# **
I A V
I SB I	United States
\i ^	Environmental Protection Agency
Region IV
INFORMATION MANAGEMENT BRANCH
OFFICE OF POLICY AND MANAGEMENT
REGION IV
COMPUTER SECURITY
POLICY AND PROCEDURES

October 1993

-------
REGION IV COMPUTER SECURITY POLICY AND PROCEDURES
TABLE OF CONTENTS
I.	Overview: Importance of Computer Security		1
II.	Physical and Environmental Controls 		1
III.	Software Copyrights/Licenses and Master Copies 		3
IV.	Unauthorized Use of Computers 		4
V.	EPA-Purchased Software Product Controls 		4
VI.	Employee-Purchased Personal Productivity Software 		5
VII.	Computer Viruses 	5
VIII.	Magnetic Media (Information Storage) Controls		6
IX.	Records Management		7
X.	Disk Organization and File Storage Conventions 		7
XI.	Backups/Disaster Recovery 	8
XII.	Sensitive Data Controls/Password Protection 		9
XIII.	Information Systems Documentation Requirements 		9
XIV.	Region IV Computer Monitoring Procedures 		10

-------
APPENDICES
APPENDIX A: REGION IV INFORMATION MANAGEMENT CONTACTS
APPENDIX B: DISK STORAGE AND HARD DISK/FLOPPY DISKETTE BACKUP
OPTIONS
APPENDIX C: QUICK REFERENCE SHEET
APPENDIX D: DO'S AND DON'TS TO PROTECT YOUR INFORMATION

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 1
I. Overview: Importance of Computer Security
Region IV has made a significant investment in the information we store on
personal computers, local area networks (LAN's) and the mainframe computer in
the National Computer Center (NCC), Research Triangle Park, North Carolina.
Millions of dollars have been spent on computer hardware and software to
establish the current computing environment upon which we have grown to
depend to perform our jobs. The responsibility to protect these investments rests
with the users of the computers. This policy document has been prepared to:
a)	describe both Region IV and national security measures that need to
be taken to ensure the basic physical protection of personal
computers (PC's), mainframe terminals, and the magnetic media upon
which information is stored, and
b)	set forth administrative procedures governing the use of computers
and software.
The EPA Information Security and EPA Information Security for Personal
Computers manuals contain more detailed information about Agency-wide policy
on computer security. All Division Directors and PC Coordinators will have
received copies of these documents. Section 2.3 in the EPA Information Security
Manual addresses implementation of minimal controls for information security;
specifically, information sensitivity determination, risk analysis requirements and an
application certification process are discussed as the three different management
control processes that ensure information resources are adequately protected.
Copies of these manuals can be obtained from Richard Ferrazzuolo, the Regional
Information Security Officer. If you have questions concerning PC and LAN
security, contact either the Region IV Information Center (RIVIC) Help Desk at
X0509 or Mr. Ferrazzuolo at x2316.
II. Physical and Environmental Controls
The following controls for PC's and mainframe terminals are required to prevent
theft and physical damage:
Locate PC's away from heavily travelled areas to the extent possible; they
should be sitting on stable desk tops in a position that can easily be
accessed.
PC's should not be plugged directly into the wall; surge protection devices
have been provided to protect against surges in current. It is mandatory that

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 2
these devices are used. If a PC is missing a surge protector, contact Rick
Shekell in the Automated Data Processing (ADP) Management Section
immediately. A new unit will be supplied from stock.
Physical reconfiguration of equipment can only be made by the Information
Management Branch (1MB). In many cases these modifications will require
additional considerations in order to operate on the LAN, and they must be
performed only by 1MB.
1MB tracks all changes in the Region IV computer inventory system which
contains up-to-date information about each PC and LAN workstation
configuration owned by the Region. It is essential that this information be
kept current at all times.
Computer equipment should not be installed in direct sunlight or in locations
with extreme temperature variations (less than 50 degrees Fahrenheit or
greater than 100 degrees Fahrenheit).
Computer equipment and magnetic storage media are sensitive to
contamination from dirt, smoke, or magnetic fields. Do not eat or drink in
the immediate vicinity of the computer. As per Agency policy, smoking is
not permitted in EPA offices.
Portable PC's require additional security considerations because they are
more vulnerable to theft. Portables should be stored in locked cabinets
when not in use. Employees checking out these PC's from the RIVIC are
required to complete a "Request for Computer Equipment Checkout" sheet.
This form must be signed by both employee and supervisor. When it is
completed, the employee receives a "Computer Equipment Property Pass"
that must remain with the computer at all times in case verification of
authorization to possess this equipment is necessary. The checkout sheet is
then placed in a log book based on the computer's property number. The
log book is maintained by the RIVIC to track portable PC usage within the
office. A calendar is also maintained by the RIVIC to assist in the
determination of the availability of a particular portable PC at any given time.
The tracking of other portable PC's that have been issued to the Divisions is
the responsibility of Custodial Officers assigned to a specific area. These
Custodial Officers will have computer property print outs of this equipment
along with the desktop PC's.

