MS 542: Peace Corps IT Security Policies and Procedures


Date: 05/21/02, Partial Revision 1/26/06
Office: Office of Management/CIO and IRM
Supersedes: 06/16/88


Table Of Contents

Subsection A

General Policies and Procedures

Subsection B

External Connections Policy

Subsection C

User Accounts Management Policy

Subsection D

Password Policy

Subsection E

Remote Access Policy

Subsection F

Computer Incident Response Capability

Subsection G

Electronic Mail Policy

Subsection H

Malicious Code: Prevention and Corrective Action

Subsection I

Web-based Services Policy

Subsection J

IT Security Awareness, Training, and Education

Subsection K

Certification and Accreditation Policy

Subsection L

Personnel Investigation Policy

Subsection M

Peace Corps Data Center Policy


Attachments



Attachment A

Verification Form

Attachment B

Response Procedures for Domestic Security Incidents

Attachment C

Position Descriptions

Attachment D

Computer Security Coordinator Responsibilities

Attachment E

Computer Security Incident Report Form - PC 2049

Attachment F

Access to Peace Corps Computer Logs

Attachment G

Federal Information Security Requirements 


    Subsection A: General Policies and Procedures

    1.0 Authorities

    2.0 Purpose

    3.0 Applicability

    4.0 General Definitions

    4.1 "Acceptable risk"
    4.2 "Availability protection"
    4.3 "Computer security"
    4.4 "Computer system"
    4.5 "Confidentiality protection"
    4.6 "General support system"
    4.7 "Individual accountability"
    4.8 "IT"
    4.9 "Major application"
    4.10 "Media"
    4.11 "Networks"
    4.12 "Office"
    4.13 "Operational controls"
    4.14 "Rules of behavior"
    4.15 "Sensitive information" and "Sensitive But Unclassified Information" ("SBU Information")
    4.16 "Sensitive system"
    4.17 "Sensitivity"
    4.18 "Server"
    4.19 "Technical controls"
    4.20 "Users," "system users," and "privileged users"

    5.0 General IT Security Policy and Goals

    5.1 Policies

    5.1.1 General Policy
    5.1.2 Waivers
    5.1.3 Classified Information
    5.1.4 Penalties for Noncompliance
    5.1.5 Attachments: Approval Authority

    5.2 Goals

    6.0 IT Security Principles of Behavior

    7.0 Rules of Behavior

    7.1 Rules Applicable to All Users

    7.1.1 Rules on Access
    7.1.2 Rules on System Integrity
    7.1.3 Rules on Availability
    7.1.4 Rules on Hardware and Software
    7.1.5 Rules on Disposal
    7.1.6 Rules on Unattended Equipment
    7.1.7 Rules on Encryption of Sensitive Information
    7.1.8 Rules on Reporting

    7.2 Additional Rules for Specialized Users

    7.2.1 Rules for Privileged Users and Administrators
    7.2.2 Rules for Privileged Users of Public Access Systems
    7.2.3 Rules for Program Managers and Country Directors
    7.2.4 Policies for Volunteers
    7.2.5 Rules for Departmental Point of Contact

    8.0 Inspector General Audits and Reviews


    1.0 Authorities

    Statutes and Regulations

    The Information Technology Management Reform Act (Clinger-Cohen Act) of 1996, 40 U.S.C. 1401 et seq.; The Paperwork Reduction Act, 44 U.S.C. 3506; The Computer Security Act of 1987 (Pub. L. 100-235); The Government Information Security Reform Act (GISRA), Pub. L. 106-398 (2000); and The Federal Property Management Regulations, 101 CFR Part 35.

    Presidential Directives and OMB Circulars and Memoranda

    OMB Circular A-130 Appendix III (Management of Information Resources); OMB Memorandum 99-05 (Instructions on Complying with President's Memorandum of May 14, 1998, Privacy and Personal Information in Federal Records, July 1, 1999); OMB Memorandum 99-18 (Privacy Policies on Federal Web Sites, June 2, 1999); OMB Memorandum 00-13 (Policies and Data Collection on Federal Web Sites, June 22, 2000); Presidential Decision Directive 63, Protecting America's Critical Infrastructures, May 22, 1998; Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of Government, October 21, 1998.

    Federal Standards

    Federal Information Processing Standard Publications (FIPS Pub) 31, Guidelines for Automated Data Processing Physical Security and Risk Management; FIPS Pub 41, Computer Security Guidelines for Implementing the Privacy Act of 1974; FIPS Pub 73, Guidelines for Security of Computer Applications; FIPS Pub 83, Guidelines on User Authentication Techniques for Computer Network Access Control; FIPS Pub 87, Guidelines for ADP Contingency Planning; FIPS Pub 102, Guidelines for Computer Security Certification and Accreditation; FIPS Pub 112, Standard on Password Usage; and National Bureau of Standards Special Publication 500-137, Security for Dial-Up Lines.

    2.0 Purpose

    This manual section sets out the minimum policies and practices governing the security of the Peace Corps' computer systems with the goal of preserving the integrity, availability, and confidentiality of the agency's computer information systems.

    3.0 Applicability

    3.1

    This manual section applies to all Peace Corps employees, contract personnel, and Volunteer Leaders/Coordinators, whether in the United States or overseas. Guidelines and policies governing Volunteer use of computers shall be separately issued by the Office of Information Resource Management (IRM). Country Directors may issue additional country-specific IT security policies and procedures, provided they are consistent with this manual section.

    3.2

    Overseas posts are subject to the policies and requirements of this manual section to the extent they have been provided with the appropriate equipment and have the technical capacity to do so. Posts that are still transitioning to the new electronic systems shall confer with their Regional Directors and the IT Security Program Manager for guidance on methods for securing their systems.

    4.0 General Definitions

    4.1

    "Acceptable risk" is the level of risk responsible management is willing to accept based on its evaluation of the cost of implementing security controls.

    4.2

    "Availability protection" is the protection required to ensure the availability of the agency's IT systems. Such protection requires the backup of the system and its information, contingency plans, disaster recovery plans, and redundancy. Examples of systems and information requiring availability protection are time-share systems, mission-critical applications, and time and attendance, financial, procurement, or life-critical information.

    4.3

    "Computer security" is the protection afforded an automated information system in order to preserve the integrity, reliability, availability, and confidentiality of the system's information resources, including its hardware, software, firmware (software stored on a ROM chip), information data, and telecommunications. The term applies to the entire spectrum of computer information technology, including its applications and support systems.

    4.4

    "Computer system" is any interconnected equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception, of data or information. The term includes computers; ancillary equipment; software, firmware, and similar programs; services, including support services; and related resources.

    4.5

    "Confidentiality protection" is the protection required to protect the agency's sensitive information. Such protection requires access controls such as user IDs/passwords, terminal identifiers, and restrictions on actions like read, write, and delete. Examples of information requiring protection include personnel, financial, proprietary, and certain internal agency information; and information related to investigations, other federal agencies, national resources, and high or new technology protected under an Executive Order or Act of Congress.

    4.6

    "General support system" is an interconnected technology resource that automates routine office functions. It normally includes hardware, software, information, data, applications, and communications, and provides support for a variety of users and applications. Individual applications support different mission-related functions. Users may be from the same or different offices.

    4.7

    "Individual accountability" is a requirement that individual users be held accountable for their actions after being notified of the rules of behavior in the use of the system and the penalties associated with the violation of those rules.

