You are on page 1of 3
DEPARTMENT OF THE ARMY U.S. ARMY SOLDIER SUPPORT INSTITUTE “10000 HAMPTON PARKWAY ar FORT JACKSON, SOUTH CAROLINA 29207-7028 "OCT 09 2007 ATSG-CG MEMORANDUM FOR ALL Soldier Support Institute (SSI) Personnel SUBJECT: Policy Memorandum # 25 - Security of Information Technology (IT) Equipment 1. References: a. Memorandum, HQ TRADOC, ATIM, 30 May 07, subject, TRADOC Policy Letter 16, Security of Government-owned or Leased Information Technology (IT) Equipment b. Memorandum, HQ TRADOC, ATIM-S, 31 Oct 06, subject: Guidance on Protecting Data-At-Rest. c. Memorandum, HQ TRADOC, ATIM- Identifiable Information (PID. 20 Sep 07, subject: ‘eporting the Loss of Personally 4. AR 735-5 Polices and Procedures for Property Accountability, 28 Feb 05. €. AR 190-51, Security of Unclassified Army Property (Sensitive and Non-sensitive), 30 Sep 98. £. AR 25-55, Department of the Army Freedom of Information Act Program, 1 Nov 87. 2, AR 380-5, Department of the Army, Information Security Program, 29 Sep 00. h, AR 25-2, Information Assurance, 14 Nov 03. i. Uniform Code of Military Justice. 2. Applicability. This policy applies to, and is binding on, all military and civilian personnel assigned, attached, detailed, or on temporary duty with Soldier Support Institute. 3. Enforceability. Violations of this policy are punitive, Military personnel violating this policy may be subject to action under the Uniform Code of Military Justice and/or adverse administrative action Civilian employees who violate this policy may also be subject to adverse action or discipline in accordance with the applicable laws and regulations. 4. Purpose. This policy provides guidance on the security of government-owned or lease IT equipment, and associated data. IT equipment covered under this policy letter is defined as computers, removable media, and personal digital assistants (PDAS). 5. As you know, across the Army and TRADOC there have been a number of reports of lost or stolen computers. Computers are high-value items requiring extra security precautions and more importantly, these computers frequently contain sensitive information or PII. The loss of computers or other IT equipment affects business ATSG-CG ‘SUBJECT: Policy Memorandum #25, Security of Information Technology (IT) Equipment processes, causes reductions in production and triggers notification requirements. Each individual having responsibility for IT equipment must ensure the equipment and information on it are protected. 6. The following mandatory procedures will be followed: a. AILIT equipment removed from the workplace for travel or other purposes must be approved by a supervisor. These computers must be protected by an Army-approved hard drive encryption solution and must be labeled IAW reference 1a, b. If traveling by vehicle, computers and other IT equipment must be locked in the trunk of the vehicle; otherwise, the equipment must be retained in the user’s possession. If the vehicle has no trunk, the equipment must not be left in the vehiele. . If traveling by public conveyance (airplane, bus, train, etc...), IT equipment will be hand-carried and under visual observations at all times. If the computer case is too large to carry on the airplane, the computer will be removed and hand-carried onto the airplane. 4. IT equipment will not be left in an unattended, unsecured personal residence or hotel where it could be pilfered. IF IT equipment is left unattended in the residence or hotel, all windows and doors must be locked, and equipment must be locked in a safe, cabinet, or secured with a cable lock to an immovable object. «. Laptop computers will not be left unattended and unsecured in the workplace. If not under direct observation or control, laptop computers must be in a locked office, locked in an appropriate container (e.g, safe, closet, cabinet), ot secured to an immobile object with a cable lock. Laptop computers will not be left in such a manner that an unknown person could freely enter the workplace and depart with IT equipment. £, Supervisors must ensure sensitive information or PII contained on IT equipment, as defined in paragraph 4 of this memorandum, is not subject to unnecessary risks of loss or compromise. Any sensitive information or PII removed from the workplace must have been approved for such removal by a supervisor. 2. At this time, Army-approved solutions for encrypting removable media are very limited. When approved solutions become available, removable media containing sensitive information or PII must be encrypted before they are removed from the workplace. 7. Additionally, I expect users and supervisors to consider the following security measures: a. Encrypting hard drive(s) of workplace computers that contain sensitive information or PII », Storing files (containing sensitive information or PII) on Army Knowledge Online (AKO). 8. Procedures for reporting loss: a. In the event of lost/stolen IT equipment on the installation, users must immediately report the loss to the military law enforcement officials. If the loss occurs off post, contact the local police instead. ATSG-CG SUBJECT: Policy Memorandum #25, Security of Information Technology (IT) Equipment b, Ifthe loss/stolen IT equipment contained PII (suspected or confirmed), then users and supervisors ‘must follow the guidelines in reference Ie and use the US-CERT web-based reporting system, https:/forms.us-cert.gov/report . At the same time the US-CERT is notified, submit an e-mail notification to PILREPORTING@US.MIL, and to the Information Management Officer, SSI with the following information: organization involved, date of incident and number of personnel potentially impacted, brief synopsis, and point of contact information. 9. Liability for the loss or theft of IT equipment shall be evaluated IAW paragraph 6 and 7 of this policy letter and reference 1d. Failure to follow this policy and other guidance on laptop security may constitute negligence and could subject the violator to personal financial liability. 10. Although portions of this policy arc punitive, commanders, commandants and directors are reminded to consider their full range of options for addressing misconduct and to dispose of the case at the lowest appropriate level consistent with the gravity of the misconduct. 11. This policy supersedes SSI Policy Memorandum #25, dated, 16 Jul 07, subject above and is effective immediately and will remain in effect until rescinded or superseded. 12, The proponent of this policy is the Information Technology Division, Soldier Support Institute. 13, “READINESS STARTS HERE! Vor GNacte ROSE A. WALKER Colonel, AG Commanding