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 3
III. Software Copyrights/Licenses and Master Copies
Some personal computers in Region IV may have WordPerfect, Lotus 1-2-3,
dBase or Multimate installed while other PC's may be configured to access
the LAN directly for specific applications. The remaining PC's will also have
access to a variety of standard agency software on the LAN. The
mainframe computers will have standard agency software installed.
When we buy software, we are purchasing a license agreement with the
manufacturer whereby we are prohibited from duplicating either the
software or documentation. In general, there are two types of software
licenses: single-machine and site. A single-machine license allows the user
to install the master copy of the software on one PC only. With a site
license, the software may be installed on more than one PC or a LAN file
server, typically for a higher fee. Copying single-machine software,
therefore, for use on another computer is a violation of the license
agreement. Making copies of software for personal use not only violates
copyright laws, but is a theft of government property. Using unauthorized
copies of software on EPA computers is also illegal, even if such copies are
obtained from sources outside EPA. Willful violations of U.S. copyright law
may result in potential for personal liability.
EPA-purchased software shall be used exclusively on EPA owned computers.
However, there may be cases where EPA owned software could be
authorized for use on home computers, e.g., as part of the proposed
Flexiplace program. Exceptions to this policy will be handled on a case-by-
case basis.
All master copies of software purchased by 1MB will be stored in the RIVIC
to ensure accountability and control. Software purchased by the Divisions
will be stored in the Divisions to also ensure accountability and control.
(1MB approval on procurement requests is still required on all software
purchases.) This is required for security purposes as well as to facilitate
region-wide software upgrades. Software vendors require that we either
destroy or return the master diskettes for each copy of the software that is
to be upgraded.
Software packages purchased by contractors for installation on EPA's LAN
and stand-alone PC's are subject to the same ADP procurement approval
requirements as software purchased by EPA, i.e., prior approval by the
Region's Information Management Branch. Divisions are responsible for
storing these contractor-purchased software packages. Project Officers for
all EPA contracts are responsible for being knowledgeable of all contractual
requirements regulating the contractors' use of computer hardware and

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 4
software for EPA business. Questions regarding such requirements should
be directed to the contracting official.
1MB will conduct unannounced, random audits of Region IV computers; should
illegal or unauthorized software be located on an employee's computer, appropriate
disciplinary action may be warranted by management. For additional information
on 1MB controls, see Section XIV, Region IV Computer Monitoring Procedures on
page 10.
IV. Unauthorized Use of Computers
Computers have been made available by EPA for use by its employees in the
conduct of EPA business. Use of these computers is not allowed for personal
business of any kind, even if it is done on the employee's own time. Training and
practice on EPA computers shall be directed toward developing skills to be used to
perform job related tasks.
PC games and other non-work related software are strictly prohibited from being
installed and/or executed on EPA computers.
V. EPA-Purchased Software Product Controls
1MB approval is required on Procurement Requests for Region IV software
procurement. Generally 1MB will not approve software procurement that are
inconsistent with the Agency's and Region's software standards. Contracts have
been established by the Office of Information Resources Management (OIRM) to
obtain computer software which are based upon a thorough requirements analysis
and are consistent with the Agency's long-term strategic plans. Software
standards are issued by the Director of the National Data Processing Division
(NDPD) after consultation and concurrence by the Director of the OIRM at EPA
Headquarters. If an office has questions regarding software procurement, contact
the PC Site Coordinator (IMB's ADP Management Section Chief) before initiating
any Procurement Requests.
There may be exceptions in which an application has specific requirements that are
not met by Agency standard software. In this case, advance notification should be
sent, via ccMail to the PC Site Coordinator (see Appendix A). Agency resources
are best spent on compatible software which has been tested prior to delivery and
for which user support has been committed. Organizations which acquire non-
standard software should be aware of their inherent and potential liability caused
by not being part of the Agency's standard architecture.

