Incident Security & Confidentiality Integrity Availability
Objectives
- Logical Security
  - Anti-Virus Software
  - Usernames and Passwords
  - Secure Screen Savers
- Physical Security
  - Securing the work area
- Other Security
  - Individual Computer User’s Statement Of Responsibility
- Issues
Logical Security
Anti-Virus Software
- Every computer must run an anti-virus software package with virus definition files being no more than 7 days old
- Configured to download and update automatically unless otherwise configured by a CTSP
- Incident personnel may not unload or disable anti-virus software
- All portable media must be scanned before use

Anti-Virus Software: User responsibilities
- Never open file attachments from unknown, suspicious, or untrustworthy sources
- Delete spam and junk
- Never download files from untrustworthy sources
- Do not install software without first contacting the incident CTSP
- Should a virus be detected, disconnect the computer from the network and immediately notify a CTSP
Usernames and Passwords
- Do not share passwords
- Password complexity enabled
  - 8 characters with at least 1 uppercase, 1 lowercase, 1 number and 1 punctuation
- One logon per ID
Secure Screen Saver
- All computers must have a locking, password-protected screen saver enabled
- Timeout is 15 minutes
- Users will log out of shared machines when stepping away for long periods of time
System Settings: Login Banner
- Government owned equipment will display a standard or Agency specific banner at login
- Leased computers will display a standard banner:

“You are about to access a computer that is owned or leased by the United States government that is intended for authorized use and users only. You should have no expectation of privacy in your use of this network. Use of this network constitutes consent to monitoring, retrieval, and disclosure of any information stored within the network for any purpose including criminal prosecution.”
Data Backups: Incident Data
- Incident CTSPs are responsible for backing up data residing on all servers
- Ultimately, your data is your responsibility to secure
- Back it up - Lock it up. All media that contains backed up data must be secured.

Data Backups: I-Suite
- Under no circumstances shall I-Suite backups remain in the possession of any individual for “historical purposes”
- Database and data backups (not repository or documentation box copies) will be deleted and destroyed at the end of an incident
Data Security: Access Control
- Users can expect access to be limited to the data that is relevant to their position
- Additional security measures shall be provided for sensitive data
- Do not distribute data (files and photos) to individuals. Information generated on a fire belongs to the hosting agency.
- Have management approval for all users accessing the Incident network
Data Security: PII
- All Federal agencies require employees to take awareness training in dealing with Personally Identifiable Information (PII)
- This training emphasizes the importance of protecting PII data

Data Security: PII
- Incident Management Teams collect PII data from resources at Check-in.
- What is considered PII?
  - Full name
  - Telephone number
  - Street address
  - E-mail address
  - Vehicle registration plate number
  - Driver's license number
  - Face, fingerprints, or handwriting
  - Credit card numbers

Data Security: PII
- What is not considered PII?
  - First or last name, if common
  - Country, state, or city of residence
  - Age, especially if non-specific
  - Gender or race
  - Name of the school attending
  - Name of employer
  - Grades, salary, or job position
  - Criminal record
- Non-PII data does not imply non-private information
Data Security: Scrubbing
- Deleted files are not erased
- Scrubbing is the process of writing random characters over the entire hard drive
- All leased computers when being returned must be scrubbed
- Free space (as opposed to whole disk) scrubbers are acceptable
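
A toy model of the scrubbing slide, added here as an illustration and not part of the original presentation: deleting a file only drops its table entry, so a raw scan still finds the bytes until the free space is overwritten. The ToyDisk class, its 16-byte block size and the sample file contents are constructed assumptions, not a real file system.

```python
import os

BLOCK = 16  # bytes per block in this constructed toy disk

class ToyDisk:
    """Constructed model: a flat array of blocks plus a name -> blocks table."""

    def __init__(self, nblocks):
        self.data = bytearray(nblocks * BLOCK)
        self.table = {}                    # file name -> list of block numbers
        self.free = list(range(nblocks))   # unallocated block numbers

    def write_file(self, name, content):
        blocks = []
        for off in range(0, len(content), BLOCK):
            b = self.free.pop(0)
            chunk = content[off:off + BLOCK].ljust(BLOCK, b"\0")
            self.data[b * BLOCK:(b + 1) * BLOCK] = chunk
            blocks.append(b)
        self.table[name] = blocks

    def delete_file(self, name):
        # Like an ordinary delete: drop the table entry, leave the bytes in place.
        self.free.extend(self.table.pop(name))

    def scrub_free_space(self, rng=os.urandom):
        # Free-space scrub: overwrite only the unallocated blocks with random bytes.
        for b in self.free:
            self.data[b * BLOCK:(b + 1) * BLOCK] = rng(BLOCK)

    def raw_contains(self, needle):
        # What a scan of the raw device sees, ignoring the file table.
        return needle in self.data

    def read_file(self, name):
        return b"".join(bytes(self.data[b * BLOCK:(b + 1) * BLOCK])
                        for b in self.table[name])

def demo():
    disk = ToyDisk(nblocks=32)
    disk.write_file("roster.txt", b"DL# X0000000 (constructed sample)")
    disk.write_file("notes.txt", b"keep this file")
    disk.delete_file("roster.txt")
    after_delete = disk.raw_contains(b"X0000000")   # still on the "disk"
    disk.scrub_free_space()
    after_scrub = disk.raw_contains(b"X0000000")    # overwritten by the scrub
    kept = disk.read_file("notes.txt").rstrip(b"\0")
    return after_delete, after_scrub, kept
```

The allocated file survives the scrub untouched, which is why a free-space scrubber can run on a machine that is still in use, while a whole-disk scrub cannot.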
Physical Security
Securing the Work Area
- Equipment containing sensitive data will be secured at all times
- Pay special attention to high traffic areas
- Common areas in leased facilities should not be considered secure
- Provide specific security measures for equipment during non-business hours
Other Security Procedures
Individual Security Responsibilities
- Individual Computer User’s Statement of Responsibility
- Report the loss or theft of data and equipment immediately:
  - Inform the C&G and Security
  - Inform the administrative agency
  - Inform the agency that owned or rented the equipment, if the loss was equipment
- Provide for continuity of operations
- Document all actions
Issues
- Legally, all e-mail for the Interior needs to be backed up indefinitely due to the Cobell Lawsuit
- Other Agencies also have backup requirements for e-mail
- Using Yahoo, HotMail, Gmail, or other free web based solutions does not meet this requirement

Issues
- Use of the Dispatch Messaging System (DMS) meets the needs of the court
- DMS is an e-mail system that is used by all Dispatch offices
- All e-mail sent through DMS is archived
- DMS is available to all Area Command Teams and Incident Management Teams

Issues
- For example, the Northern Rockies Teams:
  - Type 1 Team
  - Type 2 Team

Issues
- All Type 1 & 2 Teams already have these accounts
- Some Area Command Teams have these accounts
- If you need an account, contact Steve Simon
Questions?