    4.8

    "IT" is information technology.

    4.9

    "Major application" is an IT application that requires special attention to security due to the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized access to or modification of the information in the application. A breach in a major application might affect many individual application programs, including hardware, software, and telecommunications components. Major applications can be either a major software application or a combination of hardware and software where the only purpose of the system is to support a specific mission-related function.

    4.10

    "Media" means the magnetic materials used to store data.

    4.11

    "Networks" include communication capabilities that allow one user or system to connect to another user or system. Networks can facilitate communication between computers within a system, or between computers in different systems. Examples of networks include local area networks (LANs) and wide area networks (WANs), including public networks such as the Internet.

    4.12

    "Office," for the purpose of this manual section only, includes any officially recognized Peace Corps program unit, regardless of whether it is formally designated as an office.

    4.13

    "Operational controls" are security methods that are implemented and executed by people. (See the definition of "technical controls" below.)

    4.14

    "Rules of behavior" constitute the requirements, practices, and controls (do's and don'ts) governing the use, security, and acceptable level of risk of an IT system.

    4.15

    "Sensitive information" or "Sensitive But Unclassified Information" ("SBU Information") is information that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes: (1) information the improper use or disclosure of which could adversely affect the ability of an agency to accomplish its mission, (2) proprietary information, (3) information requiring protection under the Privacy Act, and (4) information protected from disclosure under the Freedom of Information Act. The term does not include classified information.

    "Highly sensitive information" is a subset of sensitive information that is defined/determined by the owner of the system, in this case, by the Peace Corps. This term includes information, the loss, inaccuracy, or unauthorized alteration of which could reasonably be expected to cause significant harm to a person or an organization, including death, injury, legal liability, or financial loss. Typically this information is personnel, investigative, or medical information.

    4.16

    "Sensitive system" is a system that processes, stores, or transmits sensitive information.

    4.17

    "Sensitivity," in an information technology environment, is the degree of confidentiality, integrity, and availability requirements of a system.

    4.18

    "Server" is a machine whose sole purpose is to store and supply data, so that other machines can use it. A server machine also responds to client processes or programs locally, or across a network.

    4.19

    "Technical controls" consist of hardware and software controls used to provide automated protection to the system or applications. Technical controls operate within the technical system and applications.

    4.20

    "Users" or "system users" are all Peace Corps employees, contract personnel, and Volunteer Leaders or Coordinators, who use, manage, operate, or supply services to the agency's computer systems. "Privileged users" are users who have special IT privileges, including the privilege to manage, control, provide services for, maintain, administer, and access or control access to the agency's IT systems.

    5.0 General IT Security Policy and Goals

    5.1 Policies

    5.1.1 General Policy

    It is the policy of the Peace Corps to ensure the security of the agency's computer systems, including the systems' physical components and the information stored within each system. The security requirements and procedures in this manual section are intended to establish measures that will eliminate or reduce the risk of security threats to the agency's systems to an acceptable level and protect against the financial and program costs that result when information is lost, compromised, or unavailable when needed.

    5.1.2 Waivers

    Unless otherwise provided, waivers from the requirements of this manual section may be approved and issued by the Director of the Office of Information Resources Management (IRM). Before issuing a waiver of any provision of this Manual Section, the Director of IRM shall ensure that appropriate substitute measures will be taken for a specified time period. The Director of IRM may issue a waiver for unusual circumstances when there is a business need to do so. Waivers must be in writing and shall be issued only for the time period deemed necessary by the Director of IRM. Other waiver provisions are found in Subsections K and L.

    5.1.3 Classified Information

    Classified information shall NOT be processed or stored on the agency's IT systems. See MS 833, which provides procedures for the handling of classified information.

    5.1.4 Penalties for non-compliance

    The policies in this manual section are based on and implement federal laws and regulations. As such, there are administrative, civil, and criminal consequences for non-compliance. Disciplinary action may be taken at the discretion of management for violations by IT users of the policies and procedures in this manual section.

    5.1.5 Attachments: Approval Authority

    Due to the rapid and ongoing changes to federal security procedures and technology capabilities, new or revised attachments to this manual section may be approved by the Chief Information Office in consultation with and after legal clearance by the Office of the General Counsel.

    5.2 Goals

    The IT security policies and procedures in this manual section are intended to help achieve three goals: the availability, integrity and confidentiality of the agency's systems.

    Availability

    Computer systems must be available for use in a timely fashion. Any denial of a system's use or substantial delay in a system's processing could adversely affect the ability of an individual, office, or program to conduct business. Accordingly, protections from physical destruction, theft, or virus outbreaks, for example, should be in place.

    Integrity

    The integrity of the information in the agency's computer systems must be maintained. To achieve its statutory purpose, the agency must be able to rely on the authenticity of the information maintained in its computer systems, such as financial records, e-mails, and program and administrative data. Integrity can be compromised by human error when entering data; when transmitting data from one computer to another; by software bugs or viruses; by hardware malfunctions, such as disk crashes; or by natural disasters, such as fires or floods. The integrity of the agency's systems should be protected by appropriate handling by the user and by utilizing a system architecture designed to protect data from corruption and recover lost or corrupted information.

    Confidentiality

    Sensitive information must be protected against unauthorized access or disclosure. Sensitive information is often included in legal, financial, national policy, budget, personnel, contractual, procurement, proprietary, or agency-critical information.

      6.0 IT Security Principles of Behavior

      The following eight principles reflect federal laws and regulations, underlie the security policies and rules of behavior set out in this manual section, and apply to all Peace Corps system users.

        1. Accountability: All system users are accountable for the appropriate use of the information resources entrusted to them and for complying with the policies and procedures set out in this manual section.
        2. Confidentiality of Sensitive Information: Sensitive information shall be collected, maintained, disseminated and protected from disclosure to unauthorized individuals or groups, as required by law and the requirements of this manual section.
        3. Passwords and User Identification: All system users must protect sensitive information through appropriate use of user identification (ID) and passwords.
        4. Hardware: System users shall make reasonable efforts to protect computer hardware equipment for which they are responsible from damage, abuse, and unauthorized use. Computer hardware equipment includes Peace Corps-owned or leased hardware wherever located, including the user's place of residence or travel location.
        5. Reporting: System users must promptly report all security violations, incidents, and vulnerabilities, in accordance with the procedures in this manual section.
        6. Privileged Users: Privileged users shall exercise their special positions and computer use privileges in a responsible, professional, and ethical manner.
        7. Remote Users: Remote users (those who operate computer systems in an alternate workplace) must take reasonable precautions at their alternate workplace to protect the systems' hardware, software, and information.
        8. Software: Software, including shareware, public domain software, or similar programs, must be authorized prior to its use on Peace Corps computer systems. ALL authorized software must be from reputable sources. Licensing agreements are required for all non-standard software.

      7.0 Rules of Behavior

      The rules of behavior constitute the requirements, practices, and controls (do's and don'ts) governing the use, security, and acceptable level of risk of an IT system.