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 5
VI. Employee-Purchased Personal Productivity Software
An employee's personally-owned commercial and public domain software can be
installed on an Agency computer as long as all of the following conditions are met
by the employee:
o PC Site Coordinator is notified in advance. (Upon issuance of this
policy the employee shall notify the PC Site Coordinator of all copies
of this type of software that is currently installed on EPA computers).
o No software license agreement is violated.
o Diskettes are scanned using virus scanning software available on LAN
before copying data or executing commands.
o Storing Agency data in non-standard format using personally-owned
software is prohibited.
o Storing the software on LAN file servers is prohibited.
o The software is properly segregated from EPA software (e.g.,
separate subdirectories on PC's).
o The license for the software is produced upon request.
Use of personally-owned database software, other than FOCUS, CUPPER and
dBASE III+/IV for EPA multi-user system development may only be permitted with
prior 1MB approval. Personally-owned database software is also strongly
discouraged in the development of single-user systems (i.e. a personal project
tracking system).
Users are reminded that they are personally responsible for what is on their hard
drives, especially those programs that are privately purchased and placed on the
hard drives.
VII. Computer Viruses
A computer virus is an extra program hidden within an apparently normal program
or software package referred to as the virus "host" or "Trojan Horse". Like a
biological virus, the computer virus has two important characteristics: it can

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 6
replicate itself and it can cause harm or mischief. This replicating ability means
that a virus can quickly spread via shared diskettes, networks, electronic bulletin
boards, or file servers as programs or files are stored, executed, uploaded or
downloaded. Potentially infected host software include any of our standard
software packages. Truly malicious viruses can modify or destroy programs and
data.
To detect and combat viruses, a number of specialized programs or software
"vaccines" have been developed. However, the development of a set of generic
procedures to ensure the integrity of non-EPA computer products, public domain
software, EPA application software and data diskettes is not possible.
Due to the serious nature of software viruses and the severe damage that
can occur, all disks must be scanned by virus detection software prior to
installation or use on any EPA computer. All Region IV PC's on the LAN are
being scanned daily to identify viruses that may have been imported from
external sources, such as infected floppy disks. Also, some of the more
recently issued laptops have been equipped with virus detection software.
Failure to detect viruses may result in destruction of government property
(software and data), therefore, it is imperative that virus detection software
scan all new or re-configured computers. When a virus has been detected
by the existing virus-scanning program, a message will appear on the screen;
the user should stop using the PC immediately; the user should then contact
either the Help Desk (x0509) or LAN Administrator (x2316). Trained
specialists will be dispatched and they will remove the virus and take all
precautionary measures necessary to prevent the virus from infiltrating the
LAN.
VIII. Magnetic Media (Information Storage) Controls
Virtually all information on computers in Region IV is stored on magnetic media in
the following forms:
Diskettes
Fixed disks (hard disks) inside the PC
Large capacity fixed disks inside the LAN file servers
Cartridge tapes
Removable disk cartridges (Bernoulli cartridges)
Mainframe disk storage
Computer users need to treat magnetic media with special care. Flexible diskettes
are especially susceptible to damage.

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 7
Keep diskettes away from magnetic fields, such as radios, TV's or
microwave ovens.
Do not bend diskettes, or write (with hard tipped pens) on them.
Store diskettes in their jackets when not in use - these jackets are
made of a special material designed to protect the disks. Store the
diskette in its jacket in a diskette file container to prevent dust
damage.
All information that is accessed by more than one user should be stored on the
LAN or mainframe depending on the application. Sensitive data should be stored
on the mainframe and secured via the RACF mainframe security facility or placed in
a LAN directory that has limited user rights. Contact the ADP Management
Section for more details. Information can also be stored on the PC local hard drive,
if one exists, or on floppy diskettes. Confidential data should be stored on
diskettes and filed in a secure storage location; it should never be stored on the
LAN or local PC's.
IX.	Records Management
Electronic media such as diskettes and hard drives, which are used to store data
from documents, are covered by the same federal regulations governing the
destruction of paper records. Users should know the legal definition of an official
"record" and exercise caution when deleting computer files of stored documents.
If assistance is needed to decide whether or not a document can be destroyed,
please call the Records Management Officer at x2316.
X.	Disk Organization and File Storage Conventions
Users should be aware of the ability to create directories and subdirectories which
enable them to better organize their files. Some PC's used in common areas may
be set up so that each user has a different directory under his/her own name to
store data files and other large documents. However, other PC's in common areas
without this capability may require users to store information on diskettes.
The use of file extensions within file names to further identify files is recommended
(i.e., "training.doc" might indicate to a user that this file is a document or text file,
whereas "training.dat" might indicate that the file is a data file which is in non-
readable format).
Some standard file extensions are recommended as follows:

