Secure Use of Computer Systems

Misuse of an automated information system is sometimes illegal, often unethical, and always reflects poor judgment or lack of care in following security rules and regulations. Misuse may, unintentionally, create security vulnerabilities or cause damage to important information. A pattern of inability or unwillingness to follow rules for the operation of computer systems raises serious concerns about an individual's reliability and trustworthiness.

As we store more and more information in computer data bases, and as these data bases become more closely linked in networks, more people have broader access to more information than ever before. Computer technology has magnified many times the ability of a careless or disaffected employee to cause severe damage.

Owing to the magnitude of problems that can be caused by misuse of computer systems, Misuse of Technical Information Systems is now one of the 13 criteria used in adjudicating approval and revocation of security clearances for access to classified information.

Many aspects of computer use are governed by your organization's policy rather than by federal government regulation.  Many government agencies and defense contractors specify the security procedures and prohibited or inappropriate activities discussed below.


Security Rules

The following are basic rules for secure use of the computer.
  • Do not enter into any computer system without authorization. Unauthorized entry into a protected or compartmented computer file is a serious security violation and is probably illegal. It can be a basis for revocation of your security clearance. Whether motivated by the challenge of penetrating the system or by simple curiosity to see what is there, unauthorized entry is a deliberate disregard for rules and regulations. It can cause you to be suspected of espionage. At a minimum, it violates the need-to-know principle and in some cases is an invasion of privacy.
  • Do not store or process classified information on any system not explicitly approved for classified processing. See Security of Hard Drives.
  • Do not attempt to circumvent or defeat security or auditing systems without prior authorization from the system administrator, other than as part of a system test or security research authorized in advance.
  • Do not install any software on your computer without the approval of your system administrator.
  • Do not use another individual’s userid, password, or identity.
  • Do not permit an unauthorized individual (including spouse, relative or friend) access to any sensitive computer network.
  • Do not reveal your password to anyone -- not even your computer system administrator. See Passwords.
  • Do not respond to any telephone call from anyone whom you do not personally know who asks questions about your computer, how you use your computer, or about your userid or password. See "Social Engineering."
  • If you are the inadvertent recipient of classified material sent via e-mail or become aware of classified material on an open bulletin board or web site, you must report this to the security office.
  • Do not modify or alter the operating system or configuration of any system without first obtaining permission from the owner or administrator of that system.
  • Do not use your office computer system to gain unauthorized access to any other computer system.

Inappropriate Use

Many offices permit some minimal personal use of office equipment when such personal use involves minimal expense to the organization, is performed on your personal non-work time, does not interfere with the office's mission, and does not violate standards of ethical conduct.

The following activities are considered to be misuse of office equipment:

  • The creation, download, viewing, storage, copying, or transmission of sexually explicit or sexually oriented materials can cause you to be fired from your job. See discussion under E-Mail.
  • Annoying or harassing another individual, for example through uninvited e-mail of a personal nature or using lewd or offensive language, can cause you to be fired from your job. See discussion under E-Mail.
  • Using the computer for commercial purposes or in support of "for-profit" activities or in support of other outside employment, business activity (e.g., consulting for pay, sales or administration of business transactions, sale of goods or services), or gambling.
  • Engaging in any outside fund-raising activity, endorsing any product or service, participating in any lobbying activity, or engaging in any prohibited partisan political activity.
  • The creation, copying, transmission, or retransmission of chain letters or other unauthorized mass mailings.
  • Any activities that are illegal, inappropriate, or offensive to fellow employees or the public. Such activities include hate speech or material that ridicules others on the basis of race, creed, religion, color, sex, disability, national origin, or sexual orientation.
  • Use for posting office information to any external newsgroup, chat room, bulletin board, or other public forum without prior approval.
  • Any personal use that could cause congestion, delay, or disruption of service to any office equipment. This includes sending pictures, video, or sound files or other large file attachments that can degrade computer network performance.
  • The unauthorized acquisition, use, reproduction, transmission, or distribution of any controlled information. This includes copyrighted computer software; other copyrighted or trademarked material or material with intellectual property rights (beyond fair use); privacy information; and proprietary data or export-controlled data or software.

Monitoring of Inappropriate E-Mail

Sending e-mail is like sending a postcard through the mail. Just as the mailman and others have an opportunity to read a postcard, network eavesdroppers can read your e-mail as it passes through the Internet from computer to computer. E-mail is not like a telephone call, where your privacy rights are protected by law.

The courts have repeatedly sided with employers who monitor their employees' e-mail or Internet use. A 2005 survey found that 63% of corporations with 1,000 or more employees either employ or plan to employ staff to read or otherwise analyze outbound email. 27% of the companies reported terminating an employee due to email misuse during the previous year. 35% investigated a suspected email leak of confidential information during the past year. In addition to protection of their intellectual property, companies were concerned about compliance with financial disclosure regulations. [4] Organizations also monitor email to protect themselves against lawsuits, as the organization can be held liable for abusive, harassing, or otherwise inappropriate messages sent over its computer network.

In the past couple of years, The New York Times fired 23 employees for exchanging off-color e-mail. Xerox fired 40 people for inappropriate Internet use. Dow Chemical fired 24 employees and disciplined another 230 for sending or storing pornographic or violent material by e-mail. [1]

Several years ago, Chevron Corp. had to pay $2.2 million to plaintiffs who successfully brought a suit of sexual harassment, in part because an employee sent an e-mail to coworkers listing the reasons why beer is better than women. [2]

Protecting Your Home Computer

If you access your office network from home, or do work at home that is then e-mailed to the office or brought to the office on any removable storage media, this can affect the security of the office network. You have an obligation to follow standard procedures for protecting your home computer against viruses and other problems that might be transmitted to your office network. These include installing a virus checker with automatic updates, installing a personal firewall, turning off or uninstalling any options that significantly increase security risk, and keeping your computer's operating system up-to-date with security fixes as they become available. Sensitive but unclassified work materials should not be left on a home computer to which other persons have access.

Related Topics: The Insider Threat to Information Systems. Wireless Network Vulnerabilities.

References
1. Larry Armstrong, "Someone to Watch Over You," Business Week, July 10, 2000, p. 189. Todd R. Weiss, "Dow Fires More Employees Over Inappropriate E-Mails," CNN.com, September 19, 2000.
2. Anna Davison, "Is Your E-Mail Being Monitored?" Monterey County Herald, July 29, 2000, p. E1.
3. Alex Markels, "The messy business of culling company files," The Wall Street Journal, May 22, 1997, p. B1.
4. Proofpoint, Outbound Email Security and Content Compliance in Today's Enterprise, 2005. A copy of this survey may be ordered at www.proofpoint.com/outbound/.

 