      7.1 Rules applicable to all users

      7.1.1 Rules on Access

      The rules on access require users to:

        1. Work only with data they have been authorized to use;
        2. Limit the number of persons who can access their files or data;
        3. NOT retrieve information from a system for someone who is not authorized to access the information;
        4. Give information only to persons who have access authority and who need the information to perform their job;
        5. NOT attempt to gain access to information they are not authorized to access;
        6. NOT give their password to any person, including supervisors or the Help Desk staff;
        7. NOT divulge Dial-up or Dial-back modem phone numbers to any person outside of Peace Corps (Dial-back modem lines are not normally allowed outside of the data center without approval); and
        8. NOT download, install or run security programs or utilities that reveal weaknesses in the security of the system, such as password cracking programs, on Peace Corps computing systems. Security vulnerability tools are to be used by approved personnel ONLY and use must be limited to a pre-approved period of time.

      7.1.2 Rules on System Integrity

      The rules on system integrity require users to:

        1. Immediately discontinue use of any PC or LAN system or software that shows any indication of being infected with a virus;
        2. Protect against viruses and similar malicious programs by using only authorized software and ensuring that ALL incoming software comes from reputable sources;
        3. NOT use shareware, public domain software, or similar programs without authorization;
        4. NOT change the configuration of or attempt to modify or disable any of the security programs set up on their personal computers, including virus protection software and the password-protection function on screen savers;
        5. Ensure that their software is enabled to scan all CDs and diskettes for viruses upon use; and
        6. Check incoming e-mail attachments for viruses, especially attachments with .com, .bat, .zip, .exe, or .vbs extensions.

      7.1.3 Rules on Availability

      The rules on availability require users to:

        1. Always store files on an approved network storage location. When the user is not connected to a server, the user shall make backups of locally-stored files until a connection to a server is made;
        2. Write-protect backups;
        3. Store backups away from originals;
        4. Keep storage media away from devices that produce magnetic fields; and
        5. Protect disks from spills.

      7.1.4 Rules on Hardware and Software

      The rules on hardware and software require users to:

        1. Take reasonable steps to safeguard computer equipment against waste, loss, abuse, unauthorized use, and misappropriation;
        2. Use only that equipment they have been authorized to use;
        3. NOT eat, drink, or smoke near computer equipment or media in a manner that would endanger the equipment or media;
        4. NOT store highly combustible materials near a computer;
        5. NOT move or remove a PC, laptop, or other computer hardware without proper permission;
        6. NOT allow a hard drive with any Peace Corps data to be removed from Peace Corps premises without the proper data destruction;
        7. Take computer equipment from Peace Corps premises only for official purposes;
        8. Promptly report missing computer property;
        9. NOT allow anyone to perform maintenance on computer equipment without proper identification and authorization;
        10. Only use software they have been licensed to use and only for authorized purposes; and
        11. For approved non-standard software, file the software licensing agreements with the vendor within five days of receipt. Such agreements must be signed and include the software registration number, and a copy of all licensing agreements shall be kept by the purchasing office.

      7.1.5 Rules on Disposal

      In regard to the disposal of IT property, users shall give the following items to the Computer Security Coordinator for proper disposition:

        1. Diskettes and/or tapes containing sensitive information that are no longer in use;
        2. Damaged diskettes and/or tapes containing sensitive information; and
        3. Computer systems with hard drives which contain sensitive information.

      7.1.6 Rules on Unattended Equipment

      The rules on unattended equipment require users to ensure that the equipment is properly secured when left unattended. Diskettes, printouts, and other material containing sensitive information must be placed in an appropriate storage container equipped with a lock. At the end of each work day, users must log out of their computers. Users are also prohibited by Section 7.1.2 (d) from changing the configuration of or attempting to modify or disable any security programs, such as screen saver and login password requirements, on their personal computers.

      7.1.7 Rules on Encryption of Sensitive Information

      In regard to sensitive information transmitted across any public communications system, such as the Internet, including information sent over the e-mail system, users shall ensure that an encryption package, approved by the National Institute of Standards and Technology (NIST), is used to encrypt the information.

      7.1.8 Rules on Reporting

      The rules on reporting require users to:

      Report all security violations, incidents, and vulnerabilities to the Peace Corps Information Technology Security Program Manager (IT Security Program Manager) and notify their supervisors, as set out in the incident response procedures in Subsection F. If they are unable to contact the IT Security Program Manager, they shall call the Help Desk to record the incident.

      7.2 Additional Rules for Specialized Users

      7.2.1 Rules for Privileged Users and Administrators

      Privileged Users and Administrators shall:

        1. Protect "privileged accounts passwords" at the highest level demanded by the sensitivity level of the system (privileged accounts passwords include the supervisor, root, and administrator or equivalent, passwords);
        2. Develop or run programs for work purposes only;
        3. Help train users on the appropriate use and security of the system;
        4. Watch for unscheduled or unauthorized programs;
        5. Track and notify appropriate staff of all security incidents occurring within their area of responsibility;
        6. Take action to reduce damage caused by security incidents, such as locking up property, logging out of a terminal, and disconnecting a PC with a virus; and
        7. Establish virus protection for servers that are available to the public (Internet servers), when possible.

      7.2.2 Rules for Privileged Users of Public Access Systems

      Privileged users of public access systems, such as the Internet, shall:

        1. Transmit, store, or post sensitive information across public access systems ONLY if the information is encrypted or the user is using an encrypted or otherwise trusted path;
        2. Use virus protection software when receiving information from a public access system;
        3. Get official approval for any Web pages placed on the Internet;
        4. Ensure that information placed on a public access system is approved in accordance with Peace Corps' policies regarding content and security;
        5. Ensure that information placed on a public access system is up-to-date, accurate, and true;
        6. Ensure that information placed on a public access system reflects the policies of the agency; and
        7. Ensure that any distribution or receipt of documents via public access systems does not violate any applicable copyright laws.

      7.2.3 Rules for Program Managers and Country Directors

      Program Managers and Country Directors shall:

        1. Notify security personnel and the Departmental Point-of-Contact whenever the status of a system user terminates or changes;
        2. Ensure continued availability of data when a system user terminates by obtaining the user's password, ID, keys to encrypted files, and the user's documentation of tasks;
        3. Advise a terminating user of the responsibility to keep sensitive information confidential;
        4. Terminate the user's access to information and computer systems immediately, in the event the system user is separated;
        5. Report the threat or likelihood of sabotage, as the result of, for example, an unfriendly termination or separation;
        6. Ensure that system users are given adequate and appropriate training in the Peace Corps IT Security Awareness, Training, and Education Program;
        7. Ensure that IT security is and remains a highly visible aspect of day-to-day operations;
        8. Appoint a computer security coordinator;
        9. Assign responsibility for the security of each IT system to the computer security coordinator; and
        10. Assure that appropriate technical, administrative, physical, and personnel security requirements are included in specifications for the development or acquisition of IT equipment and software.

      7.2.4 Policies for Volunteers

      The only Peace Corps-provided computer resources Volunteers may use are those specifically designated for Volunteer use. Guidelines and policies regarding Volunteer use of computers can be found in other documents, including "Mandatory Guidelines for Volunteer Computers."

      7.2.5 Rules for Departmental Point-of-Contact

      The Departmental Point-of-Contact shall notify appropriate account management staff and IRM System Administrators by utilizing the Personnel Tracking System (PTS) whenever a system user terminates or changes status.

      8.0 Inspector General Audits and Reviews

      The Inspector General shall conduct periodic audits or reviews that test the adequacy of the agency's security safeguards of its sensitive systems, and shall advise the applicable program manager of any problems concerning the application or efficacy of the safeguards.