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 8
filename.mem (memos), filenameAtr (letter), filename.doc (documentation),
fi/enameAst (lists), filename.tmp (temporary files), filename.pf (primary
merge file), filename.si (secondary merge file), and filename.msg (mail
messages)
PC users should refer to software reference manuals to become familiar with
automatic extensions appended by certain commercial software packages. This
familiarity will help facilitate identification of data files versus required system files
and will help avoid erroneous file deletions, for example, while cleaning file
directories. Call RIVIC (x0509) if there are any questions.
XI. Backups/Disaster Recovery
Unfortunately, most computer users learn from a bad experience that backups are
critical to information security. Certain EPA systems require routine backups of
data. Procedures for creating these backups are documented separately in the
manual written for the system. Most computer applications, however, provide
relatively crude backup utilities which do not guarantee the user that their
information will be secure; these applications, such as WordPerfect, will create a
backup file of each document the user creates but this file is overwritten every
time a new file is created. The key to really secure backups is to make a copy of
your information and store it on separate media in a different, preferably remote,
location.
As a minimal control, make regular backups of all documents or data
files. A precise set of criteria for determining how often to make
backups cannot be provided - how active the data file is and how long
it took to create are key factors to consider.
Several different means for making backups are available (see
APPENDIX C: Disk Storage and Hard Disk/Floppy Disk Backup
Options).
Contact the RIVIC if there are any special security requirements that
need to be addressed.
Note that most information stored on the mainframe computers and
some LAN file servers is backed up automatically on a daily basis
while other LAN file servers are backed up on the average every three
or four days. If information has been stored via this media,
information can be restored in most cases, upon request. Contact the
LAN Administrator or the Computer Room for more details.

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 9
XII. Sensitive Data Controls/Password Protection
Varying levels of password protection may be applied to the information we store
on magnetic media. Controls are already in place for access to the Region IV LAN
and the EPA mainframe. Additional password protection measures may be
implemented as necessary, based upon information sensitivity level assessments.
Those who are interested in learning more about the criteria for evaluating
information sensitivity should contact the Regional Information Security Officer;
those who wish to incorporate more password protection should contact the ADP
Management Section at X2316.
Computer users must not abuse their password and User-ID privileges.
Violators of password protection expose the Agency to unnecessary
risk and potential irreparable harm caused by unethical users damaging
computer resources, accessing and disclosing sensitive information, or
committing other fraudulent acts.
Users must also be aware of some important facts regarding file
management on common-use computers. Files which are erased from
a magnetic disk using only the standard DOS "DEL" or "ERASE"
commands are not actually erased from the computer disk - they are
only marked for deletion. For this reason, until they have been
overwritten, they can be "unerased" using commercially available
utility programs. Additionally, some software systems use work files
that are temporarily stored on disk which are deleted by the system
when they're no longer needed, bur are still recoverable by utility
programs. If a user is working with a confidential file and wishes to
ensure that this file cannot be recovered by a utility program, after
being deleted, he/she should contact the RIVIC.
Log off the mainframe or remote computers in between uses. At the
end of each work day, log off the LAN and turn off PC's. During the
work day if a user will be away from his/her desk for a short time, the
user should at least return the PC to the main LAN menu. If the user
is away for an extended period of time, he/she should log off the LAN
but may leave on the PC.
XIII. Information Systems Documentation Requirements
Agency information on magnetic media is typically accessed via either a
commercial software package, such as WordPerfect, or an application developed
in-house^ such as a dBase budget tracking system. Therefore, it is necessary that
users of this information have sufficient documentation to operate the software

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 10
package or application. Commercial packages are purchased with manufacturer's
documentation, and a myriad of other publications are typically available, as well,
to provide a user with reference information. We must rely on the developers of
in-house systems to provide comprehensive documentation for use of their
systems, to ensure that those using the system will be able to access the
information they require. The developers of all new, more than one-time use
applications to be used in the Region, must abide by the following strict guidelines:
Document functional requirements (needs) analysis
Document system specifications
Maintain hard copies of program code
Document all codes to explain logic
Provide comprehensive user documentation and quick reference
sheets
Provide training (optional)
XIV. Region IV Computer Monitoring Procedures
The Region IV Information Management Branch has implemented control
procedures to monitor the effectiveness of the guidelines Liated within this
document. They are as follows:
1.	Inventory Audits
1MB will perform announced and unannounced inventory audits of all
computer hardware and software owned and installed in the Region. In
conjunction with these manual audits conducted by 1MB personnel, all
inventory may possibly be monitored with automated LAN software. This
software will verify the data manually collected for each computer
configuration. All potential problems and violations of regional/software
licensing policies will be noted and reported for further action.
2.	Software Usage Monitoring
1MB will also collect statistics on software accessed by PC's; this
information will help 1MB assess regional software support requirements.

