Untitled Document

Employees first and last line of defense
in assuring security in use of networks, e-mail

First in a series
The greatest vulnerability to the Idaho Transportation Department’s information system also is its greatest defense, explains Information Technology Security Coordinator Forrest Anderson.

Protecting the confidentiality, integrity and availability of ITD’s corporate technology enterprise begins and ends with employees. Inappropriate or careless use of the department’s information system – including the Internet, e-mail, and network applications – can open the door to outside intrusion and negatively impact work productivity.

Conversely, if the system is used as it is intended, information technology can improve efficiency, decision-making, data processing and research.

Historically, ITD has maintained a low-key “laissez-faire,” approach, extending generous latitude to employees in the use of technology. In about 95 percent of the instances, employees make sound, judicious decisions. It’s the other five percent that concerns Anderson and if left unaddressed, could result in tougher limits.

“The department has been very open in providing Internet access and hasn’t put many restrictions on employees,” he says. “But we do block access to specific kinds of sites.”

Among them are Web sites related to gaming and gambling, sexual content and sites that are vulnerable to spyware and the spread of unwanted, potentially harmful applications.

“We have an application that categorizes Web sites based on key word content. We don’t actively monitor individual usage unless we have reason to believe the employee is violating the computer use policy,” Anderson explains. “We have the ability to track every Internet site an employee visits. All Internet usage is captured on a log or data base that can be retrieved.

How companies limit personal Internet use

35 percent prohibit all non-work use

28 percent limit use after business hours

17 percent allow unrestricted personal use anytime

13 percent allow limited personal use anytime

4 percent have no policies on Internet use

2 percent allow unrestricted use after work hours

He said the department has developed a “standardized approach, but not a centralized approach.” Maintaining a secure environment, while based on prescribed department-wide standards, also is the responsibility of ITD's six districts.

Anderson said the department can run reports on Internet use by category, such as sports, adult-theme, crime, hate, technology, games, gambling…

Access isn’t always blocked, but the use can be traced, he warns.

“Just because you can access something, doesn’t mean that you should, and that your use isn’t being recorded. Employees should have no expectations of computer privacy in the use of department-owned computer equipment. There is no such guarantee,” he reminds.

Computers and information storage devices, networks and access to those networks remain the property of the state of Idaho. Any use, other than that directly related to work activities, may be a violation of the department’s and state’s computer use policies.

Inappropriate use can result in loss of computer privileges, suspension, termination and/or prosecution.

It’s more than guarding against e-mail that contains hate language, traffic to pornographic Web sites, or participation in on-line gambling.

Accessing some Web sites also exposes the department’s and state’s information systems to viruses, identity/information theft and malicious damage. Despite sophisticated anti-virus software that scans all in-coming e-mail at three levels (state Department of Administration, ITD systems and individual work stations) links and attachments can contain powerful viruses capable of destroying computer hard drives and that can self-propagate to other users. Non-business related activity uses the network resources or bandwidth that may be needed by other more legitimate applications.

About 80 percent of all e-mail coming to state agencies is blocked as spam by the Department of Administration. An estimated 4-5 percent of all e-mail sent to state agencies contains some form of virus, Anderson explains. He calls the safeguards “defense in depth.”

Users – ultimately the first and last line of cyber defense – can help prevent potentially harmful viruses by not opening questionable attachments and avoiding suspicious Web sites. Even electronic greeting cards, screen savers, computer wallpaper images and seemingly innocuous “dancing bunnies” can open the door to viruses and spyware.

Those fun and free downloads are seldom exactly what they seem to be and potentially can be very destructive.

“All we’re asking is that employees adhere to the computer use policy they signed when they were hired. We don’t want to engage in aggressive computer use monitoring, because it is very labor intensive. But we will take the steps necessary to secure the department’s information technology investment.”

[Next week the Transporter will explore in greater detail the use of e-mail and remedies for the rapidly increasing storage requirements resulting from personal use.]