|
DIGITAL INTERNAL USE ONLY
** DRAFT **
EXARC STANDARD PROCEDURE
FOR
HOME COMPUTER CONNECTIONS
BACKGROUND:
Frequently, computers in Digital Internal Users' homes are
connected to Digital's internal computer systems to satisfy valid
business requirements. Prudent accountability must be exercised
to ensure such connections are in accordance with Corporate
policies and procedures.
OBJECTIVE:
The objective of this procedure is to establish minimum
requirements for Home Computer connections.
SCOPE:
Digital Worldwide. This procedure is intended to address node and
terminal emulation connections from Home Computers. This
procedure is not intended to address basic terminal connections.
DEFINITIONS:
Computer:
A device that processes information. A machine that has
input, output, storage, and arithmetic devices plus logic and
control units.
(Ref; The Digital Dictionary, Second Edition, copyright 1986)
Home Computer:
Any computer which is maintained in a Digital Internal User's
place of private residence, and which is used to establish
node and/or terminal emulation connections to Digital's
internal computer systems.
Home Computer User:
The Home Computer User is the Digital Internal User
authorized to establish node and/or terminal emulation
connections to Digital's internal computer systems from
his/her designated Home Computer. The person accountable for
maintaining secure access and use of the Home Computer, in
accordance with corporate policies and procedures.
DIGITAL INTERNAL USE ONLY
** DRAFT **
Digital Internal User:
1. Any Digital Employee, or
2. Any Contract Worker or Consultant, as defined by Corporate
Personnel Policy 2.01, who is granted access privileges
necessary to perform his/her contracted tasks.
Network:
A collection of interconnected computer systems.
(Ref; The Digital Dictionary, Second Edition, copyright 1986)
Node:
An individual computer system in a network that can
communicate with other computer systems in the network.
(Ref; The Digital Dictionary, Second Edition, copyright 1986)
Routing Node:
A node that can transfer information from one node to another
node.
(Ref; The Digital Dictionary, Second Edition, copyright 1986)
Terminal:
A peripheral device that has a keyboard and a video screen or
printer, which, under program control, enables a user to type
commands and data on the keyboard and to receive messages on
the video screen or printer. (Ref; The Digital Dictionary,
Second Edition, copyright 1986)
Terminal Emulation:
The mode of operation in which a computer is logged on to a
host computer system and appears to the host as a terminal.
(Ref; The Digital Dictionary, Second Edition, copyright 1986)
PROCEDURE:
To establish node and/or terminal emulation connections to
Digital's internal computer systems, an External Access Request
must be prepared and submitted in accordance with Corporate DIS
Policy 6.13, after obtaining the additionally required
authorization:
1. The Home Computer User's Cost Center Manager
2. The Network Area Manager providing internal Network Router
support
3. The Manager responsible for information security for the
business function.
A Home Computer Connection request must be in writing and
identify the Home Computer User's name, Digital Badge Number, the
location of the Home Computer, the registered Node Name and Number
for the Internal Node(s), a brief description of the business or
DIGITAL INTERNAL USE ONLY
** DRAFT **
job requirement this connection will satisfy, and the Digital
proprietary, personnel, export controlled, or other, information
that will be accessed and/or maintained by the Home Computer. The
Home Computer Connection request must also include an
acknowledgment, signed by the Home Computer User and His/her Cost
Center Manager, that they have both read and understand all
related corporate policies, procedures, and standards (see
"RELATED POLICIES:"). Lastly, the request must include a
completed EXTERNAL ACCESS REQUEST form for the internal computer
system(s) assigned to receive Home Computer connections.
All approved Home Computer connections must be re-approved every
six months. Home Computer connections already occurring when this
procedure is implemented, must be reviewed immediately for
compliance with this procedure.
REQUIREMENTS:
1. If Digital has provided the computer to be used as the Home
Computer, then the Home Computer must:
-- Have a properly executed Property Removal Pass
-- Have ONLY Digital owned or licensed software installed.
2. The Home Computer must be registered with the Corporate Data
Networks Program.
3. The Home Computer must be completely controlled by the Home
Computer User Family members, and non-family members, who are not
also Digital Internal Users are not to be granted access
privileges. The Home Computer must be kept secure from
unauthorized access when the Home Computer User is not present.
Maintaining the Home Computer in a locked room or cabinet is
strongly recommended.
4. The Home Computer must always connect to the assigned
internal computer system(s).
5. Network node connections must use Routing Initialization
Passwords for link authorization. However, the Home Computer
must NOT itself be configured as a network routing node. All
network node connections should be to an internal Network Router,
which is supported by the appropriate Digital Geography
Telecommunications group.
6. When available, the use of an "auto-callback" mechanism on
the internal computer system is strongly recommended.
