Computer User’s Guide to the Protection of Information
National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is
responsible or developing standards, providing technical
assistance, and conducting research for computers and related
systems. These activities provide technical support to government
and industry in the effective, safe, and economical use of
computers. With the passage of the Computer Security
Act of 1987 (P.L. 100-235), NIST’s activities also include the
development of standards and guidelines needed to assure the
cost-effective security and privacy of sensitive information in
Federal computer systems. This guide is just one of three
brochures designed for a specific audience. The “Executive Guide
to the Protection of Information Resources,” and the “Managers
Guide to the Protection of Information Resources” complete the
This guide was written by Cheryl Helsing of Deloitte, Haskins &
Sells in conjunction with Marianne Swanson and Mary Anne Todd of
the National Institute of Standards and Technology.
Today’s computer technology, with microcomputers and on-line
access, has placed the power of the computer where it belongs, in
YOUR hands. YOU, the users, develop computer applications and
perform other data processing functions which previously were
only done by the computer operations personnel. These advances
have greatly improved our efficiency and effectiveness but, also
present a serious challenge in achieving adequate data security.
While excellent progress has been made in computer technology,
very little has been done to inform users of the vulnerability of
data and information to such threats as unauthorized
modification, disclosure, and destruction, either deliberate or
accidental. This guide will make you aware of some of the
undesirable things that can happen to data and will provide some
practical solutions for reducing your risks to these threats.
WHO IS RESPONSIBLE FOR PROTECTING DATA AND INFORMATION?
The statement that “security is everyone’s responsibility” is
absolutely true. Owners, developers, operators and users of
information systems each has a personal responsibility to protect
these resources. Functional managers have the responsibility to
provide appropriate security controls for any information
resources entrusted to them. These managers are personally
responsible for understanding the sensitivity and criticality of
their data and the extent of losses that could occur if the
resources are not protected. Managers must ensure that all users
of their data and systems are made aware of the practices and
procedures used to protect the information resources. When you
don’t know what your security responsibilities are, ASK YOUR
MANAGER OR SUPERVISOR.
WHAT IS “SENSITIVE” DATA?
All data is sensitive to some degree; exactly how sensitive is
unique to each business environment. Within the Federal
Government, personal information is sensitive to unauthorized
disclosure under the Privacy Act of 1974. In some cases, data is
far more sensitive to accidental errors or omissions that
compromise accuracy, integrity, or availability. For example, in
a Management Information System, inaccurate, incomplete, or
obsolete information can result in erroneous management decisions
which could cause serious damage and require time and money to
rectify. Data and information which are critical to an agency’s
ability to perform its mission are sensitive to nonavailability.
Still other data are sensitive to fraudulent manipulation for
personal gain. Systems that process electronic funds transfers,
control inventories, issue checks, control accounts receivables
and payables, etc., can be fraudulently exploited resulting in
serious losses to an agency.
One way to determine the sensitivity of data is to ask the
questions “What will it cost if the data is wrong? Manipulated
for fraudulent purposes? Not available? Given to the wrong
person?” If the damage is more than you can tolerate, then the
data is sensitive and should have adequate security controls to
prevent or lessen the potential loss.
WHAT RISKS ARE ASSOCIATED WITH THE USE OF COMPUTERS?
Over the past several decades, computers have taken over
virtually all of our major record-keeping functions. Recently,
personal computers have made it cost-effective to automate many
office functions. Computerization has many advantages and is here
to stay; however, automated systems introduce new risks, and we
should take steps to control those risks.
We should be concerned with the same risks that existed when
manual procedures were used, as well as some new risks created by
the unique nature of computers themselves. One risk introduced by
computers is the concentration of tremendous amounts of data in
one location. The greater the concentration, the greater the
consequences of loss or damage. Another example is that computer
users access information from remote terminals. We must be able
to positively identify the user, as well as ensure that the user
is only able to access information and functions that have been
authorized. Newspaper accounts of computer “hackers,” computer
virus attacks, and other types of intruders underscore the
reality of the threat to government and commercial computer
HOW MUCH SECURITY IS ENOUGH?
