T.R | Title | User | Personal Name | Date | Lines |
---|
4589.1 | Hypothetically speaking... | ATLANT::SCHMIDT | See http://atlant2.zko.dec.com/ | Sun May 12 1996 12:48 | 22 |
| NOTE WELL:
All of the following assumes that I did not have any information
on my web site that I considered to be covered by the higher
security classifications.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
If I were to receive such a phone call, I'd immediately ask for
a memo/email from the caller stating:
o Exactly what information was "in violation" of exactly
which policy, and
o The expected remedy, and
o The escalation path through the complainer's management
so that, if I felt there was cause, we could have a full,
frank, and *OPEN* debate about the issue.
Atlant
|
4589.2 | king Canute? | ANNECY::HOTCHKISS | | Mon May 13 1996 04:28 | 13 |
| This is baloney.
First, get proof of who is calling and get it in writing.
Second, ask them what is wrong with our firewall which blocks external
access.
Third, ask them to schedule the clean up of internal web sites AFTER
cleaning ALL machines internally with confidential info available - how
many thousands do we have?
Fourth, ask for which policy this contravenes.
The new way of disseminating information involves a degree of openness
which would APPEAR to be out of line with what you have been asked to
do. The last guy to try this trick was called King Canute...
|
4589.3 | Internal Alta Vista is great | DECCXX::AMARTIN | Alan H. Martin | Mon May 13 1996 09:11 | 5 |
| Re .0:
Are you referring to http://www.sto.dec.com/rat/admin/hrlist.html or some other
page?
/AHM/THX
|
4589.4 | | ATLANT::SCHMIDT | See http://atlant2.zko.dec.com/ | Mon May 13 1996 10:08 | 8 |
| > Are you referring to http://www.sto.dec.com/rat/admin/hrlist.html or
> some other page?
Well, if it *IS* that page, I'll bet there are now more copies
of that page *SAVED* on peoples' systems than there were people
*AWARE* of that page before.
Atlant
|
4589.5 | confidential? | CFSCTC::PATIL | Avinash Patil dtn:227-3280 | Mon May 13 1996 11:15 | 5 |
|
HR (Human resource) list confidential? Why? I thought employees were supposed
to know who their HR people are. What am I missing?
Avinash
|
4589.6 | URL found NOT | STOSS1::OBLACK | Marty OBlack | Mon May 13 1996 11:32 | 8 |
| Good points all. Because, I was told, it was URGENT for me to get that
information off of the "Internet", I was contacted by pager at a customer
site. I was busy working an 8400 outage, so my options were limited to
complying and to do the follow up after the fact.
The person that maintains our /rat directory structure had done a restore
on said directory tree for an unrelated problem and the file reappeared
for a short time...thanks for pointing this out.
|
4589.7 | Good luck to the base note caller | WOTVAX::HILLN | It's OK, it'll be dark by nightfall | Mon May 13 1996 13:21 | 8 |
| Whoever made that call is going to be busy, busy, busy soon as the
internal web pages become the preferred source of all sorts of
information to the world of the ABU.
It wouldn't surprise me to see web pages take over from Readers Choice.
Hope he's ready with his black coffee and phone book! There's going to
be some 24 hour working days for him.
|
4589.8 | | DECWET::FARLEE | Insufficient Virtual um...er.... | Mon May 13 1996 13:34 | 14 |
| It sounds like there is a job of education to be done.
(I almost said a "simple job of education", but some folks are pretty
good at resisting...)
What needs to happen is that the original caller needs to be identified, and
they and their management chain, need to be informed of the difference
between "intranet" and "internet", as well as all of the policy and technology
that enforces this distinction.
If allowed to run wild with such tactics, we all stand to lose access to much
valuable information.
Kevin Farlee
|
4589.9 | | QUARK::LIONEL | Free advice is worth every cent | Mon May 13 1996 14:57 | 21 |
| The policy under discussion is "Corporate Security Standard 210.1"
which is accessible through VTX POLICY. It describes the four levels of
classification of proprietary information:
DIGITAL RESTRICTED DISTRIBUTION
DIGITAL PERSONAL
DIGITAL CONFIDENTIAL
DIGITAL INTERNAL USE ONLY
Of these, only "documents" of the last classification may be made available
internally in an "unattended" manner (such as via the web), and then only
with permission of the author. There are no restrictions on how documents
in the last classification are to be handled other than that the
classification be clearly labelled. (I note a reference to a "Digital
classification logo", but the standard does not say where you find this.)
