How to Shutdown Computer automatically Using Firefox Auto Shutdown Add-on

Firefox is the most widely used web browser in the world, because it is handy and gains lots of features through its add-ons and extensions. Sometimes we start downloading files with Firefox and need to leave for other work at the same time, so the computer wastes energy until we come back. In this situation we can use the Auto Shutdown add-on to shut down the computer when the downloads are completed, which helps us save electric power.

Auto Shutdown is a cool Firefox add-on which monitors your active downloads and shuts down the computer when they are completed, through its auto-executing user script. Not only this, but if Firefox is running idle it also shuts down the PC automatically at a pre-defined shutdown time.

If you are using the DownThemAll Firefox extension for downloading movies, video, music and images from the web, then you can easily integrate the Auto Shutdown Firefox extension with the DownThemAll add-on.

Download Auto shutdown Firefox Add-on

Backdoor in Linksys and Netgear routers



This news could hurt the reputation of both companies. Eloi Vanderbeken, a passionate (and obviously very competent) reverse engineer from France, had forgotten the admin interface password of his router and just wanted to have some fun getting into the administration side; that is when he discovered a backdoor in his Linksys WAG200G router. After he published this discovery on GitHub, other users confirmed its existence in at least three other routers:

  • Netgear DM111Pv2
  • Linksys WAG320N
  • Linksys WAG54G2

Other routers are suspected of offering the same way to obtain the administrator password through port 32764, but this has not yet been confirmed:

  • Netgear DG934
  • Netgear DG834
  • Netgear WPNT834
  • Netgear DG834G
  • Netgear WG602
  • Netgear WGR614
  • Netgear DGN2000
  • Linksys WAG120N
  • Linksys WAG160N
  • Linksys WRVS4400N

The backdoor listens specifically for communications sent to port 32764 and answers a series of 13 numbered commands that can be invoked by sending a specific message. It is therefore possible to remotely obtain the complete configuration of the router or the administrator password, or even to restore default settings.
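To check your own network for exposure, the following added example (not part of the original article) classifies a router model against the two lists above and scans firewall logs for traffic to port 32764, separating internal from external sources and noting whether the device answered. The log lines are constructed and abbreviated netfilter-style records, and the `LAN` range and function names are assumptions.

```python
import ipaddress
import re

BACKDOOR_PORT = "32764"  # port named in the article
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: your internal range

# Model lists copied from the article.
CONFIRMED = {"Linksys WAG200G", "Netgear DM111Pv2", "Linksys WAG320N",
             "Linksys WAG54G2"}
SUSPECTED = {"Netgear DG934", "Netgear DG834", "Netgear WPNT834",
             "Netgear DG834G", "Netgear WG602", "Netgear WGR614",
             "Netgear DGN2000", "Linksys WAG120N", "Linksys WAG160N",
             "Linksys WRVS4400N"}

# Constructed sample (not real traffic): abbreviated netfilter LOG lines as
# seen by a firewall in front of a router with WAN address 198.51.100.20.
SAMPLE_LOG = """\
Jan  3 10:15:01 fw kernel: EDGE: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=32764 SYN URGP=0
Jan  3 10:15:01 fw kernel: EDGE: IN=eth1 OUT=eth0 SRC=198.51.100.20 DST=203.0.113.7 LEN=60 TTL=64 PROTO=TCP SPT=32764 DPT=51234 ACK SYN URGP=0
Jan  3 10:16:40 fw kernel: EDGE: IN=eth1 OUT=eth1 SRC=192.168.1.50 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=40022 DPT=32764 SYN URGP=0
Jan  3 10:17:02 fw kernel: EDGE: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TTL=52 PROTO=TCP SPT=51300 DPT=443 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs of a LOG line


def model_status(model):
    """Return 'confirmed', 'suspected' or 'not listed' for a router model."""
    name = " ".join(model.split()).lower()
    if name in {m.lower() for m in CONFIRMED}:
        return "confirmed"
    if name in {m.lower() for m in SUSPECTED}:
        return "suspected"
    return "not listed"


def find_backdoor_port_traffic(log_text, lan=LAN):
    """Summarise traffic to port 32764 per targeted device.

    For each destination: which sources tried the port (split into
    internal/external by `lan`) and whether a SYN-ACK came back from
    source port 32764, i.e. something on the device is listening.
    """
    devices = {}

    def entry(ip):
        return devices.setdefault(
            ip, {"external": set(), "internal": set(), "answered": False})

    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # not a packet record, or a malformed address
        flags = set(line.split())
        if fields.get("DPT") == BACKDOOR_PORT:
            side = "internal" if src in lan else "external"
            entry(str(dst))[side].add(str(src))
        elif fields.get("SPT") == BACKDOOR_PORT and {"SYN", "ACK"} <= flags:
            entry(str(src))["answered"] = True
    return {ip: {"external": sorted(d["external"]),
                 "internal": sorted(d["internal"]),
                 "answered": d["answered"]}
            for ip, d in devices.items()}


if __name__ == "__main__":
    print(model_status("Netgear DGN2000"))
    for ip, summary in find_backdoor_port_traffic(SAMPLE_LOG).items():
        print(ip, summary)
```

A device that shows `answered: True` for an external source is reachable on the port from outside and should be firewalled or replaced first.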

Neat Fun with Versatellers

Here’s some neat fun to have on versatellers in your city. Call the
versateller network center and tell them the machine is damaged. Tell them you
have a problem with the machine…if they put you on hold tell them the machine
is handing out 20.00 bills right and left. Tell them someone just walked off
with $2000.00. This is guaranteed to cause havoc. If you find a Versateller
that is “Removed from Service”, you can have lots of phun. A machine is
removed from service if the face is covered with a metal roll up plate (like a
garage door). This door (once again if you’re lucky) can be pulled up. The
machine is now at your disposal. If the door opens the machine will be slightly
pushed back. You can pull it forward and put the machine “Back in service”.
This is great because it obviously has defects.

Walk up to your local Versateller and give the screen panel a shove. If it
goes back great, you’re in. You can now mess with it or “remove it from
service.” Look around and find things to play with. If a cop comes up and asks
questions just tell him you found it this way and were puzzled as to why it is
open. He will probably be as shocked as I was the first time I leaned up against
one of these and it “caved in”! My first reaction was HOLY SHIT I BROKE
IT…but the machine was functional. My next thought was HOW DO I GET TO THE
MONEY! If any of you find out let me know.

If you are too timid to play with a versateller you can have all kinds of phun
with the versateller people. Look in your phone book for the versateller
locations so you can give them the exact address when you tell them the machine
just gave you $2000.00

Just as information to know when calling-

1…Don’t give your name or tell them it gave you the money and give an
enemy’s name.
2…Versatellers give money in $20 bills
3…The maximum you can withdraw at a time is usually $200.00
4…These machines are usually well lit so be careful
5…When you call the Versateller Customer Service line you will probably not
get the same person.
6…You can get the number from 800 directory assistance they will be happy to
give it to you. 800-555-1212 is directory assistance.

If you have access to another city’s phone book you can get the addresses of
other versatellers in other cities. Then when you call directory asst. tell
them your area code (they will ask) but give them the other city’s area code.
They will give you the 800 (free) number to call for Versateller information.
This is great because I can phuck with sunnyvale from Morgan Hill and not have
to pay a whopping phone bill.

Word of warning-
If you try any of this remember…you are phucking with a bank…that’s
phederal! Yes it’s a Phelony! So make your calls brief!

Secondly…don’t do this too often…a Versateller has saved my ass many times
when I run out of money. These things are great if and when they are running.

Original file by Terrorist Tactis and The Great White Brotherhood


Those Stupid Little Bastard Hackers!


FROM: AN ANONYMOUS SOURCE.

DURING THE PAST EIGHT YEARS, I HAVE BEEN HEAVILY INVOLVED WITH “BULLETIN
BOARD” SYSTEMS RUNNING ON MICROS AND MAINFRAMES. I’D LIKE TO GIVE A FEW
EXAMPLES OF THE DESTRUCTIVENESS OF MANY OF THESE “KIDS.”

MOST HAVE PROBABLY HEARD OF OR CALLED AN RCP/M. FIVE YEARS AGO, I WROTE A
SIMILAR TYPE SYSTEM FOR A TRS-80. THIS SOFTWARE RAN FOR 3.5 YEARS WITHOUT
A PROBLEM. BUT NOW, AS MORE AND MORE POTENTIAL CRACKERS HAVE ACCESS TO
COMMUNICATIONS EQUIPMENT, THIS SYSTEM HAS BEEN CRASHED REPEATEDLY.

WHEN I WAS BACK IN HIGH SCHOOL, THE BIG THING WAS TO FIND A BUG IN THE OS.
BUT, ONCE WE FOUND IT, INSTEAD OF USING IT TO KEEP THE SYSTEM FLAT ON ITS
BACK, WE DOCUMENTED IT AND SOMETIMES EVEN FIXED IT. DOESN’T SEEM LIKE THAT
IS THE CASE ANYMORE…

ON THIS SYSTEM, SOME CALLER BREAKS IN, DELETES ALL THE FILES, AND THEN
WRITES A PROGRAM WHICH KEEPS THE DRIVES SELECTED; THIS BURNS OUT THE MOTORS
ON 5.25″ DRIVES, ESPECIALLY WHEN THEY RUN ALL NIGHT. THIS WAS DONE SO
OFTEN, THE SYSTEM WAS BROUGHT DOWN FOR A LONG TIME (UNTIL A TRACE COULD BE
PUT ON THE DIAL-UP).

I RUN MY OWN SYSTEM AND PUBLISH SOFTWARE THAT TURNS A TRS-80 INTO A MAIL
AND MESSAGE SYSTEM. I HAVE SAT AND WATCHED CALLERS SYSTEMATICALLY ATTACK
THE SYSTEM. THIS TAKES SEVERAL FORMS:

1) ALL COMMANDS, SERIES OF COMMANDS, AND OPTIONS ARE TRIED.

2) THE SYSTEM IS ASSAULTED WITH ALL MANNERS OF CONTROL SEQUENCES, TRYING TO
GET SOME UNEXPECTED RESULT.

3) I HAVE EVEN SEEN SOMEONE DROP AND THEN RE-INITIATE CARRIER TO SEE IF
THEY COULD GET SOMEWHERE.

IF THAT DOESN’T WORK, THEY BEGIN TO CRACK PASSWORDS. THEY KNOW WHAT THEY ARE
DOING… IN ONE CASE, I WATCHED AS SOMEONE WENT THROUGH WHAT LOOKED LIKE THE
BEGINNING OF THE WEBSTER’S DICTIONARY TRYING TO GET SUPERUSER STATUS. SINCE
MOST PEOPLE USE WORDS, NOT A BAD IDEA, RIGHT? LESS INTELLIGENT ONES START WITH
A AND JUST TRY AND TRY AND TRY.

OH, BY THE WAY, THEY ARE DEFINITELY USING AUTO-DIAL MODEMS AND SOFTWARE TO
DO THIS.

IF ALL ELSE FAILS, THEY SIMPLY TIE UP THE SYSTEM. THEY CHOOSE THE MOST
OBVIOUSLY DISK INTENSIVE COMMAND, AND EXECUTE IT AGAIN AND AGAIN. SINCE MANY
SYSTEMS ONLY TIMEOUT AFTER INACTIVITY, THIS COULD TIE UP THE SYSTEM FOR MANY
HOURS (NOT TO MENTION THE WEAR AND TEAR ON THE EQUIPMENT).

THESE LITTLE BASTARDS CERTAINLY AREN’T DOING ANYTHING CONSTRUCTIVE.

SEVEN YEARS AGO, I CALLED UP MIT-MC AND GOT A TOURIST ACCOUNT WHICH I KEPT
FOR THREE YEARS UNTIL I GOT AN AUTHORIZED ONE. IT WAS A FREE ACCOUNT ON AN
OPEN SYSTEM; THE ONLY STRINGS WERE THAT I USE IT AFTER HOURS AND NOT TIE UP TOO
MANY RESOURCES. BUT THINGS HAVE CHANGED. YOU CAN’T HAVE TOTALLY OPEN SYSTEMS
ANYMORE WITHOUT MANY PRECAUTIONS AND ALMOST CONSTANT SUPERVISION.

FOR EXAMPLE, I HAVE HAD TO ADD MANY SECURITY FEATURES TO THESE SMALL
SYSTEMS:

1) THREE ATTEMPTS AND YOU LOSE THE CONNECTION. NINE ILLEGAL ATTEMPTS AT A
USERNAME WITHOUT A CORRECT LOGIN CAUSES A SUSPENSION. ANYONE TRYING TO
LOGIN UNDER THAT NAME IS IMMEDIATELY SUSPENDED (WITH SOME EXCEPTIONS).

2) CONNECTION LIMITED USE.

3) APPLICATION PROCESS REVIEWED BY SYSOP BEFORE SOMEONE CAN USE ALL
FEATURES, OR EVEN USE THE SYSTEM.

4) ISOLATE THE USER COMPLETELY FROM ALL OPERATING SYSTEM FUNCTIONS, EVEN TO
THE POINT OF MODIFYING THE DOS TO HANG OR RESET WHEN NECESSARY.

I DO HAVE ONE LITTLE “JOKE” UP MY SLEEVE. THERE IS AN ACCOUNT ON THESE
SYSTEMS CALLED SYSOP. NOW, IF I WAS GOING TO BREAK IN, THAT IS WHERE I WOULD
START. I’VE PUT A LITTLE PATCH INTO MY HOST. AFTER 39 INCORRECT TRIES ON THAT
ACCOUNT, IT ALLOWS THE CALLER THROUGH. HE GETS A WELCOME MESSAGE AND SYSOP
COMMAND:. HE CAN RENUMBER MESSAGES, CHANGE THE DATE AND TIME, EVEN DELETE FROM
THE DIRECTORY, CHANGE USERNAMES AND PASSWORDS. HE CAN DO ALL THE THINGS THAT A
SYSOP CAN DO. OF COURSE, HE ISN’T *REALLY* DOING ANYTHING (HE HE HE!). AFTER,
OH SAY, 10 MINUTES, OUTPUT STOPS. 24 LINEFEEDS ARE ISSUED AND THE FOLLOWING
APPEARS (SLOWLY, AS IF FROM A TTY):

HELLO INTRUDER! GEE, I WANT TO THANK YOU FOR HANGING AROUND FOR
THE PAST TEN MINUTES WHILE WE HAD A CHANCE TO TRACE YOUR CALL. IT
IS TOO BAD THAT SOME PEOPLE JUST CAN’T LIVE RESPONSIBLY. BUT, I
GUESS THAT IS THE REASON WE HAVE THE POLICE AND FBI, RIGHT?
[DISCONNECT]
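The login rules listed above (three tries per call, suspension after nine failures on one username) and the SYSOP decoy can be modelled as follows. This is an added example, not the author's TRS-80 code; the class and outcome names are assumptions, and the decoy session itself is reduced to an alert record.

```python
import hashlib
import hmac
import os

MAX_TRIES_PER_CALL = 3    # "three attempts and you lose the connection"
MAX_BAD_PER_USER = 9      # failures on one username without a correct login
DECOY_ACCOUNT = "SYSOP"   # has no valid password at all
DECOY_THRESHOLD = 39      # failed tries before the fake session opens


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGate:
    """Shared state for all calls: credentials, failure counts, suspensions."""

    def __init__(self, accounts):
        self._creds = {}
        for name, password in accounts.items():
            if name.upper() == DECOY_ACCOUNT:
                continue  # the decoy name can never be a real account
            salt = os.urandom(16)
            self._creds[name.upper()] = (salt, _hash(password, salt))
        self.bad_count = {}     # username -> failures since last good login
        self.suspended = set()  # usernames locked until the sysop reviews them
        self.alerts = []        # what the sysop is told about decoy sessions

    def new_call(self, caller_id="unknown"):
        return Call(self, caller_id)

    def password_ok(self, user, password):
        if user not in self._creds:
            return False
        salt, stored = self._creds[user]
        return hmac.compare_digest(stored, _hash(password, salt))


class Call:
    """One dial-up connection; attempt() returns the outcome as a string."""

    def __init__(self, gate, caller_id):
        self.gate, self.caller_id = gate, caller_id
        self.tries = 0
        self.connected = True

    def _drop(self, outcome):
        self.connected = False
        return outcome

    def attempt(self, user, password):
        if not self.connected:
            return "DISCONNECT"
        gate, user = self.gate, user.upper()
        if user in gate.suspended:
            # Suspended names are refused even with the right password.
            return self._drop("SUSPENDED")
        if user == DECOY_ACCOUNT:
            if gate.bad_count.get(user, 0) >= DECOY_THRESHOLD:
                # Admit the caller to a sandbox with no real privileges.
                gate.alerts.append(f"decoy session opened: {self.caller_id}")
                return "DECOY"
        elif gate.password_ok(user, password):
            gate.bad_count.pop(user, None)
            return "OK"
        # Failed attempt: count it per username and per call.
        gate.bad_count[user] = gate.bad_count.get(user, 0) + 1
        if user != DECOY_ACCOUNT and gate.bad_count[user] >= MAX_BAD_PER_USER:
            gate.suspended.add(user)
            return self._drop("SUSPENDED")
        self.tries += 1
        if self.tries >= MAX_TRIES_PER_CALL:
            return self._drop("DISCONNECT")
        return "RETRY"


if __name__ == "__main__":
    gate = LoginGate({"ALICE": "constructed-demo-password"})
    call = gate.new_call("line 1")
    print([call.attempt("alice", "guess") for _ in range(3)])
```

Counting failures per username rather than per call is what defeats the redial-and-retry pattern described earlier in the text.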

I DON’T KNOW WHAT THE ANSWER IS, BUT I DO KNOW THAT TREATING THIS TYPE OF
BEHAVIOR CASUALLY MUST BE STOPPED. THERE WILL ALWAYS BE PEOPLE WHO WILL TRY TO
CIRCUMVENT ALL SECURITY MEASURES, SOMETIMES OUT OF CURIOSITY, BUT RECENTLY
MORE OFTEN WITH THE INTENTION OF DOING SOMETHING DESTRUCTIVE.

IT’S TOO BAD THAT THE DAYS OF THE UNSECURED SYSTEMS ARE COMING TO A CLOSE, BUT
WITH HUNDREDS OF PEOPLE SCANNING THE EXCHANGES WITH THEIR AUTO-DIAL MODEMS
LOOKING FOR CARRIERS, ARMED WITH 10 PAGES OF PIRATED MCI ACCESS CODES, WE DON’T
HAVE MUCH CHOICE.


Hints on Hacking, by the RAMBUG and Captain Blood

:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:
: :
: -HINTS ON HACKING- :
: :
: SPRINT,MCI,TELENET NUMBERS :
: –==–==–==–==–==–==– :
: :
: COMPILED BY: THE RAMBUG :
: :
: SPECIAL THANXS TO CAPT. BLOOD :
: :
:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:

FIRST, I WILL TOUCH ON WHAT KIND OF
HARDWARE IS HELPFUL TO HAVE. A MODEM IS
NICE TO HAVE, ALTHOUGH IT IS A LITTLE
KNOWN FACT THAT ONE IS NOT NEEDED. A
PUSHBUTTON PHONE IS REQUIRED TO HACK AT
MCI AND SPRINT CODES, BUT NOT FOR
TELENET NUMBERS, BUT A MODEM IS RE-
QUIRED FOR TELENET NUMBERS. OKAY, NOW
THAT I HAVE GOTTEN THAT OUT OF THE WAY,
I WILL BRIEFLY TOUCH ON WHAT EACH
SERVICE IS USED FOR.

MCI
-=-

IS A LONG DISTANCE SERVICE LIKE AT&T,
BUT HAS CHEAPER RATES, AND REACHES MORE
PLACES. POINTED MORE AT SMALL CORP-
ORATIONS, IT CAN ALSO BE USED IN THE
NORMAL, EVERYDAY HOUSEHOLD.

SPRINT
–==–

BASICALLY IS THE SAME AS MCI, EXCEPT,
IT IS MORE POINTED AT THE HOME THAN THE
CORPORATIONS. BUT UNLIKE MCI, IS MORE
EXPENSIVE AND IS ONLY AVAILABLE IN SOME
STATES.

TELENET
–===–

THIS IS LIKE A SUB-DIAL PORT FOR
CHAINS OF BUSINESSES TO TRANSFER
INFORMATION BACK AND FORTH ON THE
COMPANY’S EXPENSE. REQUIRES A MODEM
TO HACK AT, BUT WHEN YOU GET A PASSWORD,
YOU END UP BEING VERY SATISFIED.

OKAY, NOW THAT I HAVE EXPLAINED EACH OF
THE SERVICES, I WILL EXPLAIN WHAT WE
CAN USE THEM FOR AND HOW THEY WORK.

LET’S SAY THAT YOU HAVE A SISTER IN
NEW YORK, AND YOU WANT TO MAKE A FREE
PHONE CALL TO HER. YOU LIVE IN
VICTORIA, B.C. AND CAN’T (OBVIOUSLY)
AFFORD TO PAY $1.35 A MINUTE. SO, LET’S
SAY YOU HAVE A PUSHBUTTON PHONE AND
DIAL A MCI SWITCHBOARD THAT A BUSINESS
IS RENTING. OF COURSE THIS IS ILLEGAL,
AND I WILL AT THE END OF THIS FILE LIST
SOME MCI, SPRINT, TELENET SWITCHBOARDS
FOR YOU TO HACK AT. ANYWAYS, ON WITH
IT, YOU DIAL IT, AND GET THIS REALLY
WEIRD BEEP, AND THEN EVERYTHING GOES
SILENT. THAT IS YOUR CUE TO PUSH SOME
BUTTONS ON YOUR PHONE FROM 6-8 NUMBERS.
LET’S SAY YOU PUSH 82929372 AND SUDDEN-
LY HEAR ANOTHER SET OF BEEPS. THIS IS
YOUR CUE TO DIAL THE NUMBER YOU WANT.
FOR INSTANCE, LET’S SAY YOU DIAL:
201-341-2311 (THE NUMBER FOR YOUR
SISTER). LO AND BEHOLD, YOU HEAR A
DIAL TONE AND THEN A PHONE DIALING.
THAT IS THE SWITCHBOARD DIALING THE
NUMBER YOU PUNCHED IN. THEN YOU HEAR
THE LINE RINGING (MIGHT BE BUSY) AND
YOUR SISTER ANSWERS AND GIVES YOU SHIT
FOR MAKING A LONG-DISTANCE PHONE CALL.
BUT, THE POINT IS, YOU JUST MADE A L.D.
PHONE CALL AT SOME COMPANY’S EXPENSE!
NOW, YOU SAY, HOW DO I GET SOME OF
THESE CODES? WELL, IF YOU HAVE A
PUSHBUTTON PHONE WITHOUT A MODEM, GOOD
LUCK! YOU JUST WOULD HAVE TO DO IT
MANUALLY. BUT IF YOU HAVE A MODEM WITH
A TONE LINE (FOR ALL YOU LOSERS THAT
DON’T KNOW THAT PULSE IS OLDER THAN
YOUR GRANDMA) YOU PRACTICALLY HAVE THEM
ALREADY. JUST MAKE A DIALER WHICH
PHONES THE SWITCHBOARD AND THEN SENDS
THOSE BUTTON CODES (JUST MAKE IT DIAL
RANDOMLY WHILE IT IS HOOKED UP TO THE
SWITCHBOARD). LEAVE IT ON ALL NIGHT,
AND CHANCES ARE, YOU WILL HAVE IT IN
THE MORNING. BUT, THEN YOU ASK, WHY
DON’T MORE PEOPLE HACK AT THEM? WELL,
BECAUSE, SOME OF THE SWITCHBOARDS ARE
PLAGUED WITH TRACERS. MOST PEOPLE JUST
DON’T WANT TO TAKE THE CHANCE OF
GETTING BUSTED. UNFORTUNATELY, THERE IS
NO POSSIBLE WAY OF FINDING OUT IF A
SWITCHBOARD IS BUGGED OR NOT BEFORE-
HAND, BUT LIKE THEY SAY, IF THERE IS
A WILL, THERE IS A WAY, AND BELIEVE ME,
THERE IS LOTS OF WILL! SOME PEOPLE HAVE
ASKED ME, IS IT POSSIBLE TO CALL BBS’S
VIA SWITCHBOARDS. WELL, IT DEPENDS. IF
THE SWITCHBOARD WAS MADE BEFORE
1979, THEN FORGET IT. IT WON’T BE ABLE
TO HANDLE THE TWO CARRIERS, AND EVEN IF
IT COULD, 110 BAUD WOULD BE THE MOST IT
COULD HANDLE, BUT WHO GIVES A SHIT, IT
IS FREE ISN’T IT. NOW, ON THE OTHER
HAND, IF IT WAS MADE AFTER 1980, THEN
YOU CAN USE IT WITH BBS’S AND THE SORT,
WITH 4800 BAUD MAXIMUM. UNFORTUNATELY,
THERE ARE STILL A LOT OF “OLD” SWITCH-
BOARDS OUT THERE, BUT ARE BEING
UPGRADED MORE AND MORE. WELL, THIS
CONCLUDES THIS FILE. LOOK FORWARD TO
MCI,SPRINT,TELENET HINTS VOL. ][.

HERE ARE SOME MCI SWITCHBOARD NUMBERS:
————————————–


SPRINT SWITCHBOARD NUMBERS:
—————————


TELENET NUMBERS VIA LOCAL DIAL PORT:
————————————


WELL, THAT’S IT. I HOPE THIS FILE HELPS
YOU, AND KEEPS YOU HACKING!


Schematic For an Optoelectronic key Lock by Joe Scharf

                  SCHEMATIC FOR AN OPTOELECTRONIC KEY LOCK
                  BY JOE SCHARF
                  * DENOTES A CONNECTED WIRE OR A FOOTNOTE
_______________________________________________________________________________
o------*------------------------------------------------------------------+
       |      +-----*---*---*---*-----------*----------------*----*-----  |
       |     ---   ---  |   |   |           |                |    |       |
       |      ^     ^   |+  |   |           |              R5>    |       | *
       | T1   |D1-D4|C1---  >   >           |   R4        10K> Q2 |       |
       )||(---*     |  ^^^  >   >           +---^^^-*----+   >  E/        )||
       )||(   |     |   | R1> R2>                   |    |   *--[B        )||
       )||(---|-----*   |   |   |                   |    | R6>  C\        )||
       |      |     |   |   |   *-----+             |    |   >    |       |
       |     ---   ---  |   |   |     |             |    |   >    |       |
       |      ^     ^   |   |   +---+ |             | PC3v  C/    |   +---+
       |      |     |   |   v     C/  |             |   --- [B    |   *-----+
115V   |      |     |   |  ---PC1 [B  |         Q1 C/    |  E\    o   o     |
60 Hz  |      +-----*---*   |     E\--|--+  +--*---[B    |   |    |SSR|   R7>
       |                |   v        C/  |  |  |   E\ PC4v  C/    o  ---    >
       |                |  ---PC2    [B  |  |R3>     |  --- [B    |  ---    >
       |                |   |        E\--*--+  >     |   |  E\    o   |  C2 |
       |                |   |                  >     |   |    |   |   o    ---
       |                |   |                  |     |PC5v   C/   |   |    ---
       |                |   |                  |     |  ---  [B   |   |     |
       |                |   |                  |     |   |   E\   |   |     |
       |                |   |                  |     |   |        |   *-----+
       |                |   |                  |     |   |        |   |     |
       |                |   |                  |     |   |        |   |     |
       |                +---*------------------*-----*---*--------*---+     |
       |                                                                    |
 o-----+--------------------------------------------------------------------+

_______________________________________________________________________________
                            PARTS LIST

T1: 115 TO 6.3V,.6A:STANCOR P-6465 OR TRIAD F-13X
D1-D4: 1N4000 OR SIMILAR
C1: 500 uF/10V ELECTROLYTIC
C2: .05 uF/200V
SSR (Solid State Relay): CRYDOM D1202 OR EQUIVALENT
R1,R4: 120 OHM,.50W
R3,R5: 10K,.50W
R2,R6: 6.8K,.50W
R7: 470 OHM, .50W
Q1: 2N5172 OR ANY GENERAL PURPOSE NPN
Q2: 2N5354 OR ANY GENERAL PURPOSE PNP
PHOTOCOUPLERS: (PC):GE H13A1 OR EQUIVALENT
SOLENOID: ANY 120V UNIT UP TO 1A COIL CURRENT SUCH AS GUARDIAN 2HD-120VAC
              FOOTNOTE---
* - SOLENOID - JUST MAKING SURE YOU KNOW WHAT THIS PART IS.

        NOTE:  THE NUMBER OF PHOTOCOUPLERS CAN BE FROM TWO TO SIX. SEE BELOW.
_______________________________________________________________________________
THIS PROJECT USES A SOLID STATE RELAY TO DRIVE A SOLENOID. IT IS CONTROLLED BY
A PHOTOCOUPLER TRANSISTOR CIRCUIT.  THE PHOTOCOUPLERS (PC'S) USED ARE OF THE
INTERRUPTER TYPE. THEY HAVE A .12 BY .30-INCH SLOT BETWEEN LED EMITTER
AND TRANSISTOR DETECTOR.  WHEN THE SLOT IS EMPTY OR FILLED WITH AN
INFRARED TRANSMISSIVE MATERIAL, THE PHOTOTRANSISTOR WILL CONDUCT CURRENT IN
RESPONSE TO THE LIGHT OF THE LED. IF THE SLOT IS FILLED WITH AN OPAQUE
MATERIAL, THE TRANSISTOR WILL REMAIN OFF.  THE ENTIRE SLOT IS NOT SENSITIVE.
THE SENSITIVE PART IS ONLY A SMALL SIXTY-MIL AREA WITHIN THE GAP.  IF AN OBJECT
IS PLACED IN THE SLOT WITH A SIXTY-MIL HOLE IN THE CORRECT LOCATION, THE LED
LIGHT WILL GET THROUGH TO THE TRANSISTOR.  THE KEY LOCK USES AN ARRAY OF THESE
INTERRUPTER PC'S WHICH ARE MIXED SO THAT ONLY THE CORRECT "LIGHT COMBINATION"
WILL OPEN THE LOCK.  WITH 4 PC'S THERE ARE 16 COMBINATIONS, 5 GIVES 32, AND
SO ON.  THE CIRCUIT AS SHOWN CONTAINS 5 PC'S.  THE CIRCUIT, WITHOUT CHANGING
RESISTOR VALUES, CAN ACCOMMODATE FROM FOUR TO SIX PC'S WITH TWO OR THREE USED
IN THE OPEN (NO LIGHT, AS IN PC1 AND PC2) OR THE CLOSED MODE (LIGHT ON THE
TRANSISTOR DETECTOR, AS IN PC3-PC5).  TO EXPAND THE OPEN TO FOUR COUPLERS,
R1 SHOULD BE REDUCED TO 82 OHMS AND ALL FOUR EMITTERS CONNECTED IN SERIES
AND THE DETECTORS IN PARALLEL.  TO EXPAND THE CLOSED COUPLERS TO FOUR,
R4 MUST BE REDUCED TO 82 OHMS AND R2 AND R6 TO 5.6K.

TO ASSEMBLE THE ARRAY, THE COUPLERS SHOULD BE CAREFULLY GLUED TOGETHER.
A SMALL AMOUNT OF EPOXY OR ONE OF THE SUPER GLUES ON ADJACENT SIDES
WILL HOLD THIS ARRAY.  ANY EXCESS PLASTIC SHOULD BE TRIMMED WITH A SMALL BLADE
TO INSURE THAT THE CENTERS ARE AT CONSTANT SPACINGS.  ALSO, THE SLOTS MUST BE
KEPT IN LINE ALONG BOTH THE TOPS AND SIDES OR PROBLEMS WILL RESULT LATER ON.
CARE MUST BE TAKEN THAT NO GLUE GETS IN THE SLOTS ON THE DETECTORS OR
EMITTERS. A SMALL PIECE OF PLASTIC OR METAL IS GLUED ON ONE END TO ACT AS A STOP
FOR THE KEY, AND A COVER IS GLUED TO THE TOP OF THE COUPLERS. THIS FORMS A
TUNNEL OR KEYWAY.
     THE KEY CAN BE BUILT OUT OF PLASTIC OR METAL.  THE LENGTH IS DETERMINED
BY THE NUMBER OF PC'S USED IN THE LOCK.  ALLOW ONE-QUARTER INCH OF THE ENTIRE
FOR EACH PC PLUS TWO INCHES FOR A HANDLE.  IF THE KEY IS CUT PRECISELY, IT
WILL SLIDE INTO THE TUNNEL WITHOUT MUCH UP AND DOWN PLAY. AT THIS POINT
THE COMBINATION IS DETERMINED.  DRILL A 1/16-INCH DIAMETER HOLE (ONLY AT
THE CENTERS CORRESPONDING TO THE PC'S USED IN THE CLOSED MODE).  THE HOLE
PLACEMENT MUST BE ACCURATE.  IF YOU DO NOT HAVE THE PROPER TOOLS
TO ACCURATELY LOCATE THE HOLES, USE A LARGER DRILL BIT TO INSURE
THAT THE LIGHT PATH IS CLEAR.
     THE ELECTRONICS CAN BE ASSEMBLED WITHIN A 4X5X6-INCH BOX.
THE PHOTOCOUPLER ARRAY CAN BE MOUNTED ON A PERFORATED CIRCUIT BOARD
USING SEVERAL OF THE HOLES ON THE PC'S.  THE OPEN END OF THE PC TUNNEL SHOULD
BE PLACED AT THE EDGE OF THE BOX WITH A HOLE LARGE ENOUGH FOR THE KEY TO ENTER
THE TUNNEL.  WHEN MAKING THE PC DISPLAY, MAKE SURE THAT THE CONNECTORS
OF THE NORMALLY OPEN AND NORMALLY CLOSED COUPLERS ARE NOT INTERCHANGED.
ONCE THE UNIT IS ASSEMBLED, INSERTING THE KEY SHOULD ENERGISE THE SOLENOID.
IF NOT, CHECK THE COLLECTOR VOLTAGE OF Q1.
_______________________________________________________________________________

      WELL, THIS IS IT. I GOT IT OUT OF A BOOK CALLED OPTOELECTRONICS GUIDEBOOK.
IF YOU HAVE ANY QUESTIONS LEAVE E-MAIL ON CHUCKS PLACE (304-776-7078)
TO JOE SCHARF.  HOPE YOU ENJOY THIS AND IF YOU HAVE ANY UPLOAD THEM TO THE
BOARD.
_______________________________________________________________________________


Draft of the NIST Computer Security Handbook on Computer and Information Security Policy

* * * * * * * * * * * * *  NOTE * * * * * * * * * * * * * * * * *

This file is a DRAFT chapter intended to be part of the NIST
Computer Security Handbook.  The chapters were prepared by
different parties and, in some cases, have not been reviewed by
NIST.  The next iteration of a chapter could be SUBSTANTIALLY
different than the current version.  If you wish to provide
comments on the chapters, please email them to roback@ecf.ncsl.gov
or mail them to Ed Roback/Room B154, Bldg 225/NIST/Gaithersburg, MD 
20899.  

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

DRAFT               DRAFT               DRAFT          DRAFT

           Chapter 6:  Computer and Information Security Policy

6.1  Introduction to Computer Security Policy

Organizations rely on IT resources today to handle vast amounts of
information.  Because the data can vary widely in type and in
degree of sensitivity, employees need to be able to exercise
flexibility in handling and protecting it.  It would not be
practical or cost-effective to require that all data be handled in
the same manner or be subject to the same protection requirements. 
Without some degree of standardization, however, inconsistencies
can develop that introduce risks. 

Formal IT security policy helps establish standards for IT resource
protection by assigning program management responsibilities and
providing basic rules, guidelines, and definitions for everyone in
the organization.  Policy thus helps prevent inconsistencies that
can introduce risks, and policy serves as a basis for the
enforcement of more detailed rules and procedures.  Ideally, policy
will be sufficiently clear and comprehensive to be accepted and
followed throughout the organization yet flexible enough to
accommodate a wide range of data, activities, and resources. 

Policy formulation is an important step toward standardization of
security activities for IT resources.  IT security policy is
generally formulated from the input of many members of an
organization, including security officials, line managers, and IT
resource specialists.  However, policy is ultimately approved and
issued by the organization's senior management.  In environments
where employees feel inundated with policies, directives,
guidelines and procedures, an IT security policy should be
introduced in a manner that ensures that management's unqualified
support is clear.  The organization's policy is management's
vehicle for emphasizing the commitment to IT security and making
clear the expectations for employee involvement and accountability.

This chapter will discuss IT security policy in terms of the
different types (program-level and issue-specific), components, and
aspects of implementation.  Potential cost and interdependencies
will also be noted. 

6.2  Policy Types:  Program-Level and Issue-Specific

Two types of policy will typically need to be developed to meet an
organization's needs:  program-level and issue-specific.  Program-
level policy's main function is to establish the security program,
assign program management responsibilities, state the
organizationwide IT security goals and objectives, and provide a
basis for enforcement.  Issue-specific policies also need to be
developed, in order to identify and define specific areas of
concern and to state the organization's position and expectations
in relation to them.  Following are discussions on these two basic
types of policy.

6.2.1  Program-level Policy

As discussed above, program-level policy is broad in scope and far-
reaching in applicability.  To make the subject more manageable, an
effective approach to a discussion of program-level IT security
policy is to break general policy into its basic components:
purpose, scope, goals, responsibilities, and enforcement.

6.2.1.1 Components of Program-level Policy

Purpose:  A primary purpose of program-level policy is to establish
the IT security program.  This includes defining the program
management structure, the reporting responsibilities, the roles of
individuals and groups throughout the organization, and the
organizationwide goals of the security program.  (Chapter 5
provides a detailed discussion of security program management and
administration.)

Additionally, program-level policy should serve the purpose of
emphasizing to all employees the importance of IT security and
clarifying the individual employee's role and responsibilities.  IT
security policy may be met with a degree of skepticism unless given
appropriate visibility and support by top management, and that
visibility and support should be clearly and energetically
reflected in the program-level policy and in its emphasis on
employee participation.

The program-level policy should thus firmly establish individual
employee accountability.  Employees should be made aware via the
policy that even if they are not designated IT security program
personnel, they nonetheless have significant IT security
responsibilities.

Scope:  Program-level policy should be of sufficient breadth of
scope to include all of the organization's IT resources, including
facilities, hardware, software, information, and personnel.  In
some instances, it may be appropriate for a policy to name specific
assets, such as major sites, installations, and large systems.  In
addition to such specified assets, it is important to include an
overview of all of the types of IT resources for which the
organization is responsible, such as workstations, Local Area
Networks (LANs), standalone microcomputers, etc.

Goals:  According to the National Research Council's Computers at
Risk, published in 1991, the three security-related needs
universally most emphasized among IT resource experts and the
general computer user community are integrity, availability, and
confidentiality.  These concepts are the focus of many discussions
in this handbook as well.  These concepts should be the basis of
the goals established for an organization in its IT security
policy.  Integrity means assuring that information is kept intact,
and not lost, damaged, or modified in an unauthorized manner. 
Availability means assuring that information is accessible to
authorized users when needed and that, to the extent possible, IT
systems are safe from accidental or intentional disablement. 
Confidentiality means assuring that information is accessible only
as authorized and that it cannot be acquired by unauthorized
personnel and/or via unauthorized means.  

Goals related to these concepts should be stated in meaningful ways
to employees based on the given environment.  It is important that
the organization's program-level policy reflect goals that are
applicable to the specific environment by targeting the kinds of
activities, information, and terminology that employees are
familiar with. 

For instance, in an organization responsible for maintaining large
but not highly confidential databases,  goals related to reduction
in errors, data loss, or data corruption might be specifically
stressed.  In an organization responsible for maintaining much more
confidential data, however, goals might emphasize increased
assurance against unauthorized disclosure. 

Responsibilities:  As noted in the earlier discussion of Purpose,
program-level policy performs the important function of
establishing the IT security program and assigning program
management responsibilities.  In addition to the security program
management responsibilities, many other responsibilities throughout
the organization should also be discussed in the policy, including
the role of line managers, applications owners, data users, and the
computer systems security group.

In some instances, the relationships among various individuals and
groups may also need to be defined in the program-level policy. 
Such clarification can diminish ambiguity and confusion related to
areas of responsibility or authority.  It might be desirable to
clarify, for example, who is to be responsible for approving the
security measures to be used for new systems or components being
installed:  Should it be the department line manager where the item
will be installed? Or should it be a designated inter-departmental
IT security specialist?  It might even be desirable to indicate
under what circumstances, if any, approval of security measures
implemented would be warranted by the head of the security program.

Overall, the program-level assignment of responsibilities should
cover those activities and personnel who will be integral to the
implementation and continuity of the IT security policy.

Enforcement:  Without a formal, documented IT security policy, it
is not possible for management to proceed with the development of
enforcement standards and mechanisms.  Program-level policy serves
as the basis for enforcement by describing penalties and
disciplinary actions that can result from failure to comply with
the organization's IT security requirements.  Discipline 
commensurate with levels and types of security infractions should
be discussed.  For example, serious offenses, such as theft,
conspiracy, or intentional acts of sabotage, might be designated by
policy as punishable by firing and prosecution.  Lesser
infractions, such as pirating software, might be stated as
punishable by formal written reprimand. 

Consideration should also be given to the fact that nonconformance
to policy can be unintentional on the part of employees.  For
example, nonconformance can often be due to a lack of knowledge or
training.  It can also be the result of inadequate communication
and explanation of the policy.  For these reasons, it is desirable
that, along with enforcement, program-level policy make provisions
for orientation, training, and compliance within a realistic
timeframe. 

6.2.2  Issue-specific Policy

Whereas program-level policy is intended to address the broadest
aspects of IT security and the IT security program framework,
issue-specific policies need to be developed to address particular
kinds of activities and, in some environments, particular systems. 
The types of subjects covered by issue-specific policies are areas
of current relevance, concern, and, sometimes, controversy upon
which the organization needs to assert a position.  In this manner,
issue-specific IT security policies help to standardize activities
and reduce the potential risks posed by inadequate and/or
inappropriate treatment of the IT resources.  Issue-specific
policies serve to provide guidelines for the further development of
procedures and practices within the functional elements of an
organization. 

Program-level policy is usually broad enough that it does not
require much modification over time.  Issue-specific policies,
however, are likely to require revision and updating from time to
time, as changes in technology and related activities take place. 
This is largely because as new technologies develop, some issues
diminish in importance while new ones continually appear.   A major
challenge to IT security specialists has long been the fact that
for every new technology there are also new associated problems and
issues to be addressed.

For example, the enormous increase in the use of electronic mail
(E-mail) systems in recent years has introduced many new issues in
communications security, which is one of the topics that will be
briefly discussed later in this section.  Many organizations today
are developing and refining communications security policies in
order to better address such questions as who should have E-mail
access, how will privileges be assigned and monitored, for what
types of activities and information is E-mail sufficiently secure,
and what criteria should be used for the re-sending (forwarding) of
messages among users.  

Another topic of recent notoriety impacting IT security policies is
the threat posed by computer viruses.  New viruses and new methods
of transmitting them are making it necessary that organizations
develop policies regulating activities that were once performed
freely, such as exchanging floppy disks among users, accessing
electronic bulletin boards, and using shareware products.

As with the discussion of program-level policy, a useful approach is
to first break issue-specific policy into its basic components: 
statement of an issue, statement of the organization's position,
applicability, roles and responsibilities, and points of contact. 
Thereafter, some of the areas that often require issue-specific
policies will be covered.

6.2.2.1  Components of Issue-specific Policy

Statement of an Issue:  In order to formulate a policy on an issue,
the issue must first be defined, with any relevant terms,
distinctions, and conditions delineated.  For example, an
organization might want to develop an issue-specific policy on the
use of "foreign software."   "Foreign software" might be defined to
mean any software, whether applications or data, not approved,
purchased, screened, managed, and owned by the organization. 
Additionally, the applicable distinctions and conditions might then
need to be included, for instance, for software privately owned by
employees but approved for use at work and for software owned and
used by other businesses under contract to the organization. 

Statement of the Organization's Position:  Once the issue is stated
and related terms and conditions delineated, the organization's
position or stance on the issue will need to be clearly stated. To
continue the example of developing an issue-specific policy on the
use of foreign software, this would mean stating whether use of
foreign software as defined is strictly prohibited, whether or not
there are further guidelines for approval and use, or whether case-
by-case decisions will be rendered based on some defined criteria.

Applicability:  Issue-specific policies will also need to include
statements of applicability.  This means clarifying where, how,
when, to whom, and to what a particular policy applies.  For
example, it could be that the hypothetical policy on foreign
software is intended to apply only to the organization's own onsite
resources and employees and is not to be applicable to contractor
organizations with offices at other locations.  Additionally, the
policy's applicability to employees travelling among different
sites and/or working at home who need to transport and use disks at
multiple sites might need to be clarified.

Roles and Responsibilities:  Also included in issue-specific
policies should be the assignment of roles and responsibilities. 
This would mean, to continue with the above example, that if the
policy permits foreign software privately owned by employees to be
used at work with the appropriate approvals, then the approval
authority granting such permission would need to be stated. 
Likewise, it would need to be clarified who would be responsible
for ensuring that only approved foreign software is used on
organizational IT resources and, perhaps, for monitoring users in
regard to foreign software. 

Related to the assignment of roles and responsibilities is the
inclusion of guidelines for procedures and enforcement.  The issue-
specific policy on foreign software, for example, might include
procedural guidelines for checking disks used by employees at home
or at other locations.  It might also state what the penalties
would be for using unapproved foreign software on the
organization's IT systems.   

Points of Contact:  For any issue-specific policy, the appropriate
individuals in the organization to contact for further information,
guidance, and enforcement should be indicated.  For example, for
some issues the point of contact might be a line manager; for other
issues it might be a facility manager, technical support person, or
system administrator.  For yet other issues, the point of contact
might be a security program representative.  Using the above
example once more, employees would need to know whether the point
of contact for questions and procedural information would be
their immediate superior, a system administrator, or a computer
security official.

6.2.2.2  Areas Appropriate for Issue-specific Policies

Some of the areas in which management today needs to consider
issue-specific IT security policies are covered in this section. 
These topics are intended to provide examples and serve as sources
for ideas and analysis.  Although many of these topics are standard
to any discussion of IT security, an organization would necessarily
need to tailor its policies relating to them to meet its own unique
needs.

Physical Security:  The physical protection of and access to IT
resources and facilities will generally need to be addressed in one
or more specific policies.   In organizations with extensive IT
systems and equipment, this may mean developing policies that
address such issues as who has access to what sites/locations; how
often risks to installations are to be analyzed and by whom; what
types of physical access controls and monitoring equipment are put
in place; what responsibilities will be assigned to trained
security officials and what activities and responsibilities will be
required of all employees.  

Personnel Security:  Depending on the types of activities being 
performed, degree of data sensitivity to be encountered, and sheer
numbers of personnel, specific security policies related to
personnel screening, requirements, hiring, training, evaluating,
and firing may need to be developed and administered.  It may be
appropriate that a trained personnel security specialist initiate,
review, approve, and perform all security-related personnel
actions.

Communications Security:  Communications security is a complex
technical specialty unto itself.  In organizations where day-to-day
business relies on communicating routinely with remote locations,
the security of the communications transmissions and lines is
usually an issue that needs to be addressed by policy.  If the data
being transmitted is highly sensitive, then this concern is
magnified, and issue-specific security policies may need to be
developed on a number of activities.  Issues associated with the
use of cryptography and its related options and procedures
(discussed in Chapter 19), the use of modems and dial-in lines, and
precautions against wiretapping are just some of the potential
issues to be addressed.  Additionally, as noted earlier, the
proliferation of E-mail has introduced many security- and privacy-
related issues for which organizations need to document positions
and policies.

Administrative Security:  Administrative security as it applies to
IT system management and oversight activities comprises many
potential security policy issues.  Included are such topics as
input/output controls, training and awareness, security
certification/accreditation, incident reporting, system
configurations and change controls, and system documentation.

Risk Management:  Risk management involves assessing IT resources
in terms of potential threats and vulnerabilities and planning the
means for counteracting those identified risks.  Issues that will
need to be addressed by policies include how, by whom, and when the
assessments should be performed; and what type of documentation
should result. 

Contingency Planning:  Related to Risk Management, Contingency
Planning means planning for the emergency actions to be taken in
the event of damage, failure, and/or other disabling events that
could occur to systems.  Issues that need to be addressed by
policies include determining which systems are most critical and
therefore of highest priority in contingency planning; how the
plans will be tested, how often, and by whom; and who will be
responsible for approving the plans.  

6.3  Policy Implementation

Policy implementation is a process.  Policy cannot merely be
pronounced by upper management in a one-time statement or directive
with high expectations of its being readily accepted and acted
upon.  Rather, just as formulating and drafting policy involves a
process, implementation similarly involves a process, which begins
with the formal issuance of policy.  

6.3.1  Policy Visibility 

Especially high visibility should be afforded the formal issuance
of IT security policy.   This is due to a combination of factors,
including the following:  

*  Nearly all employees at all levels will in some way be affected;
*  Major organizational resources are being addressed; 
*  Many new terms, procedures, and activities will be introduced. 

Providing visibility through such avenues as management
presentations, panel discussions, guest speakers, question/answer
forums, and newsletters can be beneficial, as resources permit. 
Including IT security as a regular topic at staff meetings at all
levels of the organization can also be a helpful tactic. 

As an aspect of providing visibility for IT security policies,
information should also be included regarding the applicable higher
level directives and requirements to which the organization is
responding.  Educating employees as to the requirements specified
by the Computer Security Act and related OMB circulars will help
emphasize the significance and timeliness of computer security, and
it will help provide a rational basis for the introduction of IT
security policies.

6.3.2   Policy Documentation

Once IT security policy has been approved and issued, it may be
initially publicized through memorandums, presentations, staff
meetings, or a variety of means.  As soon as possible, though, it
will also need to be incorporated into formal policy
documentation.  The process of documenting policies will usually require
updating existing documentation as well as creating new
documentation. 

Existing Documentation:  IT security will need to be integrated
into many existing activities and practices throughout many levels
of the organization.  This integration will be facilitated by
revising any existing applicable documentation to reflect new
procedures, rules, and requirements.  Included may be the
modification of various existing documents, forms, and plans at all
levels of the organization to reflect the IT policy.   

For example, if IT equipment purchases and/or upgrades have been
reviewed and approved based on documented criteria such as cost,
productivity, maintainability, etc., then security considerations
may need to be introduced into those criteria.  Also, if it has
previously been the documented policy to review the progress and
status of internal IT systems under development, then security-
related concerns should be introduced into that review process. 

New Documentation:  Additionally, the development of many new
documents, such as guidelines, standards, and procedures, may be
required.  This is often true in large organizations performing
many different activities and having many levels of management.  In
such environments, different functional elements may have widely
differing IT systems and needs to accommodate.  It is therefore
generally more practical, to the extent possible, to allow elements
to tailor their implementations of policy to meet their unique
needs.  This can be accomplished through the development of
documents containing more detailed procedures and practices to be
used for specific kinds of systems and activities within 
functional elements. 

For example, organizations will want to issue policies to decrease
the likelihood of data loss due to technology failures and/or
operator errors.  A program-level policy might state something to
the effect that:  "It is the policy of the organization to ensure
against data loss due to accidents or mishaps."  In an area where
extensive writing and editing of lengthy documents is performed,
such as a word processing or technical publications unit, security
documentation might be developed on saving work in-progress much
more often than would usually be done, and/or utilizing automatic
"save" features on IT systems and software.   In a different type
of functional area, however, where, for example, databases are
maintained that do not undergo significant changes very often, the
security documentation might focus on procedures for the database
administrator to use in performing periodic (daily, weekly, etc.)
backups of the system. 

Appropriate visibility should be afforded the IT security policy
through all applicable documentation.  The more integral security
policy is to all other aspects of daily routines, the more quickly
the associated actions and practices will become natural to doing
business.  Ultimately, among the goals of policy are the
assimilation of a common body of knowledge and values and the
demonstration of appropriate corresponding behaviors.  Those goals
will be expedited by making the IT security policy integral to the
organization through all avenues.

6.4  Cost Considerations

There are a number of potential costs associated with developing
and implementing IT security policies.  In some environments, the
major costs may be those incurred through the numerous
administrative and management activities required for drafting,
reviewing, disseminating, and publicizing the policies.  In some
organizations, though, successful policy implementation may require
additional staffing, training, and equipment.  In general, how
costly IT security policy development and implementation are to an
organization will depend upon how much change needs to be
accomplished in order to ensure adequate security and a basic
standardization throughout the organization.

6.5  Interrelationships 

IT security policy can be related to nearly every topic covered in
this handbook on some level.  This is because all of the topics
discussed in the handbook have associated issues that organizations
may need to address via policies.  The topics most directly
related, however, are:  IT security program management and
administration; risk management; personnel; security training and
awareness; contingency planning; and physical and environmental
security. 

6.6   Conclusion

Formulating viable IT security policies is a challenge for an
organization and requires communication and understanding of the
organizational goals and potential benefits to be derived from
policies.  Through a carefully structured approach to policy
development, which includes the delegation of program management
responsibility and an understanding of both program-level and
issue-specific policy components, a coherent set of policies -
integrated into sensible practices and procedures - can be
developed.

6.1, para 2:  IT security policy helps to provide basic standards,
guidelines, and rules for everyone in an organization.  

6.2, para 1:  Program-level IT security policy establishes the
security program and assigns program management responsibilities.

6.2.1.1, para 4:  Program-level policy should be sufficiently broad
in scope to include all of the organization's IT resources.

6.2.1.1, para 5:  Program-level IT security policy goals should
stress the universal concepts of integrity, availability, and
confidentiality. 

6.2.2, para 1:  Issue-specific policies address particular
activities, concerns, and, sometimes, systems.

6.2.2, para 4:  New products, developments, and trends often
require the creation of corresponding issue-specific policies.

6.2.2.2, para 1:  Many activities within an organization should be
considered when developing issue-specific policies, including
physical security, personnel, communications, administrative
security, risk management, and contingency planning.

6.3.1, para 1:  IT security policy should be given especially high
visibility in order to help ensure employee awareness and
understanding.

6.3.2, para 4:  Many existing documents of an organization will
need to be revised to reflect IT security policies, and new
documents may also need to be developed.