Concerns Regarding Information Security "Orientation" Program

TO: Gerry McAteer

President, NTEU Chapter 273

FROM: David Redenbaugh

Executive Vice President, NTEU Chapter 273

DATE: December 6, 2001

SUBJECT: FDIC’s Securitiy Awareness Orientation for All Employees

The FDIC is requiring all employees to complete an information security awareness program by year end. The problem is that it is not just an "orientation." Employees are required to certify that they agree with the program and will comply with its content. All FDIC employees have been directed to agree with the program’s content. Yesterday, RD Masa directed all DOS SF personnel to agree with it. Today, ARD Mayher and FOS Johnson have directed personnel in my office to agree. I have serious reservations about much of the content. Additionally, my impression is that being ordered to sign (digitally) something saying you agree with it when you don’t under the implied threat of discipline for insubordination seems inherently coercive. If I were asked to certify that I have reviewed the material, I would not have much of a problem with it. However, they are directing us to go a step beyond that and "agree" with everything in the program and all referenced material.

Given the number of problems that I have with the program, I find it hard to believe that this has been reviewed by the NTEU at the national level. What we are being ordered to do is a change in working conditions. If the NTEU has not been given the opportunity to bargain over impact and implementation, it would appear to be an unfair labor practice. The use of coercion could also be an unfair labor practice.

The orientation itself is 41 pages long. When referenced laws, OMB documents, presidential decision directives, and FDIC directives are included, employees would have to read hundreds of pages of material, which they are not provided official time to do. Employees are in effect being asked to sign something without being able to read all the associated material they are being held accountable for.

Issues that could adversely impact our bargaining unit members are listed below:

Part I – Introduction

Discusses a hypothetical example of an employee sending a print job to the wrong printer, resulting in confidential information being viewed by unauthorized persons.

Problem: All our employees are human and will make mistakes. Implied in this example is that the full range of disciplinary actions will be employed for inadvertent errors that people will make, no matter how careful they are.

Part II – Federal Laws and Regulations

Five laws, one OMB circular, and one presidential decision directive are referenced as applying to the FDIC (with the implication that FDIC employees are responsible for understanding and abiding by these documents). Links are provided to the complete text of these documents.

Problem: The program does not have full summaries of the content of these documents. Such summaries should have been sent to the NTEU for review. Most employees do not have the legal training and expertise to read and understand these documents on their own. Also, the amount of material is more than employees have time to review.

Part III – FDIC Directives

A list of 12 FDIC directives is provided, along with an extremely brief 3-4 sentence description of each one.

Problem: These directives constitute well over a hundred pages of material, most of which is not described in the orientation. Employees have not been provided official time to read these directives.

Part IV – Consequences of Security Violations

States that security violations can be punished with discipline up to suspension, demotion, removal, and criminal and civil penalties.

Problem: This reference is in a document that states that saving a file to a hard drive instead of a disk (daily practice for every examiner) is a security violation, or making a mistake on a printer selection is a security violation. Some of the security violations that are listed in the document are unreasonable, restrict us from carrying out our jobs in an efficient manner, or are impossible to comply with. It is wrong to threaten severe punishment for what amounts to doing our job with a reasonable amount of care.

Part V – General Rules of Behavior

"…You are expected to go beyond the stated rules…"

Problem: This is an ambiguous standard. Employees will never be able to know if they are in the clear or not.

States that, "you should never store sensitive information in an easily accessible place. This includes your computer’s hard drive and unprotected diskettes or CD’s." "Although it is a common practice to save draft documents to your hard drive, this is not the most secure method and should be avoided. Diskettes, CD’s, and network drives are backed up on a regular basis."

Problem: Field examiners do not have CD burners and do not work on a network. Working off of diskettes is impractical and time consuming. Our core report of examination preparation software, GENESYS, must be stored and run off a hard drive.

The program states: "Take great care when eating or drinking around your computer." If it stopped at that point, it would be fine. However it continues, "Generally, the simplest rule is the safest: keep all food and drink away from your computer systems."

Problem: Field examiners often work in extremely confined spaces at banks, with a very limited amount of table top to work on. It is impossible to have coffee, juice, or water without having it near the computer. Additionally, many examiners need to eat their lunch in the same spot. It is not practically possible for a field examiner to keep all food and drink away from their computer systems.

The program states, "If you have important and/or confidential information on a diskette or CD, take care to store it properly in a locked drawer."

Problem: Field examiners do not have locked drawers. The most secure thing we have is a leather examiner bag with a lock that can be easily opened with a paper clip. The lock can also be cut out of the leather with a pair of scissors. Even with the bag locked, you can reach your hand in the side of the bag to remove an item such as a disk. Examiners have no means for securing disks during examinations, other than maintaining them on their person at all times.

Security Tips

The program states: "Do not write passwords down."

Problem: With the multitude of passwords that FDIC users must maintain, it is not reasonably possible to remember them without writing them down. This conflicts with another guideline in the program that requiring passwords to be composed of a mixture of random letters and numbers, which are inherently difficult to remember. Additionally, FDIC examiners have at least fifteen work related passwords to remember. A list of such passwords is provided below:

ACF2

Network

Windows

Power on

Screen saver

Entrust

Employee Personal Page

Employee Express

Thrift Savings Plan

T. Rowe Price

MCI Card

Long Distance Phone Access

Code to access building

PIN for government credit card

GENESYS