Misuse of an automated information system is sometimes illegal, often unethical, and always reflects poor judgment or lack of care in following security rules and regulations. Misuse may, unintentionally, create security vulnerabilities or cause damage to important information. A pattern of inability or unwillingness to follow rules for the operation of computer systems raises serious concerns about an individual's reliability and trustworthiness.
As we store more and more information in computer databases, and as these databases become more closely linked in networks, more people have broader access to more information than ever before. Computer technology has magnified many times the ability of a careless or disaffected employee to cause severe damage.
This topic discusses rules for using your computer. You should also read Computer Vulnerabilities, which describes in nontechnical language the security and other vulnerabilities of computer networks that make some of these rules necessary.
Owing to the magnitude of problems that can be caused by misuse of computer systems, Misuse of Technical Information Systems is now one of the 13 criteria used in adjudicating approval and revocation of security clearances for access to classified information. See Adjudicative Guidelines for Determining Access to Classified Information.
Many aspects of computer use are governed by your organization's policy rather than by federal government regulation. Many government agencies and defense contractors specify the security procedures and prohibited or inappropriate activities discussed below.
Security Rules
The following are basic rules for secure use of the computer.
- Do not enter into any computer system without authorization. Unauthorized entry into a protected or compartmented computer file is a serious security violation and is probably illegal. It can be a basis for revocation of your security clearance. Whether motivated by the challenge of penetrating the system or by simple curiosity to see what is there, unauthorized entry is a deliberate disregard for rules and regulations. It can cause you to be suspected of espionage. At a minimum, it violates the need-to-know principle and, in some cases, is an invasion of privacy.
- Do not store or process classified information on any system not explicitly approved for classified processing. See Security of Hard Drives.
- Do not attempt to circumvent or defeat security or auditing systems without prior authorization from the system administrator, other than as part of a system test or security research authorized in advance.
- Do not install any software on your computer without the approval of your system administrator.
- Do not use another individual’s user ID, password or identity.
- Do not permit an unauthorized individual (including a spouse, relative or friend) access to any sensitive computer network.
- Do not reveal your password to anyone -- not even your computer system administrator. See Passwords.
- Do not respond to any telephone call from anyone whom you do not personally know and who asks questions about your computer, how you use your computer or about your user ID or password. See "Social Engineering."
- If you are the inadvertent recipient of classified material sent via email or become aware of classified material on an open bulletin board or web-site, you must report this to the security office.
- Do not modify or alter the operating system or configuration of any system without first obtaining permission from the owner or administrator of that system.
- Do not use your office computer system to gain unauthorized access to any other computer system.
Inappropriate Use
Many offices permit personal use of office equipment when it involves minimal expense to the organization; is performed on your personal, nonwork time; does not interfere with the office's mission; and does not violate standards of ethical conduct.
The following activities are considered to be misuse of office equipment:
- The creation, download, viewing, storage, copying or transmission of sexually explicit or sexually oriented materials can cause you to be fired from your job. See discussion under Email.
- Annoying or harassing another individual, for example through uninvited email of a personal nature or using lewd or offensive language, can cause you to be fired from your job. See discussion under Email.
- Using the computer for commercial purposes or in support of "for-profit" activities or in support of other outside employment, business activity (e.g., consulting for pay, sales or administration of business transactions, sale of goods or services) or gambling.
- Engaging in any outside fundraising activity, endorsing any product or service, participating in any lobbying activity or engaging in any prohibited partisan political activity.
- The creation, copying, transmission or retransmission of chain letters or other unauthorized mass mailings.
- Any activities that are illegal, inappropriate or offensive to fellow employees or the public. Such activities include hate speech or material that ridicules others on the basis of race, creed, religion, color, sex, disability, national origin or sexual orientation.
- Use for posting office information to any external news group, chat room, bulletin board or other public forum without prior approval.
- Any personal use that could cause congestion, delay or disruption of service to any office equipment. This includes sending pictures, video or sound files, or other large file attachments that can degrade computer network performance.
- The unauthorized acquisition, use, reproduction, transmission or distribution of any controlled information. This includes copyrighted computer software; other copyrighted or trademarked material or material with intellectual property rights (beyond fair use); privacy information; and proprietary data or export-controlled data or software.
There are two big problems with email. One is the increased risk of accidental security compromise. The other is sending inappropriate materials by email, which has caused many people to be fired from their jobs.
Security Risks with Email
As a result of the internet and email, there has been a sharp increase in security incidents involving the accidental disclosure of classified and other sensitive information. One common problem occurs when individuals download a seemingly unclassified file from a classified system, then fail to review this file carefully before sending it as an attachment to an email message. Too often, the seemingly unclassified file actually has some classified material or classification markings that are not readily apparent when the file is viewed online. Sending such material by email is a security violation, even if the recipient has an appropriate security clearance, as email can easily be monitored by unauthorized persons. See Email Pitfalls in Computer Vulnerabilities.
More important, even if the downloaded file really is unclassified, the electronic version of that file may have recoverable traces of classified information. This happens because data is stored in "blocks." If a file does not take up an entire block, the remainder of that block may have recoverable traces of data from other files. (See Security of Hard Drives for further explanation of this problem.) Your system administrator must follow an approved technical procedure for removing these traces before the file is treated as unclassified.
Some organizations have found it necessary to lock their computer drives to prevent any downloading of files from the classified system. If an individual wishes to download and retransmit an unclassified file from a classified system, the file must be downloaded and processed by the system administrator to remove electronic traces of other files before it is retransmitted.
Inappropriate Materials
Sending email is like sending a postcard through the mail. Just as the mailman and others have an opportunity to read a postcard, network eavesdroppers can read your email as it passes through the internet from computer to computer. Email is not like a telephone call, where your privacy rights are protected by law.
The courts have repeatedly sided with employers that monitor their employees' email or internet use. In an American Management Association poll, 47% of major companies reported that they store and review their employees' email. Organizations do this to protect themselves against lawsuits, because the organization can be held liable for abusive, harassing or otherwise inappropriate messages sent over its computer network. In the same poll, 25% of companies reported that they have fired employees for misuse of the internet or office email. 4
In the past couple of years, The New York Times fired 23 employees for exchanging off-color email. Xerox fired 40 people for inappropriate internet use. Dow Chemical fired 24 employees and disciplined another 230 for sending or storing pornographic or violent material by email. 1
Several years ago, Chevron Corp. had to pay $2.2 million to plaintiffs who successfully brought a suit of sexual harassment, in part because an employee sent an email to co-workers listing the reasons why beer is better than women. 2
Security of Hard Drives
Secrets in the computer require the same protection as secrets on paper. This is because information can be recovered from a computer hard drive even after the file has been deleted or erased by the computer user. It is estimated that about a third of the average hard drive contains information that has been "deleted" but is still recoverable. 3
When you delete a file, most computer operating systems delete only the "pointer," which allows the computer to find the file on your hard drive. The file itself is not deleted until it is overwritten by another file. This is comparable to deleting a chapter heading from the table of contents of a book, but not removing the pages on which the chapter is written. Some networks may be configured to "wipe," or purge, the hard drive when information is deleted, but most are not.
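The following added example (not part of the original page) models in Python what the block-storage and deleted-pointer explanations describe: an ordinary delete drops only the pointer, and a smaller file written into the same block leaves the old data in the unused remainder. The ToyDisk class, the 64-byte block size, and the file names and contents are constructed for illustration; sanitize() stands in for an approved procedure and is not one.

```python
BLOCK_SIZE = 64  # constructed toy block size; real file systems use larger blocks


class ToyDisk:
    """Simulated disk: raw blocks plus a file table of pointers (name -> (block, length))."""

    def __init__(self, blocks=4):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(blocks)]
        self.table = {}

    def _free_block(self):
        used = {blk for blk, _ in self.table.values()}
        return next(i for i in range(len(self.blocks)) if i not in used)

    def write(self, name, data):
        if len(data) > BLOCK_SIZE:
            raise ValueError("toy model stores one block per file")
        blk = self._free_block()
        # Only the bytes the new file needs are overwritten; the rest of the block is untouched.
        self.blocks[blk][:len(data)] = data
        self.table[name] = (blk, len(data))

    def read(self, name):
        blk, length = self.table[name]
        return bytes(self.blocks[blk][:length])

    def delete(self, name):
        # Ordinary delete: drop the pointer, leave the data in place.
        del self.table[name]

    def slack(self, name):
        """Bytes between the end of the file and the end of its block."""
        blk, length = self.table[name]
        return bytes(self.blocks[blk][length:])

    def sanitize(self, name):
        """Overwrite the file's slack with zeros (stand-in for an approved procedure)."""
        blk, length = self.table[name]
        self.blocks[blk][length:] = bytes(BLOCK_SIZE - length)


def demo():
    disk = ToyDisk()
    disk.write("report.doc", b"CLASSIFIED (constructed sample): budget figures Q3")
    disk.delete("report.doc")
    disk.write("menu.txt", b"Lunch menu")  # reuses the freed block
    before = disk.slack("menu.txt")
    disk.sanitize("menu.txt")
    return disk.read("menu.txt"), before, disk.slack("menu.txt")
```

Reading menu.txt through the file table shows only the menu text, while the slack of the same block still holds the tail of the deleted report until it is overwritten.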
Computers on which classified information is prepared must be kept in facilities that meet specified physical security requirements for processing classified information. If it is necessary to prepare classified information on a computer in a non-secure environment, use a removable hard drive or laptop that is secured in an approved safe when not in use. Alternatively, use a typewriter.
Check with your security office concerning rules for traveling with a laptop on which classified or other sensitive information has been prepared. Laptop computers are a particular concern owing to their vulnerability to theft.
Computer Passwords
Passwords are used to authenticate an individual’s right to have access to certain information. Your password is for your use only. Lending it to someone else is a security violation and may result in disciplinary action against both parties. Never disclose your password to anyone. Memorize it; do not put it in writing. If you leave your terminal unattended for any reason, log off or use a screen lock. Otherwise, someone else could use your computer to access information they are not authorized to have. You will be held responsible if someone else uses your password in connection with a system transaction.
Change your password regularly. Use a password with at least six -- and preferably eight -- characters and consisting of a mix of upper- and lower-case letters, numbers and special characters, such as punctuation marks. This mix of various types of characters makes it more difficult for a hacker to use an automated tool called a "password cracker" to discover your password. Cracking passwords is a common means by which hackers gain unauthorized access to protected systems.
For additional information on selecting a strong password and why this is so important, see Passwords and the case studies in Computer Vulnerabilities.
"Social Engineering"
"Social engineering" is hacker-speak for conning legitimate computer users into providing useful information that helps the hacker gain unauthorized access to their computer system.
The hacker using social engineering usually poses as a legitimate person in the organization (maintenance technician, security officer, inexperienced computer user, VIP, etc.) and employs a plausible cover story to trick computer users into giving useful information. This is usually done by telephone, but it may also be done by forged email messages or even in-person visits.
Most people have an incorrect impression of computer break-ins. They think they are purely technical, the result of technical flaws in computer systems that the intruders exploit. The truth is, however, that social engineering often plays a big part in helping an attacker slip through security barriers. Lack of security awareness or gullibility of computer users often provides an easy stepping stone into the protected system if the attacker has no authorized access to the system at all.
For additional information see "Social Engineering" and the two case studies in Computer Vulnerabilities.
References
1. Larry Armstrong, "Someone to Watch Over You," Business Week, July 10, 2000, p. 189. Todd R. Weiss, "Dow Fires More Employees Over Inappropriate E-Mails," CNN.com, September 19, 2000.
2. Anna Davison, "Is Your E-Mail Being Monitored?" Monterey County Herald, July 29, 2000, p. E1.
3. Alex Markels, "The messy business of culling company files," The Wall Street Journal, May 22, 1997, p. B1.
4. "Big-Bro Is Eyeing your E-Mail," Business Week, June 4, 2001, p. 30.