DIGITAL INTERNAL USE ONLY
** DRAFT **
RESPONSIBILITIES:
1. Home Computer User -
The Home Computer User is responsible for preparing the Home
Computer Connection request, the EXTERNAL ACCESS REQUEST
form, and his/her signed policy acknowledgment, and
obtaining the required approvals from:
-- His/her CC Manager
-- Network Area Manager
-- Information Security Manager
-- Others, as required for the EXTERNAL ACCESS REQUEST
form.
Once the approvals are obtained, the Home Computer User will
maintain a copy of the approved request forms for audit
purposes.
2. Home Computer User's Cost Center Manager -
The Cost Center Manager will ensure the connection is
necessary to support a business or job requirement and
required forms are properly completed. He/she will also
ensure the Home Computer User has proper authorization from
the System Manager(s) of the internal computer system(s) to
be accessed. The Home Computer User's Cost Center Manager
will sign the policy acknowledgment and maintain copies of
the approved request forms for audit purposes.
When the Cost Center Manager finds one of his/her Employees
involved with an unauthorized Home Computer connection,
he/she will ensure that the connection is discontinued until
such time it is properly authorized.
At such time as the Home Computer User is no longer a member
of the approving Cost Center -- such as transfer, leave of
absence, or termination -- the Cost Center Manager will
ensure that all Digital owned property and proprietary
information is returned by the Home Computer User. The
Manager will also notify the Network Area Manager, the
Information Security Manager, and the System Managers of the
internal nodes assigned to support the Home Node connection,
of such changes in the Home Computer User's status.
3. Network Area Manager -
The Network Area Manager will ensure the request has received
the Home Computer User's Cost Center Manager's approval and
that the Home Computer and the internal computer system(s)
assigned for connection are registered with the Corporate
Data Networks Program. If the access is to be a network
DIGITAL INTERNAL USE ONLY
** DRAFT **
link, then he/she will ensure that Routing Initialization
Passwords are used. The Network Area Manager will maintain a
copy of the approved request for audit purposes.
When the Network Area Manager finds an unauthorized Home
Computer connection occurring, he/she will inform the
involved Home Computer User's Cost Center Manager, who will
ensure that the connection is discontinued until such time it
is properly authorized.
4. Information Security Manager -
The Information Security Manager will review the Digital
information intended to be accessed and ensure the Home
Computer User is authorized to access that information.
He/she will also ensure the information will be handled in
accordance with corporate policies, and that both the
Internal User and his/her CC Manager have signed policy
acknowledgments. The Information Security Manager will
maintain a copy of the approved request for audit purposes.
When the Information Security Manager finds an unauthorized
Home Computer connection occurring, he/she will inform the
involved Home Computer User's Cost Center Manager, who will
ensure that the connection is discontinued until such time it
is properly authorized.
RELATED POLICIES:
Both the Home Computer User and his/her Cost Center Manager are
responsible for providing signed acknowledgments that they have
read and understand the following policies, procedures, and
standards.
DIS Policies and Procedures:
3.10 - Electronic Information Protection
3.11 - Electronic Information Access
4.91 - Internal Use and Distribution of External Proprietary Software
6.11 - Connection to EASYnet
6.13 - Connection of External Terminals, Computer Systems, and Networks
to Digital's Internal Systems and Networks
6.14 - Electronic Mail System Accounts for Those Who Are Not Digital
Employees.
6.41 - Handling of Legally Regulated Information
Corporate Security Policy and Standards Manual:
Section 2.1 - Property Removal Pass
Section 10 - Proprietary Information
Section 11 - Electronic Information Protection
DIGITAL INTERNAL USE ONLY
** DRAFT **
Personnel Policies and Procedures:
2.01 - Employment
6.24 - Employee Conduct
6.26 - Internal Use and Distribution of External Proprietary Software
6.54 - Proper Use of Digital's Computer Systems and Networks
8.03 - Proprietary Information Protection Policies
Corporate Finance and Administration Policies
903-04 - Electronic Information Security
903-05 - Electronic Information Access
|
| Art,
Your third paragraph stands as a good capsule critique. The things
you mention, fleshed out, are pretty damning to the policy as written.
Now, a cynic might say that this draft policy reeks of a hidden
agenda. But let me make a few short comments which address the
connection policy draft's shortcomings.
1. It's not clear why DIS Policy 6.13 - Connection of External
Terminals, Computer Systems and Networks - needs changing to such
a degree. If the goal is better protection of Digital's proprietary
information, then a better policy might cover "Storage and Processing
of Proprietary Electronic Information by Off-Site Computers."
2. This policy makes no attempt to address the easy integration
of electronic tools into the job when working off-site. It will
certainly discourage working at home.
3. It seems to be yet another point response to a perceived threat
when an integrated information security policy is needed instead.
4. It will be open to widely varying interpretation and discourage
working at home.
5. It makes audacious claims against employees' privacy and ethics.
6. This policy moves employees yet another step down the road from
being trusted professionals to being adversaries of the corporation.
By the way, individual access request forms and dialback modems
are not in general use around Greater Maynard, to my knowledge.