      Subsection B: External Connections Policy

      11.0 Purpose

      12.0 Applicability

      13.0 Policy

      14.0 Requirements


      11.0 Purpose

      This policy sets out the Peace Corps' minimum security standards for connecting any Peace Corps computer or network to a non-Peace Corps organization. Peace Corps-to-Peace Corps connections using NON-dial-up methods, i.e., wireless, DSL, cable, and other similar methods, are also included in this policy.

      12.0 Applicability

      This policy is applicable to all Peace Corps owned, leased, and operated computers and networks, including stand-alone and laptop computers.

      13.0 Policy

      Peace Corps computer or network connections to non-Peace Corps organizations shall generally be made through the Peace Corps Local Area Network/Wide Area Network (LAN/WAN), which is administered by the Office of Information Resources Management (IRM).

      14.0 Requirements

      14.1

      Peace Corps offices that have, or wish to establish, a computer or network connection with a non-Peace Corps organization must submit a request for approval to the Director of IRM. The request shall include information on the type of connection to be established and the business purpose for the connection, and shall certify that the minimum security standards identified in Section 14.2 are met.

      14.2

      No Peace Corps computer or network shall be connected to, or have the capacity to be directly connected to, any non-Peace Corps organization, unless the organization has the following security measures in place:

        1. Firewalls;
        2. Anti-virus software, if applicable;
        3. The means to ensure that anti-virus software is kept up to date, if applicable;
        4. A memorandum of understanding (MOU) that sets out the terms, configurations and dates when the connections and the security safeguards will be in place as outlined in Section 14.4 of this policy; and
        5. A security plan that is certified by the connecting organization.

      14.3

      Once a year, all Peace Corps offices that have established external connections with non-Peace Corps organizations shall conduct an inventory of external connections and then provide a report of the inventory to the IT Security Program Manager. The report shall include the type of connection and the business purpose for that connection, and shall certify that the minimum security measures identified in Section 14.2 are in place.

      14.4 Memorandum of Understanding

      The MOU between the Peace Corps and a non-Peace Corps organization shall include:

        1. A list of interconnected computer systems, including the Internet;
        2. A list of unique system identifiers, if appropriate;
        3. The name of each system;
        4. The name of the organization owning each non-Peace Corps system;
        5. The type of interconnection (e.g., TCP/IP, Dial, SNA);
        6. A short summary of major concerns or considerations in determining the interconnection;
        7. The name and title of authorizing management officials for both Peace Corps and the non-Peace Corps organization;
        8. The signature of authorizing management officials for both Peace Corps and the non-Peace Corps organization;
        9. A list of any Privacy Act systems of records, if applicable;
        10. The sensitivity level of each system;
        11. A description of the interaction among systems; and
        12. Rules of behavior and any security concerns.

      Subsection C: User Accounts Management Policy

      17.0 Purpose

      18.0 Definitions

        18.1 "Account Manager"
        18.2 "Personnel Tracking System"
        18.3 "Departmental Point-of-Contact"

      19.0 Policy

      20.0 User Account Management: General

        20.1 Authentication of Identity
        20.2 Standard Operating Procedures
        20.3 Operating Procedures for Specialized Systems

      21.0 Roles and Responsibilities

        21.1 Account Holders (users who have accounts)
        21.2 Account Managers
        21.3 Program Managers
        21.4 IT Security Program Manager


      17.0 Purpose

      The user accounts management policy sets out minimum security standards for user accounts and user access to sensitive information.

      18.0 Definitions

      18.1

      "Account manager" means a technical user who grants or restricts access to a given computer system.

      18.2

      "Personnel Tracking System" is an agency-maintained database consisting of a series of records that contain contact information about each employee. These records control changes to the staff telephone directory and facilitate payroll from the National Finance Center.

      18.3

      "Departmental Point-of-Contact" is the person(s) for each office who is designated to make necessary changes in the agency's personnel tracking system and submit Help Desk tickets for services required when, for example, an employee begins or terminates employment or is transferred.

      19.0 Policy

      Before a potential user may access any agency computer system that contains sensitive information, the identity (ID) of the user must be authenticated, and the user must be approved for access and be assigned an initial password for access to the system. A "user account" that tracks, regulates, and secures a user's identity and passwords is established for each user. A separate account is established for each system accessed by a user.

      20.0 User Account Management: General

      20.1 Authentication of Identity

      Authentication of a user's identity is the first step in setting up a user account and is commonly accomplished with such methods as the use of physical keys, account names, passwords, and biometric checks. Acceptable security mechanisms that could be used to identify and authenticate a user's identity include:

        1. Password-based mechanisms;
        2. Smartcard/smart token-based mechanisms;
        3. Biometrics-based mechanisms;
        4. Password generators;
        5. Password locking;
        6. PC or workstation locking;
        7. Termination of connection after multiple failed logins; and
        8. Cryptography with unique user keys.

      20.2 Standard Operating Procedures

      Account Managers shall draft standard operating procedures for each sensitive computer system they manage. The procedures shall describe the method used to verify the identity of the potential user and the method used to periodically review and verify the accounts on the system for appropriate access rights and account status. They shall also describe how the process will be implemented and who is responsible for the implementation. For a system without the technical capacity to perform the function required under this section (20.2) a manual procedure may be implemented.

      Standard operating procedures shall include:

        1. Creating a new account

          A description of the process used to initiate, verify and create a new user account. Users shall be required to change initial passwords before login will be allowed. All users must have a valid username and password. All usernames must be assigned to a specific user. Generally, only individual accounts for users will be allowed. Requests for shared accounts shall be directed to the Help Desk and must be approved by the IRM Director;

        2. Selecting user names

          A description of each account's naming convention, that is, how user names are selected (each system's naming convention shall be documented);

        3. Changing accounts

          A description of the process for changing names or access privileges of an existing account. This is sometimes necessary, for example, when a user changes positions within the agency. Before a user account may be changed, the user's access approval must be independently verified;

        4. Disabling/suspending accounts

          A description of the process for disabling or suspending a user account, including the method used to periodically review and verify the accounts on the system for appropriate access rights and account status; and

        5. Suspension dates

          Each system account shall have a suspension date set when it is created, unless the system lacks the technical capacity to do so.

      20.3 Operating Procedures for Specialized Systems

      In addition to the standard operating procedures described in Section 20.2, additional procedures are required for certain systems, as set out below:

      1. Network systems

        Network systems, which include file and print sharing, electronic mail and mainframe, shall have the following additional standard operating procedures:
        1. New users of network systems are required to read Sections 5.0 through 7.2.4 which set out the agency's basic security guidelines, and sign a verification that they have done so before they may have access to the network (See Attachment A for the agency's verification form); and
        2. All network accounts shall be given a suspension date when they are created that shall correspond to the expected term of the user's employment. User accounts are required to be disabled or suspended when a user will be absent from work for more than 60 days. Verification of the extension of a user's term of employment is required before an account may be re-enabled. Account managers must remove accounts left in suspension for more than 90 days.

      2. Web-based systems

        Web-based systems, which include accounts created on Extranet servers, shall have the following additional standard operating procedure:

        The suspension date of Web accounts shall be set for one year from creation of the account. The suspension date shall be changed only when the account user is re-verified as requiring access. Account managers shall remove accounts left in suspension for more than 90 days.

