Section Seven: Information Systems Security

Note: All classified markings contained within this presentation are for training purposes only.
Information Systems Security: Why do we need IT security procedures?

Protect {Company}, U.S. Government Sponsor, industry, and partner information from unauthorized disclosure
Protect computer systems and networks from unauthorized access/compromise
Maintain confidentiality, integrity and availability of information and systems
Provide clear and concise direction to personnel regarding proper methods of protecting information and information systems
Culpability for cyber security incidents is now a key component of security clearance determination
Information Systems Security: Common IT Security Incidents

Malware/Spyware incidents
  ‒ Most entry points are from users unknowingly surfing compromised web sites
Improper use of IT systems
  ‒ Connecting personal media (e.g., thumb drives, cameras, cell phones)
  ‒ Viewing/creating pornography
  ‒ Visiting inappropriate web sites
  ‒ Downloading/installing prohibited software
Information Systems Security: Acceptable Use of Information Systems

{Company} systems are for official use in support of its mission
  ‒ “Occasional and limited” personal use is acceptable
  ‒ All electronic information and communications are subject to monitoring
  ‒ “No expectation of privacy”
Personnel must
  – Access “authorized” systems only
  – Process {Company} data on {Company} systems only
  – Connect {Company} devices/media to {Company} systems only
No connecting personal iPods, media players, cameras, disk drives or USB drives
Information Systems Security: Acceptable Use of Information Systems (continued)

Data Preservation
  ‒ Intentional alteration or destruction of data, systems, or media is prohibited
  ‒ System maintenance or upgrades are acceptable
  ‒ Anti-forensics software is not authorized
  ‒ Encryption keys must be made available
Ethical and Professional Conduct
  ‒ Offensive, harassing, obscene, or threatening communications are prohibited
  ‒ Violation of copyright laws is prohibited
  ‒ Visiting inappropriate websites is prohibited
  ‒ Commercial or promotional activities are prohibited
  ‒ All software must be professional in nature and support {Company} business needs
Violations will result in management review and possible disciplinary action, up to and including termination
Information Systems Security: Protecting Networks and Information Systems

Access to {Company} networks and systems requires a background investigation
Direct dial-in to networked systems is not authorized (e.g., connecting a modem to your desktop)
All users must
  ‒ Lock/log out of the system before leaving it unattended
  ‒ Keep antivirus software current
All external communications must go through the {Company} firewall
Network bridging is prohibited
  ‒ Network bridging can occur when a user has accessed the {Company} network using one computer while still connected to another network, for example:
      Two network cards in use on a single machine (i.e., connections to the Local Area Network (LAN) and the External Network simultaneously)
      Connecting to a wireless network while connected to the LAN via a wired connection
      Using software products that enable remote access to/from {Company} computer systems and the Internet
Information Systems Security: Classified Information Systems

Classified information systems (IS) must be certified and accredited through the Security Department before use
  – Systems must be labeled with the highest classification level that can be processed on them
All users of a classified IS must know:
  ‒ The programs (contracts) authorized for processing
  ‒ The highest level of classified information which can be processed
  ‒ That passwords for a system must be protected at the same level as the system they are used for
  ‒ Hard copy and media handling and marking procedures
  ‒ The required notifications to be made prior to any hardware, software, location, or security-relevant configuration changes
No classified processing on unclassified systems
Timing is a critical factor if suspected or actual classified contamination occurs
  ‒ Immediate reporting limits further distribution and costs
Information Systems Security: Remote Access to Networks and Information Systems

Remote access to classified systems is prohibited unless documented and approved
Remote access to unclassified systems requirements (tailor to your facility policy):
  ‒ Department of Defense (DoD) security clearance
  ‒ {Company}-owned equipment only
  ‒ Two-factor authentication
  ‒ One-time passwords
  ‒ Virtual Private Network
  ‒ Personal firewall solution
Information Systems Security: Disposition of Computers

Decommissioned or unused equipment must be returned to the Security Department to
  – Ensure system hard drives are
      Overwritten,
      Degaussed, or
      Destroyed
  – Ensure no media is left in the systems
Information Systems Security: Wireless Technology

Wireless devices are prohibited in all areas processing classified data and must be disabled during classified discussions, briefings and presentations
No wireless device usage within 10 ft (3 meters) of Secure Areas
Any wireless device accessing {Company} networks or processing its information must be {Company}-owned
Bluetooth may not be used at any time while at the facility
  ‒ Exceptions: mice or pointers used to advance slides
Personal cell phones are permitted in the unclassified areas of the facility with specified restrictions
The introduction of wireless devices by external personnel and visitors is restricted
Users should exercise professional behavior when using authorized wireless devices
Information Systems Security: Camera Uses and Restrictions

Embedded cameras
  ‒ Can be carried by employees and “cleared” visitors
  ‒ Prohibited for Foreign Nationals
  ‒ Camera functionality cannot be used on {Company} property
Standalone cameras
  ‒ {Company}-owned only
  ‒ DoD clearance required
Personally owned cameras
  ‒ Prohibited from {Company} facilities
Camera use within the {Company} is audited periodically by the Security Department