Unless the document in question was classified and labelled "DIGITAL
CONFIDENTIAL" or higher, HR had no right to demand its removal from the
internal web server.
Steve
|
4589.10 | What about "Information Containing No Restrictions"? | SIPAPU::KILGORE | The UT Desert Rat living in CO | Mon May 13 1996 16:06 | 13 |
| >> DIGITAL RESTRICTED DISTRIBUTION
>> DIGITAL PERSONAL
>> DIGITAL CONFIDENTIAL
>> DIGITAL INTERNAL USE ONLY
There is a 5th classification per Digital Standard 128-0, Security
Classifications for Engineering Intellectual Property, which is
currently under review. The classification is:
Information Containing No Restrictions
There are a lot of memos that come down the pipe that have no classifications
stated on them. So I figure these must fall under this last one. :-)
|
4589.11 | | HDLITE::SCHAFER | Mark Schafer, SPE MRO | Mon May 13 1996 16:10 | 8 |
| Well, he's in good company if his stuff is confidential. Internal Alta
Vista just makes it easier to find!
Word count: digital confidential: about 1000
Documents 1-10 of about 1000 matching some of the query terms, best
matches first.
|
4589.12 | | EEMELI::BACKSTROM | bwk,pjp;SwTools;pg2;lines23-24 | Mon May 13 1996 18:39 | 6 |
| Re: .11
Even the external AltaVista finds something with "digital confidential"
and "digital internal use".
...petri
|
4589.13 | I'll check.. | STOSS1::OBLACK | Marty OBlack | Mon May 13 1996 23:44 | 2 |
| I will check on the security classification of the original
document after I pull it from a backup. I deleted my copy.
|
4589.14 | Recent Security Update | ASABET::SILVERBERG | My Other O/S is UNIX | Tue May 14 1996 06:52 | 98 |
|
From Chuck Noble, @MSO, DTN 223-8728
DIGITAL INTERNAL USE ONLY
************** CORPORATE INFORMATION SECURITY GROUP **************
* 13 May,1996 *
********************** SECURITY UPDATE #96-1 *********************
This security update is for distribution to all Digital employees and
contract personnel worldwide. It contains general information
regarding information security issues and activities. Center of
Control Managers hosting contract personnel are responsible to ensure
appropriate forwarding of this Update.
ENHANCEMENTS TO CORPORATE INFORMATION SECURITY COMMUNICATION PROGRAM
In an ongoing effort to improve and maintain effective communication
of Digital's information security concerns and requirements, the
Corporate Information Security Group (CISG) recently conducted a Total
Quality Management (TQM) review of the CISG Security Communication
Process. As an outcome of this effort, a number of enhancements were
identified and will be implemented over the next few weeks. You will
shortly begin to see some of these enhancements, particularly in the
ways that security communications will now be provided to Digital's
workforce.
CHANGES YOU WILL SEE
CISG Security Advisories and Security Bulletins are the corner-stones
for communicating critical, time-sensitive information concerning
information security, that often requires mandatory action. To ensure
the broadest necessary distribution of the release of an Advisory or
Bulletin, CISG will begin internal worldwide distribution of CISG
Security Announcements. An announcement of an Advisory or Bulletin
will contain concise information regarding the impact and severity of
a security concern, who is affected and/or required to take action,
and network locations for accessing the detailed Advisory or Bulletin.
These new announcements will be communicated to all Digital employees
and contractors using READERS CHOICE and LIVE WIRE.
One of the advantages from implementing the announcement process is
the assurance that a timely, brief communication will be available to
all affected personnel. This will allow a more timely response to
required actions. Another advantage is that only personnel affected
or required to take action, or are otherwise interested, will need to
access the detailed information. This will help decrease the load on
internal mail networks and servers.
Additional changes over the next few weeks include:
oo Establishment of formal repositories for security communications
and software security patch kits, as necessary
oo Increased use of the internal Web for communicating security
information.