      3. Application Systems

        Application systems, which reside in various locations within the agency's computer system, including the mainframe, Web server, and personal computers, shall have the following additional standard operating procedures:
        1. The suspension date of an application account shall be the date in the particular application's standard operating procedures. The date may be changed only when the user assigned to the account has been re-verified as requiring access. Application accounts shall be disabled or suspended when a user will be away for more than 60 days. Account managers shall remove accounts left in suspension for more than 90 days.
        2. A signed agreement shall be obtained from potential users of highly-sensitive application systems that they will abide by the principles and rules of behavior for the particular system before gaining approval for access.

      21.0 Roles and Responsibilities

      21.1 Account Holders (users who have accounts)

      Account holders shall:

        1. Protect their individual account IDs and passwords. It is a violation of Peace Corps policy for users to share their IDs or passwords;
        2. Notify their system manager when they need a change in their account status, such as a name change or extended absence; and
        3. When appropriate, notify the IT Security Program Manager in accordance with the Computer Incident Response Capability Policy and Procedures in Subsection F of this manual section.

      21.2 Account Managers

      Account Managers are responsible for:

        1. Drafting and adhering to their standard account management operating procedures and keeping the procedures up-to-date; and
        2. Expeditiously removing or disabling accounts, when necessary. When appropriate, they shall notify the IT Security Program Manager in accordance with the Computer Incident Response Capability Policy and Procedures in Subsection F of this manual section.

      21.3 Program Managers

      Program Managers are responsible for:

        1. Notifying their account managers or departmental point-of-contact of the need for new accounts to be created and the appropriate permissions or rights to be assigned to new accounts;
        2. Notifying their account manager or departmental point-of-contact of a change in an existing account status for a supervised employee or contractor, such as name changes or extended absences; and
        3. Expeditiously notifying account managers of the need for accounts to be removed or disabled. When appropriate, program managers shall notify the IT Security Program Manager in accordance with the procedures set out in Subsection F of this manual section, Computer Incident Response Capability.

      21.4 IT Security Program Manager

      The IT Security Program Manager:

        1. Is responsible for periodically reviewing the standard operating procedures and the controls and processes used by the account managers to manage user accounts; and
        2. Will prepare a Computer Security Incident Report in accordance with the Computer Incident Response Capability policy and procedures in Subsection F of this manual section.

      Subsection D: Password Policy

      25.0 Purpose

      26.0 Applicability

      27.0 General Policies

      28.0 Policies for Sensitive Systems

      29.0 Types of Passwords: Technical Requirements

        29.1 Operating System Passwords
        29.2 Mainframe Passwords
        29.3 Privileged Account Passwords
        29.4 Service Account Passwords
        29.5 Application Passwords


      25.0 Purpose

      The purpose of the password policy is to provide agency security standards for passwords used to authenticate a user's access to sensitive information in the agency's computer systems as required by the Federal Information Processing Standard 112, Password Usage.

      26.0 Applicability

      This policy applies to all users of the agency's sensitive computer systems.

      27.0 General Policies

      27.1

      It is the policy of the Peace Corps to limit access to the agency's computer systems to authorized users. To control access to its systems, the agency shall issue passwords to all system users and shall use access control methods contained within and controlled by the operating systems, security subsystems, or database management systems (e.g., file attributes, access control lists, security rules, object-oriented security labels, and database schemes). Stored passwords shall be encrypted using a NIST-approved secure encryption method, and systems will be programmed so that passwords will not be displayed on the monitor. In addition, each operating system shall be programmed to automatically require re-authentication of the user's ID after a specified period of inactivity has been detected.

      27.2

      Each system user will be issued a password and a user ID for accessing the agency's computer systems. Users shall take reasonable precautions to protect their passwords and IDs and shall not share them with any person and shall never display their passwords on the monitor.

      27.3

      The agency reserves the right to monitor compliance with its password policy by installing or running security programs or utilities which have the capacity to reveal misuse of a password by individual users. If technically feasible, each operating system and application control shall be programmed to monitor compliance with this policy.

      28.0 Policies for Sensitive Systems

      28.1

      Peace Corps contractors with Peace Corps IT responsibilities must ensure that all Peace Corps multi-user sensitive information systems, desktops, and laptops under their purview have and use a password mechanism that authenticates the identity of each person who accesses any of the sensitive systems for which they are responsible. This does not apply to personal digital assistants (palm pilots) or those information systems intended for unrestricted public access, such as Web servers.

      28.2

      Each office within the agency with a computer system that includes sensitive information:

        1. Shall designate an individual to be responsible for implementation of the password policy;
        2. Is restricted from using clear-text reusable passwords; and
        3. Is responsible for documenting a procedure that verifies the identity of a new user before issuing the user's initial password.

      29.0 Types of Passwords: Technical Requirements

      29.1 Operating System Passwords

        1. An initial password for accessing the network will be issued to each user by a system administrator. The system administrator shall verify the user's identity according to the Accounts Management Policy in Subsection C of this manual section before issuing the initial password. After accessing the system with the initial password, the user shall select a new password. New passwords may contain some non-alpha/numeric characters.
        2. A user operating system password:
          1. Shall have a minimum length;
          2. Shall have a preset lifetime (Systems shall have an automated mechanism to ensure that users change their passwords at a pre-set interval. For systems without the technical capacity to do so, a manual process must be used to ensure compliance with this requirement.);
          3. Shall be changed as soon as possible, but within one business day after a password has been or is suspected of being compromised, or in response to a management directive; and
          4. Shall be suspended after a pre-determined number of invalid password attempts.
        3. Password Reuse

          For systems without the technical capacity to do so, the system shall be protected against reuse of a network password by a given user. The system will store used passwords for a given user. See § 3.2 for exemptions for overseas posts.

      29.2 Mainframe Passwords

      29.2.1

      An initial password for accessing the mainframe will be issued to each user by the system administrator (Peace Corps' mainframe includes two operating systems: VM and VSE. Each operating system includes various application systems.). The system administrator shall verify the user's identity before issuing the password.

      29.2.2

      A user must first enter a valid network password. Then the user shall enter the initial mainframe password provided by the system administrator. Users will then be required to select a new mainframe password after signing on with the initial password.

      29.2.3

      To access applications within the two operating systems in the mainframe (VM and VSE), a user also needs an application password for each application. See Section 29.5 in this subsection.

      29.2.4

      For systems with the technical capacity to do so, application passwords shall be at least six characters in length. For systems without the technical capacity to do so, the mainframe passwords shall be at least four characters in length.

      29.2.5

      All mainframe application passwords shall have a maximum password lifetime of 90 days. Systems with the technical capacity to do so shall have an automated mechanism to ensure that users change their passwords at an interval not greater than 90 days. In addition, passwords shall be changed:

        1. As soon as possible, but within one business day after a password has been or is suspected of having been compromised; or
        2. In response to a management directive.

      29.2.6

      Unless they lack the technical capacity to do so, all systems with password access shall be set to suspend password log-ins after five invalid attempts.

      29.2.7

      Unless they lack the technical capacity to do so, mainframe systems shall be protected against reuse of a password by a given user. The mainframe systems shall be set to store five previously used passwords for a given user.

      29.3 Privileged Account Passwords

      29.3.1

      Access to a privileged account by a system administrator must first be approved by the Director of IRM. (A higher level of authentication is required for access to a privileged account due to the extraordinary capabilities and powers inherent in this level of access.) System administrators may then issue their own passwords.

