SECURITY
LIBRARIES
MAR 1 5 2004
DEPOSITED BY
UNITED STATES OF AMERICA
Archives
and
Records
Administration

NARA'S SEVEN BASIC RULES
FOR COMPUTER SECURITY
I Keep your passwords to yourself.
> Select an unusual combination of at least eight letters,
numbers, and special characters. (See “Pick a Perfect
Password.”)
> Never write passwords down or post them by your
computer.
> Change passwords at least every 90 days.
2 Protect your computer and files from computer viruses.
> Be sure your computer is running the current version
of your antivirus software.
> Familiarize yourself with the “Virus Detection and
Prevention Tips” in this brochure.
> Contact your System Administrator or User Support
Services if you see anything suspicious or have any
questions regarding your virus software.
3 Log off and lock up.
> Use a screensaver with password protection.
> Log off when you leave your computer unattended.
4 Protect diskettes, CDs, and other computer equipment
from physical hazards.
> Keep your laptop in a safe place.
> Keep diskettes, CDs, and flash drives away from magnets
and the emissions from microwave ovens.
> Keep food and drink away from your work area.
Back up data and store it securely.
5
Use only licensed copies of commercial software.
6
> Do not borrow software.
> Do not install software without NARA authorization.
(See NARA 802, par. 802.7.)
7 Protect your computer files from unauthorized access.
> Share information only with those who should have it.
> Delete or store computer information when immediate
access is no longer needed.

PICK A PERFECT PASSWORD
Creating a secure password is an essential first step in protecting
your computer and the information with which you have been
entrusted. Avoid the following:
> Dictionary words, no matter how long
> Names spelled backwards
> First and last names
> Street and city names
> License plate numbers
> Room numbers, social security numbers, telephone numbers
> Beer and liquor brand names
> Athletic team names
> Days of the week and months of the year
> Repetitive characters (aaaaaaaa, 22222222)
> Common keyboard sequence (qwertyui, asdfghjk)
> Words with random character attached (defense 1, 1defense)
DO USE at least 8 characters—Almost 3 trillion combinations!
Do mix in some special characters: punctuation marks, symbols
(~!@#$%’ &*()+=/P \).
A random eight-character password, designed as we have sug-
gested, would take years for the average computer hacker to
figure out.
HOW TO MAKE A COMPLEX PASSWORD AND REMEMBER IT
(Don't use any of these examples. Make up your own.)
Password Transformations
TRANSFORM SAMPLE WORD PASSWORD
Insert Special Character Autograph Autoğgraph
Shift from “home”
on keyboard
Use Shift Key 1/1/2001 |PFG)
Abbreviations Relative humidity relativelhumid
Computer Xinoyrwe
Transliteration Photograph Fotograf
Use initials NHHO NARA Nhhoºmara
Substitute synonym Coffee break Javarest
Weave vowels and
Consonants -
Enter Aeneteri
Weave words John Mills lmoillnis
Repetition Horse horse Horsehorse
Rotate letters Backwards Dackwarbs

EXPECTATION
As detailed in our Strategic Plan, the mission of the National
Archives and Records Administration is to ensure the ready
access to essential evidence of government—records that doc-
ument the rights of citizens, the actions of government officials,
and the national experience.
To accomplish this objective, NARA is committed to the
implementation and practice of appropriate information tech-
nology security standards to protect its information technology
environment and the confidentiality, integrity, and availability
of the records entrusted to it.
VIRUS THREATS
A “virus” is a computer program that copies itself into a
computer's memory or programs and affects the system by
altering or deleting data, or displaying a malicious message.
At any given time, thousands of viruses threaten our comput-
ers. Computer viruses cost organizations valuable time and
expense associated with preventing, researching, and resolv-
ing virus threats. Because viruses can destroy valuable data,
they should always be taken seriously. Some viruses attach
themselves to normal, useful programs such as MS Word or
GroupWise, “infecting” these programs so that the virus can
spread more easily. Other viruses spread by embedding them-
selves inside documents and spreadsheets that are then spread
to others through email attachments. Still other viruses spread
by disguising themselves as useful documents to trick users
into opening them. In each case, the virus often includes a
“payload” that is designed to damage or delete data on the
infected computer. Many viruses do nothing more than spread
themselves to as many users as fast as possible with the goal
of overloading email systems and network links through mass
duplication.
VIRUS IDENTIFICATION
Viruses come in various forms, but there are clues to help
you detect them. The most common form of virus seen at
NARA is contained in an email attachment. The virus can
be in a Word document (.doc), an Excel spreadsheet (.xls/.xlw),
a zipped document (.2ip), or an image file (.jpg). The viruses
are named this way to trick users into opening them; once
they are opened, the virus instructions are executed and the
damage is done. Some viruses can be easily identified by the
unusual message in the email subject line, but not always.

