PERSONAL COMPUTERS

Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST): CIA-RDP95-00972R000100190003-8
Release Decision: RIPPUB
Original Classification: C
Document Page Count: 7
Document Creation Date: December 23, 2016
Document Release Date: August 23, 2012
Sequence Number: 3
Case Number:
Publication Date: September 23, 1983
Content Type: MEMO
Body: 
Declassified in Part - Sanitized Copy Approved for Release 2012/08/23: CIA-RDP95-00972R000100190003-8

23 SEP 1983

MEMORANDUM FOR: Chief, Management Liaison Staff, Office of Communications

ATTENTION: [illegible]

[illegible] Information Systems Security Group, OS 25X1

SUBJECT: Personal Computers

1. It has recently come to the attention of the Office of Security, Information Systems Security Group (OS/ISSG), that Office of Communications (OC) components are purchasing Personal Computers (PC's) and individuals are also bringing in their own PC's and software for use within Agency facilities. This type of activity is contrary to existing Agency notices and ISSG policy.

2. The purchasing of PC's and use of privately owned PC's, without coordination with ISSG, are in conflict with "ADP Control Officer Bulletin Coordination Requirements Prior to the Acquisition of Personal Computers," ADP CO Bulletin 83-00[illegible]. This bulletin is derived from

3. While ISSG policy does not disallow the use of PC's, we do require that components inform us of their plans to purchase PC's and submit to ISSG a memorandum that they have read and are in compliance with Policy Number 14 (attached). ISSG does not allow the use of employee-owned PC's in agency facilities. Furthermore, ISSG security procedures require that once magnetic media (i.e., floppy disks) enters an Agency facility the media is not to be removed.

4. In order to assist us in fulfilling our responsibilities, please inform ISSG of plans for complying with the attached policies and forward us a list of all PC's used by both foreign and domestic components. Additionally, please alert all OC components that purchases of PC's must be coordinated with ISSG, the Office of Data Processing, and the Office of Logistics.

25X1

5. Please submit any questions to 25X1 extension [illegible]. Your prompt attention to 25X1 appreciated.

cc: ODP/MS

Policy Number 14 - Personal Computers* for Headquarters** Applications

1. The Office of Security feels strongly that the use of personal computers should be restricted to situations where the most stringent controls can be exercised. Their use poses formidable security problems and should be discouraged.

2. Experience to date clearly indicates that the use of unclassified word and data processing equipment in classified work areas creates a very real threat of contamination of the unclassified system. This is especially true of these small, "user friendly" computer systems. In fact, the smaller and more "friendly" the system, the greater the potential security risk. This contamination occurs in spite of conscientious efforts on the part of well intentioned individuals to prevent such occurrences. For this reason, all word and data processing accomplished in Headquarters work areas will be presumed to be classified. Thus, such processing will be handled and controlled accordingly.

POLICY

1. Office of Security policy is to restrict the use of personal computers to only those applications which can be solidly justified for reasons such as efficiency and substantial cost savings and where demonstrably robust security controls exist.

PROVISIONS

1. In those selected cases where sufficient management [illegible] processing of Agency official information in a work-related capacity may be approved providing:

a. The use of personal computer equipment, in each case, is approved by the operating official or his designee, and the Office of Security.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

* A personal computer is defined as one which (a) is easily transportable, (b) possesses limited software capabilities, and (c) requires few or no special devices for hook-up and operation.

** The Headquarters Building, the Agency training centers and Agency owned or leased facilities located in the Washington D.C. metropolitan area.

b. The personal computer equipment is TEMPEST approved, or otherwise controlled, in accordance with standards published by the Office of Communications.

c. The operating official or his designee creates, publishes, and promulgates written procedures designed to securely control the use of personal computers, and all associated magnetic media and printed output.

PROCEDURES

1. Procedures must be published and coordinated with, and concurrence received from, the Office of Security. This document must include strict procedures to:

a. Maintain positive segregation of classified processing from unclassified activities.

b. Provide for the use of unique identification labels for all magnetic media associated with and used for processing with personal computers.

c. Provide for the labeling of all personal computer generated output, including unclassified.

[illegible]sifi[illegible] personal computer printed output from [illegible] Provide for the definite segregation of [illegible] verify that only the intended data is released [illegible] magnetic media from the facility. If data recorded on such magnetic media needs to be removed from Agency control, the data must be dumped to a factory fresh [illegible] removal of all personal computer [illegible] program/project printed output. [illegible] computer systems. [illegible] media used for diagnostics and maintenance of personal [illegible] for the strict control of all magnetic [illegible]

g. Prevent the removal of personal computers from the Agency controlled area without proper sanitization and the written approval of the operating official, or his designee, and the Office of Security.

h. Prevent the relocation of personal computers within the program/project area without the written approval of the operating official or his designee, and the Office of Security.

GENERAL

1. All personnel should be aware of the volatile/non-volatile memory characteristics of Although most personal computers have volatile* memory, there are some personal computers which have non-volatile** memory. Also, some personal computers, whose basic design is categorized as volatile, employ a battery, a capacitor, or some other device to retain the data in memory for a period of time after a power failure, often for several days. Wherever possible, personal computers with volatile memory and no memory sustaining device should be used. Where such computers are not suitable, personal computers with non-volatile memory may be used provided memory is sanitized prior to power OFF at close of business in accordance with established procedures. In those instances where a memory sustaining device is employed, a positive disconnect feature must be employed to clear memory at close of business or when unattended.

2. Maintenance of personal computers also presents a problem which must be assessed as experience is gained. Thus, for the present, personal computers requiring maintenance must be repaired by staff or contractor personnel possessing [illegible]

[illegible] components, software, and the computers themselves [illegible] be acquired through approved Agency sources only, and [illegible] by the Office of Security.

4. Auxiliary storage media associated with personal computers, usually in the form of floppy disks and tape cassettes, will be destroyed in accordance with present regulations for non-soluble materials.

5. Personally owned personal computers will not be allowed in Agency classified working areas.

[illegible] system and [illegible] security audits by the Information System Security Group, Office of Security.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

* Volatile memory does not retain the data recorded thereon after power OFF.

** Non-volatile memory does retain the data after power OFF, thus, the data is available upon restoration of power.

STAT

Next 2 Page(s) In Document Denied