Idaho Transportation

Office of Communications
P.O. Box 7129
Boise, ID 83707
Fax: 208.334.8563


Cyber security an important issue for employees
And Forrest Anderson, cyber security officer

First of two parts:

What does Cyber Security mean to ITD employees?

The policy of the state of Idaho is to ensure the confidentiality, integrity, and availability of information provided to the State by its citizens. The state is required to protect information from unauthorized access, modification, destruction or disclosure, and to ensure the physical security of information.

The department has a responsibility and an obligation to ensure all information generated, acquired by or on behalf of, or held by ITD within its business and information systems is appropriately secured.

All ITD employees share a responsibility for the security and integrity of the department's information systems. There are well established processes for protecting the information systems and data currently in use by the department which include:

  • Network backups
  • Anti-virus/anti-spyware programs
  • Security updates
  • Firewalls
  • Network access controls
  • Vulnerability scanning
  • Security event management and auditing
  • Monitoring and blocking of inappropriate or potentially dangerous internet activity
  • E-mail content and attachment filtering
  • Incident response and
  • Disaster recovery processes

These defense strategies have been effective in protecting department systems and data but can be made less effective through deliberate or misguided actions of users of the various systems. It is extremely important that all employees take seriously their responsibilities to safeguard the systems and data they use.

Here are just a few things employees should consider:

  • Clicking on email attachments or opening emails from unknown senders – Most people know that this is not a good idea and yet seem unable to resist the temptation. Department email goes through several levels of anti-virus scanning, spam and attachment filtering before reaching the employees mailbox to minimize the risks but they still exist.

    Some people accessing home email from work fail to realize that their home email may not be subject to the same rigorous scanning we use and may expose the department to something potentially destructive.
  • Installing unauthorized applications – The department maintains standardized software applications to support the business of the Department and to facilitate the productivity of its employees. The installation of an unauthorized application may cause conflicts, support problems and downtime. There is also the risk of introducing some kind of potentially malicious program which could damage or otherwise compromise important systems or information.

    Many so called free programs may contain more than expected or wanted. Also many of the file sharing applications for the download or sharing of music and pictures can potentially violate computer use policy and competes with limited network resources which are needed for legitimate applications. Instant Messaging may fall into this category if not used for legitimate purposes and IM attachments may contain potentially harmful programs.
  • Turning off or attempting to disable automated security tools – Sometimes there is a temptation to attempt to turn off or circumvent anti-virus scanning and software patch updates because of the perception that it interferes with real work. What we need to understand is these are important parts of working in a networked environment.

    These tools not only protect the systems you are working on but also the systems you may be connecting to as part of the network. If you are experiencing problems it is important that you work with your system administrators to resolve the issues instead of attempting to bypass these tools.
  • Surfing inappropriate and potentially illegal or dangerous Web site's– Internet access on department computers and networks is meant to facilitate the employee’s ability to do their work. Certain Web sites are blocked because they may violate computer use policies or represent a potential legal risk to the department. These include categories such as Adult, Gambling, Racism/Hate, Militancy/Extremism and Games.

    Some Web sites are blocked because they represent a potential security risk for the employee or the department. These sites may contain spyware, potentially malicious applications such as Trojans, Viruses and Worms or may try to steal personal information. The department uses internet monitoring and blocking tools which do a good job but may not be 100% effective. Employees are expected to be conscientious about their online activity
  • Exposing or sharing passwords or access tokens – Despite continuous urging to the contrary, estimates are that 1 in 3 people write down or save their password somewhere near their computer. A sticky note stuck to the monitor or even under the keyboard or in a desk drawer is not a good security practice.

    The network account and password is what provides the unique identification needed to determine access permissions. By compromising that account and password you may be allowing someone to assume your identity on the system. Once they gain access to the system it may be possible to launch other attacks or obtain permissions which may not be appropriate. Some common exploits of computer systems will begin by trying to get unsuspecting people to give out or otherwise share their password. Do not leave computers logged in when unattended and use automated password protected screen savers where possible.
  • Giving out or posting personally identifiable information – Use caution and discretion when filling out online surveys and forms or posting personally identifiable or department information. Try to determine how the information is to be used and if it will be protected.

    Many people receive spam as a result of having innocently given out their email address on a survey, web page or posting to an online chat room. Too much information about who you are and what you do can also be used in identity theft or by others who may be trying to access or compromise a system by impersonating you. No reputable company will send you an email requesting personal information such as account numbers or passwords.

    No one from Nigeria wants to give you money. Read those agreements before you click ‘I accept’. Remember anything posted to the internet remains forever and may not be a good representation of yourself or the department.

The first step in eliminating or protecting something from potential risk is to understand the threat. Once those threats are understood a strategy for remediation can be developed. Cyber Security is about implementing appropriate remediation strategies to protect the employee, the information and the systems of the department based on the classifications of these assets.

The more sensitive or valuable an asset is to the department the more important the processes are to protect them. Cyber Security is not about making everything so restrictive that people cannot function or accomplish their jobs. It must have balance, be cost effective and meaningful and it depends on everyone’s participation and support.

If you have any Cyber Security related questions, comments or concerns you can call me, ITD's Cyber Security Officer at 334-8158 or contact me via e-mail at . You also can address e-mail to

Published 9-28-07