This document explains the City’s analog modem acceptable use and approval rules and procedures. This policy covers the use of modems that are to be connected to City computing devices.
This rule covers only those modems that are connected to a device inside City facilities.
There are two important scenarios that involve modem misuse which we attempt to guard against through this policy. The first is an outside attacker who calls a set of phone numbers in the hope of connecting to a device which has a modem attached to it. If the modem answers from inside City premises, then there is the possibility of breaching the City’s internal network through that computer. At the very least, information that is held on that device can be compromised. This potentially results in the loss of sensitive City information.
The second scenario is the threat of anyone with physical access into a City facility being able to use a modem-equipped device. In this case, the intruder would be able to connect to the trusted networks of the City through the device’s Ethernet connection, and then call out to an unmonitored site using the modem, with the ability to siphon City information to an unknown location. This could also potentially result in the substantial loss of sensitive information.
All requests for analog communication access – into or exiting from City networks – require preapproval from the Chief Technology Officer or Information Security Manager.
Requesting a Modem Connection
Once approved by a Bureau Director, the individual requesting a modem connection must provide the following information:
- A clearly detailed business case of why other secure connections available at the City cannot be used
- The business purpose for which the modem is to be used
- The software and hardware to be connected to the analog phone line and used across the line
- To what external connections the requester is seeking access.
The business case must answer, at a minimum, the following questions:
- What business needs to be conducted over the modem?
- Why is a City-equipped desktop computer with Internet capability unable to accomplish the same tasks as the proposed modem?
In addition, the requester must be prepared to answer the following supplemental questions related to the security profile of the request:
- Will the machines that are using the modem be physically disconnected from City’s internal network?
- Where will the modem be placed? An office, cubicle or lab?
- Is dial-in from outside of the City required?
- How many modems are being requested, and how many people will use them?
- How often will the modem be used? Once a week, 2 hours per day, etc.?
- What is the earliest date the modem can be terminated from service? The modem must be removed as soon as it is no longer in use.
- What means will be used to secure the modem from unauthorized use?
- What types of protocols will be run over the modem and analog line?
BTS will install approved anti-virus software on the machine(s) using the modem.
The requester should submit a service request to the BTS Helpdesk. Guidance and resources are available: http://www.portlandoregon.gov/bts/60533
The Chief Technology Officer (CTO) or the Information Security Manager (ISM) will review and rule on all analog modem requests.
Revised rule adopted by the Chief Administrative Officer of the Office of Management and Finance and filed for inclusion in PPD October 29, 2015.