Training Booklet

Published by: Information Security Office, Risk Management Division, Department of Corrections and Rehabilitation, State of California

INFORMATION SECURITY AWARENESS TRAINING

EMPLOYEE TRAINING BOOKLET



Information Security Awareness Training. Revision: February 8, 2006. Information Security Office. OTPD Approved: January 20, 2006.

ENTERPRISE INFORMATION SERVICES (EIS) CALL UNIT (HELPDESK):

(916) 324-7789

CDCR INFORMATION SECURITY OFFICER:

Allen Pugnier (A)

(916) 358-2459

[email protected]

ON THE INTRANET: SECURITY AWARENESS TRAINING

CLICK ON THE INFORMATION SECURITY LINK FROM THE CDCR INTRANET MAIN PAGE AND NAVIGATE TO THE SECURITY AWARENESS TRAINING AREA.

http://intranet/PED/Information-Security/featured/Training/trng_main.asp

FOR MORE ON THE INFORMATION SECURITY INTRANET SITE:

http://intranet/PED/Information-Security/resources/links/links_main.asp

NOTE: Some of the material in this handbook is copyrighted by the San Francisco Chapter of the Information Security Association, Inc. (ISSA), and is used with their permission.

Reference Information


Table of Contents

OVERVIEW .... 1

LEARNING OBJECTIVE 1: INFORMATION SECURITY AND PRIVACY
A. What is information security? .... 2
B. What is information privacy? .... 3
C. The Importance of Information Security and Information Privacy .... 3

LEARNING OBJECTIVE 2: LAWS AND POLICIES GOVERNING INFORMATION SECURITY
A. State Laws .... 5
   Unauthorized Computer Access .... 5
   Information Practices Act (IPA) .... 6
   Public Records Act (PRA) .... 6
B. Federal Laws .... 7
   Federal Copyright Act .... 7
   Electronic Communications Privacy Act .... 7
   Computer Fraud and Abuse Act .... 7
   Health Insurance Portability and Accountability Act .... 8
C. State Policies .... 8
   State Administrative Manual .... 8
   Department Operations Manual .... 8

LEARNING OBJECTIVE 3: APPROPRIATE USE OF CDCR INFORMATION ASSETS
A. Electronic Mail .... 10
   Appropriate Use .... 11
   Inappropriate Use .... 11
   Email Box .... 12
B. Passwords .... 13
C. Internet Usage .... 14
D. Anti-Virus .... 14
E. Telephone Usage .... 15
F. Remote Access .... 15
G. Hardware .... 15
H. Software .... 17


LEARNING OBJECTIVE 4: CLASSIFY AND PROTECT INFORMATION ASSETS
A. Confidential Information .... 18
B. Public Information .... 20
C. Sensitive Information .... 20
D. Personal Information .... 21
E. The Work Area .... 22
   Workstation and Terminal Access .... 23
F. Visitors .... 23
G. Telephone Communications .... 24
H. Social Engineering .... 24
I. Email .... 25
J. Disposing “Hard Copy” Information .... 26
K. Voice Mail Protection .... 26
L. Protecting Telephone Cards .... 27
M. Destroying Electronic Data Files .... 27
   Local Data Files .... 27
   Removable Media .... 28
   Network Disk/Server Files .... 28
N. Safeguarding Equipment While Away from the Office .... 28
   Modem Usage .... 29
O. File Backups .... 30
   Good Backup Practices .... 31
P. Password Selection .... 31
   Passwords to Avoid .... 32
   Password Do’s .... 32
   Password Don’ts .... 33
Q. Malicious Software .... 33
   Symptoms of Malware .... 34
   Preventing Malware Infections .... 34
R. Faxing Documents .... 35


LEARNING OBJECTIVE 5: INMATES AND COMPUTERS
A. Inmate Qualifications for Computer Access .... 36
B. Appropriate Computer Configurations for Inmate Access .... 37
C. Physical Locations for Inmate Accessible Computers .... 37
D. Appropriate Inmate Access and Activities .... 38
E. Supervising Inmates Using Computers .... 39

LEARNING OBJECTIVE 6: INFORMATION SECURITY INCIDENTS
A. Identifying an Information Security Incident .... 40
B. Handling Information Security Incidents .... 44
C. Consequences to Information Security Incident Violations .... 44

APPENDIX A: GLOSSARY

NOTE: All references to inmates, wards, and parolees in this document are hereby referred to as “offenders” unless specifically stated as such.


Overview

This booklet provides all California Department of Corrections and Rehabilitation (CDCR) employees with the knowledge and understanding of how to use and protect information assets. All CDCR employees accessing or using computers are required to take annual information security awareness training. As CDCR employees, you have been trusted with CDCR’s information. This trust comes with the responsibility and obligation to make certain that CDCR information and computing facilities are used appropriately. This is an important responsibility because CDCR handles sensitive and confidential information on a daily basis.

Each learning objective covers one broad topic or one set of related topics. Some of the information in each topic may overlap other learning objectives. After completing all of the learning objectives, you will have acquired the knowledge needed to complete a final training quiz. The learning objectives will be presented in the following order:

OBJECTIVE 1: You will be able to identify the definition and know the importance of “information security” and “information privacy.”

OBJECTIVE 2: You will be able to identify the laws and policies governing the protection of CDCR’s information assets.

OBJECTIVE 3: You will be able to identify the appropriate use of CDCR’s information assets.

OBJECTIVE 4: You will be able to identify the classification of CDCR’s information assets and how to protect them.

OBJECTIVE 5: You will be able to identify CDCR’s requirements for inmate access to computers and the rules for supervising them.

OBJECTIVE 6: You will be able to identify information security incidents and know how to handle them.


OBJECTIVE 1: YOU WILL BE ABLE TO IDENTIFY THE DEFINITION AND KNOW THE IMPORTANCE OF “INFORMATION SECURITY” AND “INFORMATION PRIVACY.”

Information Security and Privacy

Whether you work with paper records, or a computer, or spend most of your day on the telephone, you are an integral part of CDCR’s information security program. Information security is the job of every CDCR employee. When you work with any form of records or data, it is important that you do everything possible to make sure these information assets are secure.

What you should learn from this objective:
• The definition of information security.
• The definition of information privacy.
• The importance of information security and information privacy.

Thinking Focus: What are some examples of an information asset?

Topic A: What is Information Security?

Information security is the protection of information assets from unauthorized access, use, modification, theft, deletion, and disclosure. Information security includes the strategies, policies, procedures, mechanisms and technical tools used to protect information, as well as the systems and equipment that contain and process that information. So what does that mean to us? The practice of information security means protecting the item or information every minute it is in our care. Information can come in many forms and is comprised of a collection of facts or data. Listed below are some examples of the different forms of information you might see at work:

• Computer screen displays
• Word processing documents
• Spreadsheets
• Graphics and drawings
• Presentations
• Personal computer hard drives and records
• Conversations both on and off the phone
• Computer printouts
• Letters, memos and reports
• FAX documents
• Diskettes, CDs, and USB portable drives
• Electronic mail and schedules
• Voice mail messages


Thinking Focus: Is information privacy the same thing as information security?

Topic B: What is Information Privacy?

Information privacy is the prevention of disclosure of personal information to anyone who does not have permission to access it. Information privacy is what ensures personal information is accessible only to those authorized to have it. People often think of privacy and security in the same context. However, it is important to understand that giving out any personal information to a person not authorized to receive it is a violation of information privacy. This information should only be provided to individuals with a “need to know,” and they must be authorized to access the information.

Thinking Focus: Why do you think information security and information privacy is important?

Topic C: The Importance of Information Security and Privacy

People protect their homes with locked doors, locked windows, an alarm system, or large dog(s) to provide a safe, secure place for their family and belongings. Access to their assets is only available to those that they allow. It is important to provide the same security for CDCR assets and information. Our department’s mission relies on having adequate information security and information privacy controls. CDCR’s information systems not only have offender data, but personal information about us. The loss of any of this information can cost time, money, and in some cases even lives. Not only does CDCR have an obligation to incarcerate California’s most serious criminal offenders, it must also protect its employees and those under its care from harassment, injury, or death. YOU are a part of that process. The following are some of the things that could happen because of poor information security:

• Inaccurate information.
• Unauthorized access to information.
• Loss or destruction of information.

Law enforcement agencies and the courts generate much of the information maintained by CDCR. This information must be accurate for both the judicial system and CDCR to function properly. Inaccuracies can cause delays in legal proceedings, mishandling of information, inappropriate legal actions, incorrect offender release dates, incorrect work assignments, incorrectly prescribed or dispensed medication, or other actions that have adverse effects on CDCR. For instance, if inaccurate custody level information is retrieved for an offender, that offender could be placed in an incorrect custody-level area. This could increase the risk of an offender escape or physical harm to himself or herself, other offenders, and staff.


Another example is the absence of (or inaccurate) gang affiliation information for an offender. This creates the risk of an offender being placed with rival gang members.

The department also maintains offenders’ health records and is required to protect those records by the Health Insurance Portability and Accountability Act (HIPAA). This information is used to ensure appropriate health care for offenders while they are housed in our facilities. The data reflected in these records are also used to ensure the safety and protection of CDCR employees. Health information follows offenders once they are paroled, and can affect them after their release from institutionalization. Inappropriate disclosure or modification of this confidential information could have serious negative consequences for both offenders and employees. If the integrity of an offender’s medical information has been compromised, it could affect the diagnosis or dispensing of medication. Misdiagnosis could cause harm or prevent appropriate medical treatment for an offender. Inaccurately dispensed medication could cause negative physical or mental health reactions, or both, increasing the risk of altered offender behavior and of harm to themselves, other offenders, and staff.

Information security and privacy provide access controls. These controls can eliminate suspicion and identify the possible wrongdoer(s) responsible for deliberately conducting unauthorized access, modification, destruction, theft or disclosure of information assets. Each time you access information systems using your logon user name and password, the activities conducted under your user name are associated with you. Adequate measures for information security help to ensure the smooth functioning of information systems and protect the organization from loss or embarrassment caused by security failures. It is essential that every single employee be a part of the information security program.


OBJECTIVE 2: YOU WILL BE ABLE TO IDENTIFY THE LAWS AND POLICIES GOVERNING THE PROTECTION OF CDCR’S INFORMATION ASSETS.

Laws and Policies Governing Information Security

Information security is defined by laws and regulations. The California State Constitution provides the right to privacy for all individuals. Federal and state laws require specific security provisions to be in place. Some information security violations, such as unauthorized modification or destruction of a computer system or data, are punishable by a fine, incarceration, or both. Information security is not an option or choice; it is a legal requirement.

What you should learn from this objective:
• State laws relating to information security.
• Federal laws relating to information security.
• State policies relating to information security.

Thinking Focus: Does everyone have a right to privacy?

Topic A: State Laws

The CDCR is required to follow California State laws and regulations pertaining to information security. Listed below are the main references in the body of those California laws that pertain to information security:

California Penal Code § 502: Unauthorized Computer Access

This act refers to computer access crimes. It states that it is a crime to "intentionally access...any computer system or computer network for the purpose of devising or executing any scheme or artifice; to defraud or extort or obtain money, property or services with false or fraudulent intent, representations, or premises; or to maliciously access, alter, delete, damage, or destroy, any computer system, computer network, computer program or data." It is illegal to willfully gain unauthorized access and conduct modifications, disclosure, deletions, or destruction of CDCR systems, networks, or applications.


California Civil Code § 1798 et seq.: Information Practices Act (IPA)

The Information Practices Act was adopted to protect the privacy of people about whom state agencies collect information. This Act protects all personal information held by state agencies by prohibiting disclosures except under certain circumstances, and includes penalties for violations. The IPA states, “The Legislature declares that the right to privacy is a personal and fundamental right protected by . . . the Constitution of California and by the United States Constitution and that all individuals have the right of privacy in information pertaining to them . . .” “Each agency shall maintain in its records only personal information which is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution . . .” The increasing use of computers and information automation makes personal information easily accessible and subject to careless handling. “Each agency shall collect personal information to the greatest extent practicable directly from the individual who is the subject of the information rather than from another source.” This law protects individuals’ rights to privacy, requiring that agencies collect and maintain only the personal information required to accomplish the mission of the agency, and protect that information from unlawful and unauthorized disclosure and modification.

The IPA defines personal information as information that identifies or describes an individual, and includes, but is not limited to, name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history.

The IPA also requires notification to persons whose personal information has been compromised.

Thinking Focus: Who can request to see public records?

Government Code § 6253: Public Records Act (PRA)

The Public Records Act is designed to give the public access to public information that is collected and maintained by state and local agencies. “Records” include all communications related to public business “regardless of physical form or characteristics, including any writing, picture, sound, or symbol, whether paper, magnetic or other media.” However, specific exceptions to disclosure are listed. Those record types that are exempted from this law are confidential. A list of those confidential record types most likely to be used by CDCR employees is provided under “Confidential Information” in Protecting Confidential and Sensitive Information. All other record types are non-exempt, and access to them must be provided upon request. “Public records are open to inspection at all times during the office hours of the state or local agency and every person has a right to inspect any public record, except as hereafter provided. Any reasonably segregable portion of a record shall be available for inspection by any person requesting the record after deletion of the portions that are exempted by law.”

Thinking Focus: Is personal health information exempt from the Public Records Act?

Topic B: Federal Laws

The CDCR is required to follow federal laws pertaining to information security. Listed below are the main references in the body of those federal laws that pertain to information security:

U.S. Code, Title 17 (Public Law 95-553): Federal Copyright Act

This law states that persons who purchase software do not have the right to make additional copies without the permission of the copyright owner, except to make a backup copy. Copying software for any other purpose is illegal, and punishable by fines and imprisonment.

U.S. Code, Title 18 (Public Law 99-508): Electronic Communications Privacy Act (ECPA)

This law prohibits the interception and disclosure of communications and unlawful access to stored communications, including computer data. Unauthorized access to data stored in “electronic storage systems” is a crime punishable by fine and imprisonment.

U.S. Code, Title 18 (Public Law 99-474): Computer Fraud and Abuse Act (CFAA)

This law states that unauthorized access to computers for the purpose of obtaining protected information, or to cause damage or make unauthorized changes to software or data on a computer system, is a crime punishable by fine and imprisonment.


Public Law 104-191: Health Insurance Portability and Accountability Act (HIPAA)

This is a federal law that protects individually identifiable health information. It governs the privacy and security of individually identifiable health information that is transmitted by or maintained in electronic media by entities that conduct electronic transactions, protecting it from unauthorized use, access, or disclosure.

Thinking Focus: Where can you find state policies that pertain to information security?

Topic C: State Policies

The CDCR is required to follow state policies containing regulations that have to do with information security. Listed below are the state policies with regard to information security:

State Administrative Manual

The State Administrative Manual (SAM), Section 4840 et seq., requires that agencies provide for the integrity and security of their automated information. This includes information classification, establishing information ownership, establishing a risk management process, identification of agency critical applications, development of an Operational Recovery Plan for recovery of critical applications, and reporting of security incidents to the Department of Finance (DOF) and the California Highway Patrol. Should any audit indicate that the State’s security policies are not implemented, or that our department has not taken corrective actions with respect to security deficiencies, our department may be subject to any or all of the following:
• Further audit and review by the DOF, Office of Technology Review, Oversight, and Security (OTROS).
• Revocation of delegated approval authority for information technology projects.
• Application of penalties specified in Government Code, Section 1222.

Department Operations Manual

The statewide information technology (IT) policies and procedures contained in the SAM are governed by the DOF, and are implemented via CDCR’s departmental policies and procedures contained in the Department Operations Manual (DOM), Chapter 4.


The CDCR’s information security policy is to protect its information from unauthorized access, modification, deletion or disclosure of information maintained in agency files and databases. The purpose of this policy is to establish a standard of due care to prevent misuse or loss of CDCR’s information assets. This policy establishes internal policies and procedures that:
• Establish and maintain management and staff accountability for protection of CDCR’s information assets.
• Establish and maintain processes for the analysis of risks to CDCR’s information assets.
• Establish and maintain cost-effective risk management processes.
• Protect CDCR employees, who are authorized to access CDCR’s information assets, from temptation, persuasion, and threat.
• Establish and maintain processes for authorizing access and supervision of inmates for inmate-use computers.
• Establish the process of identifying and reporting information security incidents.


OBJECTIVE 3: YOU WILL BE ABLE TO IDENTIFY THE APPROPRIATE USE OF CDCR’S INFORMATION ASSETS.

Appropriate Use of CDCR Information Assets

Information assets belonging to CDCR are made available to all authorized users that require computing resources. Before you use any of the CDCR information assets, you must understand the appropriate usage of those assets and your responsibility for that use. Information assets must only be used for CDCR-related business activities. As a CDCR employee, you are expected to follow federal and state laws, regulations, and policies governing the access and use of computers, information and electronic communications systems, and to follow CDCR information security policies and procedures. When you access and use these resources, your activities must support the goals and objectives of your assigned job responsibilities.

What you should learn from this objective: the appropriate use of the following CDCR information assets:
• Electronic Mail
• Passwords
• Internet Usage
• Anti-Virus
• Telephone Usage
• Remote Access
• Hardware
• Software

Thinking Focus: For what purposes can you use CDCR email?

Topic A: Electronic Mail

The CDCR electronic mail (email) system is provided to support and facilitate employees’ ability to complete work assignments. Our department maintains its email system to facilitate communications. Even though you have been given an individual password for access, the resources remain the property of CDCR and the contents of the email messages are accessible at all times to CDCR management. If you use email in an inappropriate manner, you may be subject to loss of email privileges, disciplinary action, or both. These guidelines establish the appropriate behaviors expected of you when using these resources.

Appropriate Use

Examples of appropriate use of CDCR email include, but are not limited to, the following:
• Scheduling, coordinating, and documenting business meetings and assignments.
• Notifying CDCR personnel of changes in work policies and/or work procedures after the appropriate approval process has been completed (must be followed up in writing).
• Transmitting and/or sharing non-confidential work-related material, including documents, files, reference material, and links to Internet sites.
• Sending and receiving business-related Internet mail.
• Notifying employees of CDCR-sanctioned employee events, including but not limited to the Medal of Honor Ceremony, United California State Employees Campaigns, and similar activities.
• Scheduling appointments, including off-work appointments and lunch breaks, on an electronic calendar.

Incidental personal use is allowed provided that it:
• Does not prevent others from performing business activities;
• Is kept to a minimum and the use of system resources is negligible;
• Is limited to your own time;
• Does not interfere with your job performance; and
• Does not adversely affect the morale and performance of co-workers.

Use of the email global distribution lists, such as CDCR Contacts, should be limited to departmental, state, or national emergencies, and information from executive levels or program areas that affects all employees.

Use the “Reply to All” email feature considerately when you respond to all the names listed on an email.

Thinking Focus: Is it okay to send chain letters if you only send it to your friends?

Inappropriate Use

Examples of inappropriate use of email include, but are not limited to, the following:

• Internet email to discuss, distribute, or share confidential information without encryption is prohibited. Using a disclaimer stating that the message may contain confidential information does not excuse the sender from sending unencrypted confidential information.
• Email with offensive content and unlawful material.
• Reviewing, receiving, and/or intercepting the electronic communications of another employee without express, prior authorization by the employee or their management.
• Logging on with a user ID and password other than your own.
• Copying or routing notes, messages, documents, or memoranda to individuals who are not involved in the relevant work project or who otherwise have no business-related interest in the subject matter.
• Distributing messages of a predominantly personal nature, or for personal gain.
• Distributing copyrighted material without prior written permission of the copyright holder.
• Except as otherwise provided in the DOM, reading email of another employee without their knowledge and consent.
• Sending sports pool or other forms of gambling messages.
• Using email for any unlawful or illegal endeavor.
• Soliciting for non-CDCR activities, such as fundraising or items of a political nature.
• Allowing offenders access to email, or sending messages on behalf of offenders.
• Transmitting profanity, obscenity, threatening language, gossip, or derogatory remarks.
• Distributing material that is not related to CDCR business, including jokes, poems, religious messages, chain-letters, advertisements, publications, audio or visual clips.
• Sharing of passwords is not allowed. If a situation arises when you must share your inbox with somebody else, contact your IT Coordinator for assistance.
• Be cautious about using the “Reply to All” email feature when responding to all the names listed on an email.

Your email is subject to unannounced inspections from time to time and should be treated like other shared filing systems. Email is not private and is subject to monitoring without notice.

Thinking Focus: What is the appropriate way to manage your email box?

Email Box

Think of your CDCR email box as you do about your home mailbox. You retrieve and open mail from your mailbox on a regular basis. If you left all your mail, opened or not, in your mailbox for any length of time, the postal service would no longer be able to deliver your mail. Email mailbox sizes on the servers are globally set and controlled. You are encouraged to manage your server mailbox by regularly moving messages to your personal folders. There is no size limit on personal folders, other than space limitations on the local or network drive used. If your server mailbox exceeds the allowable size limitations, you may not be able to send or receive any additional email. Your local IT staff person can help you set appropriate mechanisms on your workstation to avoid disruption of your email. If your workgroup requires a single "mailbox" accessible by multiple people, contact the Enterprise Information Services (EIS) Call Center at 324-7789.

Thinking Focus: Can you use CDCR email to send confidential information?


Email is a tool. We should all use it in a professional, courteous manner, keeping to the work at hand. When a message is confidential, NEVER USE EMAIL. Email is simply not secure. You have no idea where your email will be forwarded or how it will be handled once it leaves your computer. Common sense should guide you in the appropriate use of the CDCR email system. Inflammatory, retaliatory, defamatory remarks or messages that contain emotional outbursts should not be sent electronically.

IF IN DOUBT — DON’T SEND IT OUT

For more information on how to protect your email, see “Email” under Classify and Protect Information Assets in Objective 4.

Thinking Focus: What are the requirements for creating and maintaining passwords?

Topic B

Passwords

User IDs and passwords are given to enable authorized access to CDCR systems and resources. You are accountable for all system activity associated with your ID and password. Passwords must comply with the following CDCR password selection policy:

• Must be at least seven characters long.
• Must be a combination of numbers and letters.
• Must be changed in accordance with specific software application or system requirements, every 30 to 90 days.
• Cannot be words found in any dictionary.
• Cannot be easily guessed, such as: one’s name or nickname, the names of one’s children, names or words associated with one’s hobbies, names associated with favorite forms of entertainment such as books, TV shows, or movies (examples: “JEDI,” “FRODO,” “PICARD”).
• Shall not be written down or shared with anyone.

For more information on how to select a password, see “Password Selection” under Classify and Protect Information Assets in Objective 4.

Thinking Focus: Why is downloading music, graphic files, or games prohibited?


Topic C

Internet Usage

Internet access is provided to CDCR employees in order to enhance and facilitate communications, information sharing, and to access research and reference sources. Below are guidelines to keep in mind when using the Internet:

• Use the Internet for government business purposes only.
• All Internet access via the CDCR network is monitored.
• Visiting websites with the following content is strictly prohibited:
  • Hateful, racist, pornographic, explicit or illegal activity.
  • Adult entertainment, sports, gambling, online auctions, and entertainment (including music and video downloading and peer-to-peer sharing).
  • Websites with hacking and anti-government content.
• Downloads of Internet files, including graphic images and templates, can create a big security risk. If done at all, use extreme caution and scan the files for any viruses.
• Files downloaded from or uploaded to the Internet may not contain any of the following:
  • Derogatory comments regarding race, color, religion, sex, age, disability or national origin.
  • Offensive language or imagery.
  • Any content prohibited by law or regulation.
  • Software, computer applications, or other tools whose purpose is to break into or circumvent computer and network security.
  • Screensavers, games, shareware, music files, or movies.
• Violation of any copyright, internet gaming, and other file sharing is prohibited.
• Posting on the Internet any CDCR information or statements regarding CDCR without prior approval from our agency Public Information Officer is prohibited.

Thinking Focus: Why are you required to use anti-virus software?

Topic D

Anti-Virus

Anti-virus software is used to identify, prevent, and eliminate computer viruses. The CDCR standard, supported anti-virus software is required on all CDCR workstations and laptops.

• Anti-virus software requires updates as they become available. Unless done so automatically, download and install anti-virus software updates regularly.
• Always scan removable media (floppy disk, CD-ROM, USB portable drive, etc.) before using it.
• Anti-virus software must not be disabled or deactivated.


For more information, see “Malicious Software” under Protecting Confidential and Sensitive Information in Objective 4.

Topic E

Telephone Usage

When using the telephone while conducting CDCR business, the same laws, policies and guidelines apply when information is being communicated or disclosed. For important guidelines on using the telephone, see “Telephone Communications” under Classify and Protect Information Assets in Objective 4.

Topic F

Remote Access

Remote access is the capability to communicate with the CDCR network from a remote location; it requires going through a controlled access mechanism before connecting to the network and reaching information assets. This represents a potential avenue for unauthorized access to CDCR information assets. If you require remote access to the CDCR network, talk to your supervisor or IT Coordinator.

Thinking Focus: What should you do if you want to use non-CDCR equipment with CDCR-owned equipment?

Topic G

Hardware

CDCR Hardware

Employees issued CDCR equipment are responsible for the safety, care and handling of that equipment. Jobs requiring issuance of portable devices (such as laptops) require approval from the supervisor to use the equipment away from the office. If you are assigned such equipment, you are also responsible for the safety, care and handling of that equipment away from the office. Use of CDCR issued equipment must conform to all acceptable use criteria, and the equipment may not be used illegally as defined by state, local, and federal laws. It must not be used for malicious activities and should be password protected at all times. All CDCR equipment connecting to the CDCR network, including equipment that connects via remote access, must be current with all mandatory software upgrades and “patches.” Stay in communication with your IT Coordinator, and when they request you to bring your computer in for patching, make every effort to comply in a timely manner.

Workstations and Terminals

• If it locks, lock it when you leave. Keep the key in a secure area. Some older terminals still in use are kept in special boxes that can be locked. Others have removable keyboards, where the keyboard is stored in a locked cabinet when not in use.

• Log-off or activate the password-protection screensaver when you leave your immediate work area. DO NOT LEAVE AN UNATTENDED SESSION.

• If you see an unattended terminal or workstation, or somebody in your work area that you do not know using a terminal or workstation, notify your supervisor.

• If the screen displays sensitive information, be sure that no one else can see it.

All computing devices must be secured when left unattended. Guidelines for protecting CDCR equipment are provided under “Safeguarding Equipment While Away from the Office” within the section Protecting Confidential and Sensitive Information.

Non-CDCR Hardware

No non-CDCR hardware may be used in or with CDCR systems. If you believe you need a computer system component that is not currently provided to you, speak with your supervisor.

Thinking Focus: Can I use portable and handheld telecommunications devices for CDCR business purposes?

Portable and Handheld Telecommunications Devices

Portable and handheld telecommunications devices include, but are not limited to, computers with wireless communication capability, such as a cellular telephone or a personal digital assistant (PDA). These devices are convenient because they allow us to send electronic data and voice communication without wires and from almost anywhere within range of an access point. However, these devices are easily lost or stolen, and appropriate security controls are costly and time consuming to manage accurately.

Thinking Focus: Have you or someone you know ever lost a cell phone or had one stolen?

Without appropriate security controls and configurations these devices make it easy and convenient for “anyone” to gain access to communications and information systems. Access and authentication on these devices are difficult to control. Transmitting and receiving data to and from PCs can be done without the knowledge or permission of the user. All wireless communication systems must be reviewed and approved by Enterprise Information Services (EIS) and the ISO. These devices are never allowed in inmate-accessible areas without prior written approval from the Information Security Officer (ISO). These devices may not be used to access public wireless networks. These devices may only be used for wireless connectivity to synchronize with a CDCR network station. You can all too easily get a virus by using public wireless networks, and although all wireless communication systems must have the CDCR standard virus protection installed, the risk of infecting CDCR networks still exists when you connect to synchronize with your CDCR workstation.

Thinking Focus: If you develop software while at work, does the software belong to you?

Topic H

Software

CDCR Software

Making copies of software owned by CDCR is prohibited unless the software license specifically allows its use on more than one system and your supervisor has approved it. Creating copies or using unauthorized software may violate copyright laws or software license agreements. Copyrighted software, such as Microsoft or Adobe applications, requires license fees to use. When in doubt, contact your IT Coordinator.

Non-CDCR Software

No non-CDCR software may be installed or used in or with CDCR systems. If you believe you need computer software that is not currently provided to you, speak with your supervisor.


OBJECTIVE 4: YOU WILL BE ABLE TO IDENTIFY THE CLASSIFICATION OF CDCR’S INFORMATION ASSETS AND HOW TO PROTECT THEM.

Classify and Protect Information Assets

Information assets fall into different categories and it can often get confusing trying to determine whether or not the information is considered confidential and/or sensitive and to what degree of security that information may require. You should be able to recognize information assets you routinely use or access so you can identify the appropriate actions necessary to correctly manage and protect these resources.

What you should learn from this objective:
• The definition of confidential information.
• The definition of public information.
• The definition of sensitive or personal information.
• Some of the actions you can take to protect information in the following subjects:
  • Work Area
  • Visitors
  • Phone Communications
  • Social Engineering
  • “Hard Copy” or Paper Information
  • Electronic Files
  • Work Away from the Office
  • Modems
  • Passwords
  • Malicious Software
  • Backups
  • Faxing

Thinking Focus: What kind of information may be classified as “confidential information?”

Topic A

Confidential Information

Confidential information is information that CDCR maintains that is exempt from disclosure under the Public Records Act (PRA) or other applicable state and federal laws and requires special security precautions to ensure it is protected from unauthorized access, modification, and disclosure.

“Confidential Information - information maintained by State agencies that is exempt from disclosure under the provisions of the California Public Records Act (Government Code, Sections 6250–6265) or other applicable State or Federal laws…”

SAM 4841.3


That means we must maintain the confidentiality of information, allowing only certain authorized individuals access to it with the understanding that they will disclose it only to other authorized individuals that have a need to know. Here are some examples of confidential information:

• Notice-triggering personal information as defined in the Information Practices Act (IPA), Civil Code §§ 1798.29 and 1798.3. This is information that, if compromised, would require notification to the persons to whom the information pertains. It consists of the following:
  • Individual’s Last Name and First Name or First Initial in combination with any one or more of the following data elements:
    • Social security number.
    • Drivers’ license number or California identification card number.
    • Account number, credit or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account.
• Protected Health Information (PHI). This is individually identifiable health information that is created, received, or maintained in any form or medium, which is held by such organizations as health care providers, health plans, and contractors to these entities. PHI relates to a past, present, or future physical or mental condition, provision of health care or payment for healthcare.
• Electronic health information. This information is individually identifiable health information transmitted by electronic media or maintained in electronic media.
• Documents pertaining to pending litigation.
• Investigatory, security or licensing documents to or from law enforcement or correctional agencies.
• Test questions and scoring keys for licensing and employment examinations.
• Correspondence with the Governor or his office or maintained by the Governor’s Legal Affairs Secretary.
• Records related to an agency’s deliberative processes, such as internal memorandums to assist our department to reach a policy decision and documents that pertain to collective bargaining.
• Records and contracts pertaining to the delivery of medical and health care services.
• Vulnerability assessments relevant to terrorists and other criminal activities.
• Criminal Offender Record Information (CORI), such as offender name and location, conviction of offense, release date, etc.

Confidential information does not include publicly available information that is lawfully made available to the general public from federal, state, or local governments. This includes, but is not limited to, staff classification and salary information, data from court records, county property records, and many public websites.


Thinking Focus: What kind of information may be classified as “public information?”

Topic B

Public Information

All information maintained by the state is public unless it is exempt from disclosure under the California Public Records Act (PRA). In other words, information that CDCR maintains that is not exempt from disclosure under the PRA or other applicable state or federal laws is considered public information. If you work with any information that does not fall under one of the exemptions to the PRA and is not considered confidential and/or sensitive according to other state or federal laws, it is subject to being provided to the public upon request.

All information maintained by the State is considered public unless it is exempt from disclosure under the PRA.

Thinking Focus: What kind of information is classified as “sensitive information?”

Topic C

Sensitive Information

Sensitive information is information that needs special precautions to protect it from unauthorized use, access, disclosure, modification, loss, or deletion. This information may be confidential or public. Special care should be taken to ensure the accuracy and integrity of sensitive information.

Here are some examples of what may be considered sensitive information:

• Information on CDCR’s Intranet
• Strategic Plans
• Budgetary Information
• Internal Correspondence (including email)
• Drawings of Public Buildings and Floor Plans
• Equipment Inventory Lists
• Schedules and Calendars
• Procurement Related Documentation

Sensitive Information—information maintained by state agencies that requires special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion.

SAM 4841.3


Thinking Focus: What kind of information may be classified as “personal information?”

Topic D

Personal Information

Personal information is information that identifies or describes you. It may include the information that is protected by the Information Practices Act (IPA) or information that is publicly available, such as from public websites or government records. Personal information is sensitive and may be classified as confidential or public.

Here are some examples of personal information:

• Addresses for the property you own that are available in the Courts, Recorder’s Office, and on many public websites.
• Information about you that is available through public sources, such as telephone directories or government records, such as your county property records.
• Address where you work.
• Classification and salary information.
• Office telephone number and email address.

Whether or not personal information is confidential or public, it is your responsibility to protect that information from unauthorized access, modification, deletion, or disclosure. Disclosing personal information unnecessarily within the CDCR environment may increase the risk of potential harm or harassment to staff and their families.

Thinking Focus: What kind of things can you do to protect the integrity of personal information?

Some of the things you can do to maintain the integrity of personal information when working are:

• Collect only information that is relevant and necessary to accomplish the purpose of your job. For instance, if you do not need to collect social security numbers, do not collect them.
• Collect as much as is practical of the personal or confidential information directly from the individual.
• The original source of personal or confidential information must be kept, except when the source is the individual, or when a copy of the original is provided to the individual.
• Data collection forms must contain all pertinent details about the information collection, such as agency information, purpose of collection, consequences of not providing the information, any known or foreseeable disclosure of the information, and the person’s right to access the information.
• The accuracy, relevance, timeliness, and completeness of the information must be maintained.
• Personal or confidential information shall not be disclosed, except to the individual to whom it pertains, without prior written consent of the individual. The exceptions to this are when information is required for a valid CDCR business need, and when the information must be shared with other government entities as required by law.

The remainder of this learning objective will describe to you the things you can do to protect confidential and sensitive information assets.

Thinking Focus: What can you do in your work area to protect confidential and sensitive information?

Topic E

The Work Area

Now that you are aware of the different classification types of information, it is extremely important that you be alert to the sensitivity of the information you work with and be continually aware of those who may have access to it. It is your responsibility to prevent unauthorized access to CDCR information assets from visitors, service personnel, offenders, or anyone else to whom access has not been allowed. Be aware of “how” information in your area can be accessed and know what you can do to protect it. Here are some things you can do to protect information in your work area.

• Lock doors where appropriate.
• Lock up sensitive documents and removable media (i.e., diskettes, CDs, etc.).
• Secure all computing devices when left unattended by logging off or activating the password-protected screensaver (i.e., CTRL-ALT-DELETE keys).
• Never share your logon ID or passwords for any reason.
• Clear your desk and work area at the end of the day. This includes the proper disposal or storage of sensitive documents.
• Never discuss confidential information in public areas or with individuals who do not have a need to know.
• Reports and documents with personal information or other confidential data should be placed in folders or turned over to avoid inadvertent disclosure.
• Challenge unescorted people you do not know.
• Keep food or liquids away from workstations, printers, documents, diskettes, CDs, or any other removable media.
• Keep the removable media clean and dry. Do not touch the recording surface with anything, including fingers, pencils or pens. CDs are easily scratched.
• Diskettes are sensitive to magnets, and should be stored away from magnets, computer tops, and electric motors.


Thinking Focus: What can you do to prevent someone from accessing your workstation or terminal?

Workstation and Terminal Access

Use these precautions to restrict workstation and terminal access:

• If it can be locked, then lock it when you leave. Keep the key in a secure area. Some older terminals still in use are kept in special boxes that can be locked. Others have removable keyboards where the keyboard is stored in a locked cabinet when not in use.
• Log-off or activate the password-protection screensaver when you leave your immediate work area.
• If you use a terminal or workstation for terminal services, do not leave an unattended session.
• If you see an unattended terminal or workstation, or someone in your work area that you do not know using one, notify your supervisor.
• If the screen displays sensitive information, keep your terminal or workstation screen facing away from visitors or traffic.
• Protect your password! Do not share your password with anyone else. YOU will be the one responsible for every activity during a connection to the network or session using your logon ID, whether or not it is really you.

Thinking Focus: Who is considered a visitor and how can you protect confidential or sensitive information from them?

Topic F

Visitors

You should always use caution when divulging information in the presence of visitors. Visitors include any friends or relatives, former and current CDCR employees, consultants, contractors, and sales or marketing people. And, depending on your job, you may come into contact with a number of people who do not have permission to receive or access the information you use. If you are asked to provide information, and are not sure if the requestor is authorized, ask your supervisor for instructions. Here are some suggestions on how to handle this:

• Verify the requestor’s identity.
• If you receive any requests from the news media (reporters), refer them to your designated Public Information Officer (PIO). Each facility, institution, or parole office should have a designated PIO on duty or available by telephone. If you cannot find a PIO, refer to your supervisor.
• If asked to respond to a survey or questionnaire, check with your supervisor.
• Refer to your supervisor any requests for employee information such as lists with home addresses or phone numbers.


Thinking Focus: What should you know before giving information over the telephone?

Topic G

Telephone Communications

When providing information over the telephone, it is important to verify the identity of the caller, whether that person has a need to know, and if the caller has permission to receive the requested information. If you have any doubts as to the identity of the person or their authorization to have the requested information, talk to your supervisor. Do NOT give information to a person who is not authorized to receive it. Listed below are some general things to keep in mind when talking on the phone with information requestors:

• Verify the identity of the caller. If in doubt, tell the caller that you will have to call them back, and then verify with your supervisor whether the caller is genuine.
• Verify the need to know with your supervisor.
• Verify if they are authorized to receive the information.
• Only provide necessary information. Do not give additional information.
• Do not provide employee information, such as home address and phone numbers, without prior permission from your supervisor.
• Be aware of who is in the area that could overhear your conversation.
• Be aware of social engineering tactics (as will be reviewed within the next topic).

Thinking Focus: How can you determine if someone is trying to “trick” you to get information from you?

Topic H

Social Engineering

Social engineering is a term that describes the practice of getting confidential or sensitive information by deceiving people. A social engineer runs what used to be called a “con game” and will trick people into revealing sensitive information or getting them to do something that is against typical policies. Do not be fooled by the intentional manipulation of an individual into believing that the person requesting information is authorized and entitled to receive that information. Often done over the phone, the caller makes their way through the organization, gaining familiarity with names, terms, acronyms, and jargon and thereby enhancing their credibility as an authorized CDCR employee.


We take for granted the information with which we work. Others with criminal intent may want that information. The following tips will help you to avoid being “taken in” by social engineering:

• Do not mention names of other employees or use CDCR terminology unless you are sure of the identity of the caller.
• Be especially wary if the caller wants telephone numbers.
• Never provide information about the setup or configurations of computers, networks and other telecommunications.
• Do not email or fax any documents, plans, schedules, or any other document unless you are sure that the recipient is authorized to receive them.
• If you have any doubts about a caller, tell the caller that you will have to call them back later and ask for their name and telephone number, and then talk to your supervisor.
• Do not disclose your password over the telephone.

Thinking Focus: What can you do to protect your email?

Topic I

Email

Email is the fastest and easiest way to spread viruses. It is your responsibility to make sure CDCR’s most current virus protection software is on your workstation. The anti-virus software is configured to automatically update with the most recent anti-virus files. Do not disable this process. Workstations or email accounts that transmit viruses may be subject to removal from the CDCR network. Direct any questions about virus protection to your IT Coordinator. Here are some additional things to keep in mind to protect your email:

• Do not open unsolicited attachments.
• Do not open email without a subject line.
• Do not open email with a misleading or provocative subject line.
• Avoid using the “Auto Preview” or “Preview Pane” option of your e-mail client.
• Check the accuracy of the name of the person you intend to send the email to before clicking that “send” button.

Review “Electronic Mail” under Appropriate Use of CDCR Information Assets in Objective 3 for a detailed list on how email should be used.


Thinking Focus: What should you be aware of when throwing away paper documents and how should they be disposed of?

Topic J

Disposing of “Hard Copy” Information

As discussed earlier under social engineering, social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Give careful thought before you throw old pages of procedures, policies, CDCR phone directories, etc. into the regular disposal bin. Social engineers will often rummage through an organization’s trash bins looking for information like names and acronyms to use in social engineering to gain access to systems. Destroy or dispose of confidential and sensitive documents and files appropriately using the confidential destruction process in place for your office. Consult with your supervisor if you do not know the process. Reports, forms, computer printouts, screen prints and other documents may contain confidential or sensitive information even if you no longer need them.

Thinking Focus: How can voicemail be a security risk and what can you do to prevent someone from using it for their benefit?

Topic K

Voice Mail Protection

Voice mail, phone card theft, and the transferring of phone numbers or calls are all common means of what can be an expensive telephone fraud. An easily-guessed voice mail password, such as the telephone number, can be exploited in a popular voice mail scam. Here is how it works:

A hacker calls into a voice mail system and searches for voice mailboxes that still have the default passwords active or have passwords with easily-guessed combinations. The hacker then uses the password to access the telephone system and make long-distance calls. The victim of this type of fraud usually finds out what has happened when high phone bills arrive.

Here are some tips to help you protect your voice mail:

Make sure your voice mail password is a minimum of seven characters in length.

Do not use your telephone number as your voice mail password.

Do not use repeated or consecutive numbers in your voice mail password.

If your telephone has memory capability, do not program your password into it.

Follow the password tips provided in this manual under “Password Selection.”

Do not give your password to anyone. Remember, telephone service personnel do not need your password to maintain your system. If a person who represents themselves to be a telephone service technician asks for your password, immediately inform your supervisor.

Thinking Focus: How can you prevent someone from getting your telephone card access number?

Topic L

Protecting Telephone Cards

If you use a telephone card with an access number, shield the keypad to prevent others from stealing your card number. Your phone card number and PIN can be stolen by someone looking over your shoulder as you dial. This is sometimes referred to as “shoulder surfing.”

Thinking Focus: When removable media with confidential information is no longer needed, should it just be discarded or should it be destroyed?

Topic M

Destroying Electronic Data Files

Electronic data files can be stored either on stationary media, like a computer hard drive or a network LAN (local area network) drive, or on removable media, like CDs, diskettes, and USB portable drives. When that information is no longer needed, it must be destroyed by either physically destroying the media or overwriting the information. Deleting electronic data files does not remove the information from the media on which it is stored. It only erases the information that tells you ‘where’ the file was located. Electronically deleted files can be “recovered.”

Thinking Focus: When you delete data files, can that information still be retrieved?

Local Data Files

When you delete files from the hard drive, they can be restored because the file still exists on the hard drive. Not even formatting the drive can destroy data. If you have a computer that needs to be reassigned or surveyed, work with your IT Coordinator to determine the appropriate method of destroying the data on the hard drive. Do not pass on removable media or hard drives that you believe may have stored confidential or sensitive information.
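The distinction the booklet draws between deleting a file and destroying it can be shown with a small model. The following Python is an added illustration, not code from the CDCR booklet: a toy in-memory “disk” with a directory table and fixed-size data blocks. The `ToyDisk` class, the file names and the sample record are all constructed for this example.

```python
"""Toy model of why deleting a file is not the same as destroying it.

Added illustration for Topic M; this is not code from the CDCR booklet. It
models an in-memory "disk" with a directory table and fixed-size data blocks.
All file names and the sample record below are constructed.
"""

BLOCK_SIZE = 16    # bytes per block (small on purpose, so the picture stays readable)
BLOCK_COUNT = 8    # blocks on the pretend disk


class ToyDisk:
    def __init__(self):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(BLOCK_COUNT)]
        self.free = list(range(BLOCK_COUNT))   # block numbers not claimed by any file
        self.directory = {}                    # file name -> block numbers, in order

    def write_file(self, name, data):
        """Split data into blocks, claim free blocks for them, record the mapping."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = []
        for chunk in chunks:
            idx = self.free.pop(0)
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\x00")
            used.append(idx)
        self.directory[name] = used

    def read_file(self, name):
        """Normal read: follow the directory entry (trailing NUL padding stripped)."""
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\x00")

    def delete_file(self, name):
        """Ordinary delete: drop the directory entry and mark the blocks free.
        The bytes in those blocks are not touched."""
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        """Quick format: empty directory, all blocks marked free, data untouched."""
        self.directory = {}
        self.free = list(range(BLOCK_COUNT))

    def destroy_file(self, name):
        """Destroy: overwrite every block the file occupied, then delete the entry."""
        for idx in self.directory[name]:
            self.blocks[idx] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def carve(self, needle):
        """What a recovery tool does: scan raw blocks and ignore the directory."""
        return [i for i, blk in enumerate(self.blocks) if needle in blk]


def demo():
    """Write the same sensitive record three times, dispose of each copy differently."""
    disk = ToyDisk()
    record = b"SSN 000-00-0000"              # constructed sample, not a real number
    disk.write_file("deleted.txt", record)     # lands in block 0
    disk.write_file("destroyed.txt", record)   # block 1
    disk.write_file("formatted.txt", record)   # block 2
    disk.delete_file("deleted.txt")            # entry gone, bytes remain
    disk.destroy_file("destroyed.txt")         # bytes overwritten, then entry gone
    disk.quick_format()                        # forgets formatted.txt, bytes remain
    return {
        "directory_entries": len(disk.directory),
        "blocks_still_holding_record": disk.carve(b"SSN"),
    }
```

After `demo()` the directory is empty, yet a raw scan still finds the record in blocks 0 and 2: the deleted copy and the formatted copy. Only the overwritten copy is gone. On real hardware the same principle holds but the details are harder (journaling file systems keep extra copies, and solid-state drives remap blocks so an overwrite may not land on the old cells), which is why the booklet sends you to the IT Coordinator for the approved destruction method rather than asking you to overwrite files yourself.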


Thinking Focus: Who do you contact if you need to destroy data on removable media?

Removable Media

Removable media can come in different forms.

Diskettes, Tapes, USB Portable Drives, etc.

Diskettes, tapes, or USB portable drives used to store confidential information must be physically destroyed or entirely overwritten before being passed along.

CDs and DVDs

All CDs and DVDs used to store confidential information must be physically broken or destroyed to make them unreadable. You can accomplish this by scrubbing the top surface (laser side) with a cleaning scrub or by simply breaking or cutting the disc into several pieces. You can use Readable (R) CDs and DVDs only once to store confidential information, but, similar to a hard drive, Read-Writable (RW) CDs and DVDs can be written to a number of times. If you use RW CDs and DVDs to store confidential information, you must follow the same guidelines as for a hard drive. Deleting data files stored on RW CDs and DVDs does not destroy the data.

Thinking Focus: Are the files you store on the network or server removed when you delete them from the network?

Network Disk/Server Files

It is possible that when you delete a file, you have not actually deleted all the copies of the data. There may be additional copies of that file on a local area network (LAN) drive or possibly on network backups. Keep in mind that just because you delete a file that is located on your computer, that file may still exist on servers or in backup files.

Thinking Focus: What can you do to protect your equipment when you use state-owned equipment and resources outside or away from the office?

Topic N

Safeguarding Equipment While Away from the Office

Portable computing devices, such as laptops and handheld communications devices, can be easily stolen or damaged when you remove them from the office. Before you take equipment away from the office, remember these important points:

Obtain approval from your manager or supervisor to use state-owned equipment away from the office.

Obtain an equipment pass if your division has such a requirement.


Use care in handling the equipment.

Follow CDCR’s information security policies and procedures to protect the equipment from loss or theft.

Ensure access to CDCR equipment or resources is only for authorized CDCR activities.

Do not leave equipment visible in your parked car.

Do not leave equipment in a car overnight, including the trunk. Take it with you!

In public facilities, do not leave equipment unattended, even if “just for a moment.” This is especially true at airport gate security checks and in restaurants and coffee shops. Never let it out of your sight.

Be sure to take all your bags and cases with you before returning rental cars.

Make backup copies of your information and leave the backup copies at the office.

No confidential information may be taken from your workplace without prior written approval from your chain of command.

Keep sensitive/confidential information from casual observation by others, such as hotel staff members and strangers in public places.

Do not discard unneeded reports and other papers that contain sensitive or confidential information in the trash can in your hotel room. Take the information back to the office and dispose of it using the confidential trash process.

When using remote access by logging onto the CDCR network, do not leave the connection open when away from your computer. The remote logon process could provide a means of obtaining unauthorized access to the CDCR network.

Do not allow others to use your CDCR computer. This includes family members. The computer provided to you by CDCR is intended for your use only.

Make sure the equipment is tagged with an inventory control tag.

Keep a copy of your device spec sheet at your office, including the inventory control tag number and serial number.

Modem Usage

Using a modem to connect to CDCR systems is the same as being connected to the CDCR network at the office. The same rules apply as if you were sitting in your work area using a computer:

If your computer has a modem, the modem must not be in use when the computer is connected to the CDCR network with a network cable. The modem is to be used ONLY when the computer is not already connected to the network.

Never leave an active session unattended and be aware of anyone that can see the information on your computer screen.

Lock up the modem when you are not using it. If your computer has an internal modem, make sure your computer is in a lockable area.

No modems are allowed in areas where inmates have access.

All other policies and guidelines apply, including appropriate use of email, Internet access, and keeping current virus scanning software. Work with your IT Coordinator to configure your computer to update automatically when you use remote access.


Thinking Focus: What will you do if your working files or documents become lost or suddenly unavailable?

Topic O

File Backups

Backups can be a real time saver if something happens to your computer or data. Without a backup of your data, you may be faced with the overwhelming task of reentering and recreating reports, spreadsheets and databases. That is, of course, if you actually can re-enter or recreate the information after losing it. Some data, once lost, can never be replaced.

Thinking Focus: Which files or documents should you back up?

Not everything needs to be backed up, but generally, information should be backed up for the following reasons:

You cannot afford to lose it.

It would take too much time to recreate it.

It would cost more to recreate it than the cost of backing it up.

The original source is no longer available.

Thinking Focus: How do you go about backing up your files or documents?

If you use a computer on the CDCR network, you can use the network itself to complete your backups. Simply save your files to a shared area of the network. Network shares are set up with different types of access. Most network shares are configured on the servers to allow only specific divisions or branches to access them. The term “servers” refers to the hardware that stores the electronic files; servers are regularly backed up by the IT Coordinator. Check with your IT Coordinator on which network share would be best to use for your files. If your computer is not on the network, backups you make on removable media should be stored in a secure location away from your office. If a catastrophic event occurs, such as a fire, your backups will be destroyed along with your computer if they are in the same place. Backups are, by definition, copies of the same confidential and sensitive data you take great pains to secure on your computer. Be sure to afford the backups an equal measure of security – lock them up!


Thinking Focus: What are considered good backup practices when using removable media for backups?

Good Backup Practices

If one backup is good, then two backup copies are even better. Sometimes backups fail. If the data is essential and critical, multiple backups are necessary.

The most straightforward process is to make daily backups and keep several days’ worth. All backups made on Monday are kept on the “Monday” disk; those made on Tuesday are on the “Tuesday” disk, etc. If you need to restore information from a backup, you have your most current daily backup and four fall-back backups, each one day older than the one before. Restoring from a two-day-old backup means you have to recreate two full days’ worth of data, but that is still better than having to recreate it all.

For those systems with irreplaceable data, or requirements for restoration in a very short period of time, one more backup is made as well – the offsite recovery backup. This backup is usually made weekly and is stored in a location quite distant from your normal operation. Services are available to pick up your offsite backups and store them in climate-controlled vaults at some distance, often hundreds of miles away. In the event that all other backups are destroyed or fail, the offsite recovery backup can be retrieved and used to rebuild your system.

Test your recovery process before you need to use it. Do not assume your backups will work. Finding out your backups are bad when you need them is too late.

Store backups in a fire-resistant media safe or far enough away from your work area that in the event of a fire, flood, earthquake or other event that bars return to your work area, your backups will still be available. Backups may contain confidential and sensitive data, and should be stored accordingly – securely, with access only to those authorized. If you need assistance on how to test your backup data, contact your IT Coordinator.
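The Monday-to-Friday rotation plus a weekly offsite set can be written down as a small model, which makes the fall-back behaviour concrete: when the newest backup turns out to be bad, the next-oldest good one is used and the gap is the work that has to be recreated. The Python below is an added example, not code from the CDCR booklet; the function names and the backup log in `demo()` (dates in February 2006, with two failed runs) are constructed.

```python
"""Model of the rotation scheme in "Good Backup Practices".

Added example, not from the CDCR booklet: five daily disks (Monday..Friday,
each overwritten by the next backup made on that weekday) plus a weekly
offsite set taken from the Friday run. The backup log in demo() is constructed.
"""
from datetime import date

DAILY_LABELS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday")


def daily_disk_label(day):
    """Which daily disk a backup made on `day` is written to."""
    if day.weekday() >= 5:
        raise ValueError(f"{day} is a weekend; this scheme runs Monday to Friday")
    return DAILY_LABELS[day.weekday()]


def restore_candidates(today, backup_log):
    """Every backup still on hand as of `today`, newest first.

    backup_log maps the date a backup was made to True (its test restore
    worked) or False (the backup is bad). A daily disk keeps only the most
    recent backup written to it; the offsite set is the newest Friday backup.
    Each entry is (source, backup_date, rework_days, good).
    """
    newest_on_disk = {}
    offsite = None
    for day in sorted(d for d in backup_log if d <= today):
        label = daily_disk_label(day)
        newest_on_disk[label] = day          # a later write to the same disk wins
        if label == "Friday":
            offsite = day                    # weekly offsite copy made from Friday's run
    candidates = [(label, day, (today - day).days, backup_log[day])
                  for label, day in newest_on_disk.items()]
    if offsite is not None:
        candidates.append(("offsite", offsite, (today - offsite).days, backup_log[offsite]))
    candidates.sort(key=lambda c: c[1], reverse=True)
    return candidates


def pick_restore_point(today, backup_log):
    """Newest backup that verified good, and the days of work it leaves to recreate.
    Returns None if nothing on hand is usable, the situation the booklet warns about."""
    for source, day, rework_days, good in restore_candidates(today, backup_log):
        if good:
            return {"source": source, "date": day, "rework_days": rework_days}
    return None


def demo():
    """Constructed scenario: Wednesday 2006-02-08, the last two daily backups failed."""
    today = date(2006, 2, 8)
    log = {
        date(2006, 2, 1): True,   # Wednesday (overwritten by the Feb 8 run)
        date(2006, 2, 2): True,   # Thursday
        date(2006, 2, 3): True,   # Friday, also copied offsite
        date(2006, 2, 6): True,   # Monday
        date(2006, 2, 7): False,  # Tuesday, test restore failed
        date(2006, 2, 8): False,  # today, failed as well
    }
    return pick_restore_point(today, log)
```

In the constructed scenario the Wednesday and Tuesday disks both hold bad backups, so `pick_restore_point` falls back to Monday’s disk and reports two days of rework, the case the text describes. Replace the log with the results of your own test restores to see how far back a failure would actually set you.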

Thinking Focus: What can you do to protect your password?

Topic P

Password Selection

Passwords are meant to be difficult to guess (strong), but should also be easy for you to remember. Passwords can be easily guessed if the person guessing knows you or if you make the password too simple. Select passwords that are character strings that mean something only to you. Be sure to include a number (or numbers) or a special character within your password. Here are some suggestions for choosing a STRONG password:

Choose a word that you can easily remember, remove the vowels and insert a number or two, for example:

PRESIDENT ⇒ PR2SDNT


Use the first letters in a phrase and add a number, for example: The quick brown fox jumped over the fence six times. ⇒ TQBFJOTF6x

Combine two misspelled words and insert numbers, for example: TRUE BLUE ⇒ TRU05BLU

Use words that are spelled backwards and insert numbers: PENCIL ⇒ LIC12NEP

Review “Passwords” under Appropriate Use of CDCR Information Assets in Objective 3 for password requirements and do not use these or any other examples provided in printed or training materials.

Thinking Focus: What words or characters should you avoid using when selecting a password?

Passwords to Avoid

Here are some words you should not use as a password:

Your name, nicknames, initials, or names of family and friends.

Your system User ID.

Dates, especially those that appear on your driver license or in a personal calendar that you carry in a wallet or purse.

Telephone numbers, home addresses, zip codes, social security or driver license numbers, etc.

Names of pets, hobbies, special interests, etc.

Words that appear in any dictionary, regardless of the language (they can be compromised by password cracking programs that use electronic dictionaries).

Consecutive keys on a keyboard, e.g., QWERT or FGHJKL.

All the same character, e.g., XXXXXX or 999999.

Default passwords shipped with the system or software.

Words in which the letter “O” has been replaced with zeros.

Thinking Focus: What are some password do’s and don’ts?

Password Do’s

Change your password at least every 90 days.

Change your password immediately if it becomes known or you suspect it is known by anyone else.

Select hard-to-guess passwords containing seven or eight characters—but not so hard that you have to write it down to remember it.

Enter your password in private with no one in a position to observe your keystrokes (the system should not display the password on the computer screen).


Password Don’ts

Don’t use words listed in the paragraph above, Passwords to Avoid.

Don’t write down your password on a desk pad, calendar, phone book, address book, etc.

Don’t post your password by writing it on a post-it note and sticking it on your computer screen, under your keyboard, or in your desk drawer.

Don’t tell your password to anyone. Sharing passwords is not allowed for any reason.
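The rules in Topic P, Passwords to Avoid and the Do’s and Don’ts above are mechanical enough to check automatically, which is roughly what a password-cracking program does from the other side. The Python below is an added example; it is not code from the CDCR booklet and not the department’s actual password policy. The word list and default-password list are constructed stand-ins for the dictionaries a cracker would use, and the user ID `jdoe` and personal terms in `audit_examples()` are constructed as well. The only page-specific values are the booklet’s own printed examples, which the text says not to use, so the checker flags them too.

```python
"""Checker for the booklet's password rules (Topic P, Passwords to Avoid, Do's and Don'ts).

Added example, not from the CDCR booklet and not the department's actual
password policy. The word list and default-password list are constructed
stand-ins for the dictionaries a cracking program would use; the user ID
`jdoe` and the personal terms in audit_examples() are constructed too.
"""
import re
import string

DICTIONARY = {"president", "pencil", "password", "welcome", "dragon", "summer", "monkey"}
DEFAULTS = {"admin", "password", "changeme", "default", "guest"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Examples printed in this booklet; the text says not to use them.
PUBLISHED_EXAMPLES = {"pr2sdnt", "tqbfjotf6x", "tru05blu", "lic12nep"}


def _keyboard_run(pw, length=4):
    """First run of `length` adjacent keys (either direction) found in pw, else None."""
    lower = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            frag = row[i:i + length]
            if frag in lower or frag[::-1] in lower:
                return frag
    return None


def check_password(pw, user_id="", personal_terms=()):
    """Return the booklet rules that `pw` breaks; an empty list means it passes them."""
    problems = []
    lower = pw.lower()
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("contains no number or special character")
    if user_id and user_id.lower() in lower:
        problems.append("contains your user ID")
    for term in personal_terms:
        if term and term.lower() in lower:
            problems.append(f"contains personal information ({term})")
    if re.fullmatch(r"[0-9\s./()-]+", pw):
        problems.append("only digits: looks like a date, phone, SSN or zip code")
    if len(set(pw)) == 1:
        problems.append("all the same character")
    elif re.search(r"(.)\1\1", pw):
        problems.append("repeated characters")
    run = _keyboard_run(pw)
    if run:
        problems.append(f"consecutive keyboard keys ({run})")
    normalized = lower.replace("0", "o")       # undo the O -> zero substitution
    if lower in DEFAULTS:
        problems.append("a default password shipped with a system")
    elif lower in DICTIONARY:
        problems.append("a dictionary word")
    elif normalized in DICTIONARY or normalized in DEFAULTS:
        problems.append("a known word with the letter O replaced by zeros")
    if lower in PUBLISHED_EXAMPLES:
        problems.append("an example published in training material")
    return problems


def audit_examples():
    """Run the checker over constructed candidates; returns {candidate: problems}."""
    user_id = "jdoe"
    personal = ("Doe", "Rex", "1975")   # constructed: surname, pet, birth year
    candidates = ["QWERT", "999999", "PRESIDENT", "passw0rd", "jdoe2006",
                  "916-555-0100", "PR2SDNT", "Tqbf!j7x"]
    return {c: check_password(c, user_id, personal) for c in candidates}
```

Of the constructed candidates only `Tqbf!j7x` comes back clean; `PR2SDNT` is otherwise fine but is rejected because it appears in this booklet, and `passw0rd` is caught by undoing the zero-for-O substitution before the dictionary lookup, the same normalization a cracking tool applies.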

Thinking Focus: What types of malicious software are harmful to your computer?

Topic Q

Malicious Software

Malicious software is any software with the intent to cause harm. The short term for malicious software is “malware,” and some examples of malware are worms, viruses, Trojan horses, and certain spyware. These have the potential of bringing harm to the CDCR network and system resources. If malicious software is spread, it can be responsible for productivity and/or financial loss. While you may not be able to completely stop the possibility of getting a virus, worm, or other malware, you can greatly reduce the risk of infection and the potential for serious damage.

Viruses are small programs usually embedded in much larger programs (hosts), and are only spread when the “host” is executed. Virus infection can result in fairly harmless activity, such as a message or graphic being displayed on the screen, or more serious events, such as causing mission-critical system resources to be unavailable for lengthy periods of time.

Worms are small pieces of code that spread themselves from an infected computer to other computers on the same network without having to be attached to a host (program). They do not normally cause damage directly, but can have a devastating impact on a network by virtue of the number of copies of themselves that can clog up network resources.

The Trojan horse (usually referred to simply as a Trojan) works like the mythical Greek story of the Trojan horse and the city of Troy. A Trojan is malware disguised as a useful or “interesting” program, but in fact it is really harmful once it is executed. As with spyware, Trojans cannot replicate themselves, but they can be responsible for spreading other malware like viruses. Trojans can also be responsible for erasing or overwriting data on your computer, or appropriating your computer to launch attacks on other systems.

Lastly, there is spyware. Spyware intercepts or captures partial control of a computer’s operation without your knowing about it. Spyware is responsible for unsolicited pop-up advertisements, identity theft, and recording keystrokes (including logons and passwords). Unlike viruses or worms, spyware does not replicate itself.


Thinking Focus: How can you tell if your computer has contracted some form of malicious software?

Symptoms of Malware

While there are no universal symptoms for all the different types of malicious software (malware), the following are some indications that malware is present on your computer:

Programs take longer to load.

Disk access seems excessive for simple tasks.

Unusual error messages appear.

Access lights come on when no disk activity should occur.

Less memory is available.

Files mysteriously disappear.

Less disk space than normal is available.

Files change size, date, or content.

Unexpected messages or characters appear on the screen.

The system often crashes.

The system dial-up connection attempts to automatically connect to a telephone number without the knowledge or interaction of the user.

Thinking Focus: How does your computer get malware on it and what can you do to prevent it?

Preventing Malware Infection

The most common ways to spread and become infected with malware are through email and downloading files from the Internet. You can take the following actions to protect your computer from infection:

NEVER disable the virus scanning software on your workstation. All email you receive, regardless of where it comes from, including email sent from a fellow CDCR employee, should be scanned.

Keep virus scanning software current with the most recently released file updates. If your computer is connected to the CDCR network, the updates should happen automatically. If your computer is not connected to the CDCR network, contact your local IT Coordinator to find out how frequently the virus protection software is updated.

Restrict use of your workstation to authorized people only.

Scan removable media with anti-virus software prior to accessing it. This includes diskettes, CDs, USB drives, PDAs, etc.

Do not open attachments you receive in your email unless you can verify the sender is the person who actually sent the email. Viruses and worms can be “hidden” in these attachments, and when you open them, you release or “activate” the virus or worm. Once the malware has been activated, you cannot stop it. Malware can be embedded in Word and Excel files (files with a .DOC or .XLS extension), executables (.EXE), compressed or “zipped” files (.ZIP), and even some graphic files (.JPG and .GIF).

Do not use “shareware,” “freeware,” and demo CDs on CDCR computers without approval. Only IT support staff are authorized to install software on CDCR computers.

When downloading a file, use the “save” function and then scan the file before using it.

Do not download software from the Internet.

Never connect to the Internet unless your virus protection software is current and active.

If your computer has been sent out for repair, check it with virus detection software before you start to use it.

Update your virus software often – at least weekly. New viruses are created and released all the time. Your virus protection software is optimally effective only if it is current.

If your computer does not have virus detection software, contact your IT Coordinator to have it installed.

Thinking Focus: How can you protect documents that are faxed?

Topic R

Faxing Documents

Use good judgment when using CDCR fax machines. Some of the things you can do when faxing documents are:

Do not fax confidential or sensitive information.

Verify the recipient information, including the fax number, before faxing any information.

Verify that the fax number has been correctly dialed before pressing the “start” button to transmit the information.

Notify the recipient just prior to sending the fax so they are prepared to receive the information and immediately remove it from the receiving fax machine.

Use a cover sheet when faxing documents.


OBJECTIVE 5: YOU WILL BE ABLE TO IDENTIFY CDCR’S REQUIREMENTS FOR INMATE ACCESS TO COMPUTERS AND THE RULES FOR SUPERVISING INMATES WITH COMPUTER ACCESS.

Inmates and Computers

It is important to protect CDCR’s information and your own personal information from access by inmates. CDCR policy prohibits inmate access to sensitive and confidential information.

What you should learn from this objective:

Inmate qualifications for computer access.

Appropriate computer configurations for inmate use.

Physical location requirements for inmate accessible computers.

Appropriate inmate access and activities.

Supervising inmates using computers.

Thinking Focus: What criteria must inmates meet in order to be granted authorization to have computer access?

Topic A

Inmate Qualifications for Computer Access

Inmates may only be allowed access to a computer when they are working in an employment or educational assignment and only after the inmate has been cleared for computer use. Inmates may use computers if they meet these criteria:


1. No history of computer fraud or abuse.

2. No extensive experience or education in computer programming, software engineering, network management or administration.

3. No occurrences of computer abuse while in the prison system.

4. Must be granted permission before being given authorization.

If you are the person requesting clearance for an inmate, you cannot be the person requesting the clearance check. Inmates may be given the privilege of using a computer in their education or work area if they meet all four criteria. Access to computers is a privilege, not a right.


Thinking Focus: How must inmate access computers be set up before an inmate is authorized to use them?

Topic B

Appropriate Computer Configurations for Inmate Use

Computers used by inmates must meet the following criteria:

1. All storage media, such as hard drives, previously used by staff must be completely overwritten before being assigned to inmate use.

2. Computers previously used by staff or for purposes other than “inmate use” must be approved by the appropriate Information Security Coordinator (ISC) before being allowed for inmate usage. Contact your IT Coordinator if you do not know who the appropriate ISC is.

3. Direct access to the operating and file system, “run” feature, Control Panel, configuration dialogue boxes, and system utilities is prohibited.

4. Access to the MS-DOS commands ASSIGN, DEBUG, and ATTRIB must be removed.

5. Signs identifying whether or not “inmate use” is allowed must be obviously displayed on all computers.

Thinking Focus: How would you describe the attributes for the physical location where authorized inmate use computers can be located?

Topic C

Physical Location Requirements for Inmate Accessible Computers

Requirements for the physical location of inmate accessible computers are:

1. Signs identifying inmate use must be posted clearly in all rooms or areas where inmates use computers.

2. No communication capabilities, such as a telephone line, computer line, fax machine, wireless communications devices (cell phones or wireless access points), or radio communications are allowed in any area where inmates are allowed computer access. This includes telephones with “outside” line capability.

3. A copy of the written certification that the policies relating to inmate use of computers are being followed must be kept on site by the local ISC.


Thinking Focus: What activities are inmates not allowed to do with computer access?

Topic D

Appropriate Inmate Access and Activities

Inmates are allowed limited activities when granted authorization for computer access. Inmates are not allowed to:

Develop new applications.

NOTE: Any existing application or program developed by an inmate shall not be used to accomplish departmental work or used on any computer connected to the CDCR computer network.

Access any computer-based tool that could be used to create malicious code.

Access dialogue boxes, the Control Panel, or any other feature on the computer that could allow modification or changes to the configuration of a computer.

Use staff-assigned computers or access CDCR business applications.

Use more than one computer. An exception is in the classroom setting when one instructor is responsible for supervising all inmates and computers.

Use computer peripherals, such as CD burners, printers, and scanners, unless CDCR staff directly supervise their usage.

Install software.

Possess removable media, such as diskettes, tapes or CDs, unless the media is controlled and “checked out” to the inmate.

Access external communication capability, such as modems, communication tools such as email, and “chat” applications.

Share the same network with staff.

Access network shares that are also accessible to other inmates.

Access the Internet, Intranet, or the CDCR computer network.

Possess a computer as personal property or outside of the authorized work, vocational or educational program area.

Thinking Focus: What are your responsibilities if you are required to supervise inmates authorized for inmate use computers?


Topic E

Supervising Inmates Using Computers

Many of the institutions have inmates in the workforce, including inmate clerks using computers. To ensure information security, inmates using computers must be closely supervised. The responsible staff are required to do the following when supervising these inmates:

Certify in writing that all the policies related to inmate use of computers are being followed.

Limit inmate access to computers to only the authorized activity.

Ensure computers that are designated for inmate use are used strictly for that purpose. Inmates may not use staff computers.

Authorized inmate-use networks are only allowed if a security plan has been approved by the ISO.

Supervising staff must understand what the inmate is doing under his or her supervision.

Supervising staff must have more knowledge and expertise with the computer than the supervised inmate.

Be able to see all inmate computer screens from a single location.

Must not allow inmates to have passwords, unless the password is assigned and controlled by the supervising staff and cannot be changed by inmates.

Ensure only inmates with access authorization use computers. This includes troubleshooting, problem solving, data entry, or any other way in which an inmate may view the screen or touch any component of the computer system.

Maintain control of removable media, such as diskettes, CDs, and zip disks, used by inmates with an inventory and appropriate controls, such as a check-in and check-out process.

Monitor and control all inmate activity. This includes reviewing the contents of the removable media and hard drives, ensuring files are related to their work, reviewing all printed material produced or requested by inmates, and constantly monitoring their activity on the screen.


OBJECTIVE 6: YOU WILL BE ABLE TO IDENTIFY INFORMATION SECURITY INCIDENTS AND KNOW HOW TO HANDLE THEM.

Information Security Incidents

An essential part of your individual information security responsibilities is to report known or suspected security incidents that may place CDCR information assets at risk. Before you can do that you need to understand the definition of an incident and how to identify one.

What you should know from this objective:

The definition and identification of the different types of information security incidents.

How to handle information security incidents.

Thinking Focus: What is an information security incident?

Topic A

Identifying an Information Security Incident

An information security incident is an event or security breach, whether intentional or unintentional, that causes loss, damage, destruction, modification, or disclosure of CDCR computer systems or facilities; unauthorized access to confidential or sensitive data; or fraud, embezzlement, or misuse of state property. The following is a list of the types of security incidents:

Unauthorized Access and Disclosure of Information Assets

Unauthorized Modification, Destruction, or Loss of Information Assets

Introduction of Malicious Code

Falsification and Unauthorized Use of Information Assets

Misuse of Information Assets

Unauthorized Access and Disclosure of Information Assets

These are unauthorized intrusions: any set of actions that attempts to compromise the integrity, confidentiality, or availability of a resource electronically. Unauthorized access of this kind may also involve tampering with, or damage to, CDCR information assets.



Examples:

A computer user or unknown hacker gains unauthorized access to CDCR computer systems and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, whether existing or residing internal or external to a computer, computer system, or network.

Someone calls you using social engineering tactics to gain access to computer systems and networks, for example by claiming to be an administrator for the CDCR network or computer systems and asking you for a User ID and password for troubleshooting purposes.

Disruption of state services or denial of computer services occurs in a manner that appears to have been caused by deliberate and unauthorized acts. An example is a Denial of Service (DoS) attack, which causes a loss of service to users, typically loss of network connectivity and services, by consuming the network's bandwidth or overloading the system.

An individual knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network, such as someone other than an authorized user logging in and utilizing the system.

An individual discovers they have access to another user’s email or documents, browses through them knowing that the access is not authorized, and does not report the access capability.

Unauthorized Modification, Destruction or Loss of Information Assets

These are unauthorized acts that result in the loss of confidential, sensitive, or mission critical information assets. They occur when there has been deliberate or unintentional destruction or disappearance of information assets, including theft of the equipment used to process or store CDCR information, for example when a desktop, laptop, or handheld device is stolen from the office or while traveling. Unauthorized modification of information assets is the act of modifying information assets by someone not authorized to access them. Examples:

An individual gains access to the CDCR network and then to the web servers, changing the web pages to include inappropriate information or images.

Intentionally entering false data into a database or file.

Someone breaks into the computer room and sabotages the computer equipment, causing physical damage to that equipment and the loss of data maintained by that equipment.

The cabinet containing your CDs with confidential or sensitive information has the lock broken off and some CDs are missing.

While you are traveling away from the office for work, your state-owned laptop is stolen from your vehicle.

You went home after work and forgot that you left your PDA on your desk. The next morning you remember that you had it with you in the office, but you realize it is no longer there.

You come into work one morning and discover your desktop has been stolen.


Disclosure, by an employee, of his or her password. This includes disclosure to family members, coworkers, the employee’s supervisor, or any other person. The exception is when the password must be provided to a technician so that maintenance or repairs to the computer or equipment can be made. In these instances, the employee must change his or her password immediately upon completion of the work by the technician.

During your workday you discover your USB drive with confidential or sensitive information has been stolen or misplaced.

Disclosing another employee’s password to anyone. Employees who learn another employee’s password should report that fact to their supervisor immediately. The employee must change the password, or if that is not possible, the supervisor must immediately request deactivation of the employee’s account by the access management entity.

Disclosing medical information or inmate data to any employee whose job does not require this knowledge.

Providing the address or telephone number of a CDCR employee to anyone, including another CDCR employee, whether deliberately or by accident, unless required by CDCR.

Discussing facts from an investigative file or pending legal actions outside the performance of official duties.

Introduction of Malicious Code

Introduction of malicious code (malware) occurs when a contaminant is introduced into any State computer, computer system, or computer network. This includes, but is not limited to, viruses, Trojans, worms, and other types of malicious software. Examples:

Malware arrives in an email attachment that looks suspicious, and the attachment is opened before it has been verified to be safe.

An employee brings work from home on removable media that is infected with malware and does not scan the media for viruses before using the data.

An employee downloads an infected file from the Internet.

Falsification and Unauthorized Use of Information Assets

This is the falsification of information and unauthorized alteration of computerized information, computer programs, or information in any other form. The unauthorized alteration may be for any reason, including fraud, embezzlement, personal gain, or aiding in the perpetration of a crime or the personal gain of another person. Intentional falsification of computerized data for any reason is in itself a crime under California Penal Code, Section 502. Fraud or other crimes involving information falsification are prosecuted in addition to the crime of computer data falsification. Examples:

Accessing a computer using another person’s User ID and password.

An employee who is logged on allows another employee to use the computer or terminal without logging off. This is unauthorized access, even though the second employee may be authorized to use the system under his or her own User ID.


Internet domain names or user account names, or both, have been used without permission in connection with the sending of one or more electronic mail messages that caused damage to a state computer, computer system, or computer network, or misrepresented the state or state employees in electronic communications.

Intentionally entering false data into a database or file.

Intentionally entering incomplete data into a record without authorization.

Omitting entries or updates in a database, file, or record without permission.

Modifying or deleting valid information without authorization.

Changing production data with a version of an application program that has not been formally tested and released to production via the Department’s standard application change control process.

Modifying computer source code without authorization.

Modifying an operating system or network configuration without authorization.

Changing access permissions in an access control table without authorization.

Unauthorized alteration of paper documents.

Misuse of Information Assets

Misuse of information assets occurs when authorized users use CDCR’s computing resources for unauthorized purposes, inappropriate activities, or personal gain. It also occurs when CDCR information is read, copied, or used for unauthorized purposes. Authorized purposes include only those related to the individual’s job or education assignment. This also applies to external CDCR information users, contractors, and consultants, who have been authorized to read, copy, or use only those CDCR information assets that pertain to their contracted CDCR business, and only for the purpose stated in their agreement with the Department. Examples:

An authorized person uses CDCR systems to access the Internet to view inappropriate web sites that are against CDCR policy.

Bringing games or unauthorized software to work to install and play on your workstation.

Unauthorized installation and use of an employee’s own software, not approved by Enterprise Information Services (EIS), on a CDCR computer.

Use of an illegal copy of software or software not licensed or approved by EIS on a CDCR computer.

An individual is threatening or harassing another individual through CDCR electronic communications.

Using knowledge of CDCR personal or confidential information for non-CDCR purposes.

Using CDCR computer resources for an outside business or interest.

Using CDCR information assets to commit embezzlement or fraud.

Accidental viewing of information because a computer, terminal, or paper document in the work area is placed in such a way that unauthorized employees or offenders cannot avoid seeing it.


Thinking Focus: To whom do you report an information security incident?

Topic B: Handling Information Security Incidents

If you believe there has been an information security incident, the occurrence must be reported immediately to your supervisor and local ISC.

Thinking Focus: What could happen if you violate information security policies and procedures?

Topic C: Consequences of Information Security Violations

All violations of security policies or procedures are subject to disciplinary action. The specific disciplinary action taken depends upon the nature of the violation and its impact on CDCR’s information assets and related facilities.

Following is a partial list of possible disciplinary actions:

Written reprimand.

Suspension without pay.

Reduction in pay.

Demotion.

Dismissal.

Criminal prosecution (misdemeanor/felony, state or federal).

During the time that a suspected violation is under investigation, the suspected violator’s access privileges may be revoked or other appropriate action taken to prevent harm to CDCR.


Appendix A - Glossary

accountability: The ability to trace violations or attempted violations of system security to the individual(s) responsible.

authorized access: Access to information, regardless of media type (paper, electronic, film, etc.), that is granted to specified individuals by management for the purpose of performing specific CDCR work functions.

availability: The condition in which information, computer equipment, or computer services are accessible and can be used when needed.

backup: The duplication of computer programs and files (usually to diskette or tape), prior to any loss or damage to such information, so that the information can be restored in the event the original is destroyed.

backup copies: More than one copy of programs and files, usually on diskette or tape, used to restore such information if the original is destroyed.

CDCR network: A Wide Area Network (WAN) consisting of Local Area Networks (LANs) that connect desktop computers in most of the Headquarters offices, Parole Offices and several Institutions. The CDCR Network provides email, scheduling, access to the Intranet, departmental applications and standardized forms. Internet access is provided to authorized users.

classification: The assignment of information, including paper documents, to a category on the basis of its sensitivity concerning disclosure, modification, or destruction.

confidential information: Information maintained by State agencies that is exempt from disclosure under provisions of the California Public Records Act (Government Code, Sections 6250–6265), or other applicable State and Federal laws. See State Administrative Manual (SAM), Section 4841.3. Confidential information is so defined because its unauthorized disclosure could cause harm to an individual or organization or would violate an individual’s or organization’s right to privacy. Personal information, including personnel, medical, or similar files the disclosure of which would constitute an invasion of personal privacy, should be treated as confidential. All information pertaining to information security incidents and all incident reports are classified confidential and are subject to all requirements for maintaining confidentiality.

controls: Technological mechanisms and/or procedural measures that help enforce information security policies, standards, and laws.

copyright law: Software is protected by the Federal Copyright Act, U.S. Code, Title 17–18, which gives the owner of the copyright “the exclusive rights to reproduce the copyrighted work and to distribute copies.” The act of illegally copying software is commonly known as “software piracy.”

critical application: A computer program so important to CDCR that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the services and/or information provided would have a significant negative impact on the health and safety of the public or employees, the financial or legal integrity of CDCR operations, or the continuation of essential CDCR programs. All CDCR department-wide information systems are considered critical applications.

data: A representation of information, knowledge, facts, concepts, computer software, computer programs, or instructions. Data may be in any form, for example in storage media, such as the memory of a computer; in transit, such as information sent over communication lines; as presented on a display device, such as a terminal; or in a paper document.

downloading: The transfer of information from a computer application such as DDPS to a local computing configuration, such as a microcomputer or Local Area Network (LAN).

dumpster diver: Someone who goes through an organization’s trash in search of access codes, credit card numbers, computer printouts, and other information that can be used for dishonest purposes.

electronic mail (email): A system that allows a message to be typed at one computer or terminal and then “sent” to someone on another computer or terminal. The message is stored until the receiver chooses to read it.

firewall: A device consisting of hardware and/or software that limits communications between two networks. Access to the Internet from the CDCR Network is controlled by a firewall that is administered by EIS.

freeware: Software (programs) that is available to anyone free of charge (no licensing fee).

hacker: A person who gains, or attempts to gain, unauthorized access to computers, computerized information, or software, usually from a remote site.

information assets: All types of information including, but not limited to, documents, records, files, databases, and information technology facilities, as well as equipment and software owned or leased by CDCR.

information owner: The entity assigned decision-making authority for specific data, such as inmate health data or parole information. The Information Owner has responsibility for determining appropriate access authorizations, monitoring and ensuring compliance with CDCR and State security policies and procedures concerning the information, identifying acceptable levels of risk, and defining precautions for protection of the information.

Information Privacy (IP): The right of individuals and organizations to control the collection, storage, and release of information about themselves.


information security: The protection of information assets from unauthorized access (accidental or intentional), modification, destruction, disclosure, or the inability to process that information (unavailability).

information security incident: An occurrence involving CDCR information assets that violates Federal or State information security laws or State or CDCR information security policies or procedures. Information security incidents involve the unauthorized or accidental modification, distribution, or misuse of, disclosure from, or access to CDCR information assets. Refer to the CDCR Handling and Reporting of Information Security Incidents handbook for details.

Information Security Incident Report: A report documenting the details of an occurrence involving CDCR information assets that violates Federal or State information security laws or State or CDCR information security policies and procedures. Certain incidents are reportable to the Department of Finance and the California Highway Patrol. All incidents must be reported to the ISO within three working days of the discovery. An “incident” involves one or more of the following:

1. Unauthorized intentional release, modification, or destruction of confidential or sensitive information, or the theft of such information.

2. Violation of the Comprehensive Computer Data Access and Fraud Act (Penal Code, Section 502).

3. Use of a State information asset in the commission of a crime.

4. Tampering, interference, damage, or unauthorized access to computer data and/or computer systems as described in the Comprehensive Computer Data Access and Fraud Act (Penal Code, Section 502).

5. Intentional noncompliance, by the Information Custodian, with custodial responsibilities as specified in the SAM, Section 4841.6.

6. Intentional damage or destruction of State information assets, or theft of such assets, with an estimated value of $500 or more.

Information Security Officer (ISO): The person, designated by the agency director, who is responsible for overseeing the agency’s compliance with policies and procedures regarding the security of the agency’s information assets. (See Government Code, Section 11771 and SAM, Section 4840.2.)

Enterprise Information Services (EIS): CDCR division charged with the development and maintenance of information technology solutions. EIS is the Information Custodian for most of CDCR’s critical systems. EIS also provides support services for the CDCR Network.

Information Technology (IT): All computerized and auxiliary automated information handling, including systems design and analysis, computer programming, information storage and retrieval, voice, video, and data communications, etc.

information user: An individual having specific limited authority from the Information Owner or management to view, change, add to, disseminate, or delete information. The responsibilities of Information Users are using State information assets only for State purposes; complying with applicable laws (including copyright and license requirements), administrative policies, and any additional security policies and procedures; and notifying the Information Owner and ISO of any actual or attempted violations of information security laws, policies, practices, or procedures.

integrity: The condition in which data or programs are protected from unauthorized modification.

Intranet: CDCR information resource, available to all systems connected to the CDCR Network. The Intranet provides access to several services for CDCR employees, including personnel information, access to policies, travel information, forms, etc.

Internet: A term used to refer to the worldwide “network of networks.” Access is available through the CDCR firewall or, if the CDCR network is not available, through local Internet Service Providers (ISPs), to CDCR staff who have been approved for such access.

Local Area Network (LAN): Two or more microcomputers in the same general area that are connected by some means, such as wire, infrared or radio, providing access to shared data such as forms, documents and databases, email, scheduling, applications, printers and other peripherals.

logic bomb: A malicious program, similar to a virus, designed to carry out a usually destructive mission in response to a trigger event. Unlike a virus, a logic bomb does not replicate itself.

log on/off: The procedure by which a session is begun and ended on a computer.

malicious code: Computer instructions, usually in the form of a program, designed to perform undesired changes to the computer system, data, or programs. See the virus definition for more information.

malware: Short for malicious software, such as viruses, Trojans, worms, and certain spyware.

mission critical: A process or business function that must be available for an agency to continue to operate.

modem: A device that connects computers to each other via telephone lines. In CDCR, modems are used to provide remote access to the CDCR network, connect to specialized systems, and provide email and/or Internet access for employees not currently able to use the CDCR network.

monitoring: The process of analyzing, assessing, and reviewing audit trails, and other data gathered, to detect events that may be security violations or that may possibly create a security incident.

password: A unique string of characters used to authenticate (verify) an identity. Usually associated with a User ID. Passwords are confidential and should be kept secret.

personal computer: A microcomputer configured to be used primarily by a single user.

process: The work activities that produce products, including the efforts of people and equipment.


program: The set of instructions by which a computer operates to accomplish a specific task.

proprietary software: Computer applications developed by independent vendors to meet specific programmatic needs, and then marketed to users and agencies with those needs. An example would be an application that manages personnel and payroll for small and medium-sized companies.

public information: Any information prepared, owned, used, or retained by a State agency and not exempted specifically from disclosure requirements under the California Public Records Act, Government Code, Sections 6250–6265, or other applicable State or Federal laws.

remote access: The process by which authorized CDCR Network users may connect to the CDCR Network with a modem.

risk: The probability that a loss of information assets or breach of security will occur.

risk analysis: The process of evaluating 1) the vulnerability of information assets to various threats, 2) the costs or impact of potential losses to the organization, and 3) the options for removing or limiting risks.

risk management: The process of taking actions to avoid risk or reduce it to an acceptable level.

sensitive information: Information maintained by State agencies which requires special precautions to protect it from unauthorized modification or deletion (SAM, Section 4841.3). Sensitive information may be either public or confidential.

shareware: Software available either free of charge, or for a small fee, that the user is allowed to evaluate/use for a short period of time (usually 30 days) before deciding whether or not to purchase it.

shoulder surfing: A term originally used for a telephone fraud technique whereby telephone access codes are acquired by watching somebody enter the code on the keypad; the same technique is used to capture passwords and other data as they are typed. The simplest form involves an individual looking over somebody’s shoulder. More sophisticated methods involve video cameras, tape recorders or other processes to record the sequence as it is entered.

social engineering: Posing as an employee, client, service technician, or any other bona fide (genuine) individual to gain information that can be used to break into a computer system or for other dishonest purposes.

software: Computer program(s) consisting of instructions for the CPU that perform specific functions, such as word processing.

spyware: A broad category of malicious software intended to intercept or take partial control of a computer’s operations without the user’s informed consent.

storage media: Media used to store information electronically, such as hard disks, diskettes, and tapes.


surfing: By analogy with riding the waves on the ocean, refers to going from site to site on the Internet.

terminal: A computer display device which displays information generated by the computer system.

threat: A condition that, given the opportunity, could cause a harmful event to occur.

Trojan: A malicious program disguised as legitimate software.

unauthorized access: Access to information which is not within the scope of an individual’s job duties or without the permission of management and/or the Information Owner.

user ID: The unique identifier assigned to an individual for the purpose of access to a computer system.

virus: A self-replicating program, usually malicious. A virus has three parts: a replicator, a trigger, and a mission. The replicator makes copies of the virus program so that it can spread. A trigger is an event that will cause the virus to perform the function for which it was designed, such as a specific date or time. The mission is the function the virus will perform when triggered.

voice mail: A telephone answering system that provides the user with such services as message forwarding, message storage and retrieval, and message notification.

vulnerability: Susceptibility of an information asset to a specific threat.

worm: A malicious program, similar to a virus, that replicates itself and carries out a (usually) destructive mission. Unlike a virus, a worm spreads on its own across a network, without attaching itself to a host program or waiting for a trigger event.

write-protected: Preventing data from being written onto electronic storage media. The write-protect mechanism varies depending on the type of storage media.