To minimize risk, do not open any email attachments unless
jou know the sender. Don't panic if you discover a virus or
worm. If a message appears on the screen, write it down.
Turn off your computer immediately, and report the incident
to User Support Services.
VIRUS HOAXES
Far more common than an actual virus is the virus hoax.
Virus hoaxes are email messages written to “warn” people
about the dangers of a virus that does not really exist. The
purpose of a virus hoax is to frighten people into forwarding
the message as widely as possible, to overload email systems,
cause confusion, and generate help desk calls.
Virus hoaxes can be identified by looking for specific characteristics:
The original author of the hoax message is seldom identified
by name.
The virus is described as “the worst yet” and is said to be un-
detectable or incurable. Exaggerated claims, as well as techni-
cal-sounding language, are intended to fool non-technical users
into believing the message.
To appear credible, many hoaxes state that the information
comes straight from Microsoft, AOL, or IBM. A similar tactic
states falsely that the warning was recently broadcast on CNN.
A request or plea to forward the email message to a large
number of people.
As a general rule, any virus warning you receive from a source,
other than NARANET Services, should be disregarded.
VIRUS DETECTION AND PREVENTION TIPS
We recommend these tips:
Think before you open attachments. Do not open any e-mail
attachments from unknown, suspicious, or untrustworthy
sources. Think about it. Is it possible that this person would
send you this e-mail? If in doubt, get help from User Support
Services. Also exercise caution when downloading files from
the Internet. Ensure that the source is legitimate.
Just because you have scanning software doesn't mean it
will recognize a new virus or worm that has just been re-
leased. The average virus hits the street 46 days after discovery.
Usually enough time for vendors to update anti-virus signa-
tures; but it is not unusual for a virus to hit the street early,
catching many vendors and System Administrators by surprise.
Delete chain emails and junk email. Do not forward or reply
to any of them. It is “SPAM” mail and clogs up the network.
System performance can be a clue. Our System Administrators
are very good at their jobs, but you are our first line of defense
against viruses. You may have a virus if it seems to take much
longer to save small files now than in the past; if the drive access
light seems to come on frequently for small tasks; or if it takes
a lot longer than usual to load a program. These symptoms by
themselves don't always mean you have a virus, but should
serve as a red flag to the possibility of infection.
Check your antivirus software periodically to be certain it is the
latest version. User Support Services can help.
Back up your files on a regular basis. Many people save cur-
rent projects on their local drive until they are done, but System
Administrators only back up the network drives. So take a
moment to back up that important project you've been working
on for weeks to a network drive. Disasters are just that. They
don't give notice, they don't RSVP, and they don't ask if they
can come back when it's more convenient for you. You can
either back them up to diskettes, or on a networked drive.
Contact User Support Services if you have any questions.
|NOTIFY YOUR SUPERVISOR OF ANY
SU SPICIOUS COMIPUTER ACTIVITY
STOP
1/e Spread of Viruses
CALL USER SUPPORT Slºry CES
301-837-202()
Monday–Friday, 6 A.M.–10 P.M.
Saturday, 8 A.M.–5 P.M.
E
=
=
National Archives and Records Administration
Revised 2004
i
=