
INFORMATION SECURITY AWARENESS TRAINING

EMPLOYEE TRAINING BOOKLET

Published by: Information Security Office, Risk Management Division, Department of Corrections and Rehabilitation, State of California

Information Security Awareness Training Information Security Office

Revision: February 8, 2006 OTPD Approved: January 20, 2006

Reference Information
ENTERPRISE INFORMATION SERVICES (EIS) CALL UNIT (HELPDESK): (916) 324-7789
CDCR INFORMATION SECURITY OFFICER: Allen Pugnier (A), (916) 358-2459, allen.pugnier@cdcr.ca.gov
ON THE INTRANET: SECURITY AWARENESS TRAINING
Click on the Information Security link from the CDCR intranet main page and navigate to the Security Awareness Training area:
http://intranet/PED/Information-Security/featured/Training/trng_main.asp
For more on the Information Security intranet site:
http://intranet/PED/Information-Security/resources/links/links_main.asp

NOTE: Some of the material in this handbook is copyrighted by the San Francisco Chapter of the Information Security Association, Inc. (ISSA), and is used with their permission.


Table of Contents
OVERVIEW .......... 1

LEARNING OBJECTIVE 1: INFORMATION SECURITY AND PRIVACY
  A. What is information security? .......... 2
  B. What is information privacy? .......... 3
  C. The Importance of Information Security and Information Privacy .......... 3

LEARNING OBJECTIVE 2: LAWS AND POLICIES GOVERNING INFORMATION SECURITY
  A. State Laws .......... 5
     Unauthorized Computer Access .......... 5
     Information Practices Act (IPA) .......... 6
     Public Records Act (PRA) .......... 6
  B. Federal Laws .......... 7
     Federal Copyright Act .......... 7
     Electronic Communications Privacy Act .......... 7
     Computer Fraud and Abuse Act .......... 7
     Health Insurance Portability and Accountability Act .......... 8
  C. State Policies .......... 8
     State Administrative Manual .......... 8
     Department Operations Manual .......... 8

LEARNING OBJECTIVE 3: APPROPRIATE USE OF CDCR INFORMATION ASSETS
  A. Electronic Mail .......... 10
     Appropriate Use .......... 11
     Inappropriate Use .......... 11
     Email Box .......... 12
  B. Passwords .......... 13
  C. Internet Usage .......... 14
  D. Anti-Virus .......... 14
  E. Telephone Usage .......... 15
  F. Remote Access .......... 15
  G. Hardware .......... 15
  H. Software .......... 17

LEARNING OBJECTIVE 4: CLASSIFY AND PROTECT INFORMATION ASSETS
  A. Confidential Information .......... 18
  B. Public Information .......... 20
  C. Sensitive Information .......... 20
  D. Personal Information .......... 21
  E. The Work Area .......... 22
     Workstation and Terminal Access .......... 23
  F. Visitors .......... 23
  G. Telephone Communications .......... 24
  H. Social Engineering .......... 24
  I. Email .......... 25
  J. Disposing Hard Copy Information .......... 26
  K. Voice Mail Protection .......... 26
  L. Protecting Telephone Cards .......... 27
  M. Destroying Electronic Data Files .......... 27
     Local Data Files .......... 27
     Removable Media .......... 28
     Network Disk/Server Files .......... 28
  N. Safeguarding Equipment While Away from the Office .......... 28
     Modem Usage .......... 29
  O. File Backups .......... 30
     Good Backup Practices .......... 31
  P. Password Selection .......... 31
     Passwords to Avoid .......... 32
     Password Dos .......... 32
     Password Don'ts .......... 33
  Q. Malicious Software .......... 33
     Symptoms of Malware .......... 34
     Preventing Malware Infections .......... 34
  R. Faxing Documents .......... 35

LEARNING OBJECTIVE 5: INMATES AND COMPUTERS
  A. Inmate Qualifications for Computer Access .......... 36
  B. Appropriate Computer Configurations for Inmate Access .......... 37
  C. Physical Locations for Inmate Accessible Computers .......... 37
  D. Appropriate Inmate Access and Activities .......... 38
  E. Supervising Inmates Using Computers .......... 39

LEARNING OBJECTIVE 6: INFORMATION SECURITY INCIDENTS
  A. Identifying an Information Security Incident .......... 40
  B. Handling Information Security Incidents .......... 44
  C. Consequences to Information Security Incident Violations .......... 44

APPENDIX A: GLOSSARY

NOTE: All references to inmates, wards, and parolees in this document are hereby referred to as offenders unless specifically stated as such.


Overview

This booklet provides all California Department of Corrections and Rehabilitation (CDCR) employees with the knowledge and understanding of how to use and protect information assets. All CDCR employees accessing or using computers are required to take annual information security awareness training. As CDCR employees, you have been trusted with CDCR's information. This trust comes with the responsibility and obligation to make certain that CDCR information and computing facilities are used appropriately. This is an important responsibility because CDCR handles sensitive and confidential information on a daily basis.

Each learning objective covers one broad topic or one set of related topics. Some of the information in each topic may overlap learning objectives. However, after completing each of the learning objectives, you will have acquired the necessary knowledge needed to complete a final training quiz. The learning objectives will be presented in the following order:

OBJECTIVE 1: You will be able to identify the definition and know the importance of information security and information privacy.

OBJECTIVE 2: You will be able to identify the laws and policies governing the protection of CDCR's information assets.

OBJECTIVE 3: You will be able to identify the appropriate use of CDCR's information assets.

OBJECTIVE 4: You will be able to identify the classification of CDCR's information assets and how to protect them.

OBJECTIVE 5: You will be able to identify CDCR's requirements for inmate access to computers and the rules for supervising them.

OBJECTIVE 6: You will be able to identify information security incidents and know how to handle them.


OBJECTIVE 1:
YOU WILL BE ABLE TO IDENTIFY THE DEFINITION AND KNOW THE IMPORTANCE OF INFORMATION SECURITY AND INFORMATION PRIVACY.

Information Security and Privacy


Whether you work with paper records, or a computer, or spend most of your day on the telephone, you are an integral part of CDCR's information security program. Information security is the job of every CDCR employee. When you work with any form of records or data, it is important that you do everything possible to make sure these information assets are secure.

What you should learn from this objective:
- The definition of information security.
- The definition of information privacy.
- The importance of information security and information privacy.

Thinking Focus: What are some examples of an information asset?

Topic A What is Information Security?


Information security is the protection of information assets from unauthorized access, use, modification, theft, deletion, and disclosure. Information security includes the strategies, policies, procedures, mechanisms and technical tools used to protect information, as well as the systems and equipment that contain and process that information. So what does that mean to us? The practice of information security means protecting the item or information every minute it is in our care. Information can come in many forms and is comprised of a collection of facts or data. Listed below are some examples of the different forms of information you might see at work:
- Computer screen displays
- Word processing documents
- Spreadsheets
- Graphics and drawings
- Presentations
- Personal computer hard drives and records
- Conversations both on and off the phone
- Computer printouts
- Letters, memos and reports
- FAX documents
- Diskettes, CDs, and USB portable drives
- Electronic mail and schedules
- Voice mail messages


Thinking Focus: Is information privacy the same thing as information security?

Topic B
What is Information Privacy?
Information privacy is the prevention of revealing personal information to anyone that does not have permission to have access. Information privacy is what ensures personal information is accessible only to those authorized to have it. People think of privacy and security in the same context. However, it is important to understand that giving out any personal information to a person not authorized to receive it is a violation of Information Privacy. This information should only be provided to individuals with a need to know and they must be authorized to access the information.

Thinking Focus: Why do you think information security and information privacy are important?

Topic C
The Importance of Information Security and Privacy
People protect their homes with locked doors, locked windows, an alarm system, or large dog(s) to provide a safe, secure place for their family and belongings. Access to their assets is available only to those that they allow. It is important to provide the same security for CDCR assets and information. Our department's mission relies on having adequate information security and information privacy controls. CDCR's information systems hold not only offender data, but personal information about us. The loss of any of this information can cost time, money, and in some cases even lives. Not only does CDCR have an obligation to incarcerate California's most serious criminal offenders, it must also protect its employees and those under its care from harassment, injury, or death. YOU are a part of that process.

The following are some of the things that could happen because of poor information security:
- Inaccurate information.
- Unauthorized access to information.
- Loss or destruction of information.

Law enforcement agencies and the courts generate much of the information maintained by CDCR. This information must be accurate for both the judicial system and CDCR to function properly. Inaccuracies can cause delays in legal proceedings, mishandling of information, inappropriate legal actions, incorrect offender release dates, incorrect work assignments, incorrectly prescribed or dispensed medication, or other actions that have adverse effects on CDCR. For instance, if inaccurate custody level information is retrieved for an offender, that offender could be placed in an incorrect custody-level area. This could increase the risk of an offender escape or physical harm to himself or herself, other offenders, and staff.

Another example is the absence of (or inaccurate) gang affiliation information for an offender, which creates the risk of an offender being placed with rival gang members. The department also maintains offenders' health records and is required to protect those records by the Health Insurance Portability and Accountability Act (HIPAA). This information is used to ensure appropriate health care for offenders while they are housed in our facilities. The data in these records are also used to ensure the safety and protection of CDCR employees. Health information follows offenders once they are paroled, and can affect them after their release from institutionalization. Inappropriate disclosure or modification of this confidential information could have serious negative consequences for both offenders and employees. If the integrity of an offender's medical information has been compromised, it could affect diagnosis or the dispensing of medication. Misdiagnosis could cause harm or prevent appropriate medical treatment for an offender. Inaccurately dispensed medication could cause negative physical or mental health reactions, or both, increasing the risk of altering an offender's behavior and causing harm to themselves, other offenders, and staff.

Information security and privacy provide access controls. These controls can eliminate suspicion and identify the possible wrongdoer(s) responsible for deliberately conducting unauthorized access, modification, destruction, theft or disclosure of information assets. Each time you access information systems using your logon user name and password, the activities conducted under your user name are associated with you. Adequate measures for information security help to ensure the smooth functioning of information systems and protect the organization from loss or embarrassment caused by security failures. It is essential that every single employee be a part of the information security program.


OBJECTIVE 2:
YOU WILL BE ABLE TO IDENTIFY THE LAWS AND POLICIES GOVERNING THE PROTECTION OF CDCR'S INFORMATION ASSETS.

Laws and Policies Governing Information Security


Information security is defined by laws and regulations. The California State Constitution provides the right to privacy for all individuals. Federal and state laws require specific security provisions to be in place. Some information security violations, such as unauthorized modification or destruction of a computer system or data, are punishable by a fine, incarceration, or both. Information security is not an option or choice; it is a legal requirement.

What you should learn from this objective:
- State laws relating to information security.
- Federal laws relating to information security.
- State policies relating to information security.

Thinking Focus: Does everyone have a right to privacy?

Topic A State Laws


The CDCR is required to follow California State laws and regulations pertaining to information security. Listed below are the main references in the body of those California laws that pertain to information security:

California Penal Code 502


Unauthorized Computer Access
This act refers to computer access crimes. It states that it is a crime to "intentionally access...any computer system or computer network for the purpose of devising or executing any scheme or artifice; to defraud or extort or obtain money, property or services with false or fraudulent intent, representations, or premises; or to maliciously access, alter, delete, damage, or destroy, any computer system, computer network, computer program or data." It is illegal to willfully gain unauthorized access and conduct modifications, disclosure, deletions, or destruction of CDCR systems, networks, or applications.

California Civil Code 1798 et seq.


Information Practices Act (IPA)
The Information Practices Act was adopted to protect the privacy of people about whom state agencies collect information. This Act protects all personal information held by state agencies, prohibiting disclosures except under certain circumstances, and includes penalties for violations. The IPA states, "The Legislature declares that the right to privacy is a personal and fundamental right protected by . . . the Constitution of California and by the United States Constitution and that all individuals have the right of privacy in information pertaining to them . . . Each agency shall maintain in its records only personal information which is relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution . . . The increasing use of computers and information automation makes personal information easily accessible and subject to careless handling. Each agency shall collect personal information to the greatest extent practicable directly from the individual who is the subject of the information rather than from another source." This law protects individuals' rights to privacy, requiring that agencies collect and maintain only the personal information required to accomplish the mission of the agency, and that they protect that information from unlawful and unauthorized disclosure and modification. The IPA defines personal information as information that identifies or describes an individual, and includes, but is not limited to, name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. The IPA also requires notification to persons whose personal information has been compromised.

Thinking Focus: Who can request to see public records?

Government Code 6253


Public Records Act (PRA)
The Public Records Act is designed to give the public access to public information that is collected and maintained by state and local agencies. Records include all communications related to public business regardless of physical form or characteristics, including any writing, picture, sound, or symbol, whether paper, magnetic or other media. However, specific exceptions to disclosure are listed. Those record types that are exempted from this law are confidential. A list of those confidential record types most likely to be used by CDCR employees is provided under Confidential Information in Protecting Confidential and Sensitive Information. All other record types are non-exempt, and access to them must be provided upon request. "Public records are open to inspection at all times during the office hours of the state or local agency and every person has a right to inspect any public record, except as hereafter provided. Any reasonably segregable portion of a record shall be available for inspection by any person requesting the record after deletion of the portions that are exempted by law."

Thinking Focus: Is personal health information exempt from the Public Records Act?

Topic B Federal Laws


The CDCR is required to follow federal laws pertaining to information security. Listed below are the main references in the body of those federal laws that pertain to information security:

U.S. Code - Title 17 (Public Law 95-553)


Federal Copyright Act
This law states that persons who purchase software do not have the right to make additional copies without the permission of the copyright owner, except to make a backup copy. Copying software for any other purpose is illegal, and punishable by fines and imprisonment.

U.S. Code - Title 18 (Public Law 99-508)


Electronic Communications Privacy Act (ECPA)
This law prohibits the interception and disclosure of communications and unlawful access to stored communications, including computer data. Unauthorized access to data stored in electronic storage systems is a crime punishable by fine and imprisonment.

U.S. Code - Title 18 (Public Law 99-474)


Computer Fraud and Abuse Act (CFAA)
This law states that unauthorized access to computers for the purpose of obtaining protected information, or to cause damage or make unauthorized changes to software or data on a computer system, is a crime punishable by fine and imprisonment.


Public Law 104-191


Health Insurance Portability and Accountability Act (HIPAA)
This is a federal law that protects individually identifiable health information. It governs the privacy and security of individually identifiable health information that is transmitted or maintained in electronic media by entities that conduct electronic transactions, protecting it from unauthorized use, access, or disclosure.

Thinking Focus: Where can you find state policies that pertain to information security?

Topic C State Policies


The CDCR is required to follow state policies containing regulations that have to do with information security. Listed below are the state policies with regard to information security:

State Administrative Manual


The State Administrative Manual (SAM), Section 4840 et seq., requires that agencies provide for the integrity and security of their automated information. This includes information classification, establishing information ownership, establishing a risk management process, identification of agency critical applications, development of an Operational Recovery Plan for recovery of critical applications, and reporting of security incidents to the Department of Finance (DOF) and the California Highway Patrol. Should any audit indicate that the State's security policies are not implemented, or that our department has not taken corrective actions with respect to security deficiencies, our department may be subject to any or all of the following:
- Further audit and review by the DOF, Office of Technology Review, Oversight, and Security (OTROS).
- Revocation of delegated approval authority for information technology projects.
- Application of penalties specified in Government Code, Section 1222.

Department Operations Manual


The statewide information technology (IT) policies and procedures contained in the SAM are governed by the DOF, and are implemented via CDCR's departmental policies and procedures contained in the Department Operations Manual (DOM), Chapter 4.


CDCR's information security policy is to protect its information from unauthorized access, modification, deletion or disclosure of information maintained in agency files and databases. The purpose of this policy is to establish a standard of due care to prevent misuse or loss of CDCR's information assets. This policy establishes internal policies and procedures that:
- Establish and maintain management and staff accountability for protection of CDCR's information assets.
- Establish and maintain processes for the analysis of risks to CDCR's information assets.
- Establish and maintain cost-effective risk management processes.
- Protect CDCR employees, who are authorized to access CDCR's information assets, from temptation, persuasion, and threat.
- Establish and maintain processes for authorizing access and supervision of inmates on inmate-use computers.
- Establish the process of identifying and reporting information security incidents.


OBJECTIVE 3:
YOU WILL BE ABLE TO IDENTIFY THE APPROPRIATE USE OF CDCR'S INFORMATION ASSETS.

Appropriate Use of CDCR Information Assets


Information assets belonging to CDCR are made available to all authorized users that require computing resources. Before you use any of the CDCR information assets, you must understand the appropriate usage of those assets and your responsibility for that use. Information assets must only be used for CDCR-related business activities. As a CDCR employee, you are expected to follow federal and state laws, regulations, and policies governing the access and use of computers, information and electronic communications systems, and to follow CDCR information security policies and procedures. When you access and use these resources, your activities must support the goals and objectives of your assigned job responsibilities.

What you should learn from this objective: the appropriate use of the following CDCR information assets:
- Electronic Mail
- Passwords
- Internet Usage
- Anti-Virus
- Telephone Usage
- Remote Access
- Hardware
- Software

Thinking Focus: For what purposes can you use CDCR email?

Topic A Electronic Mail


The CDCR electronic mail (email) system is provided to support and facilitate employees' ability to complete work assignments. Our department maintains its email system to facilitate communications. Even though you have been given an individual password for access, the resources remain the property of CDCR and the contents of the email messages are accessible at all times to CDCR management. If you use email in an inappropriate manner, you may be subject to loss of email privileges, disciplinary action, or both. These guidelines establish the appropriate behaviors expected of you when using these resources.

Your email is subject to unannounced inspections from time to time and should be treated like other shared filing systems. Email is not private and is subject to monitoring without notice.

Appropriate Use
Examples of appropriate use of CDCR email include, but are not limited to, the following:
- Scheduling, coordinating, and documenting business meetings and assignments.
- Notifying CDCR personnel of changes in work policies and/or work procedures after the appropriate approval process has been completed (must be followed up in writing).
- Transmitting and/or sharing non-confidential work-related material, including documents, files, reference material, and links to Internet sites.
- Sending and receiving business-related Internet mail.
- Notifying employees of CDCR-sanctioned employee events, including but not limited to the Medal of Honor Ceremony, United California State Employees Campaigns, and similar activities.
- Scheduling appointments, including off-work appointments and lunch breaks, on an electronic calendar.

Incidental personal use is allowed provided that it:
- Does not prevent others from performing business activities;
- Is kept to a minimum and the use of system resources is negligible;
- Is limited to your own time;
- Does not interfere with your job performance; and
- Does not adversely affect the morale and performance of co-workers.

Use of the email global distribution lists, such as CDCR Contacts, should be limited to departmental, state, or national emergencies, and information from executive levels or program areas that affects all employees. Use the Reply to All email feature considerately when you respond to all the names listed on an email.

Thinking Focus: Is it okay to send chain letters if you only send it to your friends?

Inappropriate Use
Examples of inappropriate use of email include, but are not limited to, the following:
- Using Internet email to discuss, distribute, or share confidential information without encryption. Using a disclaimer stating that the message may contain confidential information does not excuse the sender from sending unencrypted confidential information.
- Email with offensive content and unlawful material.
- Reviewing, receiving, and/or intercepting the electronic communications of another employee without express, prior authorization by the employee or their management.
- Logging on with a user ID and password other than your own.
- Copying or routing notes, messages, documents, or memoranda to individuals who are not involved in the relevant work project or who otherwise have no business-related interest in the subject matter.
- Distributing messages of a predominantly personal nature, or for personal gain.
- Distributing copyrighted material without prior written permission of the copyright holder.
- Except as otherwise provided in the DOM, reading email of another employee without their knowledge and consent.
- Sending sports pool or other forms of gambling messages.
- Using email for any unlawful or illegal endeavor.
- Soliciting for non-CDCR activities, such as fundraising or items of a political nature.
- Allowing offenders access to email, or sending messages on behalf of offenders.
- Transmitting profanity, obscenity, threatening language, gossip, or derogatory remarks.
- Distributing material that is not related to CDCR business, including jokes, poems, religious messages, chain letters, advertisements, publications, audio or visual clips.

Sharing of passwords is not allowed. If a situation arises when you must share your inbox with somebody else, contact your IT Coordinator for assistance. Be cautious about using the Reply to All email feature when responding to all the names listed on an email.

Thinking Focus: What is the appropriate way to manage your email box?

Email Box
Think of your CDCR email box as you do your home mailbox. You retrieve and open mail from your mailbox on a regular basis. If you left all your mail, opened or not, in your mailbox for any length of time, the postal service would no longer be able to deliver your mail. Email mailbox sizes on the servers are globally set and controlled. You are encouraged to manage your server mailbox by regularly moving messages to your personal folders. There is no size limit on personal folders, other than the space available on the local or network drive used. If your server mailbox exceeds the allowable size limit, you may not be able to send or receive any additional email. Your local IT staff person can help you set up appropriate mechanisms on your workstation to avoid disruption of your email. If your workgroup requires a single "mailbox" accessible by multiple people, contact the Enterprise Information Services (EIS) Call Center at 324-7789.

Thinking Focus: Can you use CDCR email to send confidential information?

Email is a tool. We should all use it in a professional, courteous manner, keeping to the work at hand. When a message is confidential, NEVER USE EMAIL. Email is simply not secure. You have no idea where your email will be forwarded or how it will be handled once it leaves your computer. Common sense should guide you in the appropriate use of the CDCR email system. Inflammatory, retaliatory, or defamatory remarks, or messages that contain emotional outbursts, should not be sent electronically.
IF IN DOUBT, DON'T SEND IT OUT

For more information on how to protect your email, see Email under Classify and Protect Information Assets in Objective 4.

Thinking Focus: What are the requirements for creating and maintaining passwords?

Topic B Passwords
User IDs and passwords are issued to enable authorized access to CDCR systems and resources. You are accountable for all system activity associated with your ID and password. Passwords must comply with the following CDCR password selection policy:
- Must be at least seven characters long.
- Must be a combination of numbers and letters.
- Must be changed in accordance with the requirements of the specific software application or system, every 30 to 90 days.
- Cannot be words found in any dictionary.
- Cannot be easily guessed, such as: one's name or nickname, the names of one's children, names or words associated with one's hobbies, or names associated with favorite forms of entertainment such as books, TV shows, or movies (examples: JEDI, FRODO, PICARD).
- Shall not be written down or shared with anyone.
For more information on how to select a password, see Password Selection under Classify and Protect Information Assets in Objective 4.

Thinking Focus: Why is downloading music, graphic files, or games prohibited?


Topic C Internet Usage

Internet access is provided to CDCR employees in order to enhance and facilitate communications and information sharing, and to access research and reference sources. Below are guidelines to keep in mind when using the Internet:
- Use the Internet for government business purposes only.
- All Internet access via the CDCR network is monitored.
- Visiting websites with the following content is strictly prohibited: hateful, racist, pornographic, explicit or illegal activity; adult entertainment, sports, gambling, online auctions, and entertainment (including music and video downloading and peer-to-peer sharing); websites with hacking or anti-government content.
- Downloads of Internet files, including graphic images and templates, can create a significant security risk. If done at all, use extreme caution and scan the files for viruses.
- Files downloaded from or uploaded to the Internet may not contain any of the following: derogatory comments regarding race, color, religion, sex, age, disability or national origin; offensive language or imagery; any content prohibited by law or regulation; software, computer applications, or other tools whose purpose is to break into or circumvent computer and network security; screensavers, games, shareware, music files, or movies.
- Copyright violations, Internet gaming, and other file sharing are prohibited.
- Posting on the Internet any CDCR information or statements regarding CDCR without prior approval from our agency Public Information Officer is prohibited.

Thinking Focus: Why are you required to use anti-virus software?

Topic D Anti-Virus
Anti-virus software is used to identify, prevent, and eliminate computer viruses. The CDCR standard, supported anti-virus software is required on all CDCR workstations and laptops. Anti-virus software requires updates as they become available; unless this happens automatically, download and install anti-virus software updates regularly. Always scan removable media (floppy disk, CD-ROM, USB portable drive, etc.) before using it. Anti-virus software must not be disabled or deactivated.


For more information, see Malicious Software under Protecting Confidential and Sensitive Information in Objective 4.

Topic E Telephone Usage


When using the telephone while conducting CDCR business, the same laws, policies and guidelines apply when information is being communicated or disclosed. For important guidelines on using the telephone, see Telephone Communications under Classify and Protect Information Assets in Objective 4.

Topic F Remote Access


Remote access is the ability to connect to the CDCR network and its information assets from a location outside CDCR facilities, through a controlled access mechanism that must be passed before the connection is allowed. Every remote access path is a potential route for unauthorized access to CDCR information assets. If you require remote access to the CDCR network, talk to your supervisor or IT Coordinator.

Thinking Focus: What should you do if you want to use non-CDCR equipment with CDCR-owned equipment?

Topic G Hardware
CDCR Hardware
Employees issued CDCR equipment are responsible for the safety, care and handling of that equipment. Jobs requiring the issuance of portable devices (such as laptops) require approval from the supervisor to use the equipment away from the office. If you are assigned such equipment, you are also responsible for the safety, care and handling of that equipment away from the office. Use of CDCR-issued equipment must conform to all acceptable use criteria, and the equipment may not be used illegally as defined by state, local, and federal laws. It must not be used for malicious activities and should be password protected at all times. All CDCR equipment connecting to the CDCR network, including equipment that connects via remote access, must be current with all mandatory software upgrades and patches. Stay in communication with your IT Coordinator, and when they request you to bring your computer in for patching, make every effort to comply in a timely manner.
Workstations and Terminals
If it locks, lock it when you leave. Keep the key in a secure area. Some older terminals still in use are kept in special boxes that can be locked. Others have removable keyboards, where the keyboard is stored in a locked cabinet when not in use. Log off or activate the password-protected screensaver when you leave your immediate work area. DO NOT LEAVE AN UNATTENDED SESSION. If you see an unattended terminal or workstation, or somebody in your work area that you do not know using a terminal or workstation, notify your supervisor. If the screen displays sensitive information, be sure that no one else can see it.

All computing devices must be secured when left unattended. Guidelines for protecting CDCR equipment are provided under Safeguarding Equipment While Away from the Office within the section Protecting Confidential and Sensitive Information.
Non-CDCR Hardware
No non-CDCR hardware may be used in or with CDCR systems. If you believe you need a computer system component that is not currently provided to you, speak with your supervisor.

Thinking Focus: Can I use portable and handheld telecommunications devices for CDCR business purposes?
Portable and Handheld Telecommunications Devices
Portable and handheld telecommunications devices include, but are not limited to, computers with wireless communication capability, such as a cellular telephone or a personal digital assistant (PDA). These devices are convenient because they allow us to send electronic data and voice communications without wires and from almost anywhere within range of an access point. However, these devices are easily lost or stolen, and appropriate security controls are costly and time consuming to manage properly.

Thinking Focus: Have you or someone you know ever lost a cell phone or had one stolen?

Without appropriate security controls and configurations, these devices make it easy and convenient for anyone to gain access to communications and information systems. Access control and authentication on them are difficult to enforce. Data can be transmitted to and from PCs without the knowledge or permission of the user. All wireless communication systems must be reviewed and approved by Enterprise Information Services (EIS) and the ISO. These devices are never allowed in inmate-accessible areas without prior written approval from the Information Security Officer (ISO). These devices may not be used to access public wireless networks. These devices may only be used for wireless connectivity to synchronize with a CDCR network station. You can all too easily get a virus by using public wireless networks, and although all wireless communication systems must have the CDCR standard virus protection installed, the risk of infecting CDCR networks still exists when you connect to synchronize with your CDCR workstation.

Thinking Focus: If you develop software while at work, does the software belong to you?

Topic H Software
CDCR Software
Making copies of software owned by CDCR is prohibited unless the software license specifically allows its use on more than one system and your supervisor has approved it. Creating copies of or using unauthorized software may violate copyright laws or software license agreements. Copyrighted software, such as Microsoft or Adobe applications, requires license fees for its use. When in doubt, contact your IT Coordinator.

Non-CDCR Software
No non-CDCR software may be installed or used in or with CDCR systems. If you believe you need computer software that is not currently provided to you, speak with your supervisor.


OBJECTIVE 4:
YOU WILL BE ABLE TO IDENTIFY THE CLASSIFICATION OF CDCR'S INFORMATION ASSETS AND HOW TO PROTECT THEM.

Classify and Protect Information Assets

Information assets fall into different categories, and it can often be confusing to determine whether information is considered confidential and/or sensitive and what degree of security it requires. You should be able to recognize the information assets you routinely use or access so you can identify the appropriate actions necessary to correctly manage and protect these resources. What you should learn from this objective:
- The definition of confidential information.
- The definition of public information.
- The definition of sensitive or personal information.
- Some of the actions you can take to protect information in the following subjects: Work Area; Visitors; Phone Communications; Social Engineering; Hard Copy or Paper Information; Electronic Files; Work Away from the Office; Modems; Passwords; Malicious Software; Backups; Faxing.

Thinking Focus: What kind of information may be classified as confidential information?

Topic A Confidential Information


Confidential information is information that CDCR maintains that is exempt from disclosure under the Public Records Act (PRA) or other applicable state and federal laws and requires special security precautions to ensure it is protected from unauthorized access, modification, and disclosure.
Confidential Information - information maintained by State agencies that is exempt from disclosure under the provisions of the California Public Records Act (Government Code, Sections 6250-6265) or other applicable State or Federal laws (SAM 4841.3)


That means we must maintain the confidentiality of information, allowing only certain authorized individuals access to it, with the understanding that they will disclose it only to other authorized individuals who have a need to know. Here are some examples of confidential information:
- Notice-triggering personal information as defined in the Information Practices Act (IPA), Civil Code 1798.29 and 1798.3. This is information that, if compromised, would require notification to the persons to whom the information pertains. It consists of an individual's last name and first name or first initial in combination with any one or more of the following data elements: social security number; driver's license number or California identification card number; account number, credit or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account. Confidential information does not include publicly available information that is lawfully made available to the general public from federal, state, or local governments. This includes, but is not limited to, staff classification and salary information, data from court records, county property records, and many public websites.
- Protected Health Information (PHI). This is individually identifiable health information that is created, received, or maintained in any form or medium, which is held by such organizations as health care providers, health plans, and contractors to these entities. PHI relates to a past, present, or future physical or mental condition, provision of health care, or payment for health care.
- Electronic health information. This is individually identifiable health information transmitted by electronic media or maintained in electronic media.
- Documents pertaining to pending litigation.
- Investigatory, security or licensing documents to or from law enforcement or correctional agencies.
- Test questions and scoring keys for licensing and employment examinations.
- Correspondence with the Governor or his office, or maintained by the Governor's Legal Affairs Secretary.
- Records related to an agency's deliberative processes, such as internal memorandums to assist our department in reaching a policy decision, and documents that pertain to collective bargaining.
- Records and contracts pertaining to the delivery of medical and health care services.
- Vulnerability assessments relevant to terrorist and other criminal activities.
- Criminal Offender Record Information (CORI), such as offender name and location, conviction offense, release date, etc.


Thinking Focus: What kind of information may be classified as public information?

Topic B Public Information


All information maintained by the State is public unless it is exempt from disclosure under the California Public Records Act (PRA). In other words, information that CDCR maintains that is not exempt from disclosure under the PRA or other applicable state or federal laws is considered public information. If you work with any information that does not fall under one of the exemptions to the PRA and is not considered confidential and/or sensitive according to other state or federal laws, it is subject to being provided to the public upon request.

Thinking Focus: What kind of information is classified as sensitive information?

Topic C Sensitive Information


Sensitive information is information that needs special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion. This information may be confidential or public. Special care should be taken to ensure accuracy and integrity of sensitive information.
Sensitive Information - information maintained by state agencies that requires special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion (SAM 4841.3)

Here are some examples of what may be considered sensitive information:
- Information on CDCR's Intranet
- Strategic Plans
- Budgetary Information
- Internal Correspondence (including email)
- Drawings of Public Buildings and Floor Plans
- Equipment Inventory Lists
- Schedules and Calendars
- Procurement Related Documentation

Thinking Focus: What kind of information may be classified as personal information?

Topic D Personal Information


Personal information is information that identifies or describes you. It may include information that is protected by the Information Practices Act (IPA) or information that is publicly available, such as from public websites or government records. Personal information is sensitive and may be classified as confidential or public. Here are some examples of personal information:
- Addresses of property you own, which are available from the courts, the Recorder's Office, and many public websites.
- Information about you that is available through public sources, such as telephone directories or government records (for example, your county property records).
- The address where you work.
- Classification and salary information.
- Office telephone number and email address.
Whether personal information is confidential or public, it is your responsibility to protect that information from unauthorized access, modification, deletion, or disclosure. Disclosing personal information unnecessarily within the CDCR environment may increase the risk of potential harm or harassment to staff and their families.

Thinking Focus: What kind of things can you do to protect the integrity of personal information?
Some of the things you can do to maintain the integrity of personal information when working are:
- Collect only information that is relevant and necessary to accomplish the purpose of your job. For instance, if you do not need to collect social security numbers, do not collect them.
- Collect as much as is practical of the personal or confidential information directly from the individual.
- The original source of personal or confidential information must be kept, except when the source is the individual, or when a copy of the original is provided to the individual.
- Data collection forms must contain all pertinent details about the information collection, such as agency information, purpose of collection, consequences of not providing the information, any known or foreseeable disclosure of the information, and the person's right to access the information.
- The accuracy, relevance, timeliness, and completeness of the information must be maintained.
- Personal or confidential information shall not be disclosed, except to the individual to whom it pertains, without the prior written consent of the individual. The exceptions to this are when the information is required for a valid CDCR business need, and when the information must be shared with other government entities as required by law.
The remainder of this learning objective describes the things you can do to protect confidential and sensitive information assets.

Thinking Focus: What can you do in your work area to protect confidential and sensitive information?

Topic E The Work Area


Now that you are aware of the different classification types of information, it is extremely important that you be alert to the sensitivity of the information you work with and continually aware of those who may have access to it. It is your responsibility to prevent unauthorized access to CDCR information assets by visitors, service personnel, offenders, or anyone else to whom access has not been allowed. Be aware of how information in your area can be accessed and know what you can do to protect it. Here are some things you can do to protect information in your work area:
- Lock doors where appropriate.
- Lock up sensitive documents and removable media (i.e., diskettes, CDs, etc.).
- Secure all computing devices when left unattended by logging off or activating the password-protected screensaver (i.e., CTRL-ALT-DELETE keys).
- Never share your logon ID or passwords for any reason.
- Clear your desk and work area at the end of the day. This includes the proper disposal or storage of sensitive documents.
- Never discuss confidential information in public areas or with individuals who do not have a need to know.
- Reports and documents with personal information or other confidential data should be placed in folders or turned over to avoid inadvertent disclosure.
- Challenge unescorted people you do not know.
- Keep food or liquids away from workstations, printers, documents, diskettes, CDs, or any other removable media.
- Keep removable media clean and dry. Do not touch the recording surface with anything, including fingers, pencils or pens. CDs are easily scratched. Diskettes are sensitive to magnets, and should be stored away from magnets, computer tops, and electric motors.


Thinking Focus: What can you do to prevent someone from accessing your workstation or terminal?
Workstation and Terminal Access
Use these precautions to restrict workstation and terminal access:
- If it can be locked, then lock it when you leave. Keep the key in a secure area. Some older terminals still in use are kept in special boxes that can be locked. Others have removable keyboards, where the keyboard is stored in a locked cabinet when not in use.
- Log off or activate the password-protected screensaver when you leave your immediate work area.
- If you use a terminal or workstation for terminal services, do not leave an unattended session.
- If you see an unattended terminal or workstation, or someone in your work area that you do not know using one, notify your supervisor.
- If the screen displays sensitive information, keep your terminal or workstation screen facing away from visitors or traffic.
- Protect your password! Do not share your password with anyone else. YOU will be the one responsible for every activity during a connection to the network or session using your logon ID, whether or not it is really you.

Thinking Focus: Who is considered a visitor and how can you protect confidential or sensitive information from them?

Topic F Visitors
You should always use caution when divulging information in the presence of visitors. Visitors include any friends or relatives, former and current CDCR employees, consultants, contractors, and sales or marketing people. Depending on your job, you may come into contact with a number of people who do not have permission to receive or access the information you use. If you are asked to provide information, and are not sure if the requestor is authorized, ask your supervisor for instructions. Here are some suggestions on how to handle this:
- Verify the requestor's identity.
- If you receive any requests from the news media (reporters), refer them to your designated Public Information Officer (PIO). Each facility, institution, or parole office should have a designated PIO on duty or available by telephone. If you cannot find a PIO, refer to your supervisor.
- If asked to respond to a survey or questionnaire, check with your supervisor.
- Refer to your supervisor any requests for employee information, such as lists with home addresses or phone numbers.

Thinking Focus: What should you know before giving information over the telephone?

Topic G Telephone Communications


When providing information over the telephone, it is important to verify the identity of the caller, whether that person has a need to know, and whether the caller has permission to receive the requested information. If you have any doubts as to the identity of the person or their authorization to have the requested information, talk to your supervisor. Do NOT give information to a person who is not authorized to receive it. Listed below are some general things to keep in mind when talking on the phone with information requestors:
- Verify the identity of the caller. If in doubt, tell the caller that you will have to call them back, and then verify with your supervisor whether the caller is genuine.
- Verify the need to know with your supervisor.
- Verify whether they are authorized to receive the information.
- Only provide necessary information. Do not give additional information.
- Do not provide employee information, such as home addresses and phone numbers, without prior permission from your supervisor.
- Be aware of who is in the area and could overhear your conversation.
- Be aware of social engineering tactics (reviewed within the next topic).

Thinking Focus: How can you determine if someone is trying to trick you to get information from you?

Topic H Social Engineering


Social engineering is a term that describes the practice of getting confidential or sensitive information by deceiving people. A social engineer runs what used to be called a con game and will trick people into revealing sensitive information or getting them to do something that is against typical policies. Do not be fooled by the intentional manipulation of an individual into believing that the person requesting information is authorized and entitled to receive that information. Often done over the phone, the caller makes their way through the organization, gaining familiarity with names, terms, acronyms, and jargon and thereby enhancing their credibility as an authorized CDCR employee.


We take for granted the information with which we work. Others with criminal intent may want that information. The following tips will help you avoid being taken in by social engineering:
- Do not mention the names of other employees or use CDCR terminology unless you are sure of the identity of the caller.
- Be especially wary if the caller wants telephone numbers.
- Never provide information about the setup or configuration of computers, networks and other telecommunications.
- Do not email or fax any documents, plans, schedules, or other material unless you are sure that the recipient is authorized to receive them.
- If you have any doubts about a caller, tell the caller that you will have to call them back later, ask for their name and telephone number, and then talk to your supervisor.
- Do not disclose your password over the telephone.

Thinking Focus: What can you do to protect your email?

Topic I Email
Email is the fastest and easiest way to spread viruses. It is your responsibility to make sure CDCR's most current virus protection software is on your workstation. The anti-virus software is configured to automatically update with the most recent anti-virus files. Do not disable this process. Workstations or email accounts that transmit viruses may be subject to removal from the CDCR network. Direct any questions about virus protection to your IT Coordinator. Here are some additional things to keep in mind to protect your email:
- Do not open unsolicited attachments.
- Do not open email without a subject line.
- Do not open email with a misleading or provocative subject line.
- Avoid using the Auto Preview or Preview Pane option of your e-mail client.
- Check the accuracy of the name of the person you intend to send the email to before clicking the send button.
Review Electronic Mail under Appropriate Use of CDCR Information Assets in Objective 3 for a detailed list of how email should be used.


Thinking Focus: What should you be aware of when throwing away paper documents, and how should they be disposed of?

Topic J Disposing of Hard Copy Information


As discussed earlier under social engineering, social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Give careful thought before you throw old pages of procedures, policies, CDCR phone directories, etc. into the regular disposal bin. Social engineers often rummage through an organization's trash bins looking for information such as names and acronyms to use in social engineering to gain access to systems. Destroy or dispose of confidential and sensitive documents and files appropriately using the confidential destruction process in place for your office. Consult with your supervisor if you do not know the process. Reports, forms, computer printouts, screen prints and other documents may contain confidential or sensitive information even if you no longer need them.

Thinking Focus: How can voicemail be a security risk and what can you do to prevent someone from using it for their benefit?

Topic K Voice Mail Protection


Voice mail fraud, phone card theft, and the unauthorized transfer of phone numbers or calls are all common means of what can be an expensive telephone fraud. An easily guessed voice mail password, such as the telephone number, can be exploited in a popular voice mail scam. Here is how it works: a hacker calls into a voice mail system and searches for voice mailboxes that still have the default password active or have an easily guessed password. The hacker then uses that password to access the telephone system and make long-distance calls. The victim of this type of fraud usually finds out what has happened when a high phone bill arrives. Here are some tips to help you protect your voice mail:
- Make your voice mail password a minimum of seven characters in length.
- Do not use your telephone number as your voice mail password.
- Do not use repeated or consecutive numbers in your voice mail password.
- If your telephone has memory capability, do not program your password into it.
- Follow the password tips provided in this manual under Password Selection.
- Do not give your password to anyone. Remember, telephone service personnel do not need your password to maintain your system. If a person who represents themselves as a telephone service technician asks for your password, immediately inform your supervisor.
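The password rules in Topic B (Passwords) and the voice mail rules above can be turned into a mechanical check. The following is an added example written for this booklet, not code from CDCR or from the original document. The word list standing in for "any dictionary", the user's personal terms, and the telephone number are constructed test data; the booklet does not say how long a "repeated or consecutive" run has to be, so the PIN check treats any run of three or more identical or straight-sequence digits as a violation, which is an assumption.

```python
"""Policy checks for login passwords (Topic B) and voice mail PINs (Topic K).

Added example, not code from the CDCR booklet or CDCR systems. The
dictionary, the user's personal terms and the telephone number below are
constructed test data.
"""
import re

# Constructed stand-in for "any dictionary". A real deployment would load a
# full word list (e.g. /usr/share/dict/words) plus leaked-password lists.
DICTIONARY = {"password", "welcome", "summer", "jedi", "frodo", "picard",
              "dragon", "monkey", "letmein", "baseball"}


def check_password(candidate, personal_terms=(), dictionary=DICTIONARY):
    """Return the list of Topic B rules a login password breaks (empty == OK).

    personal_terms: this user's name, nickname, children's names, hobbies,
    favourite shows, etc. (constructed per user; the policy forbids them).
    """
    problems = []
    if len(candidate) < 7:
        problems.append("shorter than 7 characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must mix letters and numbers")
    lower = candidate.lower()
    # Compare only the letters, so 'Frodo99' is still caught as 'frodo'.
    letters_only = re.sub(r"[^a-z]", "", lower)
    if letters_only in dictionary:
        problems.append("dictionary word")
    for term in personal_terms:
        if term.lower() in lower:
            problems.append("contains personal term '%s'" % term)
    return problems


def _has_weak_run(digits, n=3):
    """True if any n-digit window is all identical (777) or a straight
    ascending/descending sequence (345, 543). The run length is an assumption."""
    for i in range(len(digits) - n + 1):
        window = digits[i:i + n]
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_voicemail_pin(pin, phone_number):
    """Return the list of Topic K rules a voice mail PIN breaks (empty == OK)."""
    problems = []
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    if len(pin) < 7:
        problems.append("shorter than 7 digits")
    own_number = re.sub(r"\D", "", phone_number)
    # Reject the full number and its trailing digits (the local extension).
    if own_number and own_number.endswith(pin):
        problems.append("matches own telephone number")
    if _has_weak_run(pin):
        problems.append("contains a repeated or consecutive digit run")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2006", "jedi", "x7Gk2pQ9"):
        print(pw, check_password(pw, personal_terms=["Luke"]) or "OK")
    for pin in ("3247789", "1234567", "2958417"):
        print(pin, check_voicemail_pin(pin, "(916) 324-7789") or "OK")
```

The dictionary test strips digits before the lookup because appending a year or "99" to a dictionary word is the most common way users satisfy a letters-and-numbers rule without actually leaving the dictionary; the PIN test rejects the trailing digits of the user's own number as well as the full number, since an extension such as 3247789 is what a caller who knows the directory would try first.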

Thinking Focus: How can you prevent someone from getting your telephone card access number?

Topic L Protecting Telephone Cards


If you use a telephone card with an access number, shield the keypad from onlookers as you dial. Your card number and PIN can be stolen by someone watching over your shoulder as you enter them; this is commonly called shoulder surfing.

Thinking Focus: When removable media with confidential information is no longer needed, should it just be discarded or should it be destroyed?

Topic M Destroying Electronic Data Files


Electronic data files can be stored on fixed media, such as a computer hard drive or a network (LAN) file server, or on removable media, such as CDs, diskettes, and USB portable drives. When that information is no longer needed, it must be destroyed, either by physically destroying the media or by overwriting the information. Deleting an electronic data file does not remove the information from the media on which it is stored. It only removes the file system's record of where the file was located; the data itself remains in place until something else is written over it. Deleted files can be recovered with readily available tools.

Thinking Focus: When you delete data files, can that information still be retrieved?

Local Data Files
When you delete files from the hard drive, they can be restored because the data still exists on the drive. A standard format of the drive does not reliably destroy the data either. If you have a computer that needs to be reassigned or surveyed, work with your IT Coordinator to determine the appropriate method of destroying the data on the hard drive. Do not pass on removable media or hard drives that you believe may have stored confidential or sensitive information.


Thinking Focus: Who do you contact if you need to destroy data on removable media?

Removable Media
Removable media comes in many forms: diskettes, tapes, USB portable drives, and so on. Diskettes, tapes, or USB portable drives used to store confidential information must be physically destroyed or entirely overwritten before being passed along.

CDs and DVDs


All CDs and DVDs used to store confidential information must be physically broken or otherwise destroyed to make them unreadable. You can accomplish this by scrubbing the top (label) surface with an abrasive cleaning pad, which damages the reflective data layer beneath it, or simply by breaking or cutting the disc into several pieces. Recordable (R) CDs and DVDs can be written only once, but, similar to a hard drive, Re-Writable (RW) CDs and DVDs can be written to a number of times. If you use RW CDs and DVDs to store confidential information, you must follow the same guidelines as for a hard drive: deleting data files stored on RW CDs and DVDs does not destroy the data.

Thinking Focus: Are the files you store on the network or server removed when you delete them from the network?

Network Disk/Server Files
When you delete a file, it is possible that you have not deleted all the copies of the data. There may be additional copies of that file on a local area network (LAN) drive or in network backups. Keep in mind that just because you delete a file located on your computer, that file may still exist on servers or in backup files.
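The point Topic M makes about deleting versus overwriting, shown in code as an added example (this is not code from the booklet or from CDCR). The toy disk model and the sample "confidential" string are constructed for illustration; the recovery step is a plain scan of the raw blocks, which is how carving tools find deleted files. The second function overwrites a real file before unlinking it, with the caveat a practitioner needs: on SSDs, journaling or copy-on-write file systems, and anywhere snapshots or backups exist, an in-place overwrite may not reach every copy, which is why the booklet's advice of physical destruction or involving the IT Coordinator stands for confidential media.

```python
import os
import tempfile

BLOCK_SIZE = 16  # bytes per block; a constructed, deliberately tiny device


class ToyDisk:
    """A minimal model of a disk: a flat array of blocks plus a directory that
    records which blocks each file occupies. It captures the one property that
    matters here: an ordinary delete edits the directory, not the blocks."""

    def __init__(self, n_blocks=8):
        self.blocks = bytearray(n_blocks * BLOCK_SIZE)
        self.free = list(range(n_blocks))
        self.directory = {}  # file name -> list of block numbers

    def write(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
        self.directory[name] = used

    def delete(self, name):
        """Ordinary delete: forget where the file was and mark its blocks free.
        The bytes stay on the media until something else is written there."""
        self.free.extend(self.directory.pop(name))

    def overwrite_and_delete(self, name, passes=1):
        """Overwrite every block the file occupies, then delete it."""
        for b in self.directory[name]:
            for _ in range(passes):
                self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        self.delete(name)

    def carve(self, marker):
        """What a recovery tool does: ignore the directory and scan the raw blocks."""
        return marker in bytes(self.blocks)


def demo():
    """Same confidential content on two fresh disks: a plain delete leaves it
    recoverable, overwrite-then-delete does not. Returns (after_delete, after_wipe)."""
    secret = b"SSN 123-45-6789 CONFIDENTIAL"  # constructed sample, not real data

    plain = ToyDisk()
    plain.write("report.txt", secret)
    plain.delete("report.txt")
    after_delete = plain.carve(b"CONFIDENTIAL")  # True: the data is still there

    wiped = ToyDisk()
    wiped.write("report.txt", secret)
    wiped.overwrite_and_delete("report.txt")
    after_wipe = wiped.carve(b"CONFIDENTIAL")  # False: only random bytes remain
    return after_delete, after_wipe


def shred_file(path, passes=2):
    """Overwrite a real file in place, flush it to the device, then unlink it.
    Caveat: SSD wear levelling, journaling and copy-on-write file systems, and
    snapshots or backups can all keep a copy this overwrite never touches."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, 65536)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)


def shred_demo():
    """Create a throwaway file, shred it, and report whether it still exists."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample data " * 1000)
    shred_file(path)
    return os.path.exists(path)


if __name__ == "__main__":
    print("recoverable after delete / after overwrite:", demo())
    print("file still present after shred:", shred_demo())
```

Run it as a script: the first line prints `(True, False)`, which is the whole lesson of Topic M in one tuple, and the second prints `False`.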

Thinking Focus: What can you do to protect your equipment when you use stateowned equipment and resources outside or away from the office?

Topic N
Safeguarding Equipment While Away from the Office
Portable computing devices, such as laptops and handheld communications devices, can be easily stolen or damaged when you remove them from the office. Before you take equipment away from the office, remember these important points: Obtain approval from your manager or supervisor to use state-owned equipment away from the office. Obtain an equipment pass if your division has such a requirement.

Use care in handling the equipment. Follow CDCR's information security policies and procedures to protect the equipment from loss or theft. Ensure access to CDCR equipment or resources is only for authorized CDCR activities.

Do not leave equipment visible in your parked car. Do not leave equipment in a car overnight, including in the trunk. Take it with you! In public places, do not leave equipment unattended, even for a moment. This is especially true at airport security checkpoints and in restaurants and coffee shops. Never let it out of your sight. Be sure to take all your bags and cases with you before returning a rental car.

Make backup copies of your information and leave the backup copies at the office. No confidential information may be taken from your workplace without prior written approval from your chain of command. Keep sensitive or confidential information out of casual view of others, such as hotel staff and strangers in public places. Do not discard unneeded reports and other papers that contain sensitive or confidential information in your hotel room trash can. Take the information back to the office and dispose of it using the confidential trash process.

When using remote access to log on to the CDCR network, do not leave the connection open when you are away from your computer. An unattended remote session could give someone else unauthorized access to the CDCR network. Do not allow others to use your CDCR computer. This includes family members. The computer provided to you by CDCR is intended for your use only.

Make sure the equipment is tagged with an inventory control tag. Keep a copy of your device specification sheet at your office, including the inventory control tag number and serial number, so the device can be identified if it is lost or stolen.

Modem Usage
Using a modem to connect to CDCR systems is the same as being connected to the CDCR network at the office. The same rules apply as if you were sitting in your work area using a computer. If your computer has a modem, the modem must not be in use while the computer is connected to the CDCR network with a network cable; a machine bridged between an outside line and the internal network is a path around the network's perimeter defenses. The modem is to be used ONLY when the computer is not already connected to the network. Never leave an active session unattended, and be aware of anyone who can see the information on your computer screen. Lock up the modem when you are not using it. If your computer has an internal modem, make sure the computer is kept in a lockable area. No modems are allowed in areas where inmates have access. All other policies and guidelines apply, including appropriate use of email and Internet access and keeping virus scanning software current. Work with your IT Coordinator to configure your computer to update automatically when you use remote access.


Thinking Focus: What will you do if your working files or documents become lost or suddenly unavailable?

Topic O File Backups


Backups can be a real time saver if something happens to your computer or data. Without a backup, you may be faced with the overwhelming task of re-entering and recreating reports, spreadsheets and databases, assuming you can actually re-enter or recreate the information after losing it. Some data, once lost, can never be replaced.

Thinking Focus: Which files or documents should you back up?

Not everything needs to be backed up, but generally, information should be backed up if any of the following apply: You cannot afford to lose it. It would take too much time to recreate it. It would cost more to recreate it than to back it up. The original source is no longer available.

Thinking Focus: How do you go about backing up your files or documents?

If you use a computer on the CDCR network, you can use the network itself to make your backups. Simply save your files to a shared area of the network. Network shares are set up with different types of access; most are configured on the servers to allow only specific divisions or branches to reach them. "Servers" are the hardware that stores the electronic files, and they are regularly backed up by the IT Coordinator. Check with your IT Coordinator on which network share would be best for your files. If your computer is not on the network, backups you make on removable media should be stored in a secure location away from your office. If a catastrophic event such as a fire occurs, backups kept in the same place as your computer will be destroyed along with it. Backups are, by definition, copies of the same confidential and sensitive data you take great pains to secure on your computer. Be sure to afford the backups an equal measure of security: lock them up!


Thinking Focus: What are considered good backup practices when using removable media for backups?

Good Backup Practices
If one backup is good, two backup copies are even better. Sometimes backups fail. If the data is essential and critical, multiple backups are necessary. The most straightforward process is to make daily backups and keep several days' worth: all backups made on Monday go on the Monday disk, those made on Tuesday on the Tuesday disk, and so on. If you need to restore information from a backup, you have your most current daily backup plus four fall-back backups, each one day older than the one before. Restoring from a two-day-old backup means you have to recreate two full days' worth of data, but that is still better than having to recreate it all. For systems with irreplaceable data, or with requirements for restoration in a very short period of time, one more backup is made as well: the offsite recovery backup. This backup is usually made weekly and is stored in a location quite distant from your normal operation. Services are available to pick up your offsite backups and store them in climate-controlled vaults at some distance, often hundreds of miles away. In the event that all other backups are destroyed or fail, the offsite recovery backup can be retrieved and used to rebuild your system. Test your recovery process before you need to use it. Do not assume your backups will work. Finding out your backups are bad when you need them is too late. Store backups in a fire-resistant media safe, or far enough from your work area that a fire, flood, earthquake or other event that bars return to your work area leaves your backups available. Backups may contain confidential and sensitive data and should be stored securely, with access only for those authorized. If you need assistance on how to test your backup data, contact your IT Coordinator.
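The daily rotation and the "test your recovery process" advice above, carried out in code as an added example (not code from the booklet or from CDCR). The weekday-to-slot mapping, the directory layout under a backup root, the manifest file name and the sample working directory are all assumptions constructed for this illustration. The part a practitioner should take away is the verification step: a backup is only proven good by restoring it somewhere else and comparing every file against hashes recorded when the backup was made.

```python
import datetime
import hashlib
import json
import os
import shutil
import tempfile

DAILY_SLOTS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]


def slot_for(day):
    """Which rotating disk a backup made on `day` goes to. Weekend days return
    None (assumption: no backups run outside the work week)."""
    return DAILY_SLOTS[day.weekday()] if day.weekday() < 5 else None


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_root, slot):
    """Copy src_dir into the slot (rewriting whatever was there last week) and
    write a manifest of SHA-256 hashes beside it. Returns the manifest."""
    dest = os.path.join(backup_root, slot)
    if os.path.isdir(dest):
        shutil.rmtree(dest)
    shutil.copytree(src_dir, dest)
    manifest = {}
    for root, _, files in os.walk(dest):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, dest).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    with open(os.path.join(backup_root, slot + ".manifest.json"), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_restore(backup_root, slot):
    """The 'test your recovery process' step: restore the slot into a scratch
    directory and check every file against the manifest. Returns (ok, problems)."""
    dest = os.path.join(backup_root, slot)
    with open(os.path.join(backup_root, slot + ".manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restored = os.path.join(scratch, "restore")
        shutil.copytree(dest, restored)
        for rel, expected in manifest.items():
            path = os.path.join(restored, *rel.split("/"))
            if not os.path.exists(path):
                problems.append("missing: " + rel)
            elif sha256_file(path) != expected:
                problems.append("corrupt: " + rel)
    return (not problems, problems)


def demo():
    """Back up a constructed working directory, prove the restore works, then
    simulate a bad backup disk and show that the check catches it."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "docs")
        os.makedirs(src)
        with open(os.path.join(src, "roster.txt"), "w") as f:
            f.write("constructed sample data\n")
        root = os.path.join(work, "backups")
        os.makedirs(root)
        slot = slot_for(datetime.date(2006, 2, 8))  # a Wednesday
        make_backup(src, root, slot)
        ok_before, _ = verify_restore(root, slot)
        # A bit flips on the backup media: same size, different content.
        with open(os.path.join(root, slot, "roster.txt"), "w") as f:
            f.write("constructed sample dat_\n")
        ok_after, problems = verify_restore(root, slot)
        return slot, ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

The manifest is written next to the slot rather than inside it so that a corrupt or partially written backup cannot also corrupt the record used to check it; the offsite weekly copy described above would be made from a slot that has already passed `verify_restore`.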

Thinking Focus: What can you do to protect your password?

Topic P Password Selection


Passwords are meant to be difficult to guess (strong), but should also be easy for you to remember. Passwords can be easily guessed if the person guessing knows you or if you make the password too simple. Select passwords that are character strings that mean something only to you. Be sure to include a number or a special character within your password. Here are some suggestions for choosing a STRONG password: Choose a word that you can easily remember, remove the vowels and insert a number or two, for example: PRESIDENT becomes PR2SDNT.

Use the first letters of each word in a phrase and add a number, for example: "The quick brown fox jumped over the fence six times" becomes TQBFJOTF6x. Combine two misspelled words and insert numbers, for example: TRUE BLUE becomes TRU05BLU. Spell a word backwards and insert numbers, for example: PENCIL becomes LIC12NEP. Review Passwords under Appropriate Use of CDCR Information Assets in Objective 3 for password requirements, and do not use these or any other examples provided in printed or training materials; anything that appears in a manual is in the attacker's word list too.

Thinking Focus: What words or characters should you avoid using when selecting a password?

Passwords to Avoid
Here are some words you should not use as a password: Your name, nicknames, initials, or names of family and friends. Your system User ID. Dates, especially those that appear on your driver license or in a personal calendar that you carry in a wallet or purse. Telephone numbers, home addresses, zip codes, social security or driver license numbers, and the like. Names of pets, hobbies, special interests, and so on. Words that appear in any dictionary, regardless of language (they can be compromised by password cracking programs that use electronic dictionaries). Consecutive keys on a keyboard, e.g., QWERT or FGHJKL. All the same character, e.g., XXXXXX or 999999. Default passwords shipped with the system or software. Words in which the letter O has been replaced with zeros (cracking programs try that substitution too).

Thinking Focus: What are some password dos and don'ts?

Password Dos
Change your password at least every 90 days. Change your password immediately if it becomes known, or you suspect it is known, by anyone else. Select hard-to-guess passwords of seven or eight characters, but not so hard that you have to write them down to remember them. Enter your password in private, with no one in a position to observe your keystrokes (the system should not display the password on the screen).


Password Don'ts
Don't use words listed in the paragraph above, Passwords to Avoid. Don't write down your password on a desk pad, calendar, phone book, address book, or similar. Don't write your password on a post-it note and stick it on your computer screen, under your keyboard, or in your desk drawer. Don't tell your password to anyone. Sharing passwords is not allowed for any reason.
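The "Passwords to Avoid" list and the voice mail password rules from Topic K, written as a screening check. This is an added example, not code from the booklet or from CDCR; the small word list and the vendor default PINs are constructed stand-ins (a real screen uses a large multi-language wordlist and the actual defaults from your phone system's manual), and the sample telephone number is made up. Passing this screen is a floor, not proof of strength: it rejects what the booklet says to avoid and nothing more.

```python
import re

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed stand-in for a cracking dictionary. A real screen uses a large
# wordlist in several languages, as the booklet warns.
DICTIONARY = {"president", "pencil", "trueblue", "password", "welcome", "letmein"}

# Assumed vendor defaults for voice mail PINs; check your own system's manual.
DEFAULT_PINS = {"0000", "1234", "1111"}


def has_keyboard_run(pw, n=4):
    """n adjacent keys from one keyboard row, forwards or backwards (QWERT, LKJHGF)."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            run = row[i:i + n]
            if run in s or run[::-1] in s:
                return True
    return False


def repeated_or_consecutive(s, n=3):
    """n identical characters in a row (999, XXX) or n digits that count up
    or down by one (123, 4321)."""
    for i in range(len(s) - n + 1):
        w = s[i:i + n]
        if len(set(w)) == 1:
            return True
        if w.isdigit():
            steps = {int(w[j + 1]) - int(w[j]) for j in range(n - 1)}
            if steps == {1} or steps == {-1}:
                return True
    return False


def looks_like_dictionary_word(pw):
    """Dictionary word, including the O->0 trick the booklet specifically rejects."""
    base = pw.lower().replace("0", "o")
    return base in DICTIONARY or re.sub(r"[^a-z]", "", base) in DICTIONARY


def check_password(pw, user_id="", personal=()):
    """Return the 'Passwords to Avoid' rules a candidate breaks. An empty list
    means it passes this screen, which is a floor, not proof of strength."""
    problems = []
    low = pw.lower()
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", pw):
        problems.append("no number or special character")
    if len(set(pw)) == 1:
        problems.append("all one character")
    if user_id and user_id.lower() in low:
        problems.append("contains user ID")
    for item in personal:  # names, phone numbers, dates, zip codes supplied by the user
        if item and item.lower() in low:
            problems.append("contains personal information: " + item)
    if has_keyboard_run(pw):
        problems.append("consecutive keyboard keys")
    if repeated_or_consecutive(pw):
        problems.append("repeated or consecutive characters")
    if looks_like_dictionary_word(pw):
        problems.append("dictionary word (including O->0 substitution)")
    return problems


def check_voicemail_pin(pin, phone_number):
    """Topic K rules: digits only, at least seven, not the phone number or any
    part of it, no repeated or consecutive digits, not a vendor default."""
    problems = []
    digits = re.sub(r"\D", "", phone_number)
    if not pin.isdigit():
        problems.append("not all digits")
    if len(pin) < 7:
        problems.append("shorter than seven digits")
    if pin and pin in digits:
        problems.append("is the telephone number or part of it")
    if repeated_or_consecutive(pin):
        problems.append("repeated or consecutive digits")
    if pin in DEFAULT_PINS:
        problems.append("vendor default")
    return problems


if __name__ == "__main__":
    for candidate in ["PR2SDNT", "password", "passw0rd", "qwerty12", "999999"]:
        print(candidate, check_password(candidate) or "ok")
    for pin in ["0142", "1234567", "7206381"]:  # constructed sample number below
        print(pin, check_voicemail_pin(pin, "(916) 555-0142") or "ok")
```

Note what the screen does and does not catch: PR2SDNT (the booklet's own example) passes every rule here, yet it is a seven-character string built from a dictionary word by a published recipe, which is exactly why the text tells you not to reuse examples from training materials.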

Thinking Focus: What types of malicious software are harmful to your computer?

Topic Q Malicious Software


Malicious software is any software written with the intent to cause harm. The short term for malicious software is malware, and some examples are worms, viruses, Trojan horses, and certain spyware. These have the potential to harm the CDCR network and system resources. If malicious software spreads, it can cause productivity and/or financial loss. While you may not be able to completely eliminate the possibility of getting a virus, worm, or other malware, you can greatly reduce the risk of infection and the potential for serious damage. Viruses are small programs usually embedded in much larger programs (hosts), and they spread only when the host is executed. A virus infection can result in fairly harmless activity, such as a message or graphic being displayed on the screen, or in more serious events, such as mission-critical system resources being unavailable for lengthy periods. Worms are small pieces of code that spread themselves from an infected computer to other computers on the same network without needing to attach to a host program. They do not normally cause damage directly, but they can have a devastating impact on a network through the sheer number of copies clogging up network resources. The Trojan horse (usually referred to simply as a Trojan) works like the Greek myth of the Trojan horse and the city of Troy: a Trojan is malware disguised as a useful or interesting program, but it is really harmful once it is executed. Like spyware, Trojans cannot replicate themselves, but they can be responsible for spreading other malware such as viruses. Trojans can also erase or overwrite data on your computer, or appropriate your computer to launch attacks on other systems. Lastly, there is spyware. Spyware intercepts or takes partial control of a computer's operation without your knowledge. Spyware is responsible for unsolicited pop-up advertisements, identity theft, and the recording of keystrokes (including logons and passwords). Unlike viruses or worms, spyware does not replicate itself.

Thinking Focus: How can you tell if your computer has contracted some form of malicious software?

Symptoms of Malware
While there are no universal symptoms for all the different types of malicious software (malware), the following are some indications that malware may be present on your computer: Programs take longer to load. Disk access seems excessive for simple tasks. Unusual error messages appear. Access lights come on when no disk activity should occur. Less memory is available. Files mysteriously disappear. Less disk space than normal is available. Files change size, date, or content. Unexpected messages or characters appear on the screen. The system crashes often. The dial-up connection attempts to connect to a telephone number without the user's knowledge or interaction. None of these proves an infection on its own, so report them to your IT Coordinator rather than diagnosing or "cleaning" the machine yourself.

Thinking Focus: How does your computer get malware on it, and what can you do to prevent infection?

Preventing Malware Infection
The most common ways to spread malware, and to become infected by it, are email and downloading files from the Internet. You can take the following actions to protect your computer from infection: NEVER disable the virus scanning software on your workstation. All email you receive, regardless of where it comes from, including email sent by a fellow CDCR employee, should be scanned. Keep virus scanning software current with the most recently released updates. If your computer is connected to the CDCR network, the updates should happen automatically. If your computer is not connected to the CDCR network, contact your local IT Coordinator to find out how frequently the virus protection software is updated. Restrict use of your workstation to authorized people only. Scan removable media with anti-virus software before accessing it. This includes diskettes, CDs, USB drives, PDAs, and similar devices. Do not open attachments you receive in email unless you can verify that the apparent sender actually sent the message; a worm on a colleague's machine sends mail in that colleague's name. Viruses and worms can be hidden in attachments, and when you open them, you release or activate the malware. Once it has been activated, it is usually too late to stop the damage. Malware can be embedded in Word and Excel files (files with a .DOC or .XLS extension), executables (.EXE), compressed or zipped files (.ZIP), and even some graphic files (.JPG and .GIF). Do not use shareware, freeware, or demo CDs on CDCR computers without approval. Only IT support staff are authorized to install software on CDCR computers. When downloading a file, use the save function and scan the file before using it. Do not download software from the Internet. Never connect to the Internet unless your virus protection software is current and active. If your computer has been sent out for repair, check it with virus detection software before you start to use it. Update your virus software often, at least weekly. New viruses are created and released all the time, and your virus protection software is fully effective only if it is current. If your computer does not have virus detection software, contact your IT Coordinator to have it installed.

Thinking Focus: How can you protect documents that are faxed?

Topic R Faxing Documents


Use good judgment when using CDCR fax machines. Some of the things you can do when faxing documents are: Do not fax confidential or sensitive information. Verify the recipient information including the fax number before faxing any information. Verify that the fax number has been correctly dialed before pressing the start button to transmit the information. Notify the recipient just prior to sending the fax so they are prepared to receive the information and immediately remove it from the receiving fax machine. Use a cover sheet when faxing documents.


OBJECTIVE 5:
YOU WILL BE ABLE TO IDENTIFY CDCRS REQUIREMENTS FOR INMATE ACCESS TO COMPUTERS AND THE RULES FOR SUPERVISING INMATES WITH COMPUTER ACCESS.

Inmates and Computers

It is important to protect CDCR's information and your own personal information from access by inmates. CDCR policy prohibits inmate access to sensitive and confidential information.

What you should learn from this objective: Inmate qualifications for computer access. Appropriate computer configurations for inmate use. Physical location requirements for inmate accessible computers. Appropriate inmate access and activities. Supervising inmates using computers.

Thinking Focus: What criteria must inmates meet in order to be granted authorization to have computer access?

Topic A
Inmate Qualifications for Computer Access
Inmates may only be allowed access to a computer when they are working in an employment or educational assignment, and only after the inmate has been cleared for computer use. Inmates may use computers if they meet these criteria: 1. No history of computer fraud or abuse. 2. No extensive experience or education in computer programming, software engineering, network management or administration. 3. No occurrences of computer abuse while in the prison system. 4. Must be granted permission before being given authorization. If you are the person requesting clearance for an inmate, you cannot also be the person who performs the clearance check. Inmates may be given the privilege of using a computer in their education or work area only if they meet all four criteria. Access to computers is a privilege, not a right.


Thinking Focus: How must inmate access computers be setup before an inmate is authorized to use it?

Topic B
Appropriate Computer Configurations for Inmate Use
Computers used by inmates must meet the following criteria:
1. All storage media, such as hard drives, previously used by staff must be completely overwritten before being assigned to inmate use.
2. Computers previously used by staff, or for purposes other than inmate use, must be approved by the appropriate Information Security Coordinator (ISC) before being allowed for inmate usage. Contact your IT Coordinator if you do not know who the appropriate ISC is.
3. Direct access to the operating system and file system, the Run feature, Control Panel, configuration dialog boxes, and system utilities is prohibited.
4. Access to the MS-DOS commands ASSIGN, DEBUG, and ATTRIB must be removed.
5. Signs identifying whether or not inmate use is allowed must be prominently displayed on all computers.

Thinking Focus: How would you describe the attributes for the physical location where authorized inmate use computers can be located?

Topic C
Physical Location Requirements for Inmate Accessible Computers
Requirements for the physical location of inmate accessible computers are: 1. Signs identifying inmate use must be posted clearly in all rooms or areas where inmates use computers. 2. No communication capabilities, such as a telephone line, computer line, fax machine, wireless communications devices (cell phones or wireless access points), or radio communications are allowed in any area where inmates are allowed computer access. This includes telephones with outside line capability. 3. A copy of the written certification that the policies relating to inmate use of computers are being followed must be kept on site by the local ISC.


Thinking Focus: What activities are inmates not allowed to do with computer access?

Topic D
Appropriate Inmate Access and Activities
Inmates are allowed limited activities when granted authorization for computer access. Inmates are not allowed to: Develop new applications.
NOTE: Any existing application or program developed by an inmate shall not be used to accomplish departmental work or used on any computer connected to the CDCR computer network.

Access any computer-based tool that could be used to create malicious code. Access dialog boxes, the Control Panel, or any other feature of the computer that could allow modification of its configuration. Use staff-assigned computers or access CDCR business applications. Use more than one computer; the exception is a classroom setting in which one instructor is responsible for supervising all inmates and computers. Use computer peripherals, such as CD burners, printers, and scanners, unless CDCR staff directly supervise their use. Install software. Possess removable media, such as diskettes, tapes or CDs, unless the media is controlled and checked out to the inmate. Access any external communication capability, such as modems, email, or chat applications. Share the same network with staff. Access network shares that are also accessible to other inmates. Access the Internet, the Intranet, or the CDCR computer network. Possess a computer as personal property, or outside the authorized work, vocational or educational program area.

Thinking Focus: What are your responsibilities if you are required to supervise inmates authorized for inmate use computers?


Topic E
Supervising Inmates Using Computers
Many institutions have inmates in the workforce, including inmate clerks who use computers. To maintain information security, inmates using computers must be closely supervised. The responsible staff are required to do the following when supervising these inmates: Certify in writing that all policies related to inmate use of computers are being followed. Limit inmate access to computers to the authorized activity only. Ensure computers designated for inmate use are used strictly for that purpose; inmates may not use staff computers. Authorized inmate-use networks are allowed only if a security plan has been approved by the ISO. Supervising staff must understand what the inmate under their supervision is doing, and must have more knowledge of and expertise with the computer than the supervised inmate. Be able to see all inmate computer screens from a single location. Do not allow inmates to have passwords unless the password is assigned and controlled by the supervising staff and cannot be changed by the inmate. Ensure that only inmates with access authorization use computers. This includes troubleshooting, problem solving, data entry, or any other way in which an inmate may view the screen or touch any component of the computer system. Maintain control of removable media used by inmates, such as diskettes, CDs, and zip disks, with an inventory and appropriate controls, such as a check-in and check-out process. Monitor and control all inmate activity. This includes reviewing the contents of removable media and hard drives, ensuring files are related to the inmate's work, reviewing all printed material produced or requested by inmates, and constantly monitoring their activity on the screen.


OBJECTIVE 6:
YOU WILL BE ABLE TO IDENTIFY INFORMATION SECURITY INCIDENTS AND KNOW HOW TO HANDLE THEM.

Information Security Incidents

An essential part of your individual information security responsibilities is to report known or suspected security incidents that may place CDCR information assets at risk. Before you can do that, you need to understand what an incident is and how to identify one. What you should know from this objective: The definition and identification of the different types of information security incidents. How to handle information security incidents.

Thinking Focus: What is an information security incident?

Topic A
Identifying an Information Security Incident
An information security incident is an event or security breach, whether intentional or unintentional, that causes loss, damage, destruction, modification, or disclosure of CDCR computer systems or facilities; unauthorized access to confidential or sensitive data; or fraud, embezzlement, or misuse of state property. The types of security incidents are: Unauthorized Access and Disclosure of Information Assets. Unauthorized Modification, Destruction or Loss of Information Assets. Introduction of Malicious Code. Falsification and Unauthorized Use of Information Assets. Misuse of Information Assets.

Unauthorized Access and Disclosure of Information Assets
These are unauthorized intrusions: any set of actions that attempts to electronically compromise the integrity, confidentiality or availability of a resource. It is an act of unauthorized access that results in tampering with, damage to, or both, of CDCR information assets.


Examples: A computer user or unknown hacker gains unauthorized access to CDCR computer systems and, without permission, takes, copies, or makes use of any data from a computer, computer system, or computer network, whether that data resides inside or outside the computer, system, or network. Someone calls you using social engineering tactics to gain access to computer systems and networks, claiming to be an administrator of the CDCR network or computer systems and asking you for a User ID and password "for troubleshooting purposes." Disruption of state services or denial of computer services occurs in a manner that appears to have been caused by deliberate and unauthorized acts. An example is a Denial of Service (DoS) attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the network's bandwidth or overloading the system. An individual knowingly and without permission accesses, or causes to be accessed, any computer, computer system, or computer network, such as someone other than an authorized user logging in and using the system. An individual finds they have access to another user's email or documents, browses through them knowing the access is not authorized, and does not report that the access is possible.

Unauthorized Modification, Destruction or Loss of Information Assets
These are unauthorized acts that result in the loss of confidential, sensitive, or mission-critical information assets. They occur when there has been deliberate or unintentional destruction or disappearance of information assets, including theft of equipment used to process or store CDCR information. Unauthorized modification of information assets is the act of modifying information assets by someone not authorized to access them. Loss can occur when computer devices, such as desktops, laptops, or handheld devices, are stolen from the office or while traveling. Examples: An individual gains access to the CDCR network and to its web servers, and changes the web pages to include inappropriate information or images. Someone intentionally enters false data into a database or file. Someone breaks into the computer room and sabotages the computer equipment, causing physical damage to the equipment and loss of the data it held. The cabinet containing your CDs with confidential or sensitive information has had its lock broken off and some CDs are missing. While you are traveling away from the office for work, your state-owned laptop is stolen from your vehicle. You went home after work and forgot that you left your PDA on your desk; the next morning you remember that you had it with you in the office, but it is no longer there. You come into work one morning and discover your desktop has been stolen.
Page 41

Information Security Awareness Training Information Security Office

Revision: February 8, 2006 OTPD Approved: January 20, 2006

Disclosure, by an employee, of his or her password. This includes disclosure to family members, coworkers, the employees supervisor, or any other person. The exception is when the password must be provided to a technician so that maintenance or repairs to the computer or equipment can be made. In these instances, the employee must change his or her password immediately upon completion of the work by the technician. During your workday you discover your USB drive with confidential or sensitive information has been stolen or misplaced. Disclosing another employees password to anyone. Employees who learn another employees password should report that fact to their supervisor immediately. The employee must change the password, or if that is not possible, the supervisor must immediately request deactivation of the employees account by the access management entity. Disclosing medical information or inmate data to any employee whose job does not require this knowledge. Providing address or telephone numbers of a CDCR employee to anyone, including another CDCR employee, unless required by CDCR, either deliberately or by accident. Discussing facts from an investigative file or pending legal actions outside the performance of official duties. Introduction of Malicious Code Introduction of malicious code (malware) is when a contaminant is introduced into any State computer, computer system, or computer network. This includes, but is not limited to viruses, Trojans, worms, and other types of malicious attacks. Examples: The introduction of malware is received in an email with an attachment that looks suspicious, but is opened before it is verified that it is indeed a virus. An employee brings work from home on removable media that is infected with malware and does not scan the media for viruses before using the data. An employee downloads an infected file from the Internet. 
Falsification and Unauthorized Use of Information Assets This is the falsification of information and unauthorized alteration of computerized information, computer programs, or information in any other form. The unauthorized alteration may be for any reason, including fraud, embezzlement, personal gain, or aiding in the perpetration of a crime or the personal gain of another person. Intentional falsification of computerized data for any reason is in itself a crime under California Penal Code, Section 502. Fraud or other crimes involving information falsification are prosecuted in addition to the crime of computer data falsification.

Examples:
Accessing a computer using another person's User ID and password.
An employee who is logged on allows another employee to use the computer or terminal without logging off. This is unauthorized access, even though the second employee may be authorized to use the system under his or her own User ID.

Either or both Internet domain names and user account names have been used without permission in connection with sending one or more electronic mail messages that caused damage to a state computer, computer system, or computer network, or misrepresented the state or state employees in electronic communications.
Intentionally entering false data into a database or file.
Intentionally entering incomplete data into a record without authorization.
Omitting entries or updates in a database, file, or record without permission.
Modifying or deleting valid information without authorization.
Changing production data with a version of an application program that has not been formally tested and released to production via the Department's standard application change control process.
Modifying computer source code without authorization.
Modifying an operating system or network configuration without authorization.
Changing access permissions in an access control table without authorization.
Unauthorized alteration of paper documents.

Misuse of Information Assets
Misuse of information assets is when authorized users use CDCR's computing resources for unauthorized purposes, inappropriate activities, or personal gain. Misuse occurs when CDCR information is read, copied, or used for unauthorized purposes. Authorized purposes include only those related to the individual's job or education assignment. This also applies to external CDCR information users, contractors, and consultants, who have been given authorization to read, copy, or use only those CDCR information assets that pertain to their contracted CDCR business and only for the purpose stated in their agreement with the Department.

Examples:
An authorized person uses CDCR systems to access the Internet to view inappropriate web sites that are against CDCR policy.
Bringing to work any games or unauthorized software to install and play on your workstation.
Unauthorized installation and use of an employee's own software on Enterprise Information Services (EIS) on a CDCR computer.
Use of an illegal copy of software, or software not licensed or approved by EIS, on a CDCR computer.
An individual threatening or harassing another individual through CDCR electronic communications.
Using knowledge of CDCR personal or confidential information for non-CDCR purposes.
Using CDCR computer resources for an outside business or interest.
Using CDCR information assets to commit embezzlement or fraud.
Accidental viewing of information because a computer, terminal, or paper document in the work area is placed in such a way that unauthorized employees or offenders cannot avoid seeing it.


Thinking Focus: To whom do you report an information security incident?

Topic B
Handling Information Security Incidents
If you believe there has been an information security incident, the occurrence must be reported immediately to your supervisor and local ISC.

Thinking Focus: What could happen if you violate information security policies and procedures?

Topic C
Consequences to Information Security Violations
All violations of security policies or procedures are subject to disciplinary action. The specific disciplinary action that will be taken depends upon the nature of the violation and its impact on CDCR's information assets and related facilities. Following is a partial list of possible disciplinary actions:
- Written reprimand.
- Suspension without pay.
- Reduction in pay.
- Demotion.
- Dismissal.
- Criminal prosecution (misdemeanor/felony, state or federal).
During the time that a suspected violation is under investigation, the suspected violator's access privileges may be revoked or other appropriate action taken to prevent harm to CDCR.


Appendix A - Glossary
accountability: The ability to trace violations or attempted violations of system security to the individual(s) responsible.
authorized access: Access to information, regardless of media type (paper, electronic, film, etc.), that is granted to specified individuals by management for the purpose of performing specific CDCR work functions.
availability: The condition in which information, computer equipment, or computer services are accessible and can be used when needed.
backup: The duplication of computer programs and files (usually to diskette or tape), prior to any loss or damage to such information, so that the information can be restored in the event the original is destroyed.
backup copies: More than one copy of programs and files, usually on diskette or tape, used to restore such information if the original is destroyed.
CDCR network: A Wide Area Network (WAN) consisting of Local Area Networks (LANs) that connect desktop computers in most of the Headquarters offices, Parole Offices, and several Institutions. The CDCR Network provides email, scheduling, access to the Intranet, departmental applications, and standardized forms. Internet access is provided to authorized users.
classification: The assignment of information, including paper documents, to a category on the basis of its sensitivity concerning disclosure, modification, or destruction.
confidential information: Information maintained by State agencies that is exempt from disclosure under provisions of the California Public Records Act (Government Code, Sections 6250-6265), or other applicable State and Federal laws. See State Administrative Manual (SAM), Section 4841.3. Confidential information is so defined because its unauthorized disclosure could cause harm to an individual or organization or would violate an individual's or organization's right to privacy. Personal information, including personnel, medical, or similar files the disclosure of which would constitute an invasion of personal privacy, should be treated as confidential. All information pertaining to information security incidents and all incident reports are classified confidential and are subject to all requirements for maintaining confidentiality.
controls: Technological mechanisms and/or procedural measures that help enforce information security policies, standards, and laws.
copyright law: Software is protected by the Federal Copyright Act, U.S. Code, Title 17-18, which gives the owner of the copyright the exclusive rights to reproduce the copyrighted work and to distribute copies. The act of illegally copying software is commonly known as software piracy.
critical application: A computer program so important to CDCR that its loss or unavailability is unacceptable. With a critical application, even short-term unavailability of the services and/or information provided would have a significant negative impact on the health and safety of the public or employees, the financial or legal integrity of CDCR operations, or the continuation of essential CDCR programs. All CDCR department-wide information systems are considered critical applications.
data: A representation of information, knowledge, facts, concepts, computer software, computer programs, or instructions. Data may be in any form: in storage media, such as the memory of a computer; in transit, such as information sent over communication lines; as presented on a display device, such as a terminal; or in a paper document.
downloading: The transfer of information from a computer application such as DDPS to a local computing configuration, such as a microcomputer or Local Area Network (LAN).
dumpster diver: Someone who goes through an organization's trash in search of access codes, credit card numbers, computer printouts, and other information that can be used for dishonest purposes.
electronic mail (email): A system that allows a message to be typed at one computer or terminal and then sent to someone on another computer or terminal. The message is stored until the receiver chooses to read it.
firewall: A device consisting of hardware and/or software that limits communications between two networks. Access to the Internet from the CDCR Network is controlled by a firewall that is administered by ISD.
freeware: Software (programs) available to anyone free of charge (no licensing fee).
hacker: A person who gains, or attempts to gain, unauthorized access to computers, computerized information, or software, usually from a remote site.
information assets: All types of information including, but not limited to, documents, records, files, databases, and information technology facilities, as well as equipment and software owned or leased by CDCR.
information owner: The entity assigned decision-making authority for specific data, such as inmate health data or parole information. The Information Owner has responsibility for determining appropriate access authorizations, monitoring and ensuring compliance with CDCR and State security policies and procedures concerning the information, identifying acceptable levels of risk, and defining precautions for protection of the information.
Information Privacy (IP): The right of individuals and organizations to control the collection, storage, and release of information about themselves.


information security: The protection of information assets from unauthorized access (accidental or intentional), modification, destruction, disclosure, or the inability to process that information (unavailability).
information security incident: An occurrence involving CDCR information assets that violates Federal or State information security laws or State or CDCR information security policies or procedures. Information Security Incidents involve the unauthorized or accidental modification, distribution, or misuse of, disclosure from, or access to CDCR information assets. Refer to the CDCR Handling and Reporting of Information Security Incidents handbook for details.
Information Security Incident Report: A report documenting the details of an occurrence involving CDCR information assets that violates Federal or State information security laws or State or CDCR information security policies and procedures. Certain incidents are reportable to the Department of Finance and the California Highway Patrol. All incidents must be reported to the ISO within three working days of the discovery. An incident involves one or more of the following:
1. Unauthorized intentional release, modification, or destruction of confidential or sensitive information, or the theft of such information.
2. Tampering, interference, damage, or unauthorized access to computer data and/or computer systems as described in the Comprehensive Computer Data Access and Fraud Act (Penal Code, Section 502).
3. Use of a State information asset in the commission of a crime.
4. Intentional noncompliance, by the Information Custodian, with custodial responsibilities as specified in the SAM, Section 4841.6.
5. Intentional damage or destruction of State information assets, or theft of such assets, with an estimated value of $500 or more.
Information Security Officer (ISO): The person, designated by the agency director, who is responsible for overseeing the agency's compliance with policies and procedures regarding the security of the agency's information assets. (See Government Code, Section 11771 and SAM, Section 4840.2.)
Enterprise Information Services (EIS): CDCR division charged with the development and maintenance of information technology solutions. ISD is the Information Custodian for most of CDCR's critical systems. ISD also provides support services for the CDCR Network.
Information Technology (IT): All computerized and auxiliary automated information handling, including systems design and analysis, computer programming, information storage and retrieval, voice, video, and data communications, etc.
information user: An individual having specific limited authority from the Information Owner or management to view, change, add to, disseminate, or delete information. The responsibilities of Information Users are using State information assets only for State purposes; complying with applicable laws (including copyright and license requirements), administrative policies, and any additional security policies and procedures; and notifying the Information Owner and ISO of any actual or attempted violations of information security laws, policies, practices, or procedures.
integrity: The condition in which data or programs are protected from unauthorized modification.
Intranet: CDCR information resource, available to all systems connected to the CDCR Network. The Intranet provides access to several services for CDCR employees, including personnel information, access to policies, travel information, forms, etc.
Internet: A term used to refer to the worldwide network of networks. Access is available through the CDCR firewall, or through local Internet Service Providers (ISPs) if the CDCR network is not available, to CDCR staff who have been approved for such access.
Local Area Network (LAN): Two or more microcomputers in the same general area that are connected by some means, such as wire, infrared, or radio, providing access to shared data such as forms, documents and databases, email, scheduling, applications, printers, and other peripherals.
logic bomb: A malicious program, similar to a virus, designed to carry out a usually destructive mission in response to a trigger event. Unlike a virus, a logic bomb does not replicate itself.
log on/off: The procedure by which a session is begun and ended on a computer.
malicious code: Computer instructions, usually in the form of a program, designed to perform undesired changes to the computer system, data, or programs. See the virus definition for more information.
malware: Short for malicious software, such as viruses, Trojans, worms, and certain spyware.
mission critical: A process or business function that must be available for an agency to continue to operate.
modem: A device that connects computers to each other via telephone lines. In CDCR, modems are used to provide remote access to the CDCR network, to connect to specialized systems, and to provide email and/or Internet access for employees not currently able to use the CDCR network.
monitoring: The process of analyzing, assessing, and reviewing audit trails and other data gathered to detect events that may be security violations or that may possibly create a security incident.
password: A unique string of characters used to authenticate (verify) an identity. Usually associated with a User ID. Passwords are confidential and should be kept secret.
personal computer: A microcomputer configured to be used primarily by a single user.
process: The work activities that produce products, including the efforts of people and equipment.


program: The set of instructions by which a computer operates to accomplish a specific task.
proprietary software: Computer applications developed by independent vendors to meet specific programmatic needs, and then marketed to users and agencies with those needs. An example would be an application that manages personnel and payroll for small and medium-sized companies.
public information: Any information prepared, owned, used, or retained by a State agency and not exempted specifically from disclosure requirements under the California Public Records Act, Government Code, Sections 6250-6265, or other applicable State or Federal laws.
remote access: The process by which authorized CDCR Network users may connect to the CDCR Network with a modem.
risk: The probability that a loss of information assets or breach of security will occur.
risk analysis: The process of evaluating 1) the vulnerability of information assets to various threats, 2) the costs or impact of potential losses to the organization, and 3) the options for removing or limiting risks.
risk management: The process of taking actions to avoid risk or reduce it to an acceptable level.
sensitive information: Information maintained by State agencies which requires special precautions to protect it from unauthorized modification or deletion (SAM, Section 4841.3). Sensitive information may be either public or confidential.
shareware: Software available either free of charge, or for a small fee, that the user is allowed to evaluate/use for a short period of time (usually 30 days) before deciding whether or not to purchase it.
shoulder surfing: A term used to refer to a telephone fraud technique whereby telephone access codes are acquired by watching somebody enter the code on the keypad. The simplest form involves an individual looking over somebody's shoulder. More sophisticated methods involve video cameras, tape recorders, or other processes to record the number sequence as it is entered.
social engineering: Posing as an employee, client, service technician, or any other bona fide (genuine) individual to gain information that can be used to break into a computer system or for other dishonest purposes.
software: Computer program(s) consisting of instructions for the CPU that perform specific functions, such as word processing.
spyware: A broad category of malicious software intended to intercept or take partial control of a computer's operations without the user's informed consent.
storage media: Media used to store information electronically, such as hard disks, diskettes, and tapes.

surfing: By analogy with riding the waves on the ocean, refers to going from site to site on the Internet.
terminal: A computer display device which displays information generated by the computer system.
threat: A condition that, given the opportunity, could cause a harmful event to occur.
Trojan: Malicious program disguised as legitimate software.
unauthorized access: Access to information which is not within the scope of an individual's job duties or without the permission of management and/or the Information Owner.
user ID: The unique identifier assigned to an individual for the purpose of access to a computer system.
virus: A self-replicating program, usually malicious. A virus has three parts: a replicator, a trigger, and a mission. The replicator makes copies of the virus program so that it can spread. A trigger is an event that will cause the virus to perform the function for which it was designed, such as a specific date or time. The mission is the function the virus will perform when triggered.
voice mail: Telephone answering system that provides the user with such services as message forwarding, message storage and retrieval, and message notification.
vulnerability: Susceptibility of an information asset to a specific threat.
worm: A malicious program, similar to a virus, that replicates itself and carries out a (usually) destructive mission. Unlike a virus, a worm does not require a trigger event.
write-protected: Preventing data from being written onto electronic storage media. The write-protect mechanism varies depending on the type of storage media.
