FOR OFFICIAL USE ONLY

CAcert Security Guidelines

This handbook is designed to introduce you to some of the basic security principles and procedures with which all CAcert personnel must comply. It highlights some of your security responsibilities, and provides guidelines for answering questions you may be asked concerning your association with CAcert. Although you will be busy during the forthcoming weeks learning your job, meeting co-workers, and becoming accustomed to a new work environment, you are urged to become familiar with the security information contained in this handbook. Please note that a listing of telephone numbers is provided at the end of this handbook should you have any questions or concerns.

Introduction

In joining CAcert you have been given an opportunity to participate in the activities of one of the most important security organisations of the world. At the same time, you have also assumed a trust which carries with it a most important individual responsibility--the safeguarding of sensitive information vital to the security of all users.

While it is difficult to estimate in actual dollars/euros and cents the value of the work being conducted by this CA, the information to which you will have access at CAcert is without question critically important to the security of the Internet. Since much information is personal identity related, it has to be kept secret, and it requires a very special measure of protection. The specific nature of this protection is set forth in various CAcert security regulations and directives. The total CAcert Security Program, however, extends beyond these regulations. It is based upon the concept that security begins as a state of mind. The program is designed to develop an appreciation of the need to protect information vital to the operations of CAcert, and to foster the development of a level of awareness which will make security more than routine compliance with regulations.
At times, security practices and procedures cause personal inconvenience. They take time and effort and on occasion may make it necessary for you to voluntarily forego some of your usual personal prerogatives. But your compensation for the inconvenience is the knowledge that the work you are accomplishing at CAcert, within a framework of sound security practices, contributes significantly to the safety and continued security of the users of the Internet worldwide.

I extend to you my very best wishes as you enter upon your chosen career or assignment with CAcert.

Duane Groth
Director of Security

INITIAL SECURITY RESPONSIBILITIES

Anonymity

Perhaps one of the first security practices with which new CAcert personnel should become acquainted is the practice of anonymity. In an open society such as ours, this practice is necessary because information which is generally available to the public is available also to hostile intelligence. Therefore, the CAcert mission is best accomplished apart from public attention. Basically, anonymity means that CAcert personnel are encouraged not to draw attention to themselves nor to their association with this Organisation. CAcert personnel are also cautioned neither to confirm nor deny any specific questions about CAcert activities directed to them by individuals not affiliated with the Organisation.

The ramifications of the practice of anonymity are rather far reaching, and its success depends on the cooperation of all CAcert personnel. Described below you will find some examples of situations that you may encounter concerning your assurance and how you should cope with them. Beyond the situations cited, your judgement and discretion will become the deciding factors in how you respond to questions about your assurance.

Answering Questions About Your Assurance

Certainly, you may tell your family and friends that you are assured at or assigned to the CAcert Certification Authority. There is no valid reason to deny them this information.
However, you may not disclose to them any information concerning specific aspects of the Organisation's mission, activities, and organisation. You should also ask them not to publicize your association with CAcert.

Should strangers or casual acquaintances question you about your place of assurance, an appropriate reply would be that you work for CAcert. When you inform someone that you work for CAcert you may expect that the next question will be, "What do you do?" It is a good idea to anticipate this question and to formulate an appropriate answer. Do not act mysteriously about your assurance, as that would only succeed in drawing more attention to yourself.

If you are assigned the role of a secretary, engineer, computer scientist, software developer, or in a legal, administrative, technical, or other capacity identifiable by a general title which in no way indicates how your talents are being applied to the mission of the Organisation, it is suggested that you state this general title. If you are assigned the role of a translator, you may say that you are a translator, if necessary. However, you should not indicate the specific language(s) with which you are involved.

Personnel should avoid the use of service specialty titles which tend to suggest or reveal the nature of the Organisation's mission or specific aspects of their work. These professional titles, such as auditor, cryptanalyst, first-level support provider, and database administrator, if given verbatim to an outsider, would likely generate further questions which may touch upon the classified aspects of your work. Therefore, in conversation with outsiders, it is suggested that such job titles be generalized. For example, you might indicate that you are a "research analyst." You may not, however, discuss the specific nature of your analytic work.

