HR: Employee Handbook: Computer Security Awareness for New Employees
 
Employee Responsibilities

Every employee who uses an SAO computer has responsibilities that are described in Smithsonian Staff Handbook 1600. The following are some key points from that document.

Use SAO computers carefully, appropriately, and responsibly. As a general rule, use SAO computers only for SAO-related work.

Do not copy software in violation of copyright law or software licensing agreements.

Do not hack or attempt to use computing resources for which you do not have authorization.

Protect your password(s), change them as required, and do not share accounts.

Scan new software for computer viruses before executing it.

Protect sensitive data (e.g. personal, financial) according to the procedures established for the system that processes it. Protect the data regardless of the media (floppy disks, hard disks, or paper).

Back up data when it changes, in order to provide the basis for recovering from a virus or a physical disaster.

Electronic Mail and Internet

Electronic mail is a common form of communication within the Smithsonian Astrophysical Observatory. Many legal and ethical questions need to be settled as a result of this technology. Some of the Smithsonian Astrophysical Observatory's policies include:

Electronic Mail

Do not send harassing, obscene, fraudulent, or defamatory E-mail.

E-mail is not confidential like a letter sent through the U.S. Post Office. Although E-mail will ordinarily be treated as confidential, confidentiality is not guaranteed. There are instances where system administrators will need to access messages for system maintenance purposes. System administrators are authorized to take any action needed to protect their systems. Illegal activity will be investigated under the auspices of the Inspector General. E-mail is not like a telephone conversation. A mail message can become part of the official record, particularly when such messages are saved (messages are automatically saved by a backup program on a daily basis in many mail systems). Use caution in sending E-mail pertaining to issues that may become (legally) controversial.

Internet

Many SAO computers are connected to the Internet. The Internet is an electronic highway that allows users to access computers throughout the world. Our membership on this network is a privilege that is dependent on adherence to ethical and acceptable use policies which your system administrator should make available to you.

COMPUTER MISUSE

Misuse of computer resources includes, but is not limited to, physical misuse, unauthorized access, improper use, illegal use, interfering with others, improper experimentation, and improper alteration of system files. Some examples follow. Note that examples from any category may be illegal, not just those specifically cited as illegal.

Physical Misuse

Modifying or removing computer equipment, software, or peripherals without proper authorization.

Unauthorized Access

Accessing computers, computer software, computer data, or networks without authorization, whether or not SAO owns these resources.

Taking advantage of another user's naivete or negligence to gain access to any computer account, data, software, or file. This includes examining, copying, renaming, changing, or deleting files belonging to someone else without the owner's permission; and actions such as using the terminal of someone who has failed to log off.

Improper Use

Using computer resources for a purpose other than the purpose for which they were intended or authorized.

Any use that would be considered defamatory or obscene.

Participating in activities that promote computer crime or misuse, including but not limited to posting passwords, account numbers, credit card numbers, and system vulnerabilities on bulletin boards.

Writing or executing programs to bypass security mechanisms, steal passwords or data, or "crack" passwords.

Illegal Use

Violating any software licensing or copyright.

Copying or redistributing copyrighted computer software, data, or reports without proper, recorded authorization.

Reproduction of copyrighted software documentation, except as explicitly permitted by the copyright holder.

Any use that violates Federal, state, or local laws or regulations.

Interfering with Other Users

Harassing or threatening other users or interfering with their access to SAO computing facilities.

Sending fraudulent mail or breaking into another user's electronic mailbox.

Encroaching on others' use of computing resources (e.g., tying up a multi-user computer with game playing, sending frivolous or excessive messages, attempting to crash or tie up a computer).

Disclosing or removing proprietary or sensitive information, software, printed output, or magnetic media without the explicit permission of the owner.

Reading another user's data or programs on a display screen, as printed output, or via electronic means (e.g., electronically eavesdropping or intercepting data transmissions) without the owner's explicit permission.

Improper Experimentation

Testing the security mechanism of another computer.

Creating, offering, or releasing malicious or destructive programs such as viruses, worms, logic bombs, and Trojan horse programs.

Any use that might compromise the security mechanisms of another SAO computer.

Improper Alteration of System Files

Unauthorized modification of accounting system files or audit trails to alter or delete records of use.

Unauthorized modification of system files to change user privileges or passwords.

Modification of system files to intentionally cause the system to crash.

Investigating Computer Misuse

The system administrator can take immediate action if necessary to protect the integrity of the system when he or she suspects computer fraud or abuse.

Note: Monitoring of electronic transmissions, or logging them for subsequent investigation, is not permitted unless all users (authorized and unauthorized) are warned of this possibility in advance.

Investigation of possible computer abuse is justified if either the Computation Facility System Security Officer or the Computation Facility System Administrator:

Is an eyewitness to a computing abuse,

or

Observes an unusual degradation of service or other aberrant behavior on the system, network, or server and has evidence that implicates the user as the source of the problem,

or

Receives a complaint of computing abuse or degradation of service and has evidence that leads to a user's computing activity as the probable source of the problem or abuse.

Penalties may include the restriction or loss of computing privilege and other disciplinary actions. Any actions taken by the SAO do not preclude enforcement of Federal, state, or local laws, which may result in additional penalties.

The organizations that sponsor Bitnet and Internet have formal policies governing their use. As a member of these networks, the SAO is bound to adhere to their ACCEPTABLE USE POLICIES, which users should obtain from the System Security Officer or the network administrator.

If a VIOLATION of these policies occurs while using non-SAO computing resources, the penalty will be the same as it would be for a violation using SAO resources, if:

the violation originates from an SAO computer network, or

the violation occurs in performance of SAO work, or

the original access was granted under the auspices of the SAO.

For additional information contact:

Van McGlasson, Computation Facility Manager, 496-7508