WHAT REMAINS THE SAME
The foundation of CISG Security Communication is still the Security
Advisories, Bulletins, Updates, Guidelines. These communications will
continue to be prioritized into:
1. Information Security Advisories
- Highest Risk/Threat/Vulnerability Level
- Time-sensitive - Typically requires mandatory action(s)
2. Information Security Bulletins
- Moderate Risk/Threat/Vulnerability
- Not as time-sensitive - May or may not require action(s)
3. Information Security Updates
- General communication to all employees - Not time-sensitive
- Useful information, updates, new requirements or changes
4. Information Security Guidelines
- Define security procedures in lieu of standard
- Used to reduce risk in a timely manner
- Not intended as total solution
The Corporate Information Security Group continues to be the only
authorized source of computer/network security related advisories and
bulletins for Digital. Please advise your system managers and users
of Digital's computers and networks that any security warnings,
alerts, advisories, and bulletins -- especially those requiring
responsive action on their part -- are the explicit responsibility of
the CISG.
If an internal or external advisory or bulletin is received from other
sources and no information on the topic has been received from CISG,
please contact us at DTN 223-8900. This allows a single focus for all
security advisory and bulletin information within Digital. A complete
archive of all security advisories and bulletins can be found via
NOTES at:
- MINOTR::SECURITY_ADVISORY
- URL http://www-notes.lkg.dec.com/minotr/security_advisory
-=<>=-
Any questions or comments concerning this or any other
Information Security Communication should be addressed to
CISG @MSO, or [email protected].
DIGITAL INTERNAL USE ONLY
|
4589.15 | no classification | STOSS1::OBLACK | Marty OBlack | Tue May 14 1996 17:18 | 7 |
| I looked at the html output from Internet Assistant for Word and
could find no security classifications on the document. I think
this would default to Digital Internal Use Only because it does
give names and numbers to contact for various issues, but I don't
have access to the original memo. It looks suitable for posting
to me and seems to be for the general employee population. I'll
forward it to personnel and ask if I can re-post it on our web.
|
4589.16 | Hellllloooooooo! | MPOS02::BJAMES | I feel the need, the need for SPEED | Tue May 14 1996 17:49 | 22 |
| Clearly the caller couldn't differentiate between an Internet, Intranet
or a Volkswagen. Well maybe a Volkswagen only because the Farfugnugen
sticker would be on the back window :')
But seriously, I'd have said, "Look you got a problem put it in writing
and send it to my boss and he/she will be happy to review it and get
back to you about it. Now, it's off to work I go."
And I wouldn't mess with it further unless my manager came to me with
the details. Obviously, these folks don't have enough to do with their
day other than to muck around in B.S. like this.
Everyone pretty much knows about the rules as outlined in the security
memos. I mean if I'm a moderator or a website master don't you think
I'm going to pay some attention to the stuff that would get me
terminated? Assuming that all the bulbs are lit upstairs, I
probably would be on top of this stuff.
Don't worry about it. That's yet another example of folks who are
scrambling for something to do before the next TFSO.
Mav
|
4589.17 | At a minimum | SNAX::PIERPONT | | Thu May 16 1996 11:48 | 6 |
| Extracted from: (CP211-00) General Requirements for Computer Security
NOTE
All Digital internal telephone numbers are classified at a minimum
as Digital Internal Use Only.
|
4589.18 | | ATLANT::SCHMIDT | See http://atlant2.zko.dec.com/ | Thu May 16 1996 13:27 | 13 |
| > All Digital internal telephone numbers are classified at a minimum
> as Digital Internal Use Only.
And that's obviously BS. A statement put together by someone
who put exactly 3 ns of thought into the ramifications.
Customer: "So Bob, where can I call you back?"
Bob: "I could tell you, but then I'd have to kill you.
Corporate Security Policy CP211-00, don't you know?
Just call 508-493-5111 and ask for Bob."
Atlant
|
4589.19 | more information | STOSS1::OBLACK | Marty OBlack | Thu May 16 1996 15:11 | 74 |
|
Well, I did receive feedback from personnel about my note. First,
there initially was some confusion about our intranet being only
available to internal employees. I think that issue may be clear
now to everyone involved.
