KFA Standard Documents

Security Guidelines and Privacy Policy

Description: Document outlining the privacy policy for our members and anyone browsing our webpage, as well as our security guidelines.

Document ID: KFA93P02
Maintained by: Bjornar Simonsen
Date: 14 Jun Juche 93 Rev.: 3.00
Document Status: APPROVED
Approved by: Zo Sun IL

Applies to: Everyone

1 Definitions

A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.

1.1 Security Roles

We map the seven roles defined in RFC 2196 to KFA roles as follows:

| RFC2196 role | KFA role |
| --- | --- |
| Site Security Administrator | KFA International Committee |
| Information Technology Technical Staff | KFA International Committee |
| Administrators of large user groups within the organization | KFA Official Delegates |
| Security Incident Response Team | KFA International Committee |
| Representatives of the user groups affected by the security policy | KFA members |
| Responsible Management | KFA President |
| Legal Counsel | does not apply |

 

Security properties of information

Confidentiality - The Confidentiality of the information is defined as the property of ensuring that information is accessible only to those authorised to have access through the prevention of the unauthorised disclosure of sensitive information to unauthorised individuals or organisations.

Integrity - The Integrity of the information is defined as the property of safeguarding the accuracy and completeness of information and processing methods through the prevention of unauthorised modifications to information, the accuracy of which is relied upon.

Availability - The Availability of the information is defined as the property of ensuring that authorised users have access to information and associated assets when required and the prevention of unauthorised withholding of information or resources.

2. Security Guidelines

2.1 Anonymity

The KFA lets every member who posts to the Forum check a checkbox to send a message anonymously.

2.2 Privacy

See section 3

2.3 Authentication

We provide a password for each member to uniquely identify each member's access to our Forum.

2.4 Communication

We communicate with our members via e-mail or via the Forum (least expensive). Due to computer security issues, however, we must ask users to remain vigilant about security threats on the internet, specifically computer viruses, insecure network environments (internet cafes), and other security risks. When possible, we recommend using encryption via https:// (i.e. SSL) when reading e-mail. [Note: for korea-dpr.com mail users this is not yet possible until we change servers in the next few weeks.]

For special needs, we provide support for our members to assist them in keeping their PC free from viruses and getting things to work. For questions, ask support@korea-dpr.com.

2.5 Security Rules - Note: These rules are mostly written for KFA Official Delegates and Administrators, but may also apply to members

2.5.1 Passwords are personal - never give away your password to someone else

2.5.2 Passwords must not be written down, but should be memorized.

2.5.3 Do not send confidential information via e-mail by using the "Reply to All" button or "Forward" button.

2.5.4 Do not post confidential information on the Forum.

2.5.5 Confidential information is defined as: Personal information about yourself or another member.

2.5.6 Never give out information about other members, not even to other KFA members.

2.5.7 If you are unsure about granting access or giving out sensitive information, just say no. Report all strange events to korea@korea-dpr.com. Better say no one time too many than one time too few.

2.5.8 Our most important objective is to protect the identity and private information of our members who support the DPRK or who want to learn about the DPRK, regardless of nationality or political position.

3. Privacy Policy

The korea-dpr.com domain is a government system of the Democratic People's Republic of Korea, operated by the Korean Friendship Association.

When you look at this web site, our server makes a record of your visit and logs the following information for statistical purposes – the user's server address, the user's top-level domain name (for example .com, .org, .net and so forth), the date and time of the visit to the site, the pages accessed and documents downloaded, the previous site visited, and the type of browser used. No attempt will be made to identify users or their browsing activities, except that in the unlikely event of a security or other investigation we may inspect the logs or have a law enforcement agency inspect them.

We will only record your e-mail address if you send us a message. It will only be used for the purpose for which you have provided it and will not be added to a mailing list unless supplied for that reason. We will not use your e-mail address for any other purpose, and will not disclose it, without your consent. KFA members will automatically be added to our mailing list, which is very low traffic (approx 10-20 messages each year).

You should note, however, that there are risks associated with using the Internet as a transmission medium: when you send information over the Internet, it might be possible for other people to see what you are sending. If this is of concern to you, then you should use other methods of communication.

We respect the privacy of any individual. When accessing the KFA Forum, we store a "Cookie" on your computer which is used for tracking your visits to our forum. All access to the Forum, including to our webpage, is logged by your IP address and browser details. Any information we collect about you is kept strictly confidential.

Each KFA member has the possibility of sending anonymous messages to the forum by checking the checkbox "Anonymous" which keeps the Forum from displaying the real name of the person posting the article.

Users residing in South Korea should be aware of the risks imposed by the National Security Law that bans any contact or interaction with DPRK related sites.

4 Document Classifications

A classification level must be assigned to information when that information is determined to be sensitive or confidential. A classification level indicates the relative importance of classified information to KFA Security and thereby determines the specific security requirements applicable to that information.

CONFIDENTIAL EYES ONLY shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause grave damage to the privacy of KFA members or the disruption of services running on the korea-dpr.com webserver. Any electronic message or e-mail containing this level of classification must be destroyed or deleted after reading, and it may not be forwarded or printed. A typical example is username and password combinations.

SENSITIVE shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to an individual person's reputation, or expose a member's private or real name, address, phone number or other privileged information. Such information must be stored safely during the processing of that particular information about members or staff, or internal organization security. All documents carrying this level of classification must be stored safely until no longer needed, and destroyed after use. This classification is used on our membership database and mailing list, including the administration system used by each OD. Any mail sent by a KFA Official to another KFA Official containing information about members' private details automatically receives the classification of SENSITIVE, even if such classification is not given.

CONFIDENTIAL <PERSON> or <GROUP> shall be applied to information, the unauthorized disclosure of which reasonably could be expected to result in damage to the KFA or its members, where the intended recipient(s) of the message are limited, for example CONFIDENTIAL KFA PRESIDENT or CONFIDENTIAL OD ONLY.

INTERNAL shall be applied to information that should be kept internally in the organization, particularly for situations when information needs to be verified by official sources before releasing it to the public.

PUBLIC / FOR IMMEDIATE RELEASE can be applied to information that is intended for release to the press, public, or otherwise, that contains news or public announcements, and which does not contain any private information about our members or anything that could disrupt the operation of the korea-dpr.com webserver or affect the security of our organization. The information released must also be confirmed to be official by at least one trusted official source (for example the KCNA). Note: this classification is sometimes not printed on the document.

The goal of document classification is to provide security, integrity and confidentiality for member information and for the flow of information released by DPRK official news sources, as well as internal organizational security.

5 Reporting abuse

Any abuses should be reported to abuse@korea-dpr.com.

6 Revision History

This document was first created 12.06.Juche 93 (Draft)
Revised second time 14 Jun Juche 93 (approved)
Revised third time 11 April Juche 94 (revised)

 




Copyleft Juche 93, Korean Friendship Association