IT SECURITY POLICY

Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  

1. POLICY STATEMENT

“It shall be the responsibility of the I.T. Department to provide adequate protection and confidentiality of all corporate data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorized members of staff, and to ensure the integrity of all data and configuration controls.”

Summary of Main Security Policies

1.1. Confidentiality of all data is to be maintained through discretionary and mandatory access controls, and wherever possible these access controls should meet with C2 class security functionality.

1.2. Internet and other external service access is restricted to authorized personnel only.

1.3. Access to data on all laptop computers is to be secured through encryption or other means, to provide confidentiality of data in the event of loss or theft of equipment.

1.4. Only authorized and licensed software may be installed, and installation may only be performed by I.T. Department staff.

1.5. The use of unauthorized software is prohibited. If the event of unauthorized software being discovered it will be removed from the workstation immediately.

1.6. Data may only be transferred for the purposes determined in the Organization’s data-protection policy.

1.7. All diskette drives and removable media from external sources must be virus checked before they are used within the Organization.

1.8. Passwords must consist of a mixture of at least 8 alphanumeric characters, and must be changed every 30 days and must be unique.

1.9. Workstation configurations may only be changed by I.T. Department staff.

1.10. The physical security of computer equipment will conform to recognized loss prevention guidelines.

1.11. To prevent the loss of availability of I.T. resources measures must be taken to backup data, applications and the configurations of all workstations.

1.12 A business continuity plan will be developed and tested on a regular basis.

2. VIRUS PROTECTION

2.1. The I.T. Department will have available up to date virus scanning software for   the scanning and removal of suspected viruses.

2.2. Corporate file-servers will be protected with virus scanning software.

2.3. Workstations will be protected by virus scanning software.

2.4. All workstation and server anti-virus software will be regularly updated with the latest anti-virus patches by the I.T. Department.

2.5. No disk that is brought in from outside the Organization is to be used until it has been scanned.

2.6. All systems will be built from original, clean master copies whose write protection has always been in place. Only original master copies will be used until virus scanning has taken place.

2.7. All removable media containing executable software (software with .EXE and .COM extensions) will be write protected wherever possible.

2.8. Shareware is not to be used, as shareware is one of the most common infection sources. If it is absolutely necessary to use shareware it must be thoroughly scanned before use.

2.9. New software will be scanned before it is installed as it occasionally contains viruses.

2.10. All removable media brought in to the Organization will be scanned by the IT Department before they are used.

2.11. To enable data to be recovered in the event of a virus outbreak regular backup will be taken by the I.T. Department.

2.12. Management strongly endorses the Organization’s anti-virus policies and will make the necessary resources available to implement them.

2.13. Users will be kept informed of current procedures and policies.

2.14. Users will be notified of virus incidents.

2.15. Employees will be accountable for any breaches of the Organization’s anti-virus policies.

2.16. Anti-virus policies and procedures will be reviewed regularly.

2.17. In the event of a possible virus infection the user must inform the I.T. Department immediately. The I.T. Department will then scan the infected machine and any removable media or other workstations to which the virus may have spread and eradicate it.

3. PHYSICAL SECURITY OF COMPUTER EQUIPMENT

Physical Security of computer equipment will comply with the guidelines as detailed below.

3.1. DEFINITIONS

3.1.1. AREA

Two or more adjacent linked rooms which, for security purposes, cannot be adequately segregated in physical terms.

3.1.2. COMPUTER SUITE

Mainframe, fileserver plus all inter-connected wiring, fixed disks, telecommunication equipment, ancillary, peripheral and terminal equipment linked into the mainframe, contained within a purpose built computer suite.

3.1.3. COMPUTER EQUIPMENT

All computer equipment not contained within the COMPUTER SUITE which will include PC’s, monitors, printers, disk drives, modems and associated and peripheral equipment.

3.1.4. HIGH RISK SITUATION(S)

This refers to any room or AREA which is accessible

  • • At ground floor level

• At first floor level, but accessible from adjoining roof

• At any level via external fire escapes or other features providing access

• Rooms in remote, concealed or hidden areas

3.1.5. LOCKDOWN DEVICE(S)

A combination of two metal plates, one for fixing to furniture, or the building structure, and the other for restraining the equipment which is immobilized when the two plates are locked together. The plate for restraining the equipment should incorporate an enclosure or other mechanism which will hinder unauthorized removal of the outer PC casing and render access to internal components difficult.

