National Aeronautics and Space Administration




Information Technology (IT)
Security 101 Handbook




www.nasa.gov





Table of Contents
Preface ........ 4
NASA Basic IT Security Overview ........ 6
Prohibited Uses of NASA’s IT Resources (Misuse NPR) ........ 7
IT Security Best Practices ........ 8
Extended Leave Guidance ........ 9
Spyware Announcement
Contact Sheet
Appendix I: Definitions
Appendix II: UCE Messages
Information Technology Security User Responsibilities
CNE Request Form for Email and Network Domain Accounts ........ 40
Remote Access Account Request Form ........ 41




Prepared by
The Systems Management Division
Version [number illegible], October 2006
.

                                                                    
Preface
NASA’s relationship with the Internet is a difficult one to manage. On the one hand, the Internet is the most economical, worldwide, and rapid means ever invented to distribute the wonderful images and discoveries NASA is chartered to share with all humankind. On the other hand, the Internet is also the digital secret passage that allows hackers, spies, and criminals to break into NASA computers to demonstrate they can outsmart the rocket scientists, pirate cutting-edge technology to the detriment of US national and economic security, and steal the identities and personal information of NASA employees, contractors and partners. Therefore, it is the responsibility of everyone who has access to NASA computers and networks, civil servant or contractor, full-time or part-time, on-site or remote, to do their best to help protect and preserve NASA’s on-line information assets. The goal of this document is to help you to help NASA achieve its bold mission while protecting NASA’s employees, IT systems and reputation.




                                                  4
IT Security Overview




         
Basic IT Security Overview
NASA Basic IT Security for 2007
Introduction
You look both ways before you cross the street. You install smoke alarms in your home. You lock your home when you leave. But are you security conscious when it comes to information and computer security? Security awareness means thinking about security before we use a computer, before we open an e-mail attachment, and before we create a password. Security awareness also means thinking about security before we buy or install a new technology, download a program or application, or reveal any personal information to strangers. Before you say “this isn’t important to me,” what if your system was compromised and you lost important information that you had been working on for months?

Information Technology (IT) security is complicated and the “bad guys” are devious and inventive. Security compromise affects all of us, and everyone who works for the Government and/or uses Government systems needs to know his/her IT security responsibilities. Remember, you’re not just protecting the Agency, but yourself as well.

Overview
By now, you probably know that the goal of Information Technology (IT) security is to ensure security controls are examined, chosen, and implemented to protect the integrity, availability and confidentiality of every aspect of NASA’s IT resources, such as computers, networks, telecommunications systems, applications, data, and information that support NASA missions and business.

What you may not know is that the “human factor” of IT security (those things that can be affected by every employee every day) remains one of the toughest security challenges. All NASA employees (and anyone else working with NASA information and/or systems) need to realize that it is everyone’s responsibility to understand that all of NASA’s information is a valuable resource that must be protected, to think defensively about how to protect that information, and not to expose NASA to any undue risks.

Objectives
Understand your responsibilities for IT security in the following areas:
 • Roles in Security
 • Laws, Regulations, and Policies
 • Protecting Information According to its Category
 • Ethical Behavior
 • Appropriate and Inappropriate System Use
 • Recognizing and Reporting Security Incidents

Learn secure practices in reference to:
 • Passwords
 • Handling E-mail

                                                  6
 • Internet Usage
 • Web Browser Settings
 • Social Engineering
 • Identity Theft
 • Physical Security
 • Laptops, PDAs and Cell Phones
 • Backups
 • Risk, Risk Management and Contingency Planning
 • Resource Sharing
 • Remote Access to NASA IT Resources
 • Wireless Connections

IT Security Roles and Laws
Introduction
You’ve heard it before, but IT security is everyone’s responsibility. There are some people designated with higher responsibilities: those who make decisions on how to protect our network environment, those who monitor, and those of us who need to be aware and follow the rules to help those people do their jobs. The same laws that govern how to protect NASA’s systems and information provide security for YOUR information as well.

Roles in IT Security
Although the NASA Administrator is ultimately responsible and accountable for the NASA IT Security Program, there are many IT security roles and responsibilities. The few roles listed here are to help you know who you can contact for IT security related problems and/or questions. The Center IT Security Manager is responsible for his/her Center IT Security Program. The Center IT Security Manager’s role is to develop Centerwide IT security policies and guidance, to facilitate computer awareness and training, to maintain an incident response capability, and to document, review, and report the status of the Center IT Security Program.

System Administrators
System Administrators ensure that the protective security measures of the system are functional and maintain the system’s security status.

Managers
It is the Manager’s responsibility to support IT security laws and guidelines and enforce them in his/her organization. Managers have the responsibility to work with their employees to ensure everyone understands their IT security responsibilities. Managers must be able to give advice and guidance on questions that arise regarding IT security and to ensure that proper incident response procedures are followed. Managers also have the responsibility to keep their people informed of current issues or changes that may affect IT security. Your Manager should be able to offer you guidance and answers to any security related issues.




                                                   7
Users
A “user” is defined as anyone that uses NASA resources, whether via direct interaction with the system (e.g., computers, networks, telecommunications systems, applications), reading computer-prepared reports, or being briefed on such material. Every user must protect computing resources by following policies, receiving training, and being aware of their IT security responsibilities.

IT Security Laws, Regulations, and Policies
Even in the game of Monopoly® the law exists! If you draw a certain card or land on a particular space, “you go to jail” and “go directly to jail without passing Go and collecting $200”. Well, there are laws governing IT security (one of which mandates this yearly training), but there are other laws that you need to be aware of as well.

Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each Federal agency to develop, document, and implement an agency-wide IT Security Program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or source.

Some laws, regulations, standards, publications, and policies apply to all Government systems:
 • National Institute of Standards and Technology (NIST) publications
 • Federal Information Processing Standards (FIPS) publications
 • Computer Fraud and Abuse Act (18 USC 1030)

Others may be specific to NASA:
 • NASA Procedural Requirement (NPR) 2810.1A, Security of Information Technology
 • Center policies

This is not a complete list. New laws, regulations, and policies are added (or modified) on a regular basis. The type of information contained on your system will dictate additional laws, regulations, and policies that must be followed.

Other Laws, Regulations, and Policies
There are other laws and regulations that apply to specific types of information on many NASA systems. Keeping this type of information secure is a responsibility that you should appreciate; after all, you wouldn’t want your own information divulged. Exposing this type of information could also cause acute embarrassment for the individuals involved and the Agency as a whole, and could potentially involve litigation. Some of these laws and regulations are:
 • Privacy Act (privacy information)
 • Health Insurance Portability and Accountability Act (HIPAA) (health information)
 • Export Administration Regulations (EAR) (export controlled information)
 • International Traffic in Arms Regulations (ITAR) (export controlled information)
 • Financial Management Financial Integrity Act (FMFIA) (financial information)
 • Sarbanes-Oxley


                                                   8
Copyright laws apply to any and all information that may be shared with, used by, or given to others (such as music, videos, pictures, or other information off the Internet). Just because you can make a copy of something doesn’t mean you are legally allowed to do so. Also, all software on your system that requires a license should either have one, or the software should be removed.

The Privacy Act requires that information in identifiable form (IIF) that is in the custody of the Federal Government be protected from unauthorized disclosure. There are external regulations that place responsibility on every NASA employee and contractor to protect information in identifiable form. Information in identifiable form is information that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification (which may include a combination of gender, race, birth date, geographic indicator, and other descriptors).

A Privacy Act (PA) System of Records (SOR) is any system that contains privacy information (or IIF) on individuals and from which information is retrieved by name or personal identifier.

PA System owners must:
 • Work with the Center Privacy Act Manager to publish their systems in the Federal Register
 • Provide specific notifications to individuals at the time of data collection and to users at point of system access
 • Safeguard and ensure record disclosure only for authorized routine uses
 • Provide training for system users regarding their privacy obligations
 • Maintain and provide accounting of non-routine disclosures

Unauthorized disclosure of a PA record may result in criminal penalties and a fine of up to $5,000.

External Regulations
Information on web sites and in electronic and hard copy systems is regulated by:
 • E-Government Act of 2002 (E-Gov Act)
 • Child Online Privacy Protection Act (COPPA)
 • Privacy Act of 1974 (PA)
 • Paperwork Reduction Act of 1995
 • Federal Information Security Management Act of 2002 (FISMA)
 • Collecting Information from the Public

A Privacy Impact Assessment (PIA) must be conducted before developing or procuring IT systems that collect or maintain information in identifiable form (IIF) on members of the public. A PIA must also be conducted when initiating a new electronic collection of information in identifiable form on ten (10) or more members of the public (consistent with the Paperwork Reduction Act).

The PIA format and worksheet are available through the Office of the Chief Information Officer (OCIO). Be sure to consult with the Paperwork Reduction Officer before collecting information. In most instances, the Office of Management and Budget (OMB) must authorize an Information Collection before NASA collects any information from the public.


                                                   9
When information is to be gathered in a standard manner (surveys, forms, web enabled forms, standard verbal questions), these requirements apply:
 • Regardless of format (via paper, orally, or web)
 • Regardless of whether information is in identifiable form
 • Regardless of whether information is provided voluntarily

There are external regulations pertaining to web privacy requirements as well. Specific web privacy policies must be posted, including special provisions, when persistent tracking is used or IIF gathered. Web site use of “persistent tracking” or “persistent cookies” is prohibited without a waiver based on compelling requirements; the most common compelling requirement is site customization. A waiver template may be obtained from the OCIO.

When collecting IIF on children (under 13 years), a Children’s Online Privacy Protection Act (COPPA) notice must be posted and mandatory parental notification/consent procedures must be implemented.

Summary
With the ever-changing world of technology comes the ever-growing presence of threats. And, with an increase in threats come laws to deal with those threats. Many people think the Government’s role in improving computer security is to impose and enforce regulations, but it can do a lot more positive reinforcement to encourage secure business practices, including serving as a trusted tool for threat information. As our reliance on computers continues to grow, the importance of the laws that protect us from the cyber criminals will continue to grow as well, and we must be aware of our ever changing security responsibilities.

User Responsibilities for IT Security
Introduction
With the privilege of using information technology systems to do your job comes responsibility. All of NASA’s employees (and everyone else working with NASA information and/or systems) need to take an active part in ensuring the security of our Agency’s information and systems. Awareness of your responsibilities for IT security is as important as that of the system administrators and security professionals who manage IT security at your Center.

Protecting Information
All information within NASA is sensitive to some degree and should be protected. Different categories of information should be protected using different means, stringency levels, and controls in proportion to the risk and impact of the information being altered, destroyed, made unavailable, or disclosed.

Order (EO) 19. These materials must be properly marked, locked up when not under the supervision of an authorized person, and encrypted while in transit over a non-secure network. Some examples are: trade secrets, proprietary information, financial information, personnel and medical records, procurement-sensitive information, IT system security plans, contingency plans, audit logs, vulnerability reports, and incident reports. Hint: information previously categorized as Business and Restricted Technology (BRT) is very likely to be SBU.

                                                   10
Scientific and Technical Information
STI is defined as the results of basic and applied scientific, technical, and related engineering research and development. STI also includes management, industry, and economic information relevant to this research.

NOTE: Some STI may be SBU and need to be protected as such.

Export Controlled Information
Export Controlled Information is data that would fall under the protection of International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) and will also need to be protected as SBU and/or STI.

Secure IT Fact
Did you know?
NASA generates, receives, distributes, and maintains an enormous amount of information. As stated earlier, some information needs to be protected as mandated by law or regulation.

Why should I care?
You should know what types of information you work with and protect it as required. There are courses on SATERN that define and explain the appropriate handling of the different types of information that you may work with.

Ethical Behavior and Appropriate Use
You are responsible for your computer and the information on it. To use your computer ethically, you need to understand your responsibilities when using NASA IT resources. NASA’s ability to protect its resources is directly related to the integrity of the NASA community. The ethical and appropriate use of IT resources is based on the concepts of official, authorized, personal, and prohibited use of government resources. Your Center’s policy may be more stringent than official Government regulations or NASA guidance.

A basic definition of Official Use is business correspondence, which includes any computer processing that is required as part of the job. To further define, Official Use includes, but is not limited to, the performance of NASA work-related duties in position descriptions, professional training and class work, work covered under grant agreements with NASA, tasks directed via NASA contracts, agreements with international partners, Center-authorized activities, and support activities related to NASA contract tasks.

Authorized Use
With the concurrence of your Center management, some less formal activities involving the use of your computer may be authorized. Authorization for such activities must be specifically documented by management and may include, but is not limited to, the following:
 • Work-related events, such as technical symposiums, classes, and presentations
 • Activities sponsored by the Center, such as a child care center and carpooling activities

                                                   11
 • Events and activities specific to a particular NASA or Center organization
 • Center-sanctioned activities, such as blood drives, recognized clubs, and organizations

Permissible Use
Some occasional personal use of electronic mail or the Internet is permitted provided it does not interfere with the employee’s work or the work of others. Use of government computing systems for personal use must be limited to brief periods, should not incur any additional expense to the Government, and must not interfere with your job duties. When communication cannot reasonably be made during non-business hours, employees may exchange brief messages with persons or entities such as a spouse or dependent; someone responsible for the care of a spouse or dependent; state and local government agencies on personal matters; or medical care providers. Your Center’s policy on this issue will provide additional guidance on personal use of your computer systems.

Prohibited Use
Some uses of NASA computer systems are clearly outside the boundaries of official business and permissible use. Prohibited uses of NASA’s IT resources include (but are not limited to) using the system to do any of the following:
 • Participating in any activity or information exchange that would violate federal law, regulation, or policy
 • The creation, downloading, viewing, storing, copying, or transmission of materials related to illegal weapons, illegal gambling, terrorist activities, child pornography, and any other illegal activities
 • Exchanging information that would not be permitted in any format, such as hate literature, sexually explicit or sexually oriented materials, sexual harassment, or racist literature
 • Use of unauthorized peer-to-peer file sharing for the explicit use of downloading prohibited materials
 • Unauthorized acquisition, use, reproduction, transmission, or distribution of any controlled information, including computer software and data, proprietary data, or export controlled software or data
 • Use of NASA IT resources as a staging ground to gain unauthorized access to other systems
 • Participating in chat rooms or news groups that do not support official or permitted use
 • Sending chain letters, personal mass mailings, hoaxes, or harassing messages
 • Maintaining or operating a personal business, performing consulting work other than that required by your job at NASA, or running a charitable organization
 • Monitoring network traffic, attempting to identify security vulnerabilities, or in any way circumventing or disabling IT security measures
 • Hacking or illegally accessing IT resources; or copying data, files, or software without prior authorization
 • Exchanging pirated information, for example: software, music, or video files (pirated information is illegally copied copyrighted information)
 • Fund raising, political endorsement, lobbying, or participating in partisan political activity
 • Any personal use that could result in congestion, delay, or disruption of service to any NASA network or computer




12
Warning Banner and Privacy
Although you are responsible for the information on your computer, you must remember that it is not your personal property. The warning banner you are presented with prior to the login window when you start your computer contains important information regarding NASA’s systems. A warning banner has been placed on all NASA-owned or NASA-funded IT systems to warn all users that by accessing the system, they are consenting to complete monitoring with no expectation of privacy.

Because the computer equipment, software, and information you use are NASA-owned property, all activities on any given system may be monitored to the extent permitted by law and NASA directives. It also means that unauthorized access or unauthorized use may subject you to disciplinary action and criminal prosecution. When you click OK, you accept the conditions stated in the warning banner, which means all files, including e-mail, may be examined.

Recognizing a Computer Incident
There are times when you may observe a change in your computer, such as the way it operates. This could be a simple system error, or it could be a warning sign of a security incident. Inappropriate use of NASA’s IT resources is a computer incident; however, not all incidents are easily identifiable. IT security incidents have the potential to cause damage to systems and the information they contain. An IT security incident is an event whereby some aspect of IT security could be threatened:
 • Loss of data confidentiality
 • Disruption of data or system integrity
 • Disruption or denial of availability

Computer incidents include, but are not limited to:

Denial of Service
An attack on NASA systems that prevents or impairs the authorized use of networks, systems, or applications.

Malicious Code
A virus, worm, Trojan horse, or other code-based malicious entity (e.g., mobile code) that infects the NASA network.

Unauthorized Access
A person gains logical or physical access without permission to a NASA network, system, application, data, or other resource.

Misuse
A person violates acceptable computing use policies.




13
Multiple Component Incident
An incident that falls into several incident categories at once.

Reporting Computer Incidents
Here are the steps you should follow when you think your system is the target of an incident:
 1. Take notes on paper (not on your computer).
 2. Write down any information you think may be helpful:
     a. Date
     b. Time
     c. What you were doing at the time it occurred
     d. What happened and how the computer is acting
     e. Any computer messages you may have received
 3. Notify the proper people according to your Center’s Incident Response process. This could be the Help Desk, the IT Security Office, or your manager.
 4. Tell only the people who need to know about the situation, and make sure you give them all the details.
 5. Don’t do anything to your system unless instructed to do so.
 6. Don’t use your computer to exchange information about the incident.

Summary
The use of government computing resources carries the responsibility of performing tasks in an ethical and appropriate manner. Users are required to protect the integrity, confidentiality, and availability of the systems and information to which they have access and to report any inappropriate behavior. Be aware of what types of information are on your system and the ways you can protect it from unauthorized disclosure. No one knows what is stored on your systems better than you.

Using IT Resources Safely and Securely
Introduction
Studies show that a company’s biggest security threat is its own employees. That’s because many of us don’t realize that the screen saver we downloaded this morning, or that cute joke with the attachment, could ever do harm to the NASA network. In reality, many software features or freely downloadable packages appear to be helpful and harmless; however, they can cause systems to be less secure. Just one infected e-mail attachment has the potential to shut down the entire NASA network. It only takes one person unaware of his or her IT security responsibilities to cause a security breach. Don’t be that person!

Passwords
You’ve heard it over and over, but do you really know why good password management is essential? It could be because a hacker can crack an eight-character dictionary word in seconds! Good password management is vital whether you are at home or at work. IT security experts recommend that users select different passwords for each system (or online service for home users), and you should never write down your password. (You may write down hints to yourself to remember it if needed.) After all, you wouldn’t write your personal identification number (PIN) code on your automated teller machine (ATM) card, would you?

                                                    14
Pam used her street name, “Boardwalk”, as her password for her online banking account. Her account was compromised, and by the time her bank notified her, her account was depleted and she had been fined hundreds of dollars in overdraft fees.

When devising a new password, follow these password best practices:
 1. To avoid using an insecure password, create a password “phrase”. When a password phrase is created, you will remember it more easily and you won’t need to write it down.
 2. Remember, a secure password is one that isn’t shared with ANYONE!

Password Best Practices:
 1. Use a minimum of eight characters
 2. Passwords should contain three of the following four options:
     a. UPPERCASE LETTERS
     b. lowercase letters
     c. numeric characters
     d. special characters (such as @, &, %)

Passwords should not:
 1. Contain any form of your name, user ID, birth date, family member name, pet name, or other personal information
 2. Relate to any NASA project or organization, any vendor product, or the name of a vehicle or sports team
 3. Be a dictionary word or combination of words
 4. Be a repetition of numbers or letters, or a keyboard pattern
 5. Be written down and left in an unsecured location

It is quick and easy to create (and remember) a secure password if you use a password phrase. Think of a phrase that you will easily remember and use the first letter of each word to create the password. Substitute numbers for words, capitalize, insert characters, and you have a password that will be easy for you to remember and hard for someone to figure out! For example:

Phrase = Password
 • My favorite sport to play is football! = MfspiF
 • I really would like to win the state lottery. = IrwlwtSl
 • I was at the park last Friday afternoon. = iw@tplFa

DISCLAIMER: As many people across the Agency will be viewing this course, please refrain from using any of the above listed passwords on your system.
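A checker that applies the password rules above (minimum length, three of the four character classes, no personal or project terms, no dictionary word or pair of words, no repetition or keyboard patterns) and runs it over the handbook’s own sample passwords. This is an added example, not part of the handbook; the word list, keyboard runs and the personal and project terms are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed sample dictionary; a real deployment would load a full word list.
DICTIONARY_WORDS = {
    "boardwalk", "password", "football", "lottery", "summer", "welcome",
    "marvin", "gardens", "park", "friday", "state", "board", "walk",
}
# Common keyboard runs and sequences, checked forwards and backwards.
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "12345", "abcde")


@dataclass
class PolicyResult:
    ok: bool
    failures: List[str] = field(default_factory=list)


def char_classes(pw: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def has_repetition(pw: str) -> bool:
    """Three or more identical characters in a row, e.g. 'aaa' or '111'."""
    return re.search(r"(.)\1\1", pw) is not None


def has_keyboard_pattern(pw: str) -> bool:
    low = pw.lower()
    return any(run in low or run[::-1] in low for run in KEYBOARD_RUNS)


def is_dictionary_based(pw: str) -> bool:
    """Letters-only form is a dictionary word, or two dictionary words joined."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    if letters in DICTIONARY_WORDS:
        return True
    return any(letters[:i] in DICTIONARY_WORDS and letters[i:] in DICTIONARY_WORDS
               for i in range(3, len(letters) - 2))


def term_hits(pw: str, terms: Iterable[str]) -> List[str]:
    """Terms of three or more characters found in the password, case-insensitively."""
    low = pw.lower()
    return [t for t in terms if len(t) >= 3 and t.lower() in low]


def check_password(pw: str, personal_terms: Iterable[str] = (),
                   restricted_terms: Iterable[str] = ()) -> PolicyResult:
    """Apply every rule and report all failures, not just the first one."""
    failures = []
    if len(pw) < 8:
        failures.append("fewer than eight characters")
    if char_classes(pw) < 3:
        failures.append("fewer than three of the four character classes")
    hits = term_hits(pw, personal_terms)
    if hits:
        failures.append("contains personal information: " + ", ".join(hits))
    hits = term_hits(pw, restricted_terms)
    if hits:
        failures.append("relates to a project, vendor, vehicle or team: " + ", ".join(hits))
    if is_dictionary_based(pw):
        failures.append("dictionary word or combination of words")
    if has_repetition(pw):
        failures.append("repetition of numbers or letters")
    if has_keyboard_pattern(pw):
        failures.append("keyboard pattern")
    return PolicyResult(not failures, failures)


if __name__ == "__main__":
    # Constructed profile for the "Pam" story above; no real person's data.
    profile = {"personal_terms": ("Pam", "Boardwalk", "1970"),
               "restricted_terms": ("Orion", "Hubble")}
    for candidate in ("Boardwalk", "MfspiF", "IrwlwtSl", "iw@tplFa",
                      "Orion2007!", "Qwerty12!"):
        result = check_password(candidate, **profile)
        verdict = "OK " if result.ok else "BAD"
        print(f"{verdict} {candidate:12s} {'; '.join(result.failures)}")
```

Of the handbook’s three sample passwords only iw@tplFa satisfies all of its own rules; the other two are too short or use only two character classes.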

E-Mail Basics
An e-mail message is not just a message; it’s a document that can also be considered an official federal record. E-mail is not your personal property. It is the property of NASA, which provides the system that creates, circulates, copies and files it. You should know that any use of government resources for communication will identify you as a representative of NASA, so be sure you make it clear that any opinion expressed is your own and not that of NASA unless you are communicating in an official capacity.

15

Opening.unsolicited.e-mail.attachments.without.first.verifying.their.source.is.the.greatest.contributor.
to.the.spread.of.viruses.and.other.malicious.code..Most.viruses.are.contained.in.e-mail.attachments..
Even.e-mail.that.appears.to.come.from.someone.you.know.may.be.contaminated.

Although.convenient.for.some,.enabling.the.preview.pane.in.the.e-mail.program.is.not.the.most.
secure.thing.to.do..Setting.up.your.e-mail.program.to.only.open.e-mails.when.you.double-click.
them.is.the.best.way.to.protect.your.system.from.unwanted.viruses.or.malicious.code.

E-mail.empowers.us.to.organize.and.streamline.our.work.flow.--.so.long.as.we.use.it.correctly..When.
e-mail.is.used.incorrectly,.however,.it.becomes.part.of.the.problem.

Remember:
 • Never.forward.chain.letters;.just.delete.them.
 • To.be.careful.when.opening.attachments;.they.could.contain.viruses.
 • Don’t.respond.to.a.group.list.-.unless.you.really.want.to.send.your.message.to.everyone.
 • To.use.e-mail.for.business.purposes.only.
 • The.misuse.of.e-mail.may.cause.personal.and.professional.embarrassment,.potential.lawsuits,.and.
   costly.litigation.

Sending E-Mails
E-mail should always be considered public information, so if you are sending sensitive information,
encryption (e.g. Entrust, PGP) should be used. Any e-mail sent unencrypted should be considered
insecure and vulnerable to potential disclosure. Caution must be used whether you are sending the
information in the body of an e-mail or as an attachment, including within a Center or workgroup.
Inadvertent disclosure of such information may be a violation of NASA policy, regulation, or law.
Check with your IT Security Manager or supervisor if you are uncertain about the sensitivity of the
information you are sending. Public Key Infrastructure (PKI) provides security for desktops and
network applications including electronic and Internet commerce.

John’s e-mail to several senior officials contained an unencrypted attachment of a sensitive report.
The report dealt with an on-going criminal investigation. The report was intercepted and now the
investigation has been compromised.

NOTE: If you need to send an e-mail containing sensitive information, see the NASA Certificate
Authority web site for policies, user agreement, and assistance; or the Public Key Infrastructure
(PKI) course on SATERN for detailed information on how PKI works.

Common Sense Rule: If you wouldn’t put it on a postcard, don’t send it in an e-mail message!



Unsolicited Commercial E-Mail (UCE)
Along with the convenience and improved productivity, e-mail creates the possibility of receiving
unsolicited commercial e-mail (UCE), commonly known as SPAM. This is the electronic equivalent
of the junk mail that you receive at home.

Tired of receiving unsolicited e-mails from Marvin Gardens, Calvin tried sending a return message
asking to be removed from the mailing list. But instead of fewer e-mails, he got more! Why? Because
the senders found they had a legitimate address that they could continue to use, share, or sell.

The Office of the Chief Information Officer and IT Security Management recommend that the
best way to deal with UCE is to delete the correspondence.

BEWARE: Some e-mails are becoming sneaky in the way they try to trick people. There have been
some that say they were sent to you because you need a security patch and must go to a particular
web site and download it. But, instead of installing something that makes your system more
secure, you end up installing harmful programs. Offensive or threatening UCE should be handled
according to your Center’s guidelines. Following are links for information on where to forward these
e-mails:

Forward offensive or threatening UCE to one of the following:

(Center / E-mail address to forward UCE (spam) to; also see Appendix II: UCE Messages)

ARC                Computer-security@mail.arc.nasa.gov
DFRC               junkmail@dfrc.nasa.gov
GRC                See the following web site for directions:
                   http://www.grc.nasa.gov/WWW/CIO/IT_Security/Web/
                   (select the unsolicited e-mails link to the left)
GSFC               abuse@abuse.gsfc.nasa.gov
HQ                 security@hq.nasa.gov
JPL                SPAM-spamreport@jpl.nasa.gov
JSC                See the following web site for directions:
                   http://jsc-cio-01.jsc.nasa.gov/center/its/spam.htm
KSC                abuse@ksc.nasa.gov
LaRC               abuse@larc.nasa.gov
MSFC               abuse@msfc.nasa.gov
SSC                abuse@ssc.nasa.gov

Internet Usage
Internet use is a privilege, not a right, and the Internet should be used for business purposes only.
Caution should be used when using the Internet due to the number of IT security risks.

A “pharming” attack (also known as domain name server (DNS) poisoning or domain spoofing) is
when an Internet user is automatically redirected to web pages controlled by unknown attackers.
Unfortunately, if you are redirected, you probably won’t be able to tell it isn’t a legitimate site - the
site will look real. The attackers then collect sensitive information or financial data from their
victims. Be sure you are on a legitimate site before giving out any information.

Phishing
Phishing is a form of online identity theft that uses spoof (or fake) e-mails and fraudulent web sites,
among other techniques, to lure people into divulging personal financial data such as credit card
numbers, account usernames, passwords, and social security numbers.

Downloads
Downloading is always a concern when using the Internet. More and more sites are carrying “free”
programs that, when downloaded, will install unwanted software (or viruses) on your system. To be
safe, any software that you wish to download should be checked and approved by your organization’s
computer security official or Center Information Technology Security Manager (ITSM).

Unsolicited Commercial Software
Unsolicited Commercial Software (UCS) is a program that you never asked for which gets installed
on your computer and does something you probably don’t want it to, for someone else’s profit. This is
becoming a huge problem lately. There are several different types of UCS:

SPYWARE can typically watch everything you do online and send information back to marketing
companies and/or use the information gathered to steal your identity.

ADWARE will send you lots of unwanted advertising.

OTHER TYPES OF MALWARE can make your modem (analogue or ISDN) call other phone
numbers, leave security holes that allow the makers of the software (or, sometimes, anyone at all)
to download and run software on your machine, degrade system performance, and/or cause errors.

CAUTION: Even spyware and adware removal programs can install other UCS you don’t want on
your system (especially when they are free). Contact the help desk for assistance on checking for the
presence and/or the removal of these programs on your system.

“Cookies” are data files that a web site will place and store on the hard drive of your computer that
contain information about your activities on the web. They store information that might be useful
in serving your needs the next time you visit the site; however, they can also be used to see what web
pages you visit and how often you visit them. This means the company has a profile of your Internet
habits, which they use for marketing and advertising purposes.

Web Browser Settings
The settings for your web browser (Internet Explorer, Safari, etc.) can affect how secure it is and how
much malicious code can be picked up while you are “surfing” the Internet. They can also, however,
cause web pages not to load all the way (if at all). The idea is to have the security settings as high as
you can without “breaking” the web pages you need to use to do your job.

Be cautious downloading and installing screen savers, or programs from questionable Internet
sources - you don’t know what software code, viruses, or other malicious software might be hidden
within them that could infect your PC. Be careful about providing personal, sensitive information
to an Internet site. Find out what the organization’s IT security and privacy policies are - they could
be collecting your information and sharing or selling it to other sources. Be aware that you can get
viruses from Internet Relay Chat (IRC) and Instant Messenger-type services. Computer systems
must be secured with all required security patches (fixes) before connecting to the Internet to avoid
being hacked. Periodically, additional patches may need to be installed to protect against new
vulnerabilities. It is your responsibility to make sure this happens if your system is not an ODIN
system. You don’t have to be a high profile user to be targeted by a hacker.

Social Engineering
Social engineering is the “art” of utilizing human behavior to gain information without the person
(target) even realizing that they have been manipulated. The information is gained slowly by asking
for small favors or gaining information through seemingly innocent conversation. The information
may be something seemingly unimportant, but the social engineer may use it, along with other small
bits of acquired information, to gain unauthorized access to an IT system.

Social engineers trick unsuspecting employees into revealing sensitive and confidential information
over the phone, via e-mail, and in person. Employees are often willing to give away valuable
information to strangers in response to a personable voice and friendly tone. Remember, no one ever
needs to know your password to provide any kind of maintenance on your system.

Jane receives a call from a person claiming to be with the Procurement Department. He tells
Jane that someone from her division has ordered a software package and he needs to verify some
information. The caller is in a panic to get the paperwork completed so the order can be placed
today. Jane complies by giving the caller inside information.

In this scenario, the social engineer is pretending to try and help get something done, so the
reasoning follows that we should return the favor by helping him. If you can’t identify a caller
who is requesting information, ask questions. Refusal from the caller to give his or her information
should be a warning sign. Insist on verifying the caller’s identity. This procedure causes minimal
inconvenience to legitimate requests when compared with the scope of potential losses.

Remember, social engineers will use:
 • Impersonation (pretending to be someone you trust)
 • Intimidation
 • Flattery/flirtation
 • Lies
 • Tricks
 • Threats, bribes, blackmail
 • Insider threats

Jane dismissed the man dressed as an exterminator and left her workstation. While she was gone
the “exterminator” read her calendar (knowing who may be on vacation at a given time gives social
engineers an advantage: they can use that person in a scam because they won’t be there), got important
phone numbers out of her rolodex, and took a piece of stationery with the Agency letterhead.

It is important to be aware of the people around you at any given time. Visitors should have a
temporary badge, but if they don’t, ask questions. Unfortunately, many people are reluctant to do this
because it makes them look paranoid, and they are embarrassed to show distrust towards a visitor.

Refrain from openly discussing sensitive work topics - whether at work or out in public. You never
know who may be listening, and even a fellow employee may be trying to gain inside information for his
or her own gain. Be cautious that you aren’t being watched when you enter your User ID and password.

Secure IT Fact
Did you know? Many IT security incidents, both government and commercial, result from the
activities of authorized users (either intentional or accidental).

Why should I care? There is a general presumption that authorized users (anyone with access to the
NASA network) are trustworthy. Make sure those who request information need it for their job and
are authorized to have access to it. Also, make sure you understand how to use your system securely
so that you don’t accidentally cause a security incident.

Identity Theft
Associated with the social engineering scheme is identity theft. Identity theft is a serious crime.
People whose identities have been stolen can spend months or years - and their hard-earned money
- cleaning up the mess identity thieves have made of their good name and credit record.

An identity thief obtains some piece of your sensitive information - your bank and/or credit card
account numbers; your Social Security number (SSN); or your name, address, and phone numbers
- and uses it without your knowledge to commit fraud or theft.

Can you prevent identity theft from occurring? As with any crime, you cannot completely control
whether you will become a victim. But, you can minimize your risk by managing your personal
information cautiously and with heightened sensitivity.

Don’t give out personal information on the phone, through the mail, or over the Internet unless
you’ve initiated the contact or are sure you know who you’re dealing with. As with social engineers,
identity thieves can be skilled liars, and may pose as representatives of banks, Internet service
providers (ISPs), or even government agencies to get you to reveal important information.

NOTE: For more information on Identity Theft, visit the Federal Trade Commission (FTC) web site.




Summary
Each of us needs to improve our awareness about computer and information security, but in reality,
most of IT security is common sense. Just as you wouldn’t yell out your social security number in a
crowded room, you shouldn’t post your password on your monitor. You need to be diligent and ever
aware of your surroundings, and make good decisions before doing anything that may compromise
NASA IT resources.

Physical Security and Preparedness
Introduction
Physical security is an important component of computer and information security. If physical security
isn’t maintained, any and all safeguards taken in the virtual world may be meaningless. Natural and
man-made disasters can cripple a business, and NASA is not immune. Understanding how physical
security may make our IT assets vulnerable, being aware of and recognizing physical threats, and being
prepared in the event of a disaster can help us minimize the potential for security compromise.

Physical Security
Today’s security initiatives involve guarding buildings and equipment, as well as protecting networks,
dealing with privacy issues, and managing risk. A savvy system wizard who can gain physical access
to a computer can take over that machine in less than half an hour under most circumstances. There
may be a disgruntled former employee that does something as simple as disconnect a computer
from the network to steal equipment or destroys valuable data by committing vandalism. Although
the rules and procedures for physical security may vary at your Center, the following best practices
should be performed:
  • Adopt a “clean desk” policy by locking up sensitive information when you aren’t using it.
  • Secure sensitive materials whenever you leave your workspace.
  • Use a password-protected screen saver and be sure to have it set to activate at a maximum of 1
    minutes of inactivity.
  • Any persons not displaying ID badges or acting suspiciously should either be challenged or
    reported immediately to security or management.
  • Shred or burn sensitive materials when discarding.
  • Remember to remove sensitive documents from the copy and/or fax machine.
  • Be alert to unusual behavior or items out of place.
  • Always be on guard against laptop theft.
  • Be sure to wear your badge and guard it against theft or loss.

Screen Saver
Windows Users: To activate your screen saver, hit and hold down the Control, Alt, and Delete
buttons simultaneously to bring up the Windows Security Task Manager window. Click on the
“Lock Computer” button to activate the screen saver. If you do not have a screen saver set up on your
computer, from the Start menu go to Control Panel, Display, Screen Saver to set one up. Be sure to
select the “On resume, password protect” checkbox. (Your screen saver password will be the same as
your system password.)

For other operating systems, please call your Help Desk for screen saver activation procedures.

Shred or Burn Sensitive Materials
When Social Engineers sift through the garbage, it is called “dumpster diving”. Quite often, an
abundance of information that has been discarded in the form of directories, organizational charts,
and reports may be found. Armed with this knowledge, the criminal can legitimize his or her
dealings with the intended target(s) by appearing to be intimate with the corporate structure.

Items that can be recovered in the dumpster and some of their uses:
  • Agency phone books and organization charts provide phone numbers and locations of employees,
    especially management level employees who can be exploited to the criminal’s benefit.
  • Procedure and policy manuals can help the criminal become knowledgeable about NASA’s
    policies and procedures, and be able to convince the victim of their authenticity.
  • Calendars are an important source of information about meetings, vacations, etc., that the
    criminal can use to improve his or her “storyline” when conversing with a chosen target.
  • A discarded sheet of company letterhead can be used by a criminal to create official looking
    correspondence.

Laptops, PDAs and Cell Phones
Cellular phones, Personal Digital Assistants (PDAs), Flash (or universal serial bus - USB) drives, and
laptops enable greater productivity and effective communication or information sharing, but also
introduce security risks. These devices may be easily stolen and people can eavesdrop or “shoulder
surf” for information. Flash (USB) drives and laptops can be attached to just about any system or
network easily. Know the system you use your Flash (USB) drive on and who owns it. Do not connect
an unauthorized laptop to the NASA network and do not connect a NASA laptop to an unauthorized
network without proper configuration and authorization (part of the authorization process is ensuring
the system is scanned for vulnerabilities prior to being allowed on the internal network).

Waiting for the Short Line, Dr. Indiana’s focus was on his Blackberry, catching up on e-mail.
Oblivious to the fact that he was being targeted, someone picked up his laptop case. Now someone
else has the science behind his patent application.

Protect them as if they were “cash.” Be aware of your surroundings and never leave devices
unattended. Immediately report stolen or lost IT equipment. When traveling, divert a potential
thief by carrying portable devices (like laptops) in a sports bag rather than a computer case. Never
save sensitive information to a laptop hard drive (unless it is encrypted); save to a disk and store it
separately in a safe place. Password-protect your devices and enable the security features.

Backups
It is important to back up critical data files and software that cannot be easily replaced or recreated.
Information and data files that are the result of years of work may be lost in a system malfunction.
Some Centers provide common backup services for all connected users, but in many cases, the user
is responsible for making sure that all critical data is properly saved. One way to back up critical files
is to save them to both a local and a network drive. The most often overlooked step in the backup
procedure is testing the backup. If you can’t restore your critical files, the backups won’t do you any
good. Be sure to store your information in a place where it cannot be stolen, harmed, or accessed by
unauthorized people. Backups of Sensitive But Unclassified (SBU) data must be encrypted if they’re being
transmitted over a non-secure network or they’re leaving a Center.

Risk, Risk Management & Contingency Planning
IT resources are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power
outage, disk drive failure) to severe (e.g., equipment destruction, fire), from a variety of sources
ranging from natural disasters to terrorist actions. While many vulnerabilities may be minimized or
eliminated through technical, management, or operational solutions as part of the organization’s risk
management effort, it is virtually impossible to completely eliminate all risks.

In many cases, critical resources may reside outside the organization’s control (such as electric power
or telecommunications), and the organization may be unable to ensure their availability. Thus
effective contingency planning, execution, and testing are essential to mitigate the risk of system
and service unavailability. A successful Risk Management Program relies on the awareness and
cooperation of members of the user community, who must follow procedures and comply with the
implemented controls to safeguard the mission of NASA.

General rules for emergencies:
 • Know emergency procedures for your work area.
 • Abide by all restrictions and off-limit areas that result from an emergency.
 • Follow the instructions of the Emergency Response Team during an emergency.
 • Be familiar with the Building Evacuation Plan for your building.
 • If you are listed as an emergency contact, be prepared to provide necessary information.

Summary
A safe physical working environment certainly affects personnel, but data and equipment also have
physical requirements. To avert potential disasters or minimize the damage they cause, we must take
steps to recognize any type of physical security breach, theft, or vandalism and report it. You must
remember to take the necessary precautions to guard Agency resources and do your part to keep
needed resources safe.

Local, Remote, and Wireless Access
Introduction
Technology continues to evolve and security is an essential part of using that technology. Resource
sharing, working remotely from home or on travel, and wireless connectivity include all the same
security risks that have already been explained and then some. Be sure you know what the rules are
- and you have the authorization you need - before you use this technology and open the Agency up
to additional risks.




                                                   
Resource Sharing
One feature of current information technology is the ability to share files across a network or the
Internet. This allows people to collaborate without the need to constantly exchange files (usually
via e-mail). Sharing data within a Center network between NASA systems should be done carefully
and should be limited in the number of people and types of permissions given. It is very easy to find
shares on a network, and the files contained within them, when they are not set up properly.

Sharing data outside the Center network, via the Internet, is particularly risky (especially when
using peer-to-peer technologies). Although easily downloaded, these programs pose considerable
risks to NASA’s IT infrastructure by potentially introducing viruses, worms, Trojan horses, and
other malicious code. In addition to the potential harm that can be done to NASA’s networks, these
programs are closely connected with the illegal sharing of copyrighted music, videos, and images.

When peer-to-peer software is installed from the Internet, it is not securely configured. When this
happens, it can allow illegal material to be downloaded and allow others to copy files without your
knowledge. Every day NASA’s sensitive data, including Sensitive But Unclassified (SBU), is shared
electronically - internally among organizations and externally with business associates, outsourcing
partners, and others. If you think you need to use peer-to-peer software to accomplish a work
requirement, check with your Center IT Security Manager to see if it is allowed (or if there is a more
secure solution available) and to get help to ensure it is configured securely. You do not want to have
to explain having illegal material on your computer.

Remote Access (Work From Home)
NASA employees can connect to NASA computing resources from home or when on travel by
remote connectivity. This connectivity can create additional security exposure for NASA by creating
a gateway into NASA data and resources. It is important that if you elect (and are authorized) to use
remote access, you protect the additional security exposures by following the highly recommended
safeguards for any system that connects to a NASA network remotely:
  • Always have current anti-virus software running. (Some Centers will provide anti-virus software
    for home use; check with your Center IT Security Manager.)
  • Install a firewall (software or hardware).
  • Keep your software up-to-date with proper patches. (Be sure to back up important files prior to
    installing any patches on your system. Patches can break your system and possibly cause a loss of
    information.)
  • Ensure Government files are secured from other users of your system.
  • Some Centers are starting to deploy Virtual Private Network (VPN) software and security
    tokens as additional safeguards for those who access the NASA network remotely.

You are accountable for your actions and responsibilities related to information resources that have
been entrusted to you. You should conduct yourself in an ethical manner when using NASA IT
resources on or off-site and should never attempt to override security controls.




Firewalls
The following links may be of help in selecting a firewall for your system:
 • Federal Trade Commission
 • Home PC Firewall Guide
 • Security Focus

For more advanced information, PC World or ZDnet gives descriptions, comparisons, etc., on
firewalls, spyware, virus software, and more.

Wireless Connections
Although wireless networking offers advantages of mobility, it also offers cyber criminals another
way to obtain NASA data. Be sure to go through proper channels at your Center prior to setting
up any wireless system for a workgroup. There are specific guidelines that must be met, and some
configurations may not be allowed. Encryption is required with these systems, and you should ask
for assistance before you attempt to connect your system. There are many new wireless items that
may be extremely useful (phones with Internet access, Personal Digital Assistants (PDAs), and
Blackberry units), but it is your responsibility to ensure that the information contained on your
device(s), and the information transmitted to and from them, is not compromised in any way.

For more information, please reference the Wireless Local Area Network Implementation (NASA
Standard Operating Procedure ITS-SOP 000), which is located on the NASA Online Directives
Information System (NODIS) at
http://nodis-dms.gsfc.nasa.gov/restricted_directives/SOP_restricted/SOP_list.cfm
(please note that this web site is restricted to the nasa.gov domain).

Summary
The ability for a user to work almost anywhere at anytime has greatly increased productivity. With
the advances in wireless you are able to remain connected in some of the most remote locations
and still perform your job. The key to any secure environment, wireless devices included, is to be
sure you use the security features that each device has available and to be diligent about security,
whenever and wherever you have Agency information at risk.

IV) OVERVIEW CONCLUSION
This concludes the Basic IT Security 006 overview. In it, you were taught what your responsibilities
are and some secure practices for many areas that can cause problems.

Remember, the protection of NASA’s information and IT resources requires the cooperation and
diligence of everyone.




                                                  
Best Practices




                         Prohibited Uses of NASA’s IT Resources
Some uses of NASA computer systems are clearly outside the boundaries of official business and
permissible use. NASA Procedural Requirements (NPR) 810.1A cites prohibited uses of NASA’s IT
resources, which include using systems to do the following:
   a. Maintaining or conducting an outside business.
   b. Monitoring network traffic (e.g., running a sniffer), accessing IT resources, or copying data,
      files, or software without prior authorization. (Activities for which prior authorization is
      assumed include performing defined job duties, copying information that is intended to be
      copied, and doing work that has been approved by the Center IT Security Manager.)
   c. Participating in Chat Rooms, News Groups, or similar activities where the posting will be
      seen by the public. Use of the NASA Internet address of “nasa.gov” is a representation of the
      Agency, analogous to the use of NASA letterhead, in which the opinions expressed reflect on
      NASA.
   d. Advertising goods or services for sale for monetary or personal gain.
   e. Sending chain letters, personal mass mailings, hoaxes, or harassing messages.




                                   IT Security Best Practices
It is the responsibility of each NASA employee to protect their data. Information Technology (IT)
vulnerabilities can lead to exposure of sensitive data, forgery of personal identity, abuse of resources
and data corruption, with effects ranging from embarrassment to significant damage or financial
loss. Use the following IT security tips to help secure your data.
   • Back up your data.
       » Keep copies of data files on external media (e.g., disk or CD).
       » ODIN users should contact ODIN for back-up service.
       » Contact your System Administrator (SA) or Computer Security Official (OCSO) for other
         back-up options.
   • Maintain current anti-virus software and security patches.
       » For Windows, use McAfee anti-virus software.
       » For Mac, use Virex anti-virus software.
       » To download the software, visit the CNE web site at http://cne.gsfc.nasa.gov.
   • Practice appropriate e-mail etiquette.
       » Do not open unexpected attachments from strangers.
       » Do not reply to spam or unsolicited e-mails; forward these messages to
         abuse@abuse.gsfc.nasa.gov.
       » Do not distribute your e-mail address to strangers.
   • Protect your computer password.
       » Do not tell anyone your password.
       » A good password contains at least eight characters (at least one from the following sets of
         characters - uppercase letters, lowercase letters, numbers, special characters).
   • Unauthorized duplication of licensed or copyrighted software is a Federal crime.
       » Do not make, acquire, or use unauthorized software.
       » Retain purchase records, original disks, documentation and/or licensing agreements to prove
         your software is legal.
   • Use caution with imported software.
       » Many freeware/shareware programs contain spyware, viruses or malicious code.
       » Obtain the approval of your system administrator and/or supervisor before installing any
         software on a GSFC computer system or network.
   • Log off or lock the keyboard any time you leave your workstation unattended.
       » For Windows, use the Ctrl+Alt+Delete function.
       » For Mac, use a password protected screen saver.
   • Do not connect your non-government computer to the Center network without obtaining
     permission.
       » All computers must undergo a vulnerability scan and have current anti-virus software prior
         to connecting to a Center network.
       » Your supervisor must approve in writing your connecting to a Center network.
   • Realize that you may be monitored at work.
       » Avoid sending highly personal e-mails.
       » Do not use a commercial instant messaging service (such as AOL Instant Messenger or
         Yahoo Messenger).
       » Do not log onto Internet chat rooms.
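As an added example (not from the handbook), a Python check for the password tip above: at least eight characters and, as assumed here, at least one character from each of the four named sets. The optional banned list is an assumed local input, such as the sample passwords a course displays that the DISCLAIMER earlier says never to use; the candidate passwords below are constructed.

```python
import string

# The four character sets named in the handbook's password tip.
CHARACTER_SETS = {
    "uppercase letter": set(string.ascii_uppercase),
    "lowercase letter": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special character": set(string.punctuation),
}
MIN_LENGTH = 8


def check_password(candidate, banned=()):
    """Check a candidate password against the handbook rule.

    Returns (ok, reasons): ok is True only when no rule is broken, and
    reasons lists every rule that was broken so the user can fix them all
    at once. `banned` is an assumed, locally supplied list (for example
    the sample passwords a course displays); the comparison is
    case-insensitive because changing one capital letter adds little.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # "At least one from each set" is the assumed reading of the tip;
    # characters outside all four sets (spaces, non-ASCII) count for none.
    for name, members in CHARACTER_SETS.items():
        if not any(ch in members for ch in candidate):
            reasons.append(f"no {name}")
    if candidate.lower() in {b.lower() for b in banned}:
        reasons.append("appears on the list of passwords not to use")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed samples; "Password1!" stands in for a course example.
    course_examples = ["Password1!"]
    for pw in ["Tr0ub4dor!", "password", "Ab1!", "Password1!"]:
        ok, why = check_password(pw, banned=course_examples)
        print(f"{pw!r}: {'ok' if ok else 'rejected: ' + '; '.join(why)}")
```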

                           Extended Leave Preparation Guidance
Before leaving for extended periods of time, consider the following guidelines:
 • Don’t forget to power off printers, copiers, computer peripherals, etc. Printers and other
   computer peripherals, even in “stand-by” mode, consume a fair amount of electricity.
 • If a system needs to be left powered on, all idle users should be logged off or the screen locked with
   a password.
 • Every year, a number of Holiday scams are perpetrated on businesses. Please use caution in
   responding to any phone, fax, or e-mail solicitation. Legitimate fund-raising efforts should
   not be contacting employees at work, except through sanctioned channels. In previous years,
   reports have been received of calls to employees to “verify a Holiday card mailing list”. This is
   an example of social engineering, in which the caller is attempting to obtain a list of employees
   for an inappropriate use. Please use caution in providing information to unknown parties about
   your fellow employees.
 • Back up your systems before you leave. Be sure the back-ups are secured in a safe location (e.g.,
   different Bldg., offsite).




                                             Spyware
Spyware has become a significant and frustrating problem in the fight to protect data. Spyware is
software that is installed on computer systems to secretly gather and relay information about users
and system usage to advertisers and other interested parties. A relatively benign piece of spyware may
simply record Web browsing histories and send the information to advertisers, while more malicious
spyware may install keystroke loggers, and remote control or backdoor components.

Spyware can be installed in a variety of ways. “Drive-by” downloads exploit Web browser
vulnerabilities to install software without the user’s knowledge. “Pop-up” downloads use pop-up
advertisements, such as fake security warnings, to trick the user into installing software. Spyware
applications also “piggy-back” on other software downloaded from the Internet.

Although not as noticeable as viruses and worms, spyware poses a serious threat to your data. The
impact of spyware can include:
  • Slow Internet access/Web browsing
  • Web browser instability
  • Corrupted files
  • Stolen usernames and passwords
  • Exposure of confidential personal information (SSN, tax information, credit card numbers)
  • Identity theft
  • Increased network bandwidth utilization
  • Instability in legitimate applications
  • Threats to data stored on systems (deletion, modification, copying)

Spyware is difficult to detect because it usually operates without the user’s knowledge. Some
indicators of spyware include:
  • Web browser crashes more than normal
  • Anti-virus software is nonoperational (will not start up, crashes during virus scanning)
  • Strange additions to the Start Menu and Favorites (that may reappear when deleted)
  • New, unknown applications installed
  • Unwanted toolbars
  • Unwanted sexually explicit desktop icons
  • New browser default home page

If you suspect your system has been compromised with spyware, contact your OCSO. A list of
OCSOs can be found at http://eitsb.gsfc.nasa.gov/services/dcso/cso.stm. If your system is ODIN
managed, contact ODIN for assistance, x6-100, or http://www.odingsfc.com/default.html.
.
Some general steps that can be followed in an effort to remove spyware:
  1. Attempt to uninstall the spyware using the Windows Add/Remove Programs feature.
  2. Run your anti-virus scanning software.
      a. Anti-virus software is available through the CNE at
         http://cne.gsfc.nasa.gov/application/cne_sppt_sw/
  3. Run at least two different spyware removal tools.
      a. Anti-spyware software is available from http://eitsb.gsfc.nasa.gov/antiVirus.html#null or
         http://cne/application/cne_sppt_sw/.
  4. Restart the system.

To prevent spyware-related problems, abide by the following recommendations:
 • The Microsoft Internet Explorer Web browser contains a wide variety of security vulnerabilities
   that can cause significant damage. If using Internet Explorer:
     » Consider using alternate Web browsers for most of your browsing needs (Netscape, Mozilla,
       Opera, etc.).
     » Raise the security settings in Internet Explorer.
     » For more information, visit http://www.microsoft.com/windows/ie/using/securityandprivacy/
       default.mspx.
 • Perform anti-virus and anti-spyware scans at least once a week.
 • Turn off the e-mail client preview pane.
 • Delete unsolicited e-mail without opening it.
 • Use caution with attachments: do not open one unless you know who sent it, what it is, and why
   it was sent.
 • Limit Web browsing of unofficial or non-government Web sites.
 • Do not download free games.
 • Do not download software from the Internet without prior authorization from your line manager.

Currently, GSFC is in the process of procuring a Centerwide spyware removal tool. The tool will be
available to all employees and possibly available for remote access/home users. The expected date for
the spyware removal tool is yet to be determined.




                                          Contacts
Computer Security Violations – if you suspect one, report it. Be alert for unexplainable changes
in your computing environment. If you suspect suspicious activity on your system, immediately
inform your Organizational Computer Security Official (OCSO). A list of OCSOs can be found at
http://eitsb.gsfc.nasa.gov/csoListing.html

If your computer is Outsourcing Desktop Initiative for NASA (ODIN) owned, please contact
ODIN at x6-100. ODIN is NASA’s innovative approach to desktop computing and communications
support. For more information about ODIN at GSFC, visit https://www.odin.lmit.com/gsfc/

Questions about the Center Network Environment (CNE) services can be submitted to
http://cne.gsfc.nasa.gov/forms/requestinfo.html or x6-74. The CNE provides general purpose and
project-specific Administrative Network support for the Greenbelt and Wallops communities. For more
information about the CNE, visit http://cne.gsfc.nasa.gov/




                                              
                Appendix I: Definitions (Arranged in Alphabetical Order)
Authorized Use: With the concurrence of your Center management, some less formal activities
involving the use of your computer may be authorized. Authorization for such activities must be
specifically documented by management and may include, but is not limited to, the following:
  a. Work-related events, such as technical symposiums, classes, and presentations.
  b. Activities sponsored by the Center, such as a child care center and carpooling activities.
  c. Events and activities specific to a particular NASA or Center organization.
  d. Center-sanctioned activities such as blood drives, recognized clubs, and organizations.

Encryption: Encryption is the process of converting data into a form, known as cipher text,
that is unreadable to unauthorized individuals (anyone who does not hold the decryption key).

Encryption, strong enough: To be strong enough, encryption must be FIPS 140-2 compliant. For
more information, visit http://csrc.nist.gov/publications/fips/fips140-/fips140.pdf.

Export control information: Export control information is data that would fall under the protection
of the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).

Official Use: The broad definition of Official Use (Business) includes any computer processing that
is required as part of the job. Official Use (Business) includes, but is not limited to, the performance of
NASA work-related duties in position descriptions, professional training and class work, work covered
under grant agreements with NASA, tasks directed via NASA contracts, agreements with international
partners, Center-authorized activities, and support activities related to NASA contract tasks.

Password Rules: When devising a new password, follow these password practices:
 • Passwords must: be at least 8 characters long; contain a mixture of three of the following four
   character types: upper case letters, lower case letters, numeric characters, special characters.
 • Passwords must NOT: contain any form of your name, user ID, birth date, family member
   name, pet name, or other personal information; be a word found in any dictionary; relate to any
   NASA project or organization, any vendor product, or the name of a vehicle or sports team; be
   shared with anyone.
 • Other password considerations: passwords should not be written down and left in an unsecure
   location; and you should use a different password for each system (including personal non-work
   accounts).
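The password rules above, written out as a checker you can run against a candidate password. This is an added example, not part of the handbook or of any GSFC system; the dictionary, the project/vendor/team name list and the sample user details (`jsmith`, `John Smith`, the birth date) are constructed assumptions, and a real checker would load complete word lists.

```python
# Password-rule checker: an added illustration, not part of the handbook or of
# any GSFC system.  It encodes the Password Rules entry: at least 8 characters,
# three of the four character classes, no user ID or personal information, no
# dictionary word, and nothing relating to a NASA project, vendor product,
# vehicle or sports team.  The word lists below are constructed samples.
import string

DICTIONARY = {"password", "welcome", "summer", "goddard", "rocket", "orbit"}
PROJECT_VENDOR_NAMES = {"hubble", "swift", "apollo", "windows", "cisco",
                        "redskins", "corvette"}


def character_classes(pw):
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    return sum((
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def personal_tokens(user_id, full_name="", birth_date="", family_names=()):
    """Substrings that must not appear in a password: the user ID, each part of
    the user's and family members' names, and the digit groups of the birth
    date (e.g. "03/15/1970" yields 03151970, 0315 and 1970)."""
    tokens = {user_id.lower()}
    for name in [full_name, *family_names]:
        tokens.update(part.lower() for part in name.split() if len(part) >= 3)
    digits = "".join(ch for ch in birth_date if ch.isdigit())
    if len(digits) >= 4:
        tokens.update({digits, digits[:4], digits[-4:]})
    return {t for t in tokens if t}


def check_password(pw, user_id, full_name="", birth_date="", family_names=()):
    """Return the list of rule violations; an empty list means the password
    satisfies every rule the checker knows about."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(pw) < 3:
        problems.append("fewer than three of: upper, lower, digit, special")
    for tok in sorted(personal_tokens(user_id, full_name, birth_date, family_names)):
        if tok in low:
            problems.append(f"contains personal information '{tok}'")
    # Strip digits and punctuation so that "Welcome1!" is still caught as the
    # dictionary word "welcome" dressed up to satisfy the character-class rule.
    alpha_core = "".join(c for c in low if c.isalpha())
    if low in DICTIONARY or alpha_core in DICTIONARY:
        problems.append("is a dictionary word")
    for name in sorted(PROJECT_VENDOR_NAMES):
        if name in low:
            problems.append(f"relates to a project/vendor/vehicle/team name '{name}'")
    return problems


if __name__ == "__main__":
    # Constructed sample user; three candidates, two of which fail.
    for candidate in ("Welcome1!", "Smith2006", "T7#qLm9vXz"):
        result = check_password(candidate, "jsmith", "John Smith", "03/15/1970", ["Mary"])
        print(candidate, result or "OK")
```

The dictionary test deliberately strips digits and punctuation before the lookup: a password that only decorates a dictionary word with `1!` meets the character-class rule but not the "not a dictionary word" rule, which is the case most checkers miss.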

Permissible Use: Some occasional personal use of electronic mail or the Internet is permitted
provided it does not interfere with the employee’s work or the work of others. Use of government
computing systems for personal use must be limited to brief periods, should not incur any additional
expense to the Government, and must not interfere with your job duties. When communication
cannot reasonably be made during non-business hours, employees may exchange brief messages with
persons or entities such as a spouse or dependent; someone responsible for the care of a spouse or
dependent; state and local government agencies on personal matters; or medical care providers.




                                                    
Phishing: Internet scammers casting about for people’s financial information have a new way to lure
unsuspecting victims: they go “phishing.”

Phishing is a high-tech scam that uses spam or pop-up messages to deceive you into disclosing
your credit card numbers, bank account information, Social Security number, passwords, or other
sensitive information.

According to the Federal Trade Commission (FTC), phishers send an e-mail or pop-up message that
claims to be from a business or organization that you deal with – for example, your Internet service
provider (ISP), bank, online payment service, or even a government agency. The message usually
says that you need to “update” or “validate” your account information. It might threaten some dire
consequence if you don’t respond. The message directs you to a Web site that looks just like a legitimate
organization’s site, but it isn’t. The purpose of the bogus site? To trick you into divulging your personal
information so the operators can steal your identity and run up bills or commit crimes in your name.
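The four lures in that description (a sender claiming to be an organization you deal with, the “update/validate your account” request, a threatened consequence, and a link that looks like the legitimate site but goes elsewhere) can each be checked mechanically. The detector below is an added example, not part of the handbook, the FTC’s guidance or any NASA tool; the `KNOWN_ORGS` table, the two sample messages and every domain name in them are constructed for the illustration.

```python
# Phishing-indicator scorer: an added illustration, not part of the handbook or
# of any FTC/NASA tool.  It checks a raw e-mail for the lures described in the
# Phishing entry.  The sample messages and KNOWN_ORGS are constructed.
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed assumption: organizations the recipient really deals with, keyed by
# the name as it would appear (spaces removed) in a From display name.
KNOWN_ORGS = {"examplebank": "examplebank.com"}

LURE = re.compile(r"\b(update|validate|verify|confirm)\b.{0,40}\baccount\b", re.I)
THREAT = re.compile(r"\b(suspend\w*|clos\w+|terminat\w+|within \d+ hours)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name (login.examplebank.com -> examplebank.com).
    A simplification; a real tool would consult the public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def message_body(msg):
    """Decode the first text part (works for single-part and multipart mail)."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def phishing_indicators(raw_message):
    """Return the list of phishing lures found; an empty list means none fired."""
    msg = email.message_from_string(raw_message)
    body = message_body(msg)
    hits = []

    # 1. Display name claims an organization you deal with, address domain differs.
    display, addr = email.utils.parseaddr(msg.get("From", ""))
    addr_domain = registered_domain(addr.rpartition("@")[2])
    for org, real_domain in KNOWN_ORGS.items():
        if org in display.lower().replace(" ", "") and addr_domain != real_domain:
            hits.append(f"From claims '{org}' but the address domain is {addr_domain}")

    # 2./3. "Update/validate your account" wording and a threatened consequence.
    if LURE.search(body):
        hits.append("asks you to update/validate account information")
    if THREAT.search(body):
        hits.append("threatens a consequence if you do not respond")

    # 4. Visible link text names one site while the href goes to another.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = registered_domain(urlparse(href).hostname or "")
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)  # a host name in the link text
        if shown and registered_domain(shown.group()) != target:
            hits.append(f"link text shows {shown.group()} but goes to {target}")
    return hits


# Constructed sample messages (not real mail).
PHISH = """From: Example Bank Security <alerts@mail-notices.example.net>
To: user@example.org
Subject: Action required
Content-Type: text/html; charset=us-ascii

<html><body>
<p>We must validate your account within 24 hours or it will be suspended.</p>
<p>Sign in at <a href="http://login.examplebank.com.verify-account.example.net/">www.examplebank.com</a></p>
</body></html>
"""

LEGIT = """From: Example Bank <service@examplebank.com>
To: user@example.org
Subject: Your monthly statement
Content-Type: text/html; charset=us-ascii

<html><body><p>Your statement is ready at
<a href="https://www.examplebank.com/statements">www.examplebank.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The link check is the one worth keeping in mind when reading mail by hand: the visible text `www.examplebank.com` and even the start of the host name look right, but the registered domain the browser will actually connect to is the last two labels, `example.net`.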

Prohibited Use: Some uses of NASA computer systems are clearly outside the boundaries of official
business and permissible use. Prohibited uses of NASA’s IT resources include using the system to do
any of the following:
  • Participating in any activity or information exchange which would violate federal law, regulation,
    or policy.
  • Exchanging information that would not be permitted in any format, such as hate literature,
    sexually explicit material, sexual harassment, or racist literature.
  • Participating in chat rooms or news groups that do not support official or permitted use.
  • Sending chain letters, personal mass mailings, hoaxes, or harassing messages.
  • Maintaining or operating a personal business, performing consulting work other than that
    required by your job at NASA, or running a charitable organization.
  • Monitoring network traffic, attempting to identify security vulnerabilities, or in any way
    circumventing or disabling IT Security measures.
  • Hacking or illegally accessing IT resources; or copying data, files, or software without prior
    authorization.
  • Exchanging pirated information, for example: software, music, or video files (pirated information
    is illegally copied copyrighted information).
  • Fund raising, political endorsement, lobbying, or participating in partisan political activity.

Remember that any use of government resources for communication will identify you as a
representative of NASA. Make sure you make it clear that any opinion expressed is your own and not
that of NASA, unless you are communicating in an official capacity.

Sensitive But Unclassified: SBU is sensitive but unclassified information that should not be disclosed
but is not national security information and cannot be classified according to Executive Order (EO)
19. These materials must be properly marked, locked up when not under the supervision of an
authorized person, and encrypted while in transit over a non-secure network. Some examples are: trade
secrets, proprietary information, financial information, personnel and medical records, procurement-
sensitive information, IT system security plans, contingency plans, audit logs, vulnerability reports, and
incident reports. Hint: information previously categorized as BRT is very likely to be SBU.

Scientific and Technical Information (STI): STI is defined as the results of basic and applied
scientific, technical, and related engineering research and development. STI also includes
management, industry, and economic information relevant to this research. Note: some STI
may be SBU and need to be protected as such.




                                                  
             Appendix II: UCE (Unsolicited Commercial E-mail) Messages
Other NASA Centers forward UCE messages to:
Center         E-mail to Forward UCE (spam) to
ARC            Computer-security@mail.arc.nasa.gov
DFRC           junkmail@dfrc.nasa.gov
GRC            See the following web site for directions:
               http://www.grc.nasa.gov/WWW/CIO/IT_Security/Web/
               (select the unsolicited e-mails link on the left)
GSFC           abuse@abuse.gsfc.nasa.gov
HQ             security@hq.nasa.gov
JPL            SPAM-spamreport@jpl.nasa.gov
JSC            See the following web site for directions:
               http://jsc-cio-01.jsc.nasa.gov/center/its/spam.htm
KSC            abuse@ksc.nasa.gov
LaRC           abuse@larc.nasa.gov
MSFC           abuse@msfc.nasa.gov
SSC            abuse@ssc.nasa.gov




                                              Forms
Form 1: Information Technology Security User Responsibilities
This form is required, along with the CNE request form, to receive an e-mail and domain account on
the CNE. Read and accept the IT Security User Responsibilities Terms and Conditions.

Form 2: CNE Request Form for Email and Network Domain Accounts
This form is required for an account on the Center Network Environment (CNE) and must be
accompanied by the Information Technology Security User Responsibilities form. Not all GSFC
employees will be on this network. Consult with your OCSO to verify what network you are on
and what forms should be completed. A list of OCSOs can be found at http://eitsb.gsfc.nasa.gov/
csoListing.html

Form 3: Remote Access Account Request Form
This form is optional, but if submitted, must be accompanied by the Information Technology Security
User Responsibilities form. This form provides remote access to the CNE and associated resources
for authorized customers while at home or on travel. The form must be signed by the user,
supervisor and OCSO. A list of OCSOs can be found at http://eitsb.gsfc.nasa.gov/csoListing.html
 .




                Information Technology Security User Responsibilities
As a user of GSFC information technology resources, I have read the IT Security 101 handbook,
which includes the Basic IT Security Overview, and understand that I am responsible for:
  • Completing IT Security training annually.
  • Not using a commercial instant messaging service (such as AOL Instant Messenger or Yahoo
    Messenger).
  • Using GSFC systems and resources for official government business.
  • Protecting my password by not sharing it with anyone.
  • Not accessing GSFC computers/networks using someone else’s password.
  • Obtaining the approval of my supervisor before installing any software on any GSFC system, to
    include personal computers.
  • Not using or making unauthorized copies of licensed or copyrighted software, except as permitted
    by law or the owner of the copyright.
  • Performing regular back-ups of my work.
  • Logging off the system or network when I leave my workstation unattended.
  • Immediately reporting any suspected security violation (virus, unauthorized access, tampering,
    and theft) to my supervisor and/or Organizational Computer Security Official (OCSO).
  • Not opening unsolicited e-mail attachments without verifying their source.


Printed Employee Name                                                        Org Code

Employee Signature                                                           Date

Name of Supervisor/Group Coordinator

Fax this signed/completed form to 01-86-6170, Attn: CNE Call Center




                CNE Request Form for Email and Network Domain Accounts
Full Name (First, Middle, Last)                               Date

E-Mail Address (if available)

Phone Number                                                  Org Code                        Employer

Mail Stop                                                     Building                        Room

Are you a temporary employee? (Yes/No)                        U.S. Citizen? (Yes/No)
Badge expiration date:

                                             Required Information
I am requesting the following accounts:   ___ Email account   ___ GSFC Domain account
Please complete this section if requesting a GSFC Domain Account
Requested Domain Group Memberships (Without this you may not have the required access)
1:                                                           4:
2:                                                           5:
3:                                                           6:

                                     Additional Request Information
Unauthorized use of the computer account and computer resources to which I am granted access is a violation
of Section 799, Title 18, U.S. Code; constitutes theft; and is punishable by law. I understand that I am the only
individual to access these accounts and will not knowingly permit access by others without written approval. I
understand that my misuse of assigned accounts and my accessing others’ accounts without authorization is not
allowed. I understand that this/these system(s) and resources are subject to monitoring and recording. I further
understand that failure to abide by these provisions may constitute grounds for termination of access privileges,
administrative action, and/or civil or criminal prosecution.


                                       Acknowledgement Statement
                   I have read and agree to the Acknowledgement Statement above
User Signature                                                                                  Date


                                  Approval (Project/Branch Manager)
Print Name                               Signature                                Date




                                             Administrative Use Only
 Ticket Number Assigned:
 CNE Administrator’s Name:
 GSFC Domain Account Name:
 Comments:

Fax this Signed / Completed form to 01-86-6170 Attn: CNE Call Center
CNE form # CNE-CS-FOR-00-01



               Remote Access Account Request Form
Required Information
Full Name (Last, First, MI)                                   Org Code


E-Mail Address


On-site Telephone No.                                         Home Phone No.


Cell Phone No. (Govt.- or employer-provided; optional)        Employer


Host Operating System (check all that apply):
   ___ Windows 2000   ___ Windows XP   ___ Mac OS X   ___ Other:
Please select the form of Remote Access that you require (check all that apply):
   ___ VPN   ___ Basic Dial-up   ___ Toll-free Dial-up
Are you a temporary employee? (Yes/No)                         Are you a U.S. Citizen? (Yes/No)
Badge Expiration date:
Justification (briefly explain how this service will help you accomplish official NASA business):




Agreement
I agree to the terms and conditions defined for the use of remote access, including the requirements to run
current anti-virus software and to install the latest security patches for my operating system, and that this service will
be used only to conduct official NASA business.
 Applicant Signature                                                                                Date



Approval
I approve the above-named user’s request for CNE Remote Access. Furthermore, I certify that this user will be using
Remote Access to perform their official NASA duties. I understand that in the event of a security incident I may be
required to take administrative or disciplinary action at the request of the CNE Project, the IT Security Branch, or
other appropriate authority.
 Govt. Line Supervisor/COTR (print)                  Signature                                     Date



Acknowledgement
I certify that I have been informed of the applicant’s request to utilize CNE Remote Access services. To the best of my
knowledge, the requester has sufficient IT Security awareness to utilize the service with a reasonable degree of safety. I
understand that if a security incident occurs, my services may be requested by the IT Security Branch as needed.
 Organizational Computer Security Official (OCSO) (print name)        Signature                    Date



CNE form # CNE-CS-FOR-001-0


                              National Aeronautics and Space Administration
                              Goddard Space Flight Center

NO. 06-51                                                   DATE 7/17/2006
DISTRIBUTION: GREENBELT ONLY / WALLOPS ONLY / GSFC *A / CONTRACTORS **A


Announcement

SUBJECT: Protecting IT Resources against Malware (Computer Virus and Spyware)


Protection of Information Technology (IT) resources is a top priority for NASA and is a key component of
successful mission accomplishment. This announcement defines standards and MANDATORY requirements
for protecting the Goddard Space Flight Center’s network resources from any malware threat, to include
viruses, worms, Trojan horses or spyware. These requirements minimize the potential exposure of the
Center to damage that may result from unprotected systems and are being established to improve the
Center’s ability to ensure effective virus and spyware detection and prevention.

All systems connected to any GSFC network (institutional, mission, private, etc.) shall be protected by a
Chief Information Officer approved anti-virus and anti-spyware software solution, where available. Systems
will be configured to perform, at a minimum, weekly updates to the software, engines and/or signature files.
These requirements apply to all operators and owners of IT systems provided by the Government, including
Civil Service personnel and on-site contractors, as well as all visitors to GSFC that connect to any GSFC-
provided network, with the exception of the Guest Network. System Owners, as identified by the cognizant
system IT security plan, may elect not to install anti-virus and anti-spyware software but shall then implement
risk-based practices to ensure effective virus and spyware detection and prevention.

The Information Technology and Communication Directorate (Code 700) provides and supports anti-virus
and anti-spyware solutions which can be found at http://cne.gsfc.nasa.gov/application/cne_sppt_sw/.

Thank you for your cooperation in helping the Center protect its valuable IT resources.

Original Signed By:
Linda Y. Cureton

Linda Y. Cureton
Director of Information Technology & Communications
Chief Information Officer



                              PLEASE POST AND CIRCULATE THIS ANNOUNCEMENT
 DISTRIBUTION CODES:

 *A (Civil Service) – GSFC Employees                           **A (Contractor) – Contractor and Other Employees
 *B (Civil Service) – GSFC Section Level and Above             **B (Contractor) – Contractor and Other Offices
 *C (Civil Service) – GSFC Branch Level and Above
 *D (Civil Service) – GSFC Division Level and Above

 GSFC 3-1 (05/94)