No matter how many controls or safeguards we use, we can never
achieve total security. We can, however, decrease the risk in
proportion to the strength of the protective measures. The degree
of protection is based on the value of the information; in other
words, how serious would be the consequences if a certain type of
information were to be wrongfully changed, disclosed, delayed, or
All Federal computer system users share certain general
responsibilities for information resource protection. The
following considerations should guide your actions.
Treat information as you would any valuable asset.
You would not walk away from your desk leaving cash or other
valuables unattended. You should take the same care to protect
information. If you are not sure of the value or sensitivity of
the various kinds of information you handle, ask your manager for
Use government computer systems only for lawful and authorized
The computer systems you use in your daily work should be used
only for authorized purposes and in a lawful manner. There are
computer crime laws that prescribe criminal penalties for those
who illegally access Federal computer systems or data.
Additionally, the unauthorized use of Federal computer systems or
use of authorized privileges for unauthorized purposes could
result in disciplinary action.
Observe policies and procedures established by agency
Specific requirements for the protection of information have been
established by your agency. These requirements may be found in
policy manuals, rules, or procedures. Ask your manager if you are
unsure about your own responsibilities for protection of
Recognize that you are accountable for your activities on
After you receive authorization to use any Federal computer
system, you become personally responsible and accountable for
your activity on the system. Accordingly, your use should be
restricted to those functions needed to carry out job
Report unusual occurrences to your manager.
Many losses would be avoided if computer users would report any
circumstances that seem unusual or irregular. Warning signals
could include such things as unexplainable system activity that
you did not perform, data that appears to be of questionable
accuracy, and unexpected or incorrect processing results. If you
should notice anything of a questionable nature, bring it to your
Security and Control Guidelines
Some common-sense protective measures can reduce the risk of
loss, damage, or disclosure of information. Following are the
most important areas of information systems controls that assure
that the system is properly used, resistant to disruptions, and
Make certain no one can impersonate you.
If a password is used to verify your identity, this is the key to
system security. Do not disclose your password to anyone, or
allow anyone to observe your password as you enter it during the
sign-on process. If you choose your own password, avoid selecting
a password with any personal associations, or one that is very
simple or short. The aim is to select a password that would be
difficult to guess or derive. “1REDDOG” would be a better
password than “DUKE.”
If your system allows you to change your own password, do so
regularly. Find out what your agency requires, and change
passwords at least that frequently. Periodic password changes
keep undetected intruders from continuously using the password of
a legitimate user.
After you are logged on, the computer will attribute all activity
to your user id. Therefore, never leave your terminal without
logging off — even for a few minutes. Always log off or
otherwise inactivate your terminal so no one could perform any
activity under your user id when you are away from the area.
Safeguard sensitive information from disclosure to others.
People often forget to lock up sensitive reports and computer
media containing sensitive data when they leave their work areas.
Information carelessly left on top of desks and in unlocked
storage can be casually observed, or deliberately stolen. Every
employee who works with sensitive information should have
lockable space available for storage when information is not in
use. If you aren’t sure what information should be locked up or
what locked storage is available, ask your manager.
While working, be aware of the visibility of data on your
personal computer or terminal display screen. You may need to
reposition equipment or furniture to eliminate over-the-shoulder
viewing. Be especially careful near windows and in public areas.
Label all sensitive diskettes and other computer media to alert
other employees of the need to be especially careful. When no
longer needed, sensitive information should be deleted or
discarded in such a way that unauthorized individuals cannot
recover the data. Printed reports should be finely shredded,
while data on magnetic media should be overwritten. Files that
are merely deleted are not really erased and can still be
Install physical security devices or software on personal
The value and popularity of personal computers make theft a big
problem, especially in low-security office areas. Relatively
inexpensive hardware devices greatly reduce the risk of equipment
loss. Such devices involve lock-down cables or enclosures that
attach equipment to furniture. Another approach is to place
equipment in lockable cabinets.