Second, although there was not a violation of company information
policy, the information posted was not on a public VTX directory, but
rather from a VTX application used by Human Resource Assistants who
answer calls on the People Support Network (PSN), HR's call handling
group. (This VTX application appears to have been publicly accessible
at some point.)
This list has been around for a long time but the reason they hesitate
to make it public is that they would prefer to have employees call the
PSN for the latest information. (Seems like a good idea!)
The way they work is that a HRA takes the call and contacts the person
on the list who can best answer the question. This is part of their
operating standards for handling the HR phones. Also, this list is
updated on a monthly basis and if it is posted it may become dated.
I did receive permission to post the following on my site:
THE U.S. HUMAN RESOURCE ADMINISTRATION CENTER - YOUR LINK TO HUMAN
RESOURCE ADMINISTRATION
A few years ago, as part of our goal to become more streamlined and
efficient, Human Resources set up one, centralized Administration
Center to provide information and answer questions. Working from the
MSO1 facility in Maynard, Massachusetts, the HR Admin Center provides
access to Human Resource information. Here are some of the ways the
Center works for you:
o The People Support Network (PSN) - DTN 592-7500 or 1-800-544-9944
Currently supporting over 1200 calls per week, Human Resource
Assistants are available from 8:15 am to 8:00 pm (EST), Monday
through Friday.
o The Staffing and Planning Hotline - DTN 223-5432 or 508-493-5432
Currently supporting U.S. Staffing and Planning Recruiters,
Staffing Human Resource Assistants are available from 8:15 am to
8:00 pm (EST), Monday through Friday.
o Some of the other services provided within the HR Admin Center
are:
- Maintenance of all employee Human Resource files
- Updating and processing personal and company data
- Support for all International assignees
- Performing new hire orientations
- Administering the condolence program, providing flowers
or charitable donations
- Issuing both internal and external U.S. job offers
- Coordinating applicant and resume tracking
THE HR ADMIN CENTER OFFERS AN EFFICIENT SOLUTION FOR YOUR HUMAN
RESOURCE ADMINISTRATIVE NEEDS. WE'RE AT YOUR SERVICE - "WHATEVER IT
TAKES" TO GET THE JOB DONE!
You can reach us at: US HR Administration Center
111 Powdermill Road
MSO1-1/B4
Maynard, MA 01754
ICS::USHR or USHR @MSO
Fax#: DTN: 223-8952 or 508-493-8952
PSN#: DTN: 592-7500 or 800-544-9944
Please print and save this document as a resource for your Human
Resource Administrative needs.
|
4589.20 | | ACISS2::LENNIG | Dave (N8JCX), MIG, @CYO | Thu May 16 1996 15:25 | 5 |
| Interesting -
I received an email copy of .-1 on Tuesday, marked 'URGENT INFO' (?)
Hmmm...
|
4589.21 | The Cure of Docter Tarr and Professor Feather | ATLANT::SCHMIDT | See http://atlant2.zko.dec.com/ | Thu May 16 1996 15:26 | 17 |
| .L> This list has been around for a long time but the reason they hesitate
.L> to make it public is that they would prefer to have employees call the
.L> PSN for the latest information. (Seems like a good idea!)
.0> I did receive such a call stating that I was in violation of company
.0> policy because I had posted company information on the "Internet"
.0> without permission. I was told that I could be terminated for making
.0> this information available to persons outside of Digital. It was
.0> not a fun phone call and I don't think it should have happened.
So for their "hesitation", you were threatened with "termination".
Seems fair to me.
Is it any wonder we're reading a lot of "Good Bye!" notes?
Atlant
|
4589.22 | Ready,fire!,aim? | STOSS1::OBLACK | Marty OBlack | Fri May 17 1996 01:25 | 11 |
| re: -1
Although I am pretty sure that the person(s) who initiated this
process did not know it would be communicated to me that way, you
have accurately characterized this situation. Of all groups, the
personnel organization should be careful to check out the details
before talking about immediate termination. Thank you all for
your feedback and comments.
Marty
|
4589.23 | Solution 101~ | PCBUOA::WHITEC | Parrot_Trooper | Fri May 17 1996 10:41 | 7 |
|
What about IMMEDIATE termination of H/R types that go off half cocked
and upset the human resources of the company for reasons of ignorance?
Nah, never work. ;^)
chet
|