Cyber Security Awareness Required Read

Due to the recent number of incidents on site, the WEMS cyber security team has created this document to remind all users to always be aware of what they do while on DOE-owned computers.

Below are some of the major problems we have seen recently on site:

Release of PII

This is an incident that is reportable to DOE. To protect against it, we use software called ENTRUST, which gives us the ability to encrypt emails before sending them out. Remember to always encrypt an email containing PII before sending it. Failing to do so can result in a security infraction reportable to DOE. PII is considered any information that can uniquely identify a person. You should also encrypt any email that contains sensitive information. Two examples of sensitive information are Export Control Information (ECI) and Unclassified Controlled Information (UCI).

Protect Your Password

§  Passwords are for “Official Use Only”

§  You are the only person with a need-to-know

§  If written, the document must be secured so only you have access

§  Don't let others watch you enter your password

§  Don’t use your work password on other systems

If a device requires a connection to a computer’s USB Port, serial port, or parallel port:

§  Item must be tagged with a DOE property number

§  The USB Port must be enabled for the device type

§  User must possess a Portable Media Access Pass

§  Software must be installed by a Desktop Support Technician

If an item requires a connection to a GSS network port:

§  Item must be tagged with a DOE property number

§  Network Administrators must be advised that the device will be connected

§  A WEMS IT Technician must plug the device into the network port.

Spam Control

All incoming email is checked for SPAM:

§  Items identified as SPAM will not be delivered

§  SPAM filters are routinely reviewed for legitimate email that may have been caught in error

§  Users must still scrutinize their email (inbox and junk mail folders) for items not yet identified as SPAM.

Note: Some SPAM may not meet the criteria to be trapped by the SPAM filters.
Users must still scrutinize their email for suspected SPAM or phishing emails.

Visiting Internet Sites

§  Be careful about providing personal or sensitive information to an internet site.

§  Be aware that you may get viruses from any internet site.

§  Just because a website is not blocked does NOT mean it is safe.

§  Do not download anything to your assigned computer without first checking with WEMS cyber security.

Sending Emails

§  Always double-check to make sure you are sending the information to the right people.

§  Always encrypt sensitive information (i.e. PII, UCI or ECI).

§  Do not open suspicious emails, or go to sites they recommend.

§  Sending out PII or OUO can result in a security infraction reportable to DOE.

Inappropriate Use

§  Personal use of email or Internet access that may cause congestion that could impede the performance of a network or portions of a network:

•  Opening large file attachments (e.g. music, video, or graphics)

•  Using continuous data streams (e.g. continuous stock quotes or weather and news update services)

•  Participating in social networking websites or online chat rooms

•  Access to streaming video or audio websites

•  Sending or receiving online greeting cards

§  Use for commercial pursuits not related to a DOE contract:

•  Emails associated with outside employment or business ventures

•  Selling or trading merchandise over the internet or by email

•  For-profit activities such as fundraisers

•  Using IT equipment or staff to pursue personal or corporate projects not specified in the DOE contract.

•  Unauthorized modification to the configuration of equipment or applications

•  Unauthorized acquisition, use, reproduction, transmission, or distribution of data or applications. This includes information subject to copyright, trademark, or intellectual property rights beyond fair use.

•  Releasing DOE information to public forums without review and approval by a Classification Officer. This includes placing information on external websites, discussing DOE projects on “chat room” sites, or releasing information to news groups. This can result in a security infraction reportable to DOE.

If you have any questions, you can contact the WEMS Cyber Security Department:

Brian Kirkendall, Cyber Security Manager ext. 3853

Doug Young, Information Systems Security Officer ext. 2729

J.B. Kidd, Cyber Security Specialist ext. 4368

James Morgan, Cyber Security Analyst ext. 3338