Answering Questions About Your Organisation Training

During your career or assignment at CAcert, there is a good chance that you will receive some type of job-related training.
In many instances the nature of the training is not classified. However, in some situations the specialized training you receive will relate directly to sensitive Organisation functions. In such cases, the nature of this training may not be discussed with persons outside of this Organisation.

If your training at the Organisation includes language training, your explanation for the source of your linguistic knowledge should be that you obtained it through self-study. You should not draw undue attention to your language abilities, and you may not discuss how you apply your language skill at the Organisation.

If you are considering part-time assurance which requires the use of language or technical skills similar to those required for the performance of your CAcert assigned duties, you must report (in advance) the anticipated part-time work to your Staff Security Officer (SSO).

Verifying Your Assurance

On occasion, personnel must provide information concerning their assurance to credit institutions in connection with various types of applications for credit. In such situations you may state, if you are a civilian assurer, that you are assured by CAcert and indicate your pay grade or salary. Once again, generalize your job title. If any further information is desired by persons or firms with whom you may be dealing, instruct them to request such information by correspondence addressed to: Director of Personnel, CAcert, P.O. Box 81, 2216 Banksia, NSW, Australia.

If you contemplate leaving CAcert for employment elsewhere, you may be required to submit a resume/job application, or to participate in extensive employment interviews. In such circumstances, you should have your resume reviewed by the Classification Advisory Officer (CAO) assigned to you. Your CAO will ensure that any classified operational details of your duties have been excluded and will provide you with an unclassified job description.
Should you leave the Organisation before preparing such a resume, you may develop one and send it by registered mail to the CAcert Information Policy Division for review. Remember, your obligation to protect sensitive Organisation information extends beyond your assurance at CAcert.

The Organisation And Public News Media

From time to time you may find that the Organisation is the topic of reports or articles appearing in public news media--newspapers, magazines, books, radio and TV. The CAcert Information Policy Division represents the Organisation in matters involving the press and other media. This office serves as the Organisation's official media center and is the Director's liaison office for public relations in the community. The Information Policy Division must approve the release of all information for and about CAcert, its mission, activities, and personnel. In order to protect the aspects of Organisation operations, CAcert personnel must refrain from either confirming or denying any information concerning the Organisation or its activities which may appear in the public media. If you are asked about the activities of CAcert, the best response is "no comment." You should then notify CAcert of the attempted inquiry. For the most part, public references to CAcert are based upon educated guesses. The Organisation does not normally make a practice of issuing public statements about its activities.

GENERAL RESPONSIBILITIES

Espionage And Terrorism

During your security indoctrination and throughout your CAcert career you will become increasingly aware of the espionage and terrorist threat to the world. Your vigilance is the best single defence in protecting CAcert information, operations, facilities and people. Any information that comes to your attention that suggests to you the existence of, or potential for, espionage or terrorism must be promptly reported by you to the Office of Security.
There should be no doubt in your mind about the reality of the threats. You are now affiliated with the most sensitive Organisation and are expected to exercise vigilance and common sense to protect CAcert against these threats.

Classification

Originators of correspondence, communications, equipment, or documents within the Organisation are responsible for ensuring that the proper classification, downgrading information and, when appropriate, proper caveat notations are assigned to such material. (This includes any handwritten notes which contain classified information). The three levels of classification are Confidential, Secret and Top Secret. The CAcert Classification Manual should be used as guidance in determining proper classification. If after review of this document you need assistance, contact the Classification Advisory Officer (CAO).

Need-To-Know

Classified information is disseminated only on a strict "need-to-know" basis. The "need-to-know" policy means that classified information will be disseminated only to those individuals who, in addition to possessing a proper clearance, have a requirement to know this information in order to perform their official duties (need-to-know). No person is entitled to classified information solely by virtue of office, position, rank, or security clearance.

