GRAND COUNTY INFORMATION SYSTEMS

Best Practices for Computer use

Martin J. Woros Director of Information Systems

Grand County Colorado The fundamental mission of the Department of Information Systems is to ensure that the County Information Systems are adequate in design and reliable in functionality to accomplish the day to day business and statutory requirements of the general fund departments of the County

Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS Page 1 Introduction

Information is a critical asset. Therefore, it must be protected from unauthorized modification, destruction and disclosure. This brochure describes security concepts and defines steps required to properly safeguard information. It is the responsibility of everyone, each and every employee to become familiar with good security principles and to follow the information protection tips. Did You Know? The first document an outside systems auditor reviews is the organizations technology acceptable use policy. At Grand County, this document is contained in your personnel manual and like all other policies, you are required to be familiar with and follow the guidelines.

User IDs and Passwords

Your user ID is your identification, and its what links you to your actions on the system. Your password authenticates your user ID. Protect your ID and password. Remember, generally, you are responsible for actions taken with your ID and password. Follow these best practices: 1. Your password should be changed periodically. 2. Dont reuse your previous passwords. 3. Dont use the same password for each of your accounts. 4. NEVER tell or share your password with ANYONE. 5. Never use a word found in a dictionary (English or foreign.) 6. If you think your password has been compromised, change it immediately and contact the Systems Administrator at 970-725-3041

Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS Page 2

Tip: Make your password as long as possible - - eight or more characters. Create a password thats hard to guess but easy for you to remember. When possible, use a mix of numbers and letters, special characters or use only the consonants of a word. If you have difficulty in thinking of a password that you can remember, try using the first letter of each word in a phrase, song, quote or sentence. For example, The big Red fox jumped over the Fence to get the hen? becomes TbRfjotF2gth?.

Best Practices
Proper use of your county computer is one of the most important ways of protecting information from corruption or loss. 1. Log off or lock your computer when you are away from your PC. In most cases hitting the Control-Alt-Delete keys and then selecting Lock Computer will keep others out. You will need your password to sign back in, but doing this several times a day will help you to remember your password. 2. Never store data on a local drive, keep your work on a network drive that is backed up nightly 3. Never place sensitive data on a removable jump drive or depend on these drives as a backup. 4. Never tamper with or bypass the virus protection software or the firewalls installed on your equipment. 5. Use Email and Internet only for business purposes

Protecting your Information

During an emergency or disruption, critical information - - the information necessary to run your organizations systems, record activities or satisfy legal and/or business requirementsmay become inaccessible. Grand Counties continuity of operation plan only covers data on secured networked drives, in servers that are backed up nightly. Never store critical data on a local computer drive.
Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS

Page 3 Firewalls
All county computers connecting to the Internet have been configured to utilize a firewall. Our firewall protection creates a barrier between your computer and the evil lurking on the Internet. Our firewalls are configured to filter out unauthorized or offensive information and prevent intruders from scanning and retrieving personal or sensitive information from your computer. Never disable, modify or bypass Internet protocols or firewall systems found on your computer, networks or other county systems. All new requests for Internet services or connections for Internet use must be directed through Information Systems so that the proper firewall is employed and maintained.

Malicious Code Protection

Malicious code can take forms such as a virus, worm or Trojan. It can hide behind an infected web page or disguise itself in a downloadable game, screen saver or email attachment. Grand County has Virus Protection Software (FPROT) loaded on each workstation, laptop and server

Never obstruct or stop FPROT from updating

Grand County has configured every County email account to first pass mail through a content and virus filter (MXLogic)

Never bypass or disable these protective systems Never download email from an outside email service, Gmail, Yahoo etc. on a county computer Report any failure or absence of your virus protection to Information Systems immediately
Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS

Page 4
Computer viruses are programs that spread or self-replicate. They usually require interaction from someone to be activated. The virus may arrive in an email message as an attachment or be activated by simply opening a message or visiting a malicious web site. Some viruses consume storage space or simply cause unusual screen displays. There are those who will commandeer your email account and send thousands of emails, clogging the network with traffic and freezing up the county email server. Others simply destroy information. If a virus infects your PC, all the information on your hard drive may be lost and/or compromised. Also, a virus in your PC may easily spread to other machines that share the information you access. Viruses can exhibit many different symptoms. If your computer behaves erratically, employees are advised to contact their Systems Administrator at 970-725-3041. 1. Never use a county computer that you suspect may not have properly functioning virus protection or is behaving erratically. 2. Never install software on a county computer or start an installation process from a file. 3. Information Systems installs all software and stores the source disks for all programs used on your computer. 4. Do not load free software from the Internet on to your county computer. 5. You must be very careful and sure of the attachment files found in emails, files with extensions such as: .bat, .cmd, .exe, .pif, .scr, can be very dangerous. Never open attachments from anyone you don't know or attachments with these extensions 6. Report any messages generated from your virus protection software regarding infections or quarantined files to the Systems Administrator at (970) 725-3041.

Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS

Page 5
Spyware and related adware, are software downloaded from a web page through your Internet browser, or by following a link in an email or are installed with freeware or shareware software such as Web Shots or toolbar icons i.e. American flags. Spyware is used to track your Internet activity, redirect your browser to certain web sites or monitor sites you visit. Spyware may also record your passwords and personal information to send to a malicious web site. 1. NEVER load software on a County computer 2. Do not respond to any dialogue boxes that appear unexpectedly; click on X. Clicking on No or Cancel sometimes installs spyware. 4. Beware of visiting web pages which are un-trusted. Use Internet only for business purposes. 5. All County computers must use our Internet content filter to detour Spyware attacks and infections. 6. Leave your Internet Explorer security level set at its default of Medium-high, in most cases leave the popup blocker on unless needed for legitimate reasons. Hoaxes are email messages that resemble chain letters, offer free money, or contain dire warnings and offers that seem to be too good to be true. If you receive a hoax via email, delete it. Sharing hoaxes slows down mail servers and may be a cover for a hidden virus or worm. Social Engineering is an approach to gain access to information through misrepresentation. It is the conscious manipulation of people to obtain information without their realizing that a security breach is occurring. It may take the form of impersonation via telephone or in person and through email. Some emails entice the recipient into opening an attachment that activates a virus. 1. Be very wary of anyone offering you computer or program support that you did not initiate.
Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS

Page 6
2. Employees should transfer any suspicious calls to the Systems Administrator ext. 141 / 970-725-3041. 3. Bottom line is do not give your password to anyone. Do not participate in phone surveys that ask you questions about your computer or the programs you use. Direct these callers to your Systems Administrator.

Phishing is a scam in which an email message directs the email recipient to click on a link that takes them to a web site where they are prompted for personal information such as a pin number, social security number, bank account number or credit card number. Both the link and web site may closely resemble an authentic web site however, they are not legitimate. If the phishing scam is successful, personal accounts may be accessed. If you receive one of these emails:

1. Do not click on the link. In some cases, doing so may cause

malicious software to be downloaded to your computer.

2. Delete the email message. 3. Do not provide any personal information in response to any
email if you are not the initiator of the request.

Employees only: Find more useful information on ourpage.co.grand.co.us

Links to submit technical support tickets Links to access the county webmail service Information on safe computing practices for children HR forms and information
Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS

Page 7 Mobile Computing Security

If you use a laptop, remember the following: 1. Secure it with a cable lock or store it in a locked area or locked drawer. 2. Backup your data. Regularly. 3. All County laptops that leave the building must use encryption software and complex passwords. 4. Keep it with you during air and vehicle travel until it can be locked up safely. Do not forget to retrieve it after passing through airport security. 5. Notify IS of the loss of a laptop ASAP so that accounts can be quickly disabled.

Laptops, PDAs and Cell Phones are more easily stolen or misplaced because of their size. Remember, if your laptop is gone, your data is too. Small computer devices carry information that must be protected. Electronic information is now accessible via a variety of means. A person can even download desktop data using the Internet to a cell phone. While convenient to use, some good practices will help protect your information. 1. Use a password to lock your phone if it is used to download email. 2. Report the loss of a phone or a computer to the System Administrator so that the device can be blocked from our network. Smart Phones can be remotely scrubbed if needed. 3. Always allow IS to configure your wireless equipment so that safe guidelines are followed. 4. You will be charged for any non-county business conducted on your mobile phone or air cards.
Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS

Page 8
Remote Access allows users to access data from outside locations using Internet, or cellular/wireless access on the Internet. Because this form of access is designed for off-site use that may extend after normal business hours, extra measures are required to prevent unauthorized access.

