1 National Science Foundation United States Antarctic Program Information Security Awareness Training

2 Mandate
This United States Antarctic Program (USAP) Information Security Awareness Course is authorized by the National Science Foundation (NSF) Division of Polar Programs and conforms to NSF agency CIO/CISO awareness training requirements.

3 Training Goals
The goals of this course are:
- To fulfill statutory legal requirements for initial and annual information security awareness training for users of US Government information systems
- To make you aware of threats to USAP information resources and your responsibilities for their protection
- To familiarize you with USAP policy on network usage
- To promote a working knowledge of accepted and prohibited usage of the USAP network
- To instill best practices in all users of USAP resources

4 Why Is Information Security Important?
The USAP network is a federal government system and is subject to federal laws and regulations. Misuse of USAP resources can put the USAP mission in jeopardy. Your actions affect you, other users, the NSF, and the USAP. Failure to exercise your information security responsibilities and to practice secure computing principles can subject you to administrative sanctions, civil liability, or criminal prosecution.

5 Your Responsibility
Use the USAP Network Responsibly. Any action you take, such as visiting websites, using web applications, or playing games, can expose the USAP to malware. Your online actions can cause your personal views to be mistaken for those of the US Government/NSF. Take care when posting opinions or sending e-mail from your usap.gov account.
Be a Bandwidth Steward. USAP stations, vessels, and field camps have limited bandwidth, which must be shared among multiple users, science research support, mission operations support, and medical/life safety support. Use only what you need.

6 No Expectation of Privacy
The USAP logon banner is a reminder that you cannot expect privacy when on the USAP network. This warning has been reviewed and approved by the NSF Office of General Counsel and Office of Inspector General. All network traffic is monitored, including USAP-provided email, recreational and business Internet use, and Internet traffic from your personally owned device, regardless of USAP operating location. Monitoring is needed to ensure the quality of IT services, fix problems, and address information security violations such as an external malicious attack.

7 USAP Information Security Policies
USAP Information Resource Management Directives document the policies in place for managing the security of USAP Information Technology systems and services. They cover areas such as user access control, security auditing, risk management, awareness training and education, physical security, disaster recovery, and the use of non-USAP systems.
The USAP Enterprise Rules of Behavior (EntROB) is a detailed list of acceptable and prohibited behavior on the USAP network.
For more information on USAP policies and the EntROB, go to the Information Technology and Communications page of the USAP website: http://www.usap.gov/technology/contentHandler.cfm?id=1563

8 USAP Information Security Policies
In order to gain access to the network, all users must sign the “Acknowledgement of USAP Information Security Policies and Permission for Use” form. By signing this form, users acknowledge that:
- Use of this government system requires compliance with USAP policies, rules of behavior, procedures, and guidance
- Mandatory awareness training has been completed
- Only authorized use is allowed
- There is no expectation of privacy
- They consent to being monitored
- Tampering with any information system or network infrastructure is prohibited
- They are responsible for protecting sensitive information

9 Acceptable Uses
USAP information resources are provided for operational, science, and recreational use. If an acceptable-use activity is found to negatively impact the USAP, acceptable use of USAP resources may be temporarily or permanently restricted. For example, network bandwidth may be restricted in order to accommodate a search and rescue activity. Users will be notified by NSF representatives, local station management, or IT&C staff that restrictions are in place. Users are expected to be aware of the impact of their system usage and to modify their use of the system appropriately and according to NSF direction.

10 Acceptable Uses
Personal Email, Internet Browsing, Instant Messaging: General use of the Internet for personal communications is acceptable as long as these activities do not create bandwidth congestion and are not used to transmit or download prohibited material.
Third-party Software on USAP Operational Systems: In order to install software on a government system, NSF and/or IT&C approval is required. For non-USAP systems connecting to the USAP network, whether grantee systems or personally owned systems, ensure that you have a registered software license for every application installed on the system.

11 Acceptable Uses
Encryption of Personal Transmissions: You may encrypt personal email or data files stored on a personally owned system; however, encrypted communications are subject to monitoring and authorized auditing. In accordance with the Enterprise Rules of Behavior, users have no expectation of privacy. In the case of an authorized investigation by the NSF, be prepared to provide officials with the passphrase used to encrypt the data file or communication.

12 Online Representation
If you can be identified as a USAP participant while online, you are responsible for ensuring that your postings to public web sites, blogs, and chat rooms cannot be interpreted as adverse activity or hostile material. Additionally, the general public may improperly view USAP participants as representatives of the USAP or the NSF. USAP participants are not allowed to represent themselves as U.S. government officials. You are responsible for what you post on the Internet and communicate via email.
Examples of activities that may be interpreted as adversely impacting the USAP mission:
- Discussing the effectiveness of USAP processes and facilities in a public forum
- Discussing how the USAP is spending funding in a public forum
- Distributing sensitive information about USAP operations to individuals who are not authorized to receive that information
- Representing yourself in a public forum as speaking for the USAP or the NSF
- Using USAP or NSF logos and titles unless specifically authorized by the NSF

13 Prohibited Uses
To protect information resources and abide by U.S. law, the following activities are prohibited on the USAP network:
- Illegal or harmful activities
- Misrepresentation of your USAP identity online
- Distribution of materials interpreted as adverse or hostile
- Storing, processing, or transmitting classified information
- Sharing account access information
- Enrolling others in list services
- Setting up personal information services
- Violation of copyright laws
- Use of Peer-to-Peer (P2P) applications
- Excessive bandwidth use
- Accessing racist or sexually explicit material
NOTE: The network communications, infrastructure, and information systems are monitored for violations, and authorities are notified when necessary.

14 Computer Requirements
All systems used in the USAP must be authorized before connecting to the USAP Network. These include:
- IT equipment used for scientific experiments
- Mission operation systems
- USAP and personally owned workstations
- Servers
- Laptops
- Mobile devices (smartphones, tablets, etc.)
Depending on the function of the device, there are different methods of authorization for use on the USAP network. The following slides provide information so that your participation in the USAP can be successful.
All systems must continuously maintain compliance with the computer requirements. A system that falls out of compliance, such as by falling behind in antivirus definitions, patches, or vulnerability remediation, may be disconnected without notice if the NSF determines there is an unacceptable level of risk or threat to the USAP environment.
Requirements for computing equipment connected to the USAP network can be found at: http://www.usap.gov/USAPgov/travelAndDeployment/documents/IT-A-9405a.pdf

15 Computer Requirements—Personal Devices
Whether you are a grantee, a contractor, a government employee, or military personnel, authorization of personal computing devices (e.g., laptops or workstations) on the USAP network requires the device to pass a screening process. Screening of your devices will typically occur at your initial point of entry into the program. For participants deploying to McMurdo and South Pole Station, screening occurs in Christchurch. For the vessels and Palmer Station, screening occurs on board the vessel, and at Palmer Station for participants staying on station.
Criteria for passing include:
- An operating system within lifecycle support of its vendor, and at the current patch level released by the vendor
- The user must be able to provide administrative privileges to the technicians screening the device
- An antivirus program that is current in its version and signatures, and configured for auto-updates
- No prohibited software running on the device
See the Computer Screening Requirements document for more information: http://www.usap.gov/USAPgov/travelAndDeployment/documents/IT-A-9405a.pdf
After passing the screening, the system must continuously maintain compliance with the computer requirements. A system that falls out of compliance, such as by falling behind in antivirus definitions, patches, or vulnerability remediation, may be disconnected without notice if the NSF determines there is an unacceptable level of risk or threat to the USAP environment.

16 Computer Requirements—Grantee/Scientific Devices
Grantees must include all devices they wish to attach to the USAP network for their event in their Support Information Package (SIP) for review and authorization. The following information is critical for a timely review:
- Type of device: server, scientific instrument with a network interface, network infrastructure, mobile device
- Operating system
- Capability to remediate flaws (e.g., patching) in a timely manner
If your research plans change between SIP submittal and deployment, please contact your science planner for more information or assistance.
Once your equipment arrives at its Antarctic location, it will be screened for currency of operating system, antivirus software and definitions, and for prohibited software. All equipment connected to the USAP network is subject to continuous monitoring, including vulnerability scans. If vulnerabilities are found on your equipment, IT&C staff will contact you for remediation actions. If the equipment is not authorized, it will not be allowed to connect to the USAP network.

17 Computer Requirements—Mobile Devices
Some operating locations within the USAP have wireless capability to support mobile devices for USAP business or scientific purposes. At this time, the USAP does not support the use of personal mobile devices, regardless of the location or USAP participant affiliation (grantee, contractor, government employee, or military personnel). Mobile devices include, but are not limited to, smartphones, tablets, iPod Touch, etc.
In order to connect an authorized mobile device to the wireless network in the USAP, grantees and managed events must indicate so in their SIP. Mobile devices will be screened for currency of operating system and antivirus software and signatures prior to being allowed to connect. If the equipment is not authorized, it will not be allowed to connect to the USAP network.

18 Case Study—Grantee Computer Screening
John, Sarah, and Michael have a number of computers they are taking to McMurdo this season to support the science research they are involved with and for personal use. They each have a personal laptop with them when they arrive at the Clothing Distribution Center (CDC) in Christchurch, and two systems are being shipped down with science equipment through cargo. What should John, Sarah, and Michael do to meet the computer screening requirement for all computers arriving on the Ice?
Resolution: John, Sarah, and Michael should ensure that the details of the systems that connect to scientific equipment are included in their SIP, and answer any questions regarding those systems during Research Support Plan (RSP) development. They should have their personal laptops screened in Christchurch and apply any fixes identified by the screening before their flight to McMurdo. If a laptop fails the screening in Christchurch, they must have the computer screened again in McMurdo in order to connect to the network. Upon unpacking the systems shipped through cargo, they should contact the local help desk to have the systems screened before connecting them to the network.

19 Privately Owned Information Systems
All information systems attaching to USAP networking infrastructure must be authorized and must conform to NSF USAP information security policy compliance rules. Attachment of privately owned systems for personal use is governed by the EntROB. Even if the device or service is in support of a science project, it must be authorized by the USAP prior to plugging it in.
Introduction of personally owned networking devices, or devices capable of networking features, must be formally approved and is otherwise prohibited. This includes, but is not restricted to:
- WiFi routers/access points
- Gaming equipment with enabled WiFi services
- Ethernet switches, routers
- Web cams, web servers
- Email and application servers
- Streaming media servers (TiVo, Roku, etc.)
- Others as communicated to the user community as needed
When in doubt – ASK FIRST!
Be aware of the “No Tampering” clause in the Acknowledgement Form. Tampering with USAP networking infrastructure is strictly prohibited. This includes unauthorized cabling, taps into switches and cabling, disabling network features/configurations, circumventing security systems, etc.

20 Case Study—Unauthorized Equipment
Before deploying to McMurdo, Jane, a grantee, buys a wireless router to take with her to the station so that she can have wireless access to the Internet from her dorm room to check on equipment in the lab remotely and to access the Internet. She hadn’t thought about this time-saving method when she wrote her Support Information Package (SIP), but she knows it will save her a lot of time. After Jane connects her router to the network, Jane’s roommate Carol, who happens to work in IT, informs her that setting up an unauthorized wireless access point on the LAN, or establishing one independently, is a breach of the USAP EntROB that may result in Jane losing all access to the USAP network, including the Internet. Carol also explains that, in addition to consuming limited bandwidth and conflicting with official USAP wireless services on station, Jane’s new access point potentially impacts life safety operations on station by interfering with the radio frequency space that supports all USAP operating locations.
Resolution: Jane may not have been aware of her responsibility to request approval for privately owned information systems in her SIP, but she could have caused an impact not only to the USAP mission but also to her own science project. Using personal servers for email, web, ftp, telnet, etc., or wireless access points, wireless routers, switches/hubs, and other network infrastructure is prohibited without prior authorization and a business/mission requirement.

21 Peer-to-Peer (P2P)
Peer-to-Peer (P2P) use is prohibited on the USAP network without authorized, formal approval for official USAP business.
What is P2P? Peer-to-peer (P2P) applications exchange data between computers without the use of a centralized server, which allows users to interact directly with each other to share information. P2P applications are commonly used to anonymously exchange media and software. For more information on P2P, see: http://en.wikipedia.org/wiki/Peer-to-peer. Examples of P2P applications include BitTorrent, Kazaa, BearShare, LimeWire, and Morpheus.
Dangers and Risks of P2P:
- Common public/private P2P file sharing environments are a major cause of illegal copyright infringement of intellectual property (movies, music, etc.). NSF USAP has zero tolerance for copyright violations.
- P2P use is not protected by USAP security systems.
- P2P consumes significant bandwidth resources.
- Use of P2P can lead to the spread of viruses, spyware, and trojan horses, and/or compromise of your privacy.
Items that are not P2P include instant messaging (e.g., MSN Messenger, AOL Instant Messenger) and group meeting software (e.g., WebEx, Centra, Microsoft NetMeeting).
Q: What should you do if your personal computer has a P2P app installed?
A: Uninstall/disable it before presenting your computer for screening to be authorized for access to USAP information systems!

22 Copyright Infringement
Violation of copyright laws is a criminal activity and is not tolerated on the USAP network. USAP network and share drives are periodically monitored for violations. Federal law prohibits unauthorized copying, sharing, or distribution of copyrighted materials. Examples of copyrighted material include the following:
- MP3, WAV, or other audio files
- Digital video files
- DVDs or music CDs
- Software programs
This does not apply to the legal purchase of music or video entertainment within bandwidth restrictions. Violations of copyright law may result in civil or criminal penalties, disciplinary action, employment termination, sanctions, and/or personal liability.
For more information on copyright law, the concept of fair use, and other helpful information, see: http://www.copyright.gov/
For more information on copyright infringement of movies and music and legal alternatives, see: http://www.copyrightinformation.org/

23 Limitations on Authorized Use
It is important that all network use follows the documented rules and processes to ensure that all participants receive access to appropriate resource levels and, more importantly, to ensure that essential station operations are not affected by other network activities. Grantees and technical events who use the network for activities such as transferring science data to a home institution or using Skype to communicate with their team must adhere to their approved levels of service. If your work requires changes to your authorized level of service, work with station IT management to update your RSP and obtain NSF approval before changing your network use practices. If your network activities exceed your authorized level of service, the NSF may restrict or disconnect your systems.

24 Bandwidth Limitations
Each Antarctic station and research vessel has limited Internet bandwidth available. For example, McMurdo residents (approx. 1,000 summer population) share the equivalent bandwidth of one residential high-speed Internet line in the U.S.
Streaming media services that have been documented to cause harmful impacts on USAP Antarctic station WAN bandwidth are prohibited:
- Streaming television and movie services (e.g., NetFlix, Hulu, YouTube, live television feeds from television networks and broadcast stations, etc.), irrespective of free service or fee for service
- Private streaming capabilities (e.g., personal streaming media servers such as Roku, TiVo, etc. that are outside the USAP network, for example on a home network in the US)
- Internet radio stations streaming at other than low bitrates (24 kb/s or lower)
Acceptable morale use may be restricted or limited if it negatively affects the USAP mission. Be a responsible USAP participant, and be frugal with your Internet usage.

25 Bandwidth Limitations
Skype, FaceTime, and similar personal telephony/video communications applications are prohibited for personal use. These services must be formally requested and approved for legitimate official business purposes (e.g., specific science grant educational outreach activities, specific mission operational functions, etc.).
Internet gaming activities that consume excessive bandwidth are prohibited.
When in doubt, check with the local IT operations support group for an assessment of bandwidth impact prior to attempting use.

26 Case Study—Limitations on Otherwise Authorized Use
At McMurdo, a herbie moved in while two hikers were still out on Castle Rock Loop. They haven’t called in, are overdue, and the Search and Rescue team has been dispatched. That afternoon, Bob starts to select albums on iTunes to use the $50 gift card he got for Christmas. He notices that the network seems to be pretty sluggish loading pages while he browses. Station Management is attempting to contact the NSF to keep them posted on the SAR team’s progress, but can’t get a clear call over the VoIP phones. What should Bob do?
Resolution: While iTunes and other music or video download services are considered acceptable use of the Internet on the USAP network, recreational use must not impact the USAP mission. In this scenario, Bob is witnessing a reduction in the quality of service because numerous people are simultaneously using McMurdo bandwidth for recreational purposes while life safety activities are occurring. Bob should wait until mission needs subside before conducting bandwidth-heavy activities. Be aware of your behavior and maintain situational awareness: if the WAN is slow, don’t do bandwidth-demanding activities.

27 USAP Network Access
Prior to accessing any USAP information systems, including the network, whether via a network account or just for Internet access, ALL prospective users must:
- Complete mandatory information security awareness training (this course).
- Familiarize themselves with NSF USAP information security policy, guidance, and the Enterprise Rules of Behavior.
- Sign and date the mandatory Acknowledgement Form, which includes additional terms/conditions for access to service and warnings regarding violations.
- Return the signed Acknowledgement Form to your sponsoring organization or manager to become part of the management record for the duration of your service access.
IF YOU DO NOT COMPLETE THESE BEFORE ARRIVING ON STATION/VESSEL, YOU WILL NOT HAVE ANY NETWORK OR INTERNET ACCESS UNTIL YOU COMPLETE THE REQUIRED AWARENESS TRAINING, SIGN THE ACKNOWLEDGEMENT FORM, AND SUBMIT TO ANY RELEVANT COMPUTER SCANNING/PATCHING REQUIREMENTS.
Delaying compliance with mandatory NSF USAP information security requirements until arrival on station/vessel may delay or prevent your ability to perform your job duties or field work. Station IT resources are not staffed to provide unlimited on-demand last-minute service. BE PREPARED. COMPLETE YOUR REQUIREMENTS AS EARLY IN THE DEPLOYMENT PROCESS AS POSSIBLE!
You are the only authorized user of the USAP equipment and network access issued to you. Do NOT allow unauthorized persons, for example visitors, guests, and family members, to access the Internet or other files from USAP equipment or accounts.

28 Password Requirements
The USAP network account issued to you is only to be used by you to access the network. It is prohibited to allow someone else to use your login information or your USAP email account. NEVER SHARE YOUR PASSWORD WITH OTHERS.
Your password:
- Must be a minimum of 12 alphanumeric characters
- Must not contain three or more consecutive characters from your username
- Must contain a combination of characters from at least three of the following categories: English uppercase characters (A-Z); English lowercase characters (a-z); base 10 digits (0-9); non-alphanumeric characters (for example: !, $, #, or %)
- Expires every 60 days and is not reused for one year
Examples of Strong Passwords: D@rkg066Le$$ (Dark goggles), Tr@vel2Ant@rctica (Travel to Antarctica)
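The rules above can be checked mechanically before a password is set. The following Python script is an added example, not part of the USAP course material: it implements the length, username-overlap, character-category, age, and reuse rules as stated on the slide, and tests them against the slide's two sample passwords plus two constructed failing ones. Where the slide leaves a detail open (how "three or more consecutive characters from your username" is matched, and that a plaintext history stands in for a hashed one), the interpretation is marked as an assumption in the code.

```python
"""Checker for the password rules on the slide above (added example)."""
import re
from datetime import date, timedelta

MIN_LENGTH = 12          # "minimum of 12 alphanumeric characters"
USERNAME_RUN = 3         # "three or more consecutive characters from your username"
MIN_CATEGORIES = 3       # "at least three of the following categories"
MAX_AGE_DAYS = 60        # "expires every 60 days"
REUSE_WINDOW_DAYS = 365  # "not reused for one year"

CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def username_overlap(password, username, run=USERNAME_RUN):
    """Return the first run of `run` consecutive username characters that also
    occurs in the password (compared case-insensitively), or None.
    Assumption: the slide's rule is read as "no substring of 3 or more
    username characters", which reduces to testing every length-3 window."""
    p, u = password.lower(), username.lower()
    for i in range(len(u) - run + 1):
        window = u[i:i + run]
        if window in p:
            return window
    return None


def present_categories(password):
    """Names of the character categories that occur in the password."""
    return [name for name, rx in CATEGORIES.items() if rx.search(password)]


def check_password(password, username):
    """Return a list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    overlap = username_overlap(password, username)
    if overlap is not None:
        problems.append(f"contains {USERNAME_RUN}+ consecutive username characters: {overlap!r}")
    found = present_categories(password)
    if len(found) < MIN_CATEGORIES:
        problems.append(f"only {len(found)} of {MIN_CATEGORIES} required character categories: {found}")
    return problems


def _as_date(value):
    """Accept a date or an ISO 8601 string such as '2024-03-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def needs_rotation(last_changed, today):
    """True once a password is MAX_AGE_DAYS old or older."""
    return _as_date(today) - _as_date(last_changed) >= timedelta(days=MAX_AGE_DAYS)


def reuse_blocked(candidate, history, today):
    """True if `candidate` equals a password retired within the last year.
    `history` is a list of (old_password, retired_on) pairs. Assumption: a real
    system compares salted hashes; plaintext is used only to keep this self-contained."""
    cutoff = _as_date(today) - timedelta(days=REUSE_WINDOW_DAYS)
    return any(old == candidate and _as_date(retired_on) >= cutoff for old, retired_on in history)


if __name__ == "__main__":
    # Constructed sample: the slide's two examples plus two that should fail.
    for pw in ("D@rkg066Le$$", "Tr@vel2Ant@rctica", "password", "Jsmith2024!!xx"):
        print(pw, "->", check_password(pw, "jsmith") or "OK")
```

Run it directly to see each sample password reported as OK or with the rules it breaks; `check_password` is the function an enrolment form or help-desk tool would call.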

29 Sensitive and Personally Identifiable Information
Personally identifiable information (PII) is information that can be used to distinguish or trace an individual’s identity, such as their name, social security number, or biometric records, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth or mother’s maiden name.
Sensitive information (SI) refers to information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction. The term also includes information whose improper use could adversely affect the ability of the agency to accomplish its mission, proprietary information, records about individuals requiring protection under the Privacy Act, and information not releasable under the Freedom of Information Act.

30 Sensitive and Personally Identifiable Information
Each USAP participant has a different responsibility for protecting PII and SI. US government employees, military personnel, contract employees, and others who may have exposure to USAP data are required to protect PII/SI in accordance with federal and statutory compliance requirements. While the grantee community may not come into contact with much PII or SI, the information presented on the following slides will prepare grantees to protect any PII or SI that they encounter, whether in the USAP, at their home institution, or at home.

31 Protecting Sensitive Information
Personally Identifiable Information (PII) may include:
- Social Security Numbers (SSN)
- Birth date and place of birth
- Mother’s maiden name
- Bank account information
- Medical information
Sensitive Information (SI) may include:
- Proprietary business information contained in funded proposals
- Reviewer identity tied to reviews
- Unfunded proposals
- Security information

32 Protecting Sensitive Information
Best practices, in your USAP work as well as your personal life, to protect sensitive information:
- Restrict access to those who require it to perform a legitimate function
- Physically secure documents
- Dispose of documents properly
- Lock your computer when not present
- Use caution in transport; be aware of “shoulder surfing”
- Encrypt portable devices
- If transmitting PII/SI via email, encrypt the data
Participants who handle government information must be cognizant of their responsibilities with PII/SI. Never release the following USAP information:
- USAP participant personal information or medical records
- SSNs, citizenship status, date/place of birth, marital status, home address, home phone, or salary of USAP personnel or USAP participants
- Information associated with USAP grant proposals, including: names of reviewers (and other identifying information) related to a proposal review; lists of proposals, Principal Investigators (PI), and institutions prior to award decisions; unsuccessful proposals

33 System Maintenance
NSF USAP Network Operations Continuously Monitors Your System: All systems connected to the USAP network are subject to continuous monitoring. Network traffic monitoring and vulnerability scans are used to identify vulnerabilities and risks to the USAP. If your system is deemed by the NSF to be an unacceptable threat to the network, your system may be disconnected.
Maintain Your System to Avoid a Disconnect Notice: Ways to properly maintain your system and lower the likelihood of its being identified as a risk to the network include the following:
- Maintaining current patches for the operating system and software applications installed on your system
- Updating antivirus definitions daily
- Running the current version of your antivirus software
- Remediating vulnerabilities in a timely manner
Antivirus Protection: All computers connected to the USAP network are required to run active and current antivirus software. When using a personal system on the USAP network, you are required to ensure that antivirus definition files are kept up to date, which can be achieved by enabling the auto-update option.

34 Spam, Scams, and Spyware
Spam is unsolicited advertising sent in bulk to many recipients, and is often used as a vehicle for identity theft or to distribute spyware and malware. Spyware monitors your computer, observes your Internet habits, and can report back what it sees. It can lead to identity theft and theft of other personal information.
Ignore unsolicited email; if you can’t tell that it’s from a known and trusted source, delete it without opening it.
- NEVER give out personal information
- Do NOT click links to web pages
- NEVER reply to spam

35 Don’t Get Caught by the Phishing Hook
Phishing is a method criminals use to compromise systems. Scammers copy major websites, then send a fake email with a link to the fake site. Some ways to detect that you’re being phished:
- Unsolicited emails, instant messages, or texts
- Misspelled URLs
- URLs that show a different address when you hover over them than what is written in the email

36 Don’t Get Caught by the Phishing Hook
Remember:
- Do NOT click links or open attachments in unexpected emails or in emails from people you don’t know.
- Even if you know who sent it, check the header of the email to see whether the sender’s address matches who it claims to be from.
- Check URLs before clicking on them; hover your cursor over the link and see if it matches what is typed in the message.
- Be careful about posting personal information.
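Two of the checks on these phishing slides, comparing the sender's address with the organisation it claims to be from and comparing a link's visible URL with the address it actually points to, can be automated for a mail gateway or a help-desk triage script. The Python script below is an added example, not part of the USAP course: it parses a constructed sample message (the `.example` hostnames are reserved documentation names, not real sites), lists every link whose visible URL and `href` target sit on different domains, and flags a sender whose domain is not the assumed expected one (`usap.gov`, taken from the course's contact slides). The domain comparison keeps only the last two DNS labels, a simplification noted in the code.

```python
"""Flag the phishing indicators named on the slides above (added example)."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: mail claiming to come from the organisation should originate here.
EXPECTED_SENDER_DOMAINS = {"usap.gov"}

# Constructed sample message for the example; the .example names are not real hosts.
SAMPLE_EMAIL = """\
From: "USAP Help Desk" <helpdesk@usap-support-login.example>
To: jsmith@usap.gov
Subject: Password expiring - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your USAP password expires today. Sign in to keep your access:</p>
<p><a href="http://usap.gov.login-verify.example/reset">http://www.usap.gov/reset</a></p>
<p>Policies: <a href="http://www.usap.gov/technology/">http://www.usap.gov/technology/</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(hostname):
    """Last two DNS labels, e.g. 'www.usap.gov' -> 'usap.gov'.
    Simplification: a production check would use the public suffix list so that
    names such as 'example.co.uk' are reduced correctly."""
    labels = (hostname or "").lower().strip(".").split(".")
    return ".".join(labels[-2:])


def mismatched_links(html_body):
    """Links whose visible text is itself a URL on a different domain than the
    real href target: the 'hover shows a different address' indicator."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        if not text.lower().startswith(("http://", "https://")):
            continue  # wording like 'click here' gives nothing to compare against
        if base_domain(urlparse(href).hostname) != base_domain(urlparse(text).hostname):
            flagged.append((text, href))
    return flagged


def analyze_message(raw):
    """Return the indicators found in one raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    _display_name, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    html_part = msg.get_body(preferencelist=("html",))
    body = html_part.get_content() if html_part is not None else ""
    links = mismatched_links(body)
    sender_ok = base_domain(sender_domain) in EXPECTED_SENDER_DOMAINS
    return {
        "sender_domain": sender_domain,
        "sender_expected": sender_ok,
        "mismatched_links": links,
        "suspicious": (not sender_ok) or bool(links),
    }


if __name__ == "__main__":
    print(analyze_message(SAMPLE_EMAIL))
```

For the sample message the result names the unexpected sender domain and the one link whose visible `www.usap.gov` text hides a different target, while the genuine policy link passes. A result marked suspicious is a reason to report the message to the help desk contacts listed later in this course rather than to click anything in it.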

37 Reporting an Incident
In the event of a suspected or confirmed breach of sensitive information (SI) or personally identifiable information (PII), you must immediately report the event. If you realize you’ve been the victim of a phishing attack, or if there is suspicious activity on your computer, report it as soon as possible.

38 Contact Information
If you have any questions, or need to report suspicious activity or an incident, use the contact information below based on your location.
- For USAP operating locations in the US (Denver, CO; Charleston, SC; Port Hueneme, CA; or offices in Arlington, VA and Galveston, TX), please contact the USAP Enterprise Help Desk: helpdesk@usap.gov / 720-568-2001
- For the Christchurch, NZ USAP operating location, please contact the Christchurch Help Desk: chc-helpdesk@usap.gov / x35420
- For the Punta Arenas, Chile USAP operating location, please contact the USAP Enterprise Help Desk: helpdesk@usap.gov / 720-568-2001

39 Contact Information
For Antarctic stations and vessels, please contact:
- Palmer Station: Palmer.helpdesk@usap.gov / x52794
- McMurdo Station: MCM-helpdesk@usap.gov / x3700
- South Pole Station: POL-helpdesk@usap.gov / x61603 (winter), x61801 (summer)
- Research Vessels: LMG: admin@lmg.usap.gov / x52855; NBP: admin@nbp.usap.gov / x52861

40 For More Information
If you have any questions on information security or on acceptable or prohibited uses of the USAP network, please contact us. And remember: the USAP Information Security Policies are located at: http://www.usap.gov/technology/

41 Summary
The protection of the USAP network and the government information that resides on it depends on your awareness of threats to USAP information and systems, and on a solid understanding of your responsibilities in the use and operation of network resources. Failing to do your part increases risks to the network and other users, and could lead to a compromise for which you will be held responsible.
Use of NSF USAP information systems is a privilege. Failure to comply with required information security policy and obligations could result in temporary or permanent revocation of this privilege, irrespective of your status as contractor, grantee, or government employee.