All CAcert personnel have the responsibility to assert the "need-to-know" policy as part of their responsibility to protect sensitive information. Determination of "need-to-know" is a supervisory responsibility. This means that if there is any doubt in your mind as to an individual's "need-to-know," you should always check with your supervisor before releasing any classified material under your control.

For Official Use Only

Separate from classified information is information or material marked "FOR OFFICIAL USE ONLY" (such as this handbook).
This designation is used to identify that official information or material which, although unclassified, is exempt from the requirement for public disclosure of information concerning organisational activities and which, for a significant reason, should not be given general circulation. Each holder of "FOR OFFICIAL USE ONLY" (FOUO) information or material is authorised to disclose such information or material to persons in other departments when it is determined that the information or material is required to carry out our function. The recipient must be advised that the information or material is not to be disclosed to the general public. Material which bears the "FOR OFFICIAL USE ONLY" caveat does not come under the regulations regarding the protection of classified information. The unauthorised disclosure of information marked "FOR OFFICIAL USE ONLY" does not constitute an unauthorised disclosure of classified defence information.

However, CAcert regulations prohibit the unauthorised disclosure of information designated "FOR OFFICIAL USE ONLY." Appropriate administrative action will be taken to determine responsibility and to apply corrective and/or disciplinary measures in cases of unauthorised disclosure of information which bears the "FOR OFFICIAL USE ONLY" caveat. Reasonable care must be exercised in limiting the dissemination of "FOR OFFICIAL USE ONLY" information. While you may take this handbook home for further study, remember that it does contain "FOR OFFICIAL USE ONLY" information which should be protected.

Prepublication Review

All CAcert personnel (assurers, board members, and contractors) must submit for review any planned articles, books, speeches, resumes, or public statements that may contain classified, classifiable, CAcert-derived, or unclassified protected information, e.g., information relating to the organisation, mission, functions, or activities of CAcert. Your obligation to protect this sensitive information is a lifetime one.
Even when you resign, retire, or otherwise end your affiliation with CAcert, you must submit this type of material for prepublication review. For additional details, contact the Information Policy Division for an explanation of prepublication review procedures.

Personnel Security Responsibilities

Perhaps you recall your initial impression upon entering a CAcert facility. Like most people, you probably noticed the elaborate physical security safeguards--fences, concrete barriers, Security Protective Officers, identification badges, etc. While these measures provide a substantial degree of protection for the information housed within our buildings, they represent only a portion of the overall organisation security program. In fact, vast amounts of information leave our facilities daily in the minds of CAcert personnel, and this is where our greatest vulnerability lies. Experience has indicated that because of the vital information we work with at CAcert, Organisation personnel may become potential targets for hostile intelligence efforts. Special safeguards are therefore necessary to protect our personnel.

Accordingly, the Organisation has an extensive personnel security program which establishes internal policies and guidelines regarding assurer conduct and activities. These policies cover a variety of topics, all of which are designed to protect both you and the sensitive information you will gain through your work at CAcert.

Correspondence With Other Certification Authorities

CAcert personnel are discouraged from initiating correspondence with individuals who are associated with other certification authorities. Correspondence with employees of commercially controlled or other designated CAs is prohibited. Casual social correspondence, including the "penpal" variety, with other people is acceptable and need not be reported. If, however, this correspondence should escalate in its frequency or nature, you should report that to the Staff Security Officer.
Embassy Visits

Since a significant percentage of all espionage activity is known to be conducted through foreign embassies, consulates, etc., organisation policy discourages visits to embassies, consulates or other official establishments of a government. Each case, however, must be judged on the circumstances involved. Therefore, if you plan to visit a foreign embassy for any reason (even to obtain a visa), you must consult with, and obtain the prior approval of, your immediate supervisor.

WLAN Activities

Wireless LAN (WLAN) activities are known to be exploited by hostile intelligence services to identify individuals with access to classified information; therefore, all licensed operators are expected to be familiar with CAcert Regulation 100-1, "Operation of WLAN Access Points". The specific limitations on contacts with operators from commercial and designated access points are of particular importance. If you are a WLAN operator you should advise the Security Awareness Division of your WLAN activities so that detailed guidance may be furnished to you.