1. All remote access (VPN) to or through County resources must be pre-approved by the County Manager and configured by the Systems Administrator

2. Remote access is allowed from only the counties specified

VPN client.

3. Remote email access is allowed to any employee account

through the counties Kerio, webmail interface at mail.co.grand.co.us/ This remote access does not require VPN privileges and is available to any employee, you must know your username and password.

4. Occasionally software support will need to make a connection to your computer to work through an issue. Please notify IS in advance if you are going to need this level of support so that the firewall can be adjusted so as not to block the connection.

Video Conferencing and Go to Meeting... Grand County owns Video conferencing equipment, and with 24 hours prior notice can provide you with access to the equipment. Employees needing to use special WebEx or other meeting software access should contact the IS Department with a request to test at least a day before the event to verify that the firewall will support your session. Door Codes and key fobs These codes and devices are to be treated exactly as passwords described earlier. Report lost or stolen fobs and contact IS if your door code is compromised. Never store a door code on a mobile phone.
Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS

Page 9
Help Your County IS Department will always be your first line of support for all hardware and software issues. Any questions regarding your PC, software, phones, printers, scanners or any other networked equipment should be directed to the IS Help Desk. For non emergency support submit a trouble ticket by logging onto www2.co.grand.co.us/kayako/ You will need to register the first time you use this service. If you are experiencing an urgent incident you may call the help desk directly at 725-3108, 531-6815 or courthouse ext. 108. Any County employee desiring to add hardware or software to their PC system must contact IS. You may not under any circumstance connect equipment to the Counties network without the approval of the Director of IS. Only Department Heads can direct IS to authorize access to Information resources for employees. This request must be submitted using the IS employee routing form. County owned equipment can never be used to benefit a political candidate or political organization in any way. This includes your email account, cell phone, office phone, computers or other office equipment or supplies. Per county policy, Internet is to be used for professional purposes only. If you need to use Internet for a personal matter, you may use the computer in the lunch room or the internal wireless Internet (on your own equipment) in the Administration Building. Contact IS for the passwords. Grand County uses a content filter to block access to inappropriate websites. The process uses an algorithm to score each site you visit and looks to prevent sexual, violent, racists, and vulgar content. Websites that require and use a large amount of bandwidth like streaming music and video are also blocked so that people using the Internet with a business need have priority on the system. Occasionally a legitimate site will become blocked and can be made accessible by calling or Emailing the Systems Administrator at 970-725-3041
Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS

Page 10 HIPAA Health Insurance Portability and Accountability Act (HIPAA) of 1996, applies to any county office that maintains, reviews or creates electronic health information records The Security component of HIPAA includes the following guidelines: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software that have been granted access rights. Making health information accessible to health care providers and those responsible for operations and billing while preserving the privacy of the patient is the mandate. Health care administrators and providers must use complex password policies that require periodic changes All computers used to store health information must be located in a secure building with physical access controls such as logging door access locks. Never store Health Information on a local drive or portable device, this includes PDAs, telephones and jump drives. All county laptops must use data encryption software Any unintentional disclosure of protected health information must be immediately reported to the County HIPAA Officer, Lurline Underbrink Curran All computers, recording media and records systems storing protected health information must be disposed of properly by first destroying the device or media. The device or equipment cannot be thrown away or transferred unless the storage device or media is unreadable and unrepairable.
Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html

GRAND COUNTY INFORMATION SYSTEMS

Page 11 Email There is a size limit to email attachments. Do not attempt to send attachments larger than what the mail program can handle. Because technology is constantly changing, the size limitation is also changing. Contact IS to learn what the current limit is. The system will reject attachments larger than the current size limitation. (10 Mb) If files greater than the current size limitation need to be transferred through email, contact IS for instructions on available alternatives. It is strongly recommended that the Employee and Department email aliases be used only for business related messages that are specifically intended for all employees. Be careful addressing emails, don't make the mistake of sending everyone a message intended only for a few! Acknowledgement:
The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a collaborative effort for State and Local Governments in strong partnership with the US Department of Homeland Security.

Grand County Information Systems www.co.grand.co.us 970-725-3042 @2005 Multi-State Information Sharing & Analysis Center (MSISAC) Copies and reproductions of this content, in whole or in part, may only be distributed, reproduced or transmitted for educational and non-commercial purposes. Published by: The Multi-State Information Sharing and Analysis Center (MS-ISAC) http://www.cscic.state.ny.us/msisac/index.html