      29.3.2 Password Selection

      The general process for selecting an account password is set out in Section 29.1. In addition, a privileged account password shall:

        1. Be at least twelve characters in length;
        2. Have a maximum lifetime of 90 days (Systems shall have an automated mechanism to ensure that users change their passwords at an interval not greater than 90 days. If automated mechanisms are not technically possible, a manual process must be used to ensure compliance with this requirement); and
        3. Be protected against reuse of a password by a given user. The system will store up to five previous passwords.

      29.4 Service Account Passwords

      29.4.1

      Service account passwords are passwords already programmed into a computer system to permit the automatic transfer of information from one computer server to another without the assistance of a user.

      29.4.2

      The process for selecting a password is set out in Section 29.1.

      29.4.3

      All service account passwords shall also have:

        1. At least 12 characters; and
        2. A maximum lifetime of one year.

      29.4.4

      Unless the system lacks the technical capacity to do so, it shall be protected against the reuse of a service account password. Service account passwords shall not be reused within a five-year period.

      29.4.5

      Auto-logon features shall not be used where a user's ID and passwords are maintained on the system in script form (clear text executable instructions or parameter values) or where the system does not require the user to enter the information for identification and authentication purposes.

      29.4.6

      No service account shall be configured to log on interactively to a network device, unless the system lacks the technical capacity to comply.

      29.4.7

      All vendor-supplied or developer-supplied default passwords (passwords provided for initial entry to a system) shall be changed before any product is put into use.

      29.5 Application Passwords

      29.5.1

      Applications reside in various locations within the agency's computer system, including the mainframe, Web server, and personal computers. To gain access to an application that contains sensitive information, a user must enter a valid application password.

      29.5.2

      An initial application password will be issued to the user by a system administrator after the administrator verifies the user's identity in compliance with the agency's User Accounts Management Policy in Subsection C. To access an application, the user must first enter a valid network password and then enter the initial application password provided by the system administrator. The user must then select a new application password.

      29.5.3

      Passwords for existing applications shall be at least four characters in length. When existing applications are revised or new applications are added to the system, passwords for the revised or new applications must be at least six characters in length.

      29.5.4

      All application passwords shall have a maximum lifetime of 90 days. When possible, systems shall have an automated mechanism to ensure that users change their passwords on time. If the system lacks the technical capacity to have an automated mechanism, a manual process shall be used. Passwords shall also be changed:

        1. As soon as possible, but within one business day after a password has been or is suspected of having been compromised; or
        2. In response to a management directive.

      29.5.5

      Unless the system lacks the technical capacity to do so, the computer system shall be protected against reuse of an application password by a given user. To protect against reuse, the system shall store up to five previous passwords.


      Subsection E: Remote Access Policy

      34.0 Purpose

      35.0 Definition / Applicability

      36.0 Policies

        36.1 General Policies
        36.2 Access from Overseas Locations
        36.3 Technical Support


      34.0 Purpose

      The purpose of the remote access policy is:

        1. To ensure the security of the agency's computer systems when the systems are accessed by users from a location other than their official work sites; and
        2. To provide reasonable access to the agency's computer systems for dial-up remote access users.

      35.0 Definition/Applicability

      "Remote access" is used in this policy to mean the establishment of a dial-up computer communications connection by a Peace Corps user through or to Peace Corps offices from anywhere other than the user's official work location. Peace Corps-to-Peace Corps connections using NON-dial-up methods, i.e., wireless, DSL, cable, and other similar methods, are included in the External Connections policy. This remote access policy is applicable to all Peace Corps owned, leased, and operated computers and networks, including stand-alone and laptop computers.

      36.0 Policies

      36.1 General Policies

      36.1.1

      Remote access is available only to authorized users, as approved by their office head and either the Chief Information Officer (CIO) or the IRM Director. Approved use of remote access is for business use only. Approval to use remote access does not, in itself, constitute approval for extension of regular working hours or overtime approval. Non-business hour use of remote access must not conflict with authorities and procedures contained in MS 630.

      36.1.2

      Only Peace Corps computers, communications equipment, and software systems may be used for permissible dial-up remote access. The use of personally-owned computers or communications equipment or software is specifically prohibited.

      36.1.3

      Individual user IDs and passwords are required for remote access. The selection and use of user IDs and passwords is governed by the Peace Corps Password Policy in Subsection D of this manual section.

      36.1.4

      Any approval granted for remote access shall be made to a specific individual for specific purposes. Approval shall not be transferred under any circumstances or used for any purpose other than those specifically stated in the approval.

      36.1.5

      Total log-on/connect time is governed by the Laptop Dial-Out Procedures For Domestic Users (Dial-Out Procedures). The user's connection will be automatically terminated if any call lasts past the time credited to the user under the Dial-Out Procedures.

      36.1.6

      After a specific period of idle time (see the Dial-Out Procedures), the user's current session will be automatically terminated. Idle time is defined as no keyboard or mouse use.

      36.1.7

      Remote access to Peace Corps information resources may be revoked for cause without prior notification at any time.

      36.1.8

      Unless the system lacks the technical capacity to do so, the remote user's access will be restricted to network resources and services approved via the Peace Corps Laptop Checkout Form.

      36.1.9

      Notwithstanding MS 643, Limited Personal Use of Government Office Equipment, use of remote access for personal use or gain is prohibited.

      36.2 Access From Overseas Locations

      36.2.1

      The policies and procedures governing access to the domestic data center resources by domestic users traveling overseas are set out in the agency's Laptop Dial-Out Procedures For Domestic Users.

      36.2.2

      The policies and procedures governing access to the domestic data center resources with laptops issued by overseas posts to sub-regional users (Rovers) who have obtained prior approval for a Headquarters Exchange account are set out in the agency's Overseas Information Technology (IT) Manual.

      36.3 Technical Support

      36.3.1

      Users shall be provided with appropriate agency equipment and technical support for remote access work they have been assigned by their supervisors.

      36.3.2

      Technical support is not available to employees in connection with their use of personally-owned computers, communications systems and equipment, or software systems, under any circumstances.


      Subsection F: Computer Security Incident Response Capability (CIRC)

      39.0 Purpose and Applicability

      40.0 Definitions

        40.1 "Computer Security Incident"
        40.2 "Threat"
        40.3 "Vulnerability"

      41.0 Incident Categories

      42.0 Incident Response Priorities

      43.0 Order of Incident Responses

      44.0 Roles and Responsibilities

      45.0 Security Incident Response Procedures


      39.0 Purpose and Applicability

      The purpose of the Computer Security Incident Response Capability (CIRC) program is to set out policies and procedures for reporting and responding to computer security incidents on the agency's computer network. The policy applies to all users of the agency's computer systems.

      40.0 Definitions

      40.1

      "Computer Security Incident" means an unexpected, unplanned event that has or could have a negative impact on information technology resources in the agency's computer systems, requires immediate action to prevent further negative impact, and violates security policies or circumvents security mechanisms. Also see Subsection H for the reporting requirements for malicious code or computer virus incidents.

      40.2

      "Threat" means any activity, intentional or unintentional, with the potential for causing harm to an automated information system or activity.

      40.3

      "Vulnerability" means a flaw or weakness in a computer system, such as in the security procedures, hardware, design, or internal controls, that may allow harm to the system.