3.1.6.APPROVED

Approved Security System.

3.1.7. PERSONAL COMPUTERS (PC’s)

Individual computer units with their own internal processing and storage capabilities.

3.2. CATEGORIES OF RISK

3.2.1. SECURITY LEVEL 1: the security measures detailed in Level 1 are guidelines for all COMPUTER EQUIPMENT not described below.

3.2.2. SECURITY LEVEL 2: these guidelines apply where a single room or AREA contains PC’s where the total replacement value of this hardware is LESS than 20,000 per room or AREA.

3.2.3. SECURITY LEVEL 3: these guidelines apply where a single room or AREA contains PC’s where the total replacement value of this hardware is between 20,000 and 50,000 per room or AREA.

3.2.4. SECURITY LEVEL 4: these guidelines apply where a single room or AREA contains PC’s where the total replacement value of this hardware is in excess of 50,000 per room or AREA.

3.2.5. COMPUTER SUITE

These guidelines apply to the location or room comprising the purpose built

Computer suite.

3.3. REQUIRED PHYSICAL SECURITY

The table below summarizes the required features for each Security Level.

Security Level
NoSecurity Features1234
1Security Markingxxxx
2Locking of PC casesxxxx
3Sating of computers away from windowsxxxx
4HIGH RISK SITUATION window locksxxxN/A
5Blinds for observable windowsxxxx
6If no intruder alarm, all PC’s and COMPUTER EQUIPMENT have a LOCKDOWN DEVICExxN/AN/A
7Intruder alarm installed by APPROVED Company xxx
8Protection of signal transmission to Alarm Receiving Centre xN/AN/A
9Assessment of location of intruder alarm protection xxx
10Walk test of movement detectors xxx
11Check that movement detectors are not obscured xN/AN/A
12Anti-masking intruder alarm sensors in room or AREA  xN/A
13Break glass alarm sensors  xx
14Individual alarm zoning of the room or AREA  xN/A
15Improved protection of signal transmission to Alarm Receiving Centre  xN/A
16Minimum room or AREA construction  xN/A
17Door specification for entry to room or AREA  xx
18Anti-masking intruder alarm sensors in room and access routes   x
19Alarm shunt lock on door   x
20Visual or audio alarm confirmation   x
21Superior protection of alarm signal transmission   x
22Improved room or AREA construction   x
23All external opening windows to have locks   x
24HIGH RISK SITUATION windows to have shutters/bars   x

Where an entry is shown as N/A (not applicable) this is due to a higher specification being required thereby removing the necessity for the lower security feature.

3.3.1. Security Marking

All computer hardware should be prominently security marked by branding or etching with the name of the establishment and area postcode. Advisory signs informing that all property has been security marked should be prominently displayed externally. The following are considered inferior methods of security marking; text comprised solely of initials or abbreviations, marking by paint or ultra violet ink (indelible or otherwise), or adhesive labels that do not include an etching facility.

3.3.2. Locking of PC cases

PC’s fitted with locking cases will be kept locked at all times.

3.3.3. Sating of Computers

Wherever possible, COMPUTER EQUIPMENT should be kept at least 1.5 meters away from external windows in HIGH RISK SITUATIONS.

3.3.4. Opening Windows

All opening windows on external elevations in HIGH RISK SITUATIONS should be fitted with key operated locks.

3.3.5. Blinds

All external windows to rooms containing COMPUTER EQUIPMENT at ground floor level or otherwise visible to the public should be fitted with window blinds or obscure filming.

3.3.6. Lockdown Devices

For any item of COMPUTER EQUIPMENT which is not directly covered by an intruder alarm, the processing unit should have a LOCKDOWN DEVICE fitted to the workstation.

LOCKDOWN DEVICES should conform to loss prevention standards. Mobile workstations are unlikely to be suitable for these devices.

When it is impossible or undesirable to anchor hardware, such equipment can be moved to a security store or cabinet outside normal hours of occupation.

3.3.7. Intruder Alarm

An intruder alarm incorporating the following features should be installed.

Installation, maintenance and monitoring by an APPROVED company.

