which the user will be operating and to the units security measures. The purpose of the initial briefing
is to make sure that the computer user understands:
Why security? A computer can be "user friendly," or a computer can be secure, but it cannot be both.
To the user, security means that it is going to be harder to get his work done. An essential ingredient
of the training program is threat awareness; users must be made aware of the threats involved with
processing classified information. Through training, users will understand why security is required
and accept it.
Who is responsible for what? Everybody is responsible for security, but each person in the unit has
specific responsibilities. The computer user must be informed of the commanders responsibility for,
and interest in, security. The user must be informed that the commander has appointed an ISSO and
TASOs as security experts, should be told who they are, and how to contact one of them. The user
must understand that he is responsible for complying with the units security measures, and
contacting the ISSO or TASO if he has a problem or question regarding computer security.
Part E: Periodic Security Training
Computer users must also be given periodic refresher training, preferably on an annual basis like the
other security training required by AR 380-5. The purpose of periodic training is to remind personnel
of security policies and procedures, remind personnel of their security responsibilities, and make
sure they are aware of any new policies and procedures. Periodic training can consist of formal
instruction, security bulletins, security posters, films or video tapes, or a combination of these training
Part F: PC Security Measures
Most of the Army's 400,000 or so computers are small computers, also known as PCs. The security
of these PCs and other "office automation systems," like word processors, is on of the biggest
problems facing the Army today. Practically every unit in the Army uses PCs for typing, information
filing and retrieval, sending and receiving electronic mail, and other information processing tasks.
Although PCs perform essentially the same functions as large computer systems, PCs have some
characteristics which present special security problems. In general, the differences between large
computer systems and PCs (and the source of those special problems) are physical access, built-in
security features, and the nature of the information processed.
Traditionally, large computer systems were found only in a centralized data processing department.
They were located in a central computer room, and were provided with considerable physical and
environmental protection. Built-in security features, such as password systems, protected
information from unauthorized access. The information itself was often in the form of large volumes
of unprocessed "raw data."
Today's electronic office presents unique security problems as computing has moved out of the
computer room and into the work area. The typical office is an open environment, and the office PCs
are scattered throughout the work area on tables and desks. Most PCs do not support, or are not