Security Considerations

This countermeasure applies to the departmental network access documentation. The document should include procedures for granting access, determining which files the user can access, and when a user is no longer authorized to access the network because of a change in job function, reassignment, or termination.

Ref: TAC 202.70

This countermeasure applies to the audit capability which keeps track of all critical changes made to confidential data by the users. The audit trail provides accountability for changes to confidential data by recording:

  UserID
  Date
  Time
  Machine IP
  Actions performed

Ref: TAC 202.70

This countermeasure applies to the audit capability which keeps track of all critical changes made to mission critical data, hardware and software. The audit trail provides accountability for changes to mission critical data by recording:

Ref: TAC 202.70

This countermeasure applies to the storing of back-up copies of the mission critical data at a location that is physically separate from the spaces that house the information systems. This countermeasure is intended to help avoid the loss of both primary and back-up data to a common disaster. Some airtight fireproof safes are available that, if in use and kept closed, might satisfy this objective without being physically "offsite". For example, the safe may have been tested and proven to protect its contents for up to four minutes with an outside temperature of 1700 degrees Fahrenheit.

Ref: TAC 202.70

This countermeasure applies to the settings of the building thermostats (and any other controls for temperature and humidity) in the room(s) which house the information systems. By having only designated personnel have access to the environmental controls, the possibility of frequent changes based on individual preferences is minimized. The ideal situation would be a thermostat that is set at a constant temperature.

Ref: TAC 202.70

This countermeasure applies to the protection of confidential information. The information can be digital (stored on a computer, or on a monitor) or can be hard copy (printed on paper). Protection mechanisms range from file access controls (role-based or by user group) to distribution controls for computer output to encryption of files for network delivery. Shredders should be used to destroy confidential documents that are no longer needed. The protection mechanisms employed will depend on the risks associated with maintaining the confidentiality of the information.

Ref: TAC 202.70

This countermeasure applies to the password length for both the operating system and mission critical applications. Because passwords have vulnerabilities (short passwords are easily guessed or observed when typed, passwords written on a sticky note and placed on the monitor, etc.), longer passwords are desirable. In addition, changing passwords at regular intervals is an important countermeasure against password compromise. The minimum guidelines outlined in the TAMU Security Rule (which is based on state and federal guidelines) is - at least 6 characters in length and changed every 6 months.

Ref: TAC 202.70

This countermeasure applies to the measures taken to physically secure the information systems facilities. For example, closets which contain network or telephone equipment should be locked. Also the room which houses the departmental server(s) should be physically secured. If the room is an office which cannot be locked during business hours, then tie down mechanisms should be utilized for mission critical equipment. Also, a procedure for challenging strangers in the computer area is an effective countermeasure. The procedure could range from a simple, "Hello, may I help you?" to a careful review of the stranger's identification and outside verification of their stated purpose for being in the computer area. Please see the ISAAC Physical Security Module for a detailed checklist to be used for securing the information systems facilities. The physical security should be reviewed at least annually.

Ref: TAC 202.70

This countermeasure applies to confidential and/or mission critical systems and applications. When an employee resigns or is terminated, the associated accounts and passwords need to be removed or deactivated. In the case of a disgruntled employee, the account revocation may have to occur before the employee has been escorted from the premises.

Ref: TAC 202.70

This countermeasure applies to the steps outlined in the TAMU Security Incident Reporting System (SIRS). The SIRS Web reporting form was created to assist system administrators in reporting any of the following categories:

1. Malicious Code Attacks - Attacks by programs typically written to masquerade presence and often difficult to detect. Including:
   1. Viruses
   2. Trojan horse programs
   3. Worms
   4. Scripts used by crackers/hackers to gain privileges, capture passwords, and/or modify audit logs.
2. Unauthorized Access - Large range of incidents, including:
   1. unauthorized person logging into a legitimate user's account
   2. unauthorized access to files and directories (by capturing superuser privileges)
   3. a sniffer program to capture packets
3. Unauthorized Use - Access to a user's account to perpetrate an attack is not absolutely necessary. Unauthorized use includes:
   1. using the network file system (NFS) to mount the file system of a remote server machine
   2. the VMS file access listener to transfer files without authorization
   3. inter-domain access mechanisms in Windows NT to access files and directories in another organization's domain
4. Disruption or Denial of Service - Disruptions to network and computing services. Include:
   1. erasing a critical program
   2. spamming (flooding accounts with email)
   3. altering system functionality (installing a Trojan horse)
5. Misuse - Misuse can be intentional or unintentional. Misuse incidents and response are based on departmental risk assessment and defined by TAMU policy. Including:
   1. use of a computing system for other than official purposes
   2. changes made to system hardware, firmware, or software characteristics without the department's knowledge, instruction, or consent.
6. Hoaxes - Spreading false information about incidents or vulnerabilities. Many of these are spread via email chain letters. Example:

   Information on the Good Times Virus spread rapidly across the Internet, but it never existed.

Ref: TAC 202.70

This countermeasure applies to a sequence of unique data that must be entered by each individual desiring access to a mission critical application. One common type of account ID is the logon ID which uniquely identifies an individual's account.

This countermeasure applies to the security awareness training that is required for all users of confidential and/or mission critical information systems. The goal of information security awareness training is to help all users understand why they need to take information security seriously, what they will gain from its implementation, and how it will assist them in completing their assigned tasks. The process should begin at new-employee orientation and continue annually for all employees at all levels of the department.

Ref: TAC 202.70

This countermeasure applies to the environmental hazards which affect information systems. For example, the equipment should be located away from areas exposed to water spray, steam pipes, dust sources, temperature extremes, or direct sunlight.

This countermeasure applies to the protection from fraudulent activity by separation of duties. Separation of duties by a procedure or software prevents one individual from having the capability to make hardware or software modifications or updates without some oversight or approval. This is usually accomplished through administrative procedures but it can also be accomplished by dividing capabilities between the individual and the system.

Ref: TAC 202.70

This countermeasure applies to a formal acknowledgement by departmental employees and independent contractors to comply with TAMU information security standards before they are given access to confidential and/or mission critical information resources. Often the formal acknowledgement is a "code of ethics" document that is required to be read and signed by the individual seeking access to the information resource.

Ref: TAC 202.70

This countermeasure applies to a formal acknowledgement by departmental employees and independent contractors to comply with information security standards before they are given access to confidential and/or mission critical information resources. Often the formal acknowledgement is a "non-disclosure agreement" document that is required to be read and signed by the individual seeking access to the information resource.

Ref: TAC 202.70

This countermeasure applies to new employee orientation. The orientation should include a security awareness training component before the new employee is granted access to confidential and/or mission critical information resources.

Ref: TAC 202.70

This countermeasure applies to information resources which are shared between the department and another state agency (or other TAMU department). The information resources shall be protected in accordance with the conditions imposed by the provider. If your department does not share it's confidential information with another department or state agency, then please answer this question with "Yes".

Ref: TAC 202.70

This countermeasure applies to the practice of periodically scanning the information systems connected to the departmental network and scanning software before installing it for the first time. In order to be effective, the anti-virus software should be kept up to date and not exclude compressed files.

This countermeasure applies to Uniterruptible Power Supplies (UPS) designed to provide a continued supply of power to the mission critical information systems. Larger systems may also use power from generators that are driven by engines. Some UPS devices provide an automatic shut-down feature which protects software and data before the power is completely used.