      41.0 Incident Categories

      A computer security incident includes, but is not limited to, any denial of service caused by the following incident categories:

        1. System Compromise (System privileges are acquired by an unauthorized user);
        2. Information Compromise (Unauthorized access to password files, protected or restricted data or system resources, and/or software or code);
        3. Misuse (An authorized user violates federal laws or regulations and/or agency policies regarding the proper use of computer resources, installs unauthorized or unlicensed software, causes physical destruction, or accesses resources and/or uses privileges that have not been assigned to the user);
        4. Denial of Service (Resources are unavailable for use by the authorized user);
        5. Hostile Probes (The act of using one or more systems to scan targeted systems or networks with the intent to conduct or to gather information for unauthorized or illegal activities);
        6. Intrusion (Access by unauthorized individuals to agency systems that bypass authentication mechanisms or exploit system vulnerabilities); and
        7. Theft (The unauthorized removal of information, computer equipment or other computer system property).

      42.0 Incident Response Priorities

      A user's response to a security incident shall be governed by the following priorities:

        1. Priority one: protect human life and safety;
        2. Priority two: protect classified and extremely sensitive data; prevent exploitation of classified or sensitive systems, networks or sites;
        3. Priority three: protect computer property and data, including Privacy Act, scientific, managerial, and other data;
        4. Priority four: prevent damage to the systems (e.g., loss or alteration of system files, damage to disk drives); and
        5. Priority five: minimize disruption of computer resources (including processes). It is better in many cases to shut a system down or disconnect the system from the network than to risk additional damage to other data or systems.

      43.0 Order of Incident Responses

      Under the CIRC program, the preferred order of responses to a security incident is as follows:

        1. Isolate the incident;
        2. Determine the who, what, where, when, how, and why of the incident;
        3. Assure the integrity of critical systems;
        4. Maintain and restore data;
        5. Maintain and restore service;
        6. Avoid recurrence; and
        7. Identify the source of the incident and report the source to the proper authorities.

      44.0 Roles and Responsibilities

      44.1 The IT Security Program Manager is responsible for:

        1. Implementing and maintaining the CIRC program;
        2. Serving as a central clearinghouse for all reported intrusion incidents, security alerts, bulletins and other security related material;
        3. Ensuring additional CIRC program resources for all security incidents, as needed;
        4. Disseminating to all IT system managers prompt advisories of system threats and operating system vulnerabilities, and tracking all reported security incidents, trends, and impacts;
        5. Monitoring the resolution of all incidents;
        6. Assisting system administrators with security incident identification, handling and resolution;
        7. Serving on the agency's Computer Emergency Response Team ("CERT" or "Response Team");
        8. Serving as the agency's emergency contact person for IT incidents; and
        9. Ensuring that general and privileged users are aware of their duties and responsibilities as outlined in this policy.

      44.2 System Administrators are responsible for the following:

        1. Identifying individuals who are responsible for reporting incidents to the IT Security Program Manager;
        2. Providing timely reports to the IT Security Program Manager on a security incident in the following order: (1) a verbal report as soon as possible after detection of a security incident; (2) a written preliminary report containing as much information as possible, within two working days of the security incident; (3) a status report every 10 days when a security incident is expected to take more than 30 days to resolve; and (4) a written final report within 5 working days of the resolution of a security incident;
        3. Developing, implementing and maintaining internal incident response procedures and coordinating those procedures with the IT Security Program Manager;
        4. Identifying individuals to serve on the CERT; and
        5. Reviewing, at least on a quarterly basis, the agency's security incident policies and procedures.

      44.3 All users are responsible for the following:

        1. Reporting any suspected security incidents, threats, or vulnerabilities to the agency's Help Desk;
        2. Reporting any suspected security incidents, threats, or vulnerabilities to their immediate supervisor; and
        3. Reviewing the IT security policies on a regular basis, and staying up-to-date on the procedures for reporting security incidents.

      45.0 Security Incident Response Procedures

      45.1 Procedures for Initial Response

      The initial response to domestic and overseas security incidents shall include:

        1. Investigating the incident to determine the cause of the security incident;
        2. Determining a way to prevent additional harm to the agency's computer systems;
        3. Assessing the impact and damage of the security incident;
        4. Implementing solutions for recovering from the incident and preventing additional harm; and
        5. Following all applicable security incident response procedures.

      45.2

      Specific procedures to be used for domestic security incidents are set out in Attachment B to this manual section.


      Subsection G: Electronic Mail Policy

      48.0 Purpose and Applicability

      49.0 Policies

        49.1 Standard Use of E-mail
        49.2 E-mail and Privacy
        49.3 E-mail Records Management
        49.4 General Use Requirement
        49.5 Rules of Behavior
          49.5.1 Prohibitions
          49.5.2 Safety Requirements


      48.0 Purpose

      The purpose of this policy is to establish standards and guidelines for the use of the agency's electronic mail (E-mail) system to help employees use the system properly, reduce the risk of intentional or inadvertent misuse, and ensure that official records transferred via E-mail are properly handled.

      49.0 Policies

      49.1 Standard Use of E-mail

      Agency employees shall use the Peace Corps E-mail system for official and authorized purposes only, except as permitted under MS 643 Limited Personal Use of Government Office Equipment. Employees are expected to use common sense, good judgment, and propriety in their use of the system.

      49.2 E-mail and Privacy

      Agency employees should have no expectation of privacy when using the Peace Corps E-mail system. Although certain employees with special access privileges are expressly prohibited from reading others' E-mail, they may do so if authorized by appropriate senior management officials or if technical or administrative problems create a situation in which it is necessary for such employees to read message text. In addition, E-mail messages are government property and agency officials may have access to those messages whenever there is a legitimate governmental purpose for doing so.

      49.3 E-mail Records Management

      The National Archives and Records Administration (NARA) has issued standards for the management of federal records created or received on E-mail. Specifically, the National Archives and Records Administration Management Guide Series (1995) states that electronic record keeping systems must be designed to ensure the security and integrity of records, preservation of records for the time they are needed, and migration of data to other agency systems or subsequent systems. If messages that are made or received through E-mail do not show the complete names of senders, addressees, and the date of transmission, users should take reasonable steps to preserve the mail envelope information sheet, distribution list, or other screen that contains any of that information that is not on the message itself. In addition, E-mail receipts should be maintained.

      Agency offices shall establish the standard requirements for retention of electronic messages based on their individual policies. Offices are responsible for ensuring that employees are familiar with the legal requirements for creation, maintenance, and disposition of records on E-mail systems. Records management officers and records custodians should emphasize to users that E-mail messages are generally considered to be public records subject to retention.

      49.4 General Use Requirements

      49.4.1

      All users of the Peace Corps electronic resources are expected to utilize such resources in a responsible, ethical and legal manner consistent with applicable federal laws.

      49.4.2

      Each user shall be provided an E-mail account for conducting official agency business. This account shall be the only account the employee or contractor may use to conduct official agency business.

      49.4.3

      All E-mail messages created and stored on agency computers or networks are the property of the agency and may be accessed by the agency.

      49.4.4

      The content and maintenance of an E-mail mailbox is the responsibility of the person to whom the E-mail account is assigned.

      49.4.5

      All employees shall use E-mail as they would any other type of official agency communications tool. This means that when E-mail is created and sent, the sender should ensure that the communications comply with the agency's E-mail guidelines and manual sections.

      49.4.6

      The agency shall provide access to E-mail to non-Peace Corps personnel, such as contractors, temporary employees, or other government agencies.