3.3.8. Location of Intruder Alarms

Detection devices should be located within the room or AREA and elsewhere in the premises to ensure that unauthorized access to the room or AREA is not possible without detection. This should include an assessment as to whether access is possible via external elevations, doors, windows and roof lights.

3.3.9. Walk test

A walk test of movement detectors should be undertaken on a regular basis in order to ensure that all PC’s are located within the alarm-protected area. This is necessary due to the possible ongoing changes in the position of

            furniture, screens and partitions, which may seriously impede the field of

            cover provided by existing detection devices.

For any PC which is not directly covered by an intruder alarm, the processing unit should have a LOCKDOWN DEVICE.

3.3.10. Check Detectors

Maintenance Managers should ensure, as part of their normal duties at locking up time, that internal space detectors have not been individually obscured or had their field of vision restricted.

3.3.11. Anti-Masking Intruder Alarm

Anti-masking intruder alarm movement sensors are recommended to immediately detect a movement within the room or AREA.

3.3.12. Break Glass Alarm Sensors

Break Glass alarm sensors to detect forced entry through external windows of the room or AREA are recommended.

3.3.13. Alarm Zoning

The ability to zone the intruder alarm from the main control panel should be provided to enable authorized usage of other areas of the building outside normal hours, whilst retaining alarm detection within the room or AREA.

3.3.14. Improved Protection of Signal Transmission

Unless telephone wires directly enter the protected premises underground, signaling to the Alarm Receiving Centre should be by monitored direct line.

3.3.15. AREA Construction

Partitions separating the room or AREA from adjoining rooms and corridors should be a minimum of 100mm solid non lightweight block work or brickwork devoid of glazing or other openings except for protected doors as defined below. If glazing is essential for lighting or other purposes, it should be upgraded by being supplemented internally with 1.5mm mesh, security shutters or bars or supplemented with 7.5mm laminated glass.

3.3.16. Intruder Alarm Sensors on Access Routes

Anti-masking intruder alarm movement sensors are recommended to immediately detect a movement within the room of AREA and any internal corridors or rooms giving access to the room or AREA.

3.3.17. Alarm Confirmation

Visual or audio alarm confirmation should be provided at the monitoring facility for all conventional detection within the room or AREA.

3.3.18. External Windows to Have Locks

All opening windows within the perimeter of the room or AREA should be fitted with key-operated window locks.

3.3.19. HIGH RISK SITUATIONS

Where the room or AREA is classified as being in a HIGH RISK SITUATION the following additional protection should be provided.

Windows to external elevations should be fitted with security shutters or bars instead of locks.

Any door in the external elevation should be provided with a security shutter where practical. Considerations should be given to replacement of fire exit doors which cannot be secured in this fashion, and any other doors designated as fire escapes by the Fire Prevention Officer, with proprietary security doors and frames fitted with a four point locking bolt and an alarm vibration sensor.

3.4. COMPUTER SUITE

3.4.1. The computer suite should be housed in a purpose built room.

3.4.2. Partitions separating the room or AREA from adjoining rooms and corridors should be a minimum of 150mm solid non lightweight block work or brickwork devoid of glazing or other openings except for protected doors as defined below. Where glazing is essential for lighting or other purposes this should be protected by bars.

3.4.3. Secure doors giving access to the room or AREA, from within the building, should be solid timber at least 45mm thick and unglazed. The locking should be by 2 mortise deadlocks with registered keys, a micro switch being available for an alarm shunt lock. Door fittings should comprise 3 hinges, supplemented by 2 hinge bolts if outward opening doors.

 3.4.4. The computer suite should contain an adequate air conditioning system to provide a stable operating environment to reduce the risk of system crashes due to component failure.

3.4.5. No water, rain water or drainage pipes should run within or above the computer suite to reduce the risk of flooding.

3.4.6. The floor within the computer suite should be a raised false floor to allow computer cables to run beneath the floor and reduce the risk of damage to computer equipment in the case of flooding.

3.4.7. Power points should be raised from the floor to allow the smooth shutdown of computer systems in case of flooding.

3.4.8. Where possible generator power should provided to the computer suite to help protect the computer systems in the case of a mains power failure.

3.4.9. Access to the computer suite is restricted to IT Department staff.

3.4.10. All contractors working within the computer suite are to be supervised at all times and the It Department is to be notified of their presence and provided with details of all work to be carried out, at least 48 hours in advance of its commencement.

