The National Research Council, which advises the government on technology matter, examines cybersecurity issues including the nature of cybertrheats and common causes of system and network problems.
The agency has developed some controversial policy recommendations, such as making software and system vendors legally responsible for insecure products and systems (Scientists on Cybersecurity, 2002c, p. 38).
The following procedures are recommended for application by internet security professionals:
1. Permission – Use of computer facilities must be authorized by the owner of the information or by a senior manage. Prior permission to use another user’s computer account or user-ID from the owner of the account should be required. All computer or electronic files are considered private unless the owner has explicitly made them available to others.
2. Responsibilities – The user is owner of their data. It is their responsibility to ensure that it is adequately protected against unauthorized access. Keep passwords and accounts confidential; change passwords frequently. Do not leave terminals unattended without logging out first. Do not engage in any activity that is intended to circumvent computer security controls. Do not access the accounts of others with the intent to read, browse, modify, copy or delete files and directories without authorization.
3. Unauthorized Use of Software –Users should be prohibited from loading any software on any computer system (i.e. shareware o freeware software) without approval from the system administrator and your supervisor. Users should be expressly prohibited from using company computers to make illegal copies of licensed or copyrighted software. Copyrighted software must only be used in accordance with its license or purchase agreement.
4. Harassment – Company computer systems are not to be used to harass anyone. This includes the use of insulting, sexist, racist, obscene or suggestive electronic mail, tampering with others’ files invasive access to others’ equipment. Etc.
5. Destruction of Records – Instruct employees how to dispose of old manuals, floppy disks. Shredding and thoroughly erasing floppy disks, removing any information that could be used by an outsider to penetrate a company’s computer system. Recycle ink and toner cartridges.
6. Networks – Disallow use of the company-owned network (or other network accessible by company computers) for any activity other than company business. This includes surfing the Internet, online discussions in newsgroups and bulletin board services, attempting to access other computer systems without authorization, posting commercial messages, and transmitting viruses, worms, or other invasive software.
7. Enforcement – Investigate all alleged abuses of computer resources. Each employee must be responsible for their own actions. A company has the obligation to ensure that its computer resources are used properly and within the guidelines established by the company. The company should have access to all electronic files of its employees. Limiting the access of guilty employees is appropriate. Refer flagrant abuses to senior managers or law enforcement authorities. In extreme cases of flagrant abuse or disregard of computer security guidelines, may result in termination of employment
8. Workplace Monitoring – A company must reserve the right to monitor the computer system for signs of illegal or unauthorized activity. (Alexander, 1995b, p. 59)