      49.4.7

      The agency reserves the right to review and monitor all employee E-mail communications. Electronic mail messages may be retrieved by the agency even though they have been deleted by the sender and the reader. Inappropriate messages may be grounds for disciplinary action.

      49.4.8

      Only authorized E-mail software may be used for conducting agency business.

      49.4.9

      All E-mail messages must contain the name and E-mail address of the sender and a subject heading that reflects the content of the message without divulging highly sensitive information.

      49.4.10

      Shared/Office E-mail boxes may only be used to receive E-mail. Senders must be identified as an individual, whenever possible.

      49.4.11

      Broadcast messages (messages to multiple offices) may only be sent by pre-approved designees.

      49.5 Rules of Behavior

      49.5.1 Prohibitions

      The following uses of E-mail systems are prohibited:

        1. Use of the Agency's E-mail system that could cause congestion, delay, or disruption of service to any government system (for example, video, sound or other large file attachments can degrade the performance of the entire network);
        2. Using non-agency issued E-mail accounts for official agency business;
        3. Using the agency E-mail system for business purposes other than agency business, including using the system for private commercial activities;
        4. Using or sending anonymous E-mail for any purpose (E-mail communications must accurately identify the sender);
        5. Using the E-mail system to intentionally misrepresent oneself or the agency;
        6. Using the E-mail system to participate in any non-work related "chat room;"
        7. Using the E-mail system to send or forward any information that can be interpreted as sexually implicit or explicit, or derogatory toward any racial, religious, or ethnic group. Harassing or obscene material shall also not be sent, printed, requested, displayed, or stored. Also, the system shall not be used for any mass mailing, such as SPAM, chain letters, and/or JUNK MAIL;
        8. Using E-mail to improperly disclose sensitive information, or to communicate unethical information or information that could be perceived to be a conflict of interest;
        9. Using E-mail for unlawful activities, including any communication that violates security policies, federal laws, or regulations;
        10. Using E-mail to send classified or agency proprietary information;
        11. Using E-mail for malicious activities, such as knowingly activating and/or propagating computer viruses or other malicious codes, or purposefully disguising the true content of an E-mail message with a subject or title that is not reflective of the message content;
        12. Joining electronic discussion groups, e.g., listservs or Usenet newsgroups, that are not related to agency business; and
        13. Permitting others (supervisors, secretaries, assistants, or any other subordinate) to use your E-mail accounts as their own.

      49.5.2 Safety Requirements

      Every user of the agency's E-mail system is expected to help protect the E-mail services by:

        1. Allowing virus scanning software to check incoming E-mail attachments for viruses using the desktop Anti-virus software (Users shall not disable or re-configure the desktop Anti-virus software); and
        2. Checking his electronic mail often and properly disposing of messages that are no longer needed.

      Subsection H: Malicious Code (Computer Virus): Prevention and Corrective Action

      54.0 Purpose and Applicability

      55.0 Definitions

        55.1 "Malicious Code"
        55.2 "Media"
        55.3 "Write Protect"

      56.0 Applicability

      57.0 Policies

      58.0 Roles and Responsibilities

        58.1 Users
        58.2 System Administrator
        58.3 IT Security Program Manager


      54.0 Purpose

      The purpose of the malicious code policy is to set out the corrective actions to be taken should any type of malicious code be detected on the Peace Corps network or computer systems.

      55.0 Definitions

      55.1

      "Malicious code" is any computer program code or software which intentionally hides its full intent and purpose with the effect of harming or degrading computer and/or network resources or performance. Although "malicious code" is an umbrella term which includes viruses, worms, Trojans, and macros, it is used interchangeably throughout this manual section with "computer virus" and "virus."

      55.2

      "Media" means the magnetic materials used to store data.

      55.3

      "Write-protect" means to mark a computer file or disc so that its contents cannot be modified or deleted. Write-protected files and media can only be read; a user cannot edit, append data to, or delete such files.

      56.0 Applicability

      The POLICY in this subsection applies to all Peace Corps network users and system administrators, file servers, Web servers and e-mail servers, including those overseas. The PROCEDURES, on the other hand, apply only to agency users located in the United States. Procedures for non-domestic users are in the Computer Support Manual for Macintosh users and the Technical Support Specialist Manual for PC users (users of personal computers).

      57.0 Policies

      57.1

      All network users shall take reasonable precautions, according to their roles and responsibilities, to avoid the possibility of a malicious code being introduced into the agency's equipment and networks.

      57.2

      Only authorized software shall be installed and used on Peace Corps' equipment and networks.

      58.0 Roles and Responsibilities

      58.1 Users

      Users shall:

        1. NOT change the configuration of or attempt to modify or disable any of the security programs set up on their personal computers, including virus protection software and the password-protection function on screen savers;
        2. Ensure that a computer that is infected or suspected of being infected is disconnected from networks to reduce the risk of spreading a virus; and
        3. Notify the agency Help Desk immediately upon the detection or suspicion of any malicious code stored or transmitted on the agency's network and related computer equipment and media, and cooperate fully with efforts by technical support staff to address the problem.

      58.2 System Administrator

      System Administrators shall:

        1. Make regular backups of data on their systems as a precaution against data loss;
        2. Ensure that an anti-virus report log from the servers is available to the IT security staff when requested;
        3. Configure the anti-virus software to notify a user that a virus was detected or cleaned from data or e-mail belonging to the user;
        4. Configure application or system logs to record and retain information regarding infections that are detected;
        5. Keep anti-virus signature file updates and application programs up-to-date with vendor releases for servers and workstations;
        6. Use all available tools and procedures compatible with a system's technical capacity to guard against the placement or storage of malicious codes on the agency's servers;
        7. For file servers:
          1. Implement a regular schedule for virus signature file updates from the vendor to be loaded onto the servers and desktops;
          2. Configure distribution file server systems to do a virus signature "pushdown" when a new virus is identified by authorized personnel as requiring immediate action that cannot wait for the monthly update; and
          3. Initiate a regular schedule (daily or nightly) for scanning for viruses, which shall require scanning at least once a day;
        8. For desktops:
          1. Configure real-time automatic scan of removable media, e.g., floppy disks and CDs, upon use;
          2. Implement a regular, weekly schedule for virus scans of all hard drives on PCs and laptops; and
          3. If feasible, lock desktop anti-virus client settings so users cannot turn off the client protection;
        9. For e-mail:
          1. Configure real-time automatic scan of e-mail attachments when received or opened by the user; and
          2. Configure e-mail servers to automatically strip off and quarantine e-mail attachments considered or known to be potentially harmful or threatening. E-mail administrators shall determine whether the attachment is appropriate to be forwarded to the user. If not, the attachment shall be deleted and the user shall be notified.

      58.3 IT Security Program Manager

      The IT Security Program Manager shall:

        1. Report widespread infection levels that result in a major impact to the computer system or network availability to proper federal authorities;
        2. Help coordinate resources in the event of a widespread virus "outbreak;" and
        3. Advise network and system administrators of new virus threats.

        Subsection I: Web-Based Services Policy: Internet/Intranet/Extranet

        63.0 Purpose

        64.0 Applicability

        65.0 Definitions

          65.1 "Broken link" and "dead link"
          65.2 "Common Gateway Interface"
          65.3 "Domain name"
          65.4 "Editorial support"
          65.5 "Extranet"
          65.6 "Home page"
          65.7 "Internet"
          65.8 "Intranet"
          65.9 "Internet service"