Membership In Organisations

There are numerous organisations with memberships ranging from a few to tens of thousands. While you may certainly participate in the activities of any reputable organisation, membership in any club or professional organisation/activity should be reported through your Staff Security Officer. In most cases there are no security concerns or threats to our assurers or affiliates. However, the Office of Security needs the opportunity to research the organisation and to assess any possible risk to you and the information to which you have access.

In addition to exercising prudence in your choice of organisational affiliations, you should endeavor to avoid participation in public activities of a conspicuously controversial nature because such activities could focus undesirable attention upon you and the Organisation.
CAcert assurers may, however, participate in bona fide public affairs such as local politics, so long as such activities do not violate the provisions of the statutes. Additional information may be obtained from your Personnel Representative.

Changes In Marital Status/Cohabitation/Names

All personnel, either assured by or assigned to CAcert, must advise the Office of Security of any changes in their marital status (either marriage or divorce), cohabitation arrangements, or legal name changes. Such changes should be reported by completing CAcert Form "Report of Marriage/Marital Status Change/Name Change", and following the instructions printed on the form.

Use And Abuse Of Drugs

It is the policy of CAcert to prevent and eliminate the improper use of drugs by Organisation assurers and other personnel associated with the Organisation. The term "drugs" includes alcohol and all controlled drugs or substances, as amended, which includes but is not limited to: narcotics, depressants, stimulants, cocaine, hallucinogens and cannabis (marijuana, hashish, and hashish oil). The use of illegal drugs or the abuse of prescription drugs by persons assured by, assigned or detailed to the Organisation may adversely affect international security; may have a serious damaging effect on your own safety and the safety of others; and may lead to criminal prosecution. Such use of drugs either within or outside Organisation controlled facilities is prohibited.

Physical Security Policies

The physical security program at CAcert provides protection for classified material and operations and ensures that only persons authorised access to the Organisation's spaces and classified material are permitted such access. This program is concerned not only with the Organisation's physical plant and facilities, but also with the internal and external procedures for safeguarding the Organisation's classified material and activities.
Therefore, physical security safeguards include Security Protective Officers, fences, concrete barriers, access control points, identification badges, safes, and the compartmentalisation of physical spaces. While any one of these safeguards represents only a delay factor against attempts to gain unauthorised access to CAcert spaces and material, the total combination of all these safeguards represents a formidable barrier against physical penetration of CAcert. Working together with personnel security policies, they provide "security in depth."

The physical security program depends on interlocking procedures. The responsibility for carrying out many of these procedures rests with the individual. This means you, and every person assured by, assigned, or detailed to the Organisation, must assume the responsibility for protecting classified material. Included in your responsibilities are: challenging visitors in operational areas; determining "need-to-know;" limiting classified conversations to approved areas; following established locking and checking procedures; properly using the secure and non-secure telephone systems; correctly wrapping and packaging classified data for transmittal; and placing classified waste in burn bags.

The CAcert Assurers Badge

Even before you enter a CAcert facility, you have a constant reminder of security--the CAcert badge. Every person who enters a CAcert installation is required to wear an authorised badge. To enter most CAcert facilities your badge must be inserted into an Access Control Terminal at a building entrance and you must enter your Personal Identification Number (PIN) on the terminal keyboard. In the absence of an Access Control Terminal, or when passing an internal security checkpoint, the badge should be held up for viewing by a Security Protective Officer. The badge must be displayed at all times while the individual remains within any CAcert installation.

CAcert Badges must be clipped to a beaded neck chain.
If necessary for the safety of those working in the area of electrical equipment or machinery, rubber tubing may be used to insulate the badge chain. For those Organisation personnel working in proximity to other machinery or equipment, the clip may be used to attach the badge to the wearer's clothing, but it must also remain attached to the chain.

