<< MILITARY COMPUTER SECURITY >>

Protecting Sensitive Information In A Vulnerable Storage System

By Lola Hobbs, AISD Office of Public Affairs, POPULAR COMMUNICATIONS
Compiled by: Master Sergeant

Personnel in the Information Systems Security Branch of Airlift Informational Systems Division headquarters are dedicated to protecting Military Airlift Command's computer hardware and software.

Microcomputers are now a common piece of equipment in nearly every office place. With the commonality of this equipment comes a greater need for awareness of the sensitivity of information stored on these systems and the physical security of the equipment itself.

According to Cindy Hicks, a Worldwide Military Command and Control Systems Automatic Data Processing System Security Officer assigned to the AISD office, "Our office gets involved in the security of the computer even before it is set up in the office place. We talk to the users and review contract specifications and proposals. Then we work with the local security officer in conducting a risk analysis in the area. From the very beginning we need to know what type of information (unclassified, sensitive unclassified, and/or classified) will be processed on the computer."

Contrary to general belief, computer security does not involve just classified information. In fact, classified information probably constitutes a small part of the computer security mission. Nor does computer security deal exclusively with large mainframe security. [too bad]

"The microcomputers in the office place are extremely vulnerable," said Ms. Hicks. "Managers need to insure that the area where the computer is housed is safe in order to preclude theft and tampering."

"Much of the information stored on computers is sensitive or proprietary, such as supply information or flight information. By itself it may not mean anything, but like a puzzle, when the pieces are joined together, they give an important picture," she said.

"Another area of concern is personnel information and privacy act information."

"We also need to make sure people are aware of the sensitivity of passwords," said Ms. Hicks. "Passwords should not be stored on disk files or written down. They have to be treated as sensitive or classified as the data they access."

Another problem dealt with by personnel in the Information Systems Security Branch is use of computers for other than official business.

"There have been many documented cases of personnel using the computer to maintain listings of comic books or home video tapes, or using the office computer for managing an intramural sports program. These are obvious cases of fraud, waste and abuse," she said. "There are also many cases of unauthorized personnel gaining access to computer passwords and entering the system. Unfortunately, cases like these cost the government highly in terms of investigations and loss of data base integrity."

People from the AISD office attend Air Force-level computer security workshops and Worldwide Military Command and Control Systems conferences in order to keep abreast of the latest information involving computer security. Hicks is the chairperson of the WWMCCS ADP System Security Officer Committee. In addition, she is the MAC representative at the WASSO conference.

A checklist is available that assesses the vulnerability of an organization's small computer. It provides a means of ensuring the safety of hardware and software. It is a good tool when it is used.

"We need to make everyone aware of computer security," she said. "Unfortunately, our greatest threat comes from within. By working with local security personnel, management, and users, we hope to make everyone aware of potential problems and alleviate them before they start. One way of accomplishing this is with total communication from the very beginning of the information systems acquisition process."

<< * >>