To put the home computer 'threat' in perspective, let me suggest that
an unscrupulous employee with a VAXmate or Rainbow somewhere at
his site, and with a $7 box of diskettes, poses a far greater danger
to the corporation than those of us who dial in to get our work
done or download after hours.
This policy is getting coverage in other personal computer notesfiles,
and looking outside this conference may be worthwhile.
Wes Plouff
|
| re: .2
|
| Do you work for the same company that I do? Perhaps you actually are
|
Paul, I think its the same company? Although having worked in
Manufacturing for my 12 years with DEC, where you have to return
your pencil subs before you get another one, while at the same
time the salesforce was off in Hawaii, I sometimes wonder! But
that's a subject for another very emotional discussion.
|
| Where I work they either don't have such ridiculous policies, or they
|
Maybe I didn't make it clear, but the DRAFT in .1 is a CORPORATE
(not Canadian) DIS Policy, and as such should impact everyone -
"SCOPE: Digital Worldwide". Much of this did sound 1984'ish, and
that's why I posted it.
I also may have given the wrong impression regarding the
eleventeen forms. The process for completing the forms I
described is relatively easy - your name, badge number, cost
centre, phone number, location code, and finally your signature,
and your Plant Staff members signature. Normally a new hire
collects an account and line request form his/her first day and
has them both signed by the manager in one-swell-foop. However,
while completion of the form is a relatively simple, routine task,
MIS and the Plant Staff (and hopefully the employee) take the act
of the employee having affixed his/her signature to a statement at
the bottom of each form that they have read and will adhere to the
applicable Policies and Procedures, understand the importance of
protecting Digitals 'jewels', etc., etc., VERY SERIOUSLY. If you
don't have any such/like forms, I would suggest that your IS
organization hasn't been audited.
|
| What do they do to you if you just happen to hear of a phone number and
|
As Alan described in .3, knowing the dial-back number buys you
nothing without you knowing a password and the dial-back having
your phone number tied to that password so that it can call you
back after you hang up. This is why the ""use of an
"auto-callback" mechanism" is strongly recommended""
(REQUIREMENTS: #6).
Like I said in .0, I don't know how they are going to audit parts
of this - short of breaking into my house! Maybe they will pay
the System Managers to watch for Kermit and Xmodem images running
during off hours and report the culprits to the CIA?
--- Not me! I sold my AMIGA for a VT100. Honest! ---
re: .4
Wes, excellent input. I will incorporate some of your thoughts in
my response to the Gods. I will also check some of the other PC
notesfiles.
Art
|
| I wonder how much this has to do with a law that may exist prohibiting
unauthorized access to computers for felonious purposes. It could
protect an employee if records showed full authorization to sign
on the system, in a case in which the employee was accused of
unauthorized access.
Dial-back is a pretty secure system, and is often used by the military.
DEC , as a successful computer company, is under constant scrutiny
by competitors, and subject to industrial espionage by unscrupulous
persons. In addition, pranksters, hackers that hurt systems, viruses,
and other mischief are problems that should be contained. Security
of information is also important. I'd be surprised if someday we
weren't required to use encryption to move Digital info. over the
phone. Printers at home are discouraged in some DEC facilities.
I am concerned about guarding my home computer to DEC policies and
procedures. This should be only necessary WHILE it is connected. When
the home computer is not connected, and if I own it, I should be
expected to follow
my own procedures. Only while the computer is connected to Digital
networks, if owned by the user, need Digital policies and procedures
be required by Digital.
Remember there are hundreds of teenage hackers out there trying
to get into our systems, or anyway assume that they are close to
guessing your password because you used something obvious. The
only footprints they would leave would be in your ACCOUNT file.
Tom
|
| After writing .4, I had some second thoughts and was ready to replace
that reply with a toned-down version. As someone with casual access
to rather opulent computing resources, I had quite a knee-jerk
reaction! But now it's too late to recall that message.
I think security policies like this have to be placed in context.
To paraphrase the VMS manuals, every security enhancement comes
at the expense of some productivity or convenience. The draft policy
is bothersome because, even stripped of some of its more outlandish
requirements, it does not attempt to strike a balance. We ordinary
users come out on the wrong end of this, because there are people
whose job includes identifying security issues, but really nobody
to champion the ease/productivity side. And arguments on both sides
are impossible to quantify.
This policy and Art Gosling's description of Kanata's current policies
show up the piecemeal and uneven treatment of security issues around
the corporation. There is really no one person or committee who
tries to address these issues in some coordinated fashion. This
policy is somewhat similar in spirit to the policy which does not
allow electronic mail addresses on business cards unless they take
a form currently unsupported by any Digital product or resource.
In other words, these policies fulfill some group's narrow goal
with no consideration of the big picture.
Lastly, this proposed policy and some accomodating answers disturb
me because in other aspects of my job, I am trusted to do the right
thing. That attitude is a refreshing change from other companies,
where controls are used widely instead of the Digital norms of
consensus, cooperation and trust. The cumulative effect of policies
like this makes Digital a much more ordinary place to work.
Wes Plouff
|