When data is stored on a hard disk, take some steps to keep
unauthorized individuals from accessing that data. A power lock
device only allows key-holders to turn on power to the personal
computer. Where there is a need to segregate information between
multiple authorized users of a personal computer, additional
security in the form of software is probably needed. Specific
files could be encrypted to make them unintelligible to
unauthorized staff, or access control software can divide storage
space among authorized users, restricting each user to their own
Avoid costly disruptions caused by data or hardware loss.
Disruptions and delays are expensive. No one enjoys working
frantically to re-enter work, do the same job twice, or fix
problems while new work piles up. Most disruptions can be
prevented, and the impact of disruptions can be minimized by
advance planning. Proper environmental conditions and power
supplies minimize equipment outages and information loss. Many
electrical circuits in office areas do not constitute an adequate
power source, so dedicated circuits for computer systems should
be considered. Make certain that your surroundings meet the
essential requirements for correct equipment operation. Cover
equipment when not in use to protect it from dust, water leaks,
and other hazards.
For protection from accidental or deliberate destruction of data,
regular data backups are essential. Complete system backups
should be taken at intervals determined by how quickly
information changes or by the volume of transactions. Backups
should be stored in another location, to guard against the
possibility of original and backup copies being destroyed by the
same fire or other disaster.
Maintain the authorized hardware/software configuration.
Some organizations have been affected by computer “viruses”
acquired through seemingly useful or innocent software obtained
from public access bulletin boards or other sources; others have
been liable for software illegally copied by employees. The
installation of unauthorized hardware can cause damage,
invalidate warranties, or have other negative consequences.
Install only hardware or software that has been acquired through
normal acquisition procedures and comply with all software
licensing agreement requirements.
Ultimately, computer security is the user’s responsibility. You,
the user, must be alert to possible breaches in security and
adhere to the security regulations that have been established
within your agency. The security practices listed are not
inclusive, but rather designed to remind you and raise your
awareness towards securing your information resources:
PROTECT YOUR EQUIPMENT
Keep it in a secure environment
Keep food, drink, and cigarettes AWAY from it
Know where the fire suppression equipment is located and know
how to use it
PROTECT YOUR AREA
Keep unauthorized people AWAY from your equipment and data
Challenge strangers in your area
PROTECT YOUR PASSWORD
Never write it down or give it to anyone
Don’t use names, numbers or dates which are personally
identified with you
Change it often, but change it immediately if you think it has
PROTECT YOUR FILES
Don’t allow unauthorized access to your files and data
NEVER leave your equipment unattended with your password
activated – SIGN OFF!
PROTECT AGAINST VIRUSES
Don’t use unauthorized software
Back up your files before implementing ANY new software
LOCK UP STORAGE MEDIA CONTAINING SENSITIVE DATA
If the data or information is sensitive or critical to your
operation, lock it up!
BACK UP YOUR DATA
Keep duplicates of your sensitive data in a safe place, out of
your immediate area
Back it up as often as necessary
REPORT SECURITY VIOLATIONS
Tell your manager if you see any unauthorized changes to your
Immediately report any loss of data or programs, whether
automated or hard copy
For Additional Information
National Institute of Standards and Technology
Computer Security Program Office
Gaithersburg, MD 20899
For further information on the management of information
resources, NIST publishes Federal Information Processing
Standards Publications (FIBS PUBS). These publications deal with
many aspects of computer security, including password usage, data
encryption, ADP risk management and contingency planning, and
computer system security certification and accreditation. A list
of current publications is available from:
Standards Processing Coordinator (ADP)
National Computer Systems Laboratory
National Institute of Standards and Technology
Technology Building, B-64
Gaithersburg, MD 20899
Phone: (301) 975-2817