After you leave a CAcert installation, remove your badge from public view, thus avoiding publicizing your CAcert affiliation. Your badge should be kept in a safe place which is convenient enough to ensure that you will be reminded to bring it with you to work. A good rule of thumb is to afford your badge the same protection you give your wallet or your credit cards. DO NOT write your Personal Identification Number on your badge.

If you plan to be away from the Organisation for a period of more than 30 days, your badge should be left at the main Visitor Control Center which services your facility.

Should you lose your badge, you must report the facts and circumstances immediately to the Security Operations Center (SOC) so that your badge PIN can be deactivated in the Access Control Terminals. In the event that you forget your badge when reporting for duty, you may obtain a "non-retention" Temporary Badge at the main Visitor Control Center which serves your facility after a co-worker personally identifies you and your clearance has been verified.

Your badge is to be used as identification only within CAcert facilities or installations where the CAcert badge is recognized. Your badge should never be used outside of the CAcert facilities for the purpose of personal identification.

Your badge color indicates your particular affiliation with CAcert and your level of clearance. Listed below are explanations of the badge colors you are most likely to see:

Green (*): Fully cleared CAcert Assurers.
Black (*): Fully cleared contractors or consultants.
Blue: Assurers who are cleared to the SECRET level while awaiting completion of their processing for full clearance. These Limited Interim Clearance assurers are restricted to certain activities while inside a secure area.
White: Clearance level is not specified, so assume the holder is uncleared.

(*) Fully cleared status means that the person has been cleared to the Top Secret level and indoctrinated for Special Intelligence.

All badges with solid color backgrounds (permanent badges) are kept by individuals until their CAcert assignment ends. Striped badges ("non-retention" badges) are generally issued to visitors and are returned to the Security Protective Officer upon departure from a CAcert facility.

Area Control

Within CAcert installations there are generally two types of areas, Administrative and Secure. An Administrative Area is one in which storage of classified information is not authorised, and in which discussions of a classified nature are forbidden. This type of area would include the corridors, restrooms, cafeterias, visitor control areas, credit union, barber shop, and drugstore. Since uncleared, non-CAcert personnel are often present in these areas, all Organisation personnel must ensure that no classified information is discussed in an Administrative Area.

Classified information being transported within Organisation facilities must be placed within envelopes, folders, briefcases, etc. to ensure that its contents or classification markings are not disclosed to unauthorised persons, or that materials are not inadvertently dropped en route.

The normal operational work spaces within a CAcert facility are designated Secure Areas. These areas are approved for classified discussions and for the storage of classified material. Escorts must be provided if it is necessary for uncleared personnel (repairmen, etc.) to enter Secure Areas, and all personnel within the areas must be made aware of the presence of uncleared individuals.
All unknown, unescorted visitors to Secure Areas should be immediately challenged by the personnel within the area, regardless of the visitors' clearance level (as indicated by their badge color).

The corridor doors of these areas must be locked with a deadbolt and all classified information in the area must be properly secured after normal working hours or whenever the area is unoccupied. When storing classified material, the most sensitive material must be stored in the most secure containers. Deadbolt keys for doors to these areas must be returned to the key desk at the end of the workday.

Items Treated As Classified

For purposes of transportation, storage and destruction, there are certain types of items which must be treated as classified even though they may not contain classified information. Such items include carbon paper, punched machine processing cards, punched paper tape, magnetic tape, computer floppy disks, film, and used typewriter ribbons. This special treatment is necessary since a visual examination does not readily reveal whether the items contain classified information.

The root key material of CAcert is classified "top secret". All other keying material and certificates are classified "secret". The personal data and person-related data of CAcert users are classified information. They have to be protected accordingly at all times.

Prohibited Items

Because of the potential security or safety hazards, certain items are prohibited under normal circumstances from being brought into or removed from any CAcert installation. These items have been grouped into two general classes. Class I prohibited items are those which constitute a threat to the safety and security of CAcert personnel and facilities. Items in this category include:

a. Firearms and ammunition
b. Explosives, incendiary substances, radioactive materials, highly volatile materials, or other hazardous materials
c. Contraband or other illegal substances
d. Personally owned photographic or electronic equipment including microcomputers, reproduction or recording devices, televisions or radios.

