Computer and Network Security Handbook

Date: Tue, 06 Jul 1999 14:41:34 -0400
To: "USGS Employees"
From: "Director's Office"
Subject: Computer and Network Security Handbook

NOTE TO SUPERVISORS: Please ensure that all employees without access to e-mail receive a copy of this message.

MEMORANDUM

June 30, 1999

To: All U.S. Geological Survey Employees
From: Barbara J. Ryan
      Associate Director for Operations
Subject: Computer and Network Security Handbook

The purpose of this memorandum is to announce the approval of the new Computer and Network Security Handbook. The primary purpose of this handbook is to recast and apply many of the computer security policies and guidelines that were developed when our systems were more centrally based to our new networked information technology environment.

Since 1993, the Survey Manual Chapter 600.5, "Automated Information Systems Security - General Requirement," has been the primary source of computer security policy for the U.S. Geological Survey (USGS). There have, however, been many technological innovations, Federal policy changes, and outside influences that have created the need to modernize our computer security-related policies. Compared with the past, there is a tremendous increase in the number of unauthorized system intrusions and denial of service attacks. These were very rare occurrences 10 years ago; they now happen several times a day. It is crucial that appropriate computer security policies and guidelines are developed to help minimize the impacts that these events have on our computing resources. In concert with our strong desire to provide maximum public access to our information must come the means to ensure that the very systems used to supply these services are not misused to gain unauthorized access to our own networks.

In addition to updating our current computer security policies and guidelines to fit the new technologies and business practices, the Computer and Network Security Handbook introduces two major new policy areas: "Web Security" and "Computer Security Incident Response." Since the concept of using Internet Web services as a method of freely distributing information first took hold in the USGS, the number of USGS-owned Web servers has grown at an astounding rate. At the same time, the Internet has become a source of antagonism. The freedom of the Internet and the proliferation of malicious software have created an environment that is insecure. This Handbook provides us with a set of security standards and procedures that will lead the way in helping to minimize the risks of unauthorized intrusions and denial of service attacks.

Any computer security program must rely on both proactive and reactive control measures. A control that has recently been shown to be a critical part of an effective security program is the Computer Security Incident Response Capability (CSIRC). The USGS CSIRC defined in this Handbook establishes the requirements for a program that would evaluate the vulnerabilities of our systems on a regular basis, provide security-related awareness information to users and system administrators, and respond in a timely manner to incidents that threaten our computer resources.

The Computer and Network Security Handbook will exist only as a web-based document referenced by the Survey Manual. The intent is for this handbook to be a living document that will change as necessary to accommodate changes in our organization, technology, and Federal policies. The handbook can be found at the following URL:

http://www.usgs.gov:8888/ops/computing/security/hndbk3.html

Additional questions or comments should be directed to Don Watson, Bureau Information Technology Security Administrator, at (703) 648-7046 or dwatson@usgs.gov.