BTS-2.11 - Analog Modems

Administrative Rule Adopted by Office of Management and Finance Pursuant to Rule-Making Authority

This document explains the City’s analog modem acceptable use and approval rules and procedures. This policy covers the use of modems that are to be connected to computers and computing devices.
This rule covers only those modems that are to be connected to a device inside City buildings. It does not pertain to modems that are connected into employee homes, PBX desktop phones, wireless modems used in portable computing devices or fax machines.
There are two important scenarios that involve modem misuse, which we attempt to guard against through this policy. The first is an outside attacker who calls a set of phone numbers in the hope of connecting to a computer or system which has a modem attached to it. If the modem answers from inside City premises, then there is the possibility of breaching the City’s internal network through that computer. At the very least, information that is held on that computer alone can be compromised. This potentially results in the loss of sensitive City information.
The second scenario is the threat of anyone with physical access to a City facility being able to use a modem-equipped computer. In this case, the intruder would be able to connect to the City's trusted network through the computer's Ethernet connection, and then call out to an unmonitored site using the modem, with the ability to siphon City information to an unknown location. This could also potentially result in the substantial loss of vital information.

Administrative Rule
The general policy is that requests for computers or other intelligent devices to be connected to modems from within the City will not be approved for security reasons. Modems represent a significant security threat to the City, and active penetrations have been launched against such lines by hackers. Waivers to this policy may be granted on a case-by-case basis.

Requesting a Modem Connection
Once approved by a Bureau Director, the individual requesting a modem connection must provide the following information:
• A clearly detailed business case of why other secure connections available at the City cannot be used
• The business purpose for which the modem is to be used
• The software and hardware to be connected to the analog phone line and used across the line
• The external connections to which the requester is seeking access
The business case must answer, at a minimum, the following questions:
• What business needs to be conducted over the modem?
• Why is a City-equipped desktop computer with Internet capability unable to accomplish the same tasks as the proposed modem?
In addition, the requester must be prepared to answer the following supplemental questions related to the security profile of the request:
• Will the machines that are using the modem be physically disconnected from the City’s internal network?
• Where will the modem be placed? An office, cubicle or lab?
• Is dial-in from outside of the City required?
• How many modems are being requested, and how many people will use them?
• How often will the modem be used? Once a week, 2 hours per day, etc.?
• What is the earliest date the modem can be terminated from service? The modem must be removed as soon as it is no longer in use.
• What means will be used to secure the modem from unauthorized use?
• What types of protocols will be run over the modem and analog line?
• Will BTS-approved anti-virus software be installed on the machine(s) using the modem?
The requester should use the Analog Modem Request Form to address these issues and submit the request to the BTS Helpdesk. http://www.portlandonline.com/omf/index.cfm?c=39147
The Chief Technology Officer (CTO) or the Information Security Manager (ISM) will review and rule on all analog modem requests.

Authorized by Ordinance No. 179999 passed by Council March 15, 2006 and effective April 14, 2006.
Revised rule adopted by Chief Administrative Officer of Office of Management and Finance and filed for inclusion in PPD April 17, 2012.