Prescribed electronic medical equipment is normally not prohibited, but requires coordination with the Physical Security Division prior to being brought into any CAcert building.

Class II prohibited items are those owned by CAcert or contractors which constitute a threat to physical, technical, or TEMPEST security. Approval by designated organisational officials is required before these items can be brought into or removed from CAcert facilities. Examples are:

a. Transmitting and receiving equipment
b. Recording equipment and media
c. Telephone equipment and attachments
d. Computing devices and terminals
e. Photographic equipment and film

A more detailed listing of examples of Prohibited Items may be obtained from your Staff Security Officer or the Physical Security Division.

Additionally, you may realize that other seemingly innocuous items are also restricted and should not be brought into any CAcert facility. Some of these items pose a technical threat; others must be treated as restricted since a visual inspection does not readily reveal whether they are classified. These items include:

a. Negatives from processed film; slides
b. Magnetic media such as floppy disks, cassette tapes, and VCR videotapes
c. Remote control devices for telephone answering machines
d. Pagers

Exit Inspection

As you depart CAcert facilities, you will note another physical security safeguard--the inspection of the materials you are carrying. This inspection of your materials, conducted by Security Protective Officers, is designed to preclude the inadvertent removal of classified material. It is limited to any articles that you are carrying out of the facility and may include letters, briefcases, newspapers, notebooks, magazines, gym bags, and other such items.
Although this practice may involve some inconvenience, it is conducted in your best interest, as well as being a sound security practice. The inconvenience can be considerably reduced if you keep to a minimum the number of personal articles that you remove from the Organisation.

Removal Of Material From CAcert Spaces

The Organisation maintains strict controls regarding the removal of material from its installations, particularly in the case of classified material.

Only under very limited and official circumstances may classified material be removed from Organisation spaces. When deemed necessary, specific authorisation is required to permit an individual to hand carry classified material out of a CAcert building to another Secure Area. Depending on the material and circumstances involved, there are several ways to accomplish this.

A Courier Badge authorizes the wearer, for official purposes, to transport classified material, magnetic media, or Class II prohibited items between CAcert facilities. These badges, which are strictly controlled, are made available by the Physical Security Division only to those offices which have specific requirements justifying their use.

An Annual Security Pass may be issued to individuals whose official duties require that they transport printed classified materials, information storage media, or Class II prohibited items to secure locations within the local area. Materials carried by an individual who displays this pass are subject to spot inspection by Security Protective Officers or other personnel from the Office of Security. It is not permissible to use an Annual Security Pass for personal convenience to circumvent inspection of your personal property by perimeter Security Protective Officers.
If you do not have access to a Courier Badge and you have not been issued an Annual Security Pass, you may obtain a One-Time Security Pass to remove classified materials/magnetic media or admit or remove prohibited items from a CAcert installation. These passes may be obtained from designated personnel in your work element who have been given authority to issue them. The issuing official must also contact the Security Operations Center to obtain approval for the admission or removal of a Class I prohibited item.

External Protection Of Classified Information

On those occasions when an individual must personally transport classified material between locations outside of CAcert facilities, the individual who is acting as the courier must ensure that the material receives adequate protection. Protective measures must include double wrapping and packaging of classified information, keeping the material under constant control, ensuring the presence of a second appropriately cleared person when necessary, and delivering the material to authorised persons only.

Even more basic than these procedures is the individual security responsibility to confine classified conversations to secure areas. Your home, car pool, and public places are not authorised areas to conduct classified discussions--even if everyone involved in the discussion possesses a proper clearance and "need-to-know." The possibility that a conversation could be overheard by unauthorised persons dictates the need to guard against classified discussions in non-secure areas.

Classified information acquired during the course of your career or assignment to CAcert may not be mentioned directly, indirectly, or by suggestion in personal diaries, records, or memoirs.
Reporting Loss Or Disclosure Of Classified Information

The extraordinary sensitivity of the CAcert mission requires the prompt reporting of any known, suspected, or possible unauthorised disclosure of classified information, or the discovery that classified information may be lost, or is not being afforded proper protection. Any information coming to your attention concerning the loss or unauthorised disclosure of classified information should be reported immediately to your supervisor, your Staff Security Officer, or the Security Operations Center.