-------
Region IV Computer Security Policy and Procedures
October 1993
Page 11
3.	LAN Environment Monitoring
The Region IV LAN environment is continuously monitored by software
which enables detection of numerous hardware, software or electrical
problems that might adversely affect our computing environment.
4.	Information Center Support Services
Through the RIVIC, 1MB provides regional PC users with a wide range of
services to help protect and maintain our computer environment. Services
include virus scanning, training on proper hardware/software management
procedures, and data recovery and disk repair, where feasible. Please find
additional information on 1MB support services in Appendix C: Disk Storage
and Hard Disk/ Floppy Diskette Backup Options.
5.	PC Division Coordinators
Within each Division there is a PC Division Coordinator to help define needs
and allocate computer hardware and software. Responsibilities of these
coordinators include communication between 1MB and Division management,
enforcement of Region IV PC policies, identification of Division PC needs,
review of PC inventory reports, and oversight of all PC/LAN related division-
wide projects.
For further information about Region IV computer monitoring controls, contact the
Information Management Branch.

-------
APPENDIX A
Region IV INFORMATION MANAGEMENT CONTACTS
Donald J. Guinyard
(Senior Information Resource Management Official)	X4728
Assistant Regional Administrator for Policy and Management
Jack P. Sweeney 	X2316
Chief, Information Management Branch (1MB)
Clifford R. Davis (PC Site Coordinator) 	X2316
Chief. Automated Data Processing Section. 1MB
Rebecca Kemp	X2316
Chief, Information Services Section. 1MB
Rick Shekell	x2316
Chief, Operations & Telecommunications Staff
Patrick Boyle 	X2316
Information Center Team Leader
Alan Kamali	X231 6
Region IV Local Area Network (LAN) Administrator
Priscilla Pride	x4216
Head Librarian. Region IV Library, LAI
Jim Whittington	x2316
Records Management Officer
Computer Room	X2316
Region IV Information Center (RIVIC) Help Desk	X0509
Athens LAN Administrator, John Schacke, EPA Contractor . . . .706-546-3624

-------
PC DIVISION COORDINATORS
Cindy Kessler	 706-546-3133
Environmental Services Division
Merci Lopez		x4450
Water Management Division
Shirley Huskins 	x1565
Office of Policy and Management
Cheryl McMenamin	x2335
Office of Regional Counsel
Greg Glahn 	x21 89
Air. Pesticides, and Toxics Management Division
Harold Key	x2930
Waste Management Division

-------
APPENDIX B
DISK STORAGE
AND
HARD DISK/FLOPPY DISKETTE BACKUP OPTIONS
DISK STORAGE OPTIONS:
There are four different storage areas where data can reside and they are as follows:
Floppy diskettes (3.5" or 5.25")
PC local hard disk
LAN file server
Mainframe Storage - DASD (accessed via Arbiter or SEND utility, described
below)
The main considerations in choosing a storage area are security, frequency of access,
and convenience. All information that is accessed by more than one user should be
stored on the LAN or mainframe depending on the application. Confidential files should
be stored on the LAN or mainframe, or placed in a LAN directory that has limited user
rights. Other types of information can be stored on the PC local hard drive, if one
exists, or on floppy diskettes. Please note that PC hard disks and floppy diskettes must
be backed-up by the individual user to ensure data integrity. Other factors to consider
when choosing between hard and floppy disks are as follows:
Error Rates:
Vulnerability:
Security:
Cost:
Portability:
Access Time:
Organization:
Hard disks may unexpectedly "crash" (the disks become unreadable) and chances are
great, 
-------
HARD DISK AND FLOPPY DISKETTE BACKUP OPTIONS:
There are three PC hard disk and one floppy diskette backup options and they are as
follows:
From PC Hard Disk to Floppy Disk:
The entire disk or portions of it may be copied to floppy disks for backup purposes. This option is
available to all users; however, it may be very time consuming and should be employed to back up
only those files which have been altered. Please contact the Information Center (RIVIC) if this
procedure is necessary.
From PC Hard Disk to Mainframe DASD:
The entire disk or portions of it may be copied to mainframe DASD via ARBITER. This option is
available to all users that have active mainframe User-IDs. Special device drivers are also required for
the PC and are to be included in the CONFIG.SYS file on the hard disk. If a large volume of data (2
MB or more) is to be backed-up, the procedure is to be run after 5 p.m. so that the network will not
be overloaded. Please contact the LAN Administrator to obtain the software and procedures.
From PC Hard Disk to Tape:
The entire hard disk may be backed up to a tape, similar to a video recording tape, using a backup
tape unit. Contact the RIVIC for assistance.
From Floppy Disk to Floppy Disk:
This option should be used to back up all information stored on floppy disks. The user has the choice
of using the DOS "diskcopy" command (to both format and exactly replicate the data on a disk), or
the DOS "copy" command. Care must be taken not to overwrite the original data.
Please consult the Information Center, at X0509, to obtain information about any of
these options except paragraph no. 2 which will require assistance from the LAN
Administrator.

