S Montana# Dept* of ; Avidif Infafnation 1997 Services Division Coins "IT" right Sl'MEMTS COLLECTION • CNTANA STATT UUftAKVi '• a i 5 X | HELENA, U ' ~-; X:ilTxT*xXax^f: ;:fx fxT aaaiaax xaa:-xa;:;axaaxXTxaa mmm& wm- ii\mmm. A guide to properly using and protecting Montana’s Information Technology resoi March 1997 MONTANA STATE LIBRARY 3 0864 0009 9614 3 Published by: Information Services Division Department of Administration State of Montana 25 N. Roberts 1 Mitchell Building, Room 229 PO Box 200113 MT Helena, 59620-0113 Phone: 406/444-2700 Fax: 406/444-2701 Internet: www.mt.gov/isd March 1997 Doing "IT" Right! A guide to properly using and protecting Montana's Information Technology resources March 1997 This publication was developed by the Information Technology Managers Group Training Subcommittee. The input and expertise of the NetWare Managers Group has been invaluable. Additional copies of Doing "IT” Right! are available from the Information Services Division at 406/444-2700. The State of Montana attempts to provide reasonable accommodations for any known disability that may interfere with a person participating in any service, program or activity of the State. Alternative accessible formats of this document will be provided upon request. 1 Table of Contents Introduction 5 Laws and Rules 6 Legal Guidance 6 Federal Law 6 Montana Law 6 Use of Equipment 6 Administrative Rules of Montana 6 Montana Operations Manual 6 Policies 7 and Theft Destruction 7 Unauthorized Mainframe Access 7 Unauthorized Network and PC Access 7 Reporting Procedures 8 Computer Use 8 Unlawful Use of a Computer 8 Theft Consequences 9 Care of IT Equipment 9 Security 10 Location 10 Care of Data 10 Accuracy 10 Confidentiality 10 Security 11 Protection and Backup 11 Disaster Recovery 11 Virus Scanning 1 Viruses 11 Scanning Software 12 Software Licensing 13 ............................. Software Definitions 13 .............................. License Definitions 14 Copyright Laws ................................ 15 Access is .............................. Data Dissemination 16 Logon IDs .................................... 16 .................................... Passwords 16 Logging Off the System 17 . Remote Access \i State Standards - Hardware and Software 18 Benefits of State Standards 18 . Possible Disadvantages of State Standards 19 . Current Standards 19 . Frequently Asked Questions 21 Appendices 23 MCA A - Section 2-15-1 14 IT Security Responsibilities ofDepartments 23 . . B MCA - Section 45-2-101 Pertinent Definitions 25 . C MCA - Section 45-6-301 Theft 30 . D MOM - Section 1-0250.00 Information System Security 32 . MOM Section 1-0250.10 Information Access Control .................... 37 MOM Section 1-0250.20 Public Access to Central Computer 39 MOM Section 1-0250.30 Home Access to Central Computer 42 . E - Section 2-12-102 APvM ........................ 44 F - SummitNet Acceptable Use Policy (abbreviated) ........ 45 Glossary ofAcronyms 46 ! introduction Information Technology (IT) is the employment of computer hardware, software, networks and telecommunications. The State of Montana uses IT to conduct business, deliver services and education, communicate with colleagues and clients, and make decisions. As a state employee, it is your responsibility to safeguard the state's IT investment by following these guidelines: Use state property for state (appropriate) purposes. Protect state property; keep it safe and secure. Use state property within the limits of that property. Protect the state from liability resulting from the misuse of the property; use property legally. State information technology property includes not only the computers you work on, but also the software you use and the data you create . It is the responsibility of each department director to promote the importance of security matters by ensuring that all employees are provided with security training commensurate with their responsibilities. This guide will help state employees learn proper, secure and legal use of state information technology, including system hardware, software and data. March 1997 5 Doing "IT" Right . Laws and Rules Legal Guidance Few laws relate solely to information technology, but other existing laws have been modified to include computer hardware, software and data. Federal Law. It is a federal crime to use or distribute unlicensed copies of copyrighted software. Federal laws relating to copyrights, patents, and interstate theft apply to the information technology arena. Generally, copyright laws apply to software; patent laws apply to hardware; and laws on theft can apply to hardware, software and data. Montana Law. Several Montana laws refer to the illegal use of information technology resources. See Appendix B> Appendix C and the Theft and Destruction section of this booklet. MCA Use ofEquipment. Section 2-2-121 (Montana Code Annotated). “A public officer or a public employee may not use public time, facilities, equipment, supplies, personnel, or funds for the officer's or employee's private business purposes...” ARM Administrative Rules ofMontana provides guidance on using . the state’s telecommunications systems for the conduct of state business. These rules are being interpreted as having an effect beyond traditional telephone usage (see Appendix E). MOM Montana Operations Manual. The does not include legal issues MOM in its automated information systems section. The does provide guidance, for the agency director, regarding system design controls; system documentation; protecting software rights; system security, including requiring system-security training for employees; and home access. MOM The objective of the policy on computer security, 1-0250.00 (Appendix D), is to prevent the intentional or unintentional Doing "IT" Right! 6 March 1997 modification; destruction or disclosure; or misuse of data and information technology resources. Policies Each agency has specific usage policies that cover software, . hardware, network and other telecommunication devices. For example, games and game playing on state-owned equipment are generally prohibited. and Theft Destruction Improper or inappropriate use of IT resources may constitute theft or cause damage to the state’s property or public image. Violators will be dealt with in accordance with the agency's discipline handling policy. Unauthorized Mainframe Access. All unauthorized-access attempts against protected data on the state's mainframe will cause a violation. Agency security officers are provided a daily report showing activity against protected data on the mainframe. This report shows either logging information about data activity or violation information for access attempts made to protected resources. These reports are reviewed by the security officer, and violators are contacted, if necessary. Often a department’s IT manager also reviews this report to provide a level of checks and balances. When a user receives a message indicating a violation, he or she should contact the agency security officer to have the problem resolved. Unauthorized Network and PC (Personal Computer) Access. Unauthorized attempts to access network data will be monitored by agency network administrators. Specific networks may have policies outlining how violations will be enforced. For example, the SummitNet Acceptable Use Policy describes a three-tier approach to monitoring and enforcement (see Appendix F). March 1997 7 Doing "IT" Right! Reporting Procedures. Most agencies have a Loss Control Officer who is responsible for communicating losses to authorities. This includes notifying local law officers, Legislative Audit Division, Attorney General’s Office, Risk Management and Tort Defense Division, and building security. Computer Use Section 45-6-311 MCA. As used in Section 45-6-311 . MCA, the term "obtain the use of" means to instruct, communicate with, store data in, retrieve data from, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, or computer network or to cause another to instruct, communicate with, store data in, retrieve data from, cause input to, cause output from, or otherwise make use of any resources of a computer, computer system, or computer network. MCA. Unlawful Use ofa Computer. Section 45-6-311 A 1) person commits the offense of unlawful use of a computer if the person knowingly or purposely: a) obtains the use of any computer, computer system, or computer network without consent of the owner; b) alters or destroys, or causes another to alter or destroy, a computer program or computer software without consent of the owner; or c) obtains the use of or alters or destroys a computer, computer system, computer network, or any part thereof as part of a deception for the purpose of obtaining money, property, or computer services from the owner of the computer, computer system, computer network, or part thereof or from any other person. A 2) person convicted of the offense of unlawful use of a computer involving property not exceeding $500 in value shall be fined not to exceed $500, or be imprisoned in the county jail for a term not to Doing "IT" Right! 8 March 1997