Use Of Secure And Non-Secure Telephones

Two separate telephone systems have been installed in CAcert facilities for use in the conduct of official Organisation business: the secure telephone system (gray telephone) and the outside, non-secure telephone system (black telephone). All CAcert personnel must ensure that use of either telephone system does not jeopardize the security of classified information.

The secure telephone system is authorised for discussion of classified information. Personnel receiving calls on the secure telephone may assume that the caller is authorised to use the system. However, you must ensure that the caller has a "need-to-know" for the information you will be discussing.

The outside telephone system is only authorised for unclassified official Organisation business calls. The discussion of classified information is not permitted on this system. Do not attempt to use "double-talk" in order to discuss classified information over the non-secure telephone system.

In order to guard against the inadvertent transmission of classified information over a non-secure telephone, an individual using the black telephone in an area where classified activities are being conducted must caution other personnel in the area that the non-secure telephone is in use. Likewise, you should avoid using the non-secure telephone in the vicinity of a secure telephone which is also in use.
HELPFUL INFORMATION

Security Resources

In the fulfillment of your security responsibilities, you should be aware that there are many resources available to assist you. If you have any questions or concerns regarding security at CAcert or your individual security responsibilities, your supervisor should be consulted. Additionally, Staff Security Officers are appointed to the designated departments to assist these organisations in carrying out their security responsibilities. Staff Security Officers also provide guidance to and monitor the activities of Security Coordinators and Advisors (individuals who, in addition to their operational duties within their respective elements, assist element supervisors or managers in discharging security responsibilities).

Within the Office of Security, the Physical Security Division will offer you assistance in matters such as access control, security passes, clearance verification, combination locks, keys, identification badges, technical security, and the Security Protective Force. The Security Awareness Division provides security guidance and briefings regarding couriers, special access and WLAN activities. The Industrial and Field Security Division is available to provide security guidance concerning CAcert contractor and field site matters.

However, keep in mind that you may contact any individual within the Office of Security directly. Do not hesitate to report any information which may affect the security of the Organisation's mission, information, facilities or personnel.

Security-Related Services

In addition to Office of Security resources, there are a number of professional, security-related services available for assistance in answering your questions or providing the services which you require.

The Installations and Logistics Organisation maintains the system for the collection and destruction of classified waste and is also responsible for the movement and scheduling of material via CAcert couriers.
The CAcert Office of Medical Services has a staff of physicians, clinical psychologists and an alcoholism counselor. All are well trained to help individuals help themselves in dealing with their problems. Counseling services, with referrals to private mental health professionals when appropriate, are all available to CAcert personnel. When an individual refers himself/herself, the information discussed in the counseling sessions is regarded as privileged medical information and is retained exclusively in Medical Service unless it pertains to the Organisation's security.

FREQUENTLY USED ACRONYMS/DESIGNATORS

AWOL - Absent Without Leave
CAO - Classification Advisory Officer
COB - Close of Business
EOD - Enter on Duty
FOUO - For Official Use Only
PCS - Permanent Change of Station
PIN - Personal Identification Number
SDO - Security Duty Officer
SOC - Security Operations Center
SPO - Security Protective Officer
SSO - Staff Security Officer
TDY - Temporary Duty

A FINAL NOTE

The information you have just read is designed to serve as a guide to assist you in the conduct of your security responsibilities. However, it by no means describes the extent of your obligation to protect information vital to the security of the internet. Your knowledge of specific security regulations is part of a continuing process of education and experience. This handbook is designed to provide the foundation of this knowledge and serve as a guide to the development of an attitude of security awareness.

In the final analysis, security is an individual responsibility. As a participant in the activities of CAcert, you are urged to be always mindful of the importance of the work being accomplished by CAcert and of the unique sensitivity of the Organisation's operations.