-------
APPENDIX D
DO's AND DON'Ts
TO
PROTECT YOUR INFORMATION!
QUICK REFERENCE SHEET	October 1993
BEWARE!!
MOST COMMON THREATS:
DO
DON'T
Computer Viruses
•	Virus Scan all
new, non-EPA
software
•	Report incidence
of viruses to the
RIVIC immediately
•	Avoid use of non-
EPA software (i.e.
public domain)
• Violate copyright
laws
Dust/Dirt
• Clean drive heads
• Leave disks
uncovered
Carelessness
•	Backup to floppy
disk
•	Set up automatic
backup features
(such as available
in WordPerfect)
•	Organize sub-
directories and use
consistent file
naming
conventions
•	Store important
information in the
share directory on
the LAN
•	Exceed normal
storage limitations
on disk (75%-80%
full is optimal)
•	Delete or overwrite
files in haste
Lack of Knowledge
• Attend basic
computer training
seminars
• Be afraid to ask for
help
Sabotage
•	Password protect
sensitive
information
•	Report suspicious
incidents
• Share your
password with
ANYONE
CONTACT THE INFORMATION CENTER FOR
ADDITIONAL INFORMATION OR ASSISTANCE: X0509

-------
APPENDIX C
QUICK REFERENCE SHEET		October 1993
COMPUTER SECURITY POLICY
SUMMARY
Excerpted from the Region IV Computer Security Policy Manual (October 1993):
Physical Controls
Install computers on stable desk tops with proper ventilation. Turn PC's off each
night. PARK the hard disk prior to moving the PC. Label all manuals; store near
the PC to facilitate reference. Do not moaify physical configuration of equipment
without prior approval.
Software Copyrights/Licenses and Master Copies
Duplication of software for use on another computer is a violation of the license
agreement and is considered theft of government property.
Unauthorized Use of Computers
PC games and other non-work related software are strictly prohibited from being
installed and/or executed on EPA computers.
Personally-Owned Software Product Controls
Use of personally-owned software other than CLIPPER, FOCUS, and dBASE III +/IV
for multi-user systems may only be permitted with prior 1MB approval. Mandatory
virus-scanning is also required before any non-EPA software can be loaded on an
agency computer.
Computer Viruses
A computer virus, much like a human virus, can be transferred from an infected
source to any type of disk via many channels. Users who strictly adhere to
software license agreement and non-EPA software policies will greatly decrease
exposure to virus infection.
Magnetic Media (Information Storage) Controls
Keep diskettes away from magnetic fields. Do not bend, touch, or write on
diskettes. Store diskettes in tneir jackets when not in use. All information
accessed by more than one user is to be stored on the LAN or mainframe
depending on the application. Confidential Business Information (CBI) is to be
stored on diskette.
Disk Organization and File Storage Conventions
Create directories and subdirectories on the PC hard disk as well as floppy disks for
better organization and retrieval of files. The use of file extensions within file
names to further identify files is recommended.
Backups/Disaster Recovery
The key to really secure backups is to make a copy of information and store it on
separate media, in a different, preferably remote, location. Several different means
for making backups are available. Information stored on the LAN or mainframe can
be restored in most cases, upon request.
Sensitive Data Controls/Password Protection
Password protection for certain documents or personal computer systems may be
established. If there is a need for limited user access to certain information files,
call the LAN Administrator.

-------