Misuse of an automated information system is
sometimes illegal, often unethical, and always reflects poor judgment or lack of care in
following security rules and regulations. Misuse may, unintentionally, create security
vulnerabilities or cause damage to important information. A pattern of inability or
unwillingness to follow rules for the operation of computer systems raises serious
concerns about an individual's reliability and trustworthiness.
As we store more and more information in computer data bases, and
as these data bases become more closely linked in networks, more people have broader
access to more information than ever before. Computer technology has magnified many times
the ability of a careless or disaffected employee to cause severe damage.
Owing to the magnitude of problems that can be caused
by misuse of computer systems, Misuse of Technical Information Systems is now one of the
13 criteria used in adjudicating approval and revocation of security
clearances for access to classified
Many aspects of computer use are governed by
your organization's policy rather than by federal government regulation. Many
government agencies and defense contractors specify the security procedures and prohibited
or inappropriate activities discussed below.
The following are basic rules for secure use
of the computer.
- Do not enter into any computer
system without authorization. Unauthorized entry into a protected or compartmented
computer file is a serious security violation and is probably illegal. It can be a basis
for revocation of your security clearance. Whether motivated by the challenge of
penetrating the system or by simple curiosity to see what is there, unauthorized entry is
a deliberate disregard for rules and regulations. It can cause you to be
suspected of espionage. At a minimum, it violates the need-to-know principle
and in some cases is an invasion of privacy.
- Do not store or process classified information
on any system not explicitly approved for classified processing. See
Security of Hard Drives.
- Do not attempt to circumvent or defeat
security or auditing systems without prior authorization from the system administrator,
other than as part of a system test or security research authorized in
- Do not install any software
on your computer without the approval of your system administrator.
- Do not use another individuals
password, or identity.
- Do not permit an unauthorized individual
(including spouse, relative or friend) access to any sensitive computer
- Do not reveal your password to anyone
-- not even your computer system administrator. See
- Do not respond to any telephone call from
anyone whom you do not personally know who asks questions about your computer, how you use
your computer, or about your userid or password. See
- If you are the inadvertent recipient of
classified material sent via e-mail or become aware of classified material on an open
bulletin board or web site, you must report this to the security office.
- Do not modify or alter the operating system or
configuration of any system without first obtaining permission from the owner or
administrator of that system.
- Do not use your office
computer system to gain unauthorized access to any other computer
Many offices permit some,
minimal personal use of office equipment when such personal use involves
minimal expense to the organization, is performed on your personal
non-work time, does not interfere with the office's mission, and does not
violate standards of ethical conduct.
The following activities are
considered to be misuse of office equipment:
- The creation, download,
viewing, storage, copying, or transmission of sexually explicit or
sexually oriented materials can cause you to be fired from your job. See discussion under
- Annoying or harassing another individual,
for example through uninvited e-mail of a personal nature or using lewd or offensive
language can cause you to be fired from your job. See discussion under
- Using the computer for commercial
purposes or in support of "for-profit" activities or in
support of other outside employment, business activity (e.g.,
consulting for pay, sales or administration of business transactions,
sale of goods or services), or gambling.
- Engaging in any outside
fund-raising activity, endorsing any product or service, participating
in any lobbying activity, or engaging in any prohibited partisan
- The creation, copying,
transmission, or retransmission of chain letters or other unauthorized
- Any activities that are
illegal, inappropriate, or offensive to fellow employees or the
public. Such activities include hate speech or material that ridicules
others on the basis of race, creed, religion, color, sex, disability,
national origin, or sexual orientation.
- Use for posting office
information to any external newsgroup, chat room, bulletin board, or
other public forum without prior approval.
- Any personal use that
could cause congestion, delay, or disruption of service to any office
equipment. This includes sending pictures, video, or sound files or
other large file attachments that can degrade computer network
- The unauthorized
acquisition, use, reproduction, transmission, or distribution of any
controlled information. This includes copyrighted computer software;
other copyrighted or trademarked material or material with
intellectual property rights (beyond fair use); privacy information;
and proprietary data or export-controlled data or software.
Sending e-mail is like sending a postcard
through the mail. Just as the mailman and others have an opportunity to read a postcard,
network eavesdroppers can read your e-mail as it passes through the Internet from computer
to computer. E-mail is not like a telephone call, where your privacy rights are protected by law.
The courts have repeatedly sided with employers who
monitor their employees' e-mail or Internet use. A 2005 survey found that
63% of corporations with 1,000 or more employees either employ or plan to
employ staff to read or otherwise analyze outbound email. 27% of the
companies reported terminating an employee due to email misuse during the
previous year. 35% investigated a suspected email leak of confidential
information during the past year. In addition to protection of their
intellectual property, companies were concerned about compliance with
financial disclosure regulations.4
Organizations also monitor email to protect themselves against lawsuits,
as the organization can be held liable for abusive, harassing, or
otherwise inappropriate messages sent over its computer network.
In the past couple
years, The New York Times fired 23 employees for exchanging off-color
e-mail. Xerox fired 40 people for inappropriate Internet use. Dow Chemical
fired 24 employees and disciplined another 230 for sending or storing
pornographic or violent material by e-mail. 1
Several years ago,
Chevron Corp. had to pay $2.2 million to plaintiffs who successfully brought
a suit of sexual harassment, in part because an employee sent an e-mail to
coworkers listing the reasons why beer is better than women. 2
If you access your office network from home or do work at home that is then emailed
to the office or brought to the office on any removable storage media, this
can affect the security of the office network. You have an obligation to
take standard procedures for protecting your home computer against viruses
and other problems that might be transmitted to your office network. These
include installing a virus checker with automatic updates, installing a
personal firewall, turning off or uninstalling any options that
significantly increase security risk, and keeping your computer's operating
with security fixes as they become available.
Sensitive but unclassified work materials should not be left on a home
computer to which other persons have access.
Related Topics: The Insider Threat to Information Systems.
1.Larry Armstrong, "Someone to Watch Over
Week, July 10, 2000, p. 189. Todd R. Weiss, "Dow Fires More
Employees Over Inappropriate E-Mails." CNN.com, September 19,
2. Anna Davison, "Is Your E-Mail Being
Monitored?" Monterey County Herald, July 29, 2000, p. E1.
3. Alex Markels, The messy business of culling company
files. The Wall Street Journal, May 22, 1997, p. B1
Email Security and Content Compliance in Today's Enterprise, 2005. A
copy of this survey may be ordered at www.proofpoint.com/outbound/.