. Synonymous with computer security.

availability. The property that ensures the information system data, services, and resources are available to authorized users reliably, consistently, and in a timely manner.

availability of data. Data that is in the place, at the time, and in the form needed by the user.