4. ACCESS CONTROL

4.1. Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.

4.2. Users requiring access to systems must make a written application on the forms provided by the I.T Department.

4.3. Where possible no one person will have full rights to any system. The I.T. Department will control network/server passwords and system passwords will be assigned by the system administrator in the end-user department.

The system administrator will be responsible for the maintaining the data integrity of the end-user department’s data and for determining end-user access rights.

4.4. Access to the network/servers and systems will be by individual username and password or by smartcard and PIN number/biometric.

4.5. Usernames and passwords must not be shared by users.

4.6. Usernames and passwords should not be written down.

4.7. Usernames will consist of initials and surname.

4.8. All users will have an alphanumeric password of at least 8 characters.

4.9. Passwords will expire every 40 days and must be unique.

4.10. Intruder detection will be implemented where possible. The user account will be locked after 3 incorrect attempts.

4.11. The I.T. Department will be notified of all employees leaving the Organization’s employment. The I.T. Department will then remove the employee’s rights to all systems.

4.12. Network/server supervisor passwords and system supervisor passwords will be stored in a secure location in case of an emergency or disaster, for example a fire safe in the I.T. Department.

4.13. Auditing will be implemented on all systems to record login attempts/failures, successful logins and changes made to all systems.

4.14. Use of the admin username on Novell systems and the Administrator username on Windows is to be kept to a minimum.

4.15. Default passwords on systems such as Oracle and SQLServer will be changed after installation.

4.16. On UNIX and Linux systems, rights to rlogin, ftp, telnet, ssh will be restricted to I.T. Department staff only.

4.17. Access to the network/servers will be restricted to normal working hours. Users requiring access outside normal working hours must request such access in writing on the forms provided by the I.T. Department.

4.18. File systems will have the maximum security implemented that is possible. Where possible users will only be given Read and File scan rights to directories, files will be flagged as read only to prevent accidental deletion.

5. LAN Security

Hubs & Switches

5.1. LAN equipment, hubs, bridges, repeaters, routers, switches will be kept in secure hub rooms. Hub rooms will be kept locked at all times. Access to hub rooms will be restricted to I.T. Department staff only. Other staff and contractors requiring access to hub rooms will notify the I.T. Department in advance so that the necessary supervision can be arranged.

Workstations

5.2. Users must logout of their workstations when they leave their workstation for any length of time. Alternatively Windows workstations may be locked.

5.3. All unused workstations must be switched off outside working hours.

Wiring

5.4. All network wiring will be fully documented.

5.5. All unused network points will be de-activated when not in use.

5.6. All network cables will be periodically scanned and readings recorded for future reference.

5.7. Users must not place or store any item on top of network cabling.

5.8. Redundant cabling schemes will be used where possible.

Monitoring Software

5.9. The use of LAN analyzer and packet sniffing software is restricted to the I.T. Department.

5.10. LAN analyzers and packet snuffers will be securely locked up when not in use.

5.11 Intrusion detection systems will implemented to detect unauthorized access to the network

Servers

5.12. All servers will be kept securely under lock and key.

5.13. Access to the system console and server disk/tape drives will be restricted to authorized I.T. Department staff only.

Electrical Security

5.14. All servers will be fitted with UPS’s that also condition the power supply.

5.15. All hubs, bridges, repeaters, routers, switches and other critical network equipment will also be fitted with UPS’s.

5.16. In the event of a mains power failure, the UPS’s will have sufficient power to keep the network and servers running until the generator take over.

5.17. Software will be installed on all servers to implement an orderly shutdown in the event of a total power failure.

5.18. All UPS’s will be tested periodically.

Inventory Management

5.19. The I.T. Department will keep a full inventory of all computer equipment and software in use throughout the Company.

5.20. Computer hardware and software audits will be carried out periodically via the use of a desktop inventory package. These audits will be used to track unauthorized copies of software and unauthorized changes to hardware and software configurations.

6. Server Specific Security

6.1. The operating system will be kept up to date and patched on a regular basis.

6.2. Servers will be checked daily for viruses.

6.3. Servers will be locked in a secure room.

6.4. Where appropriate the server console feature will be activated.

6.5. Remote management passwords will be different to the Admin/Administrator/root password.

6.6. Users possessing Admin/Administrator/root rights will be limited to trained members of the I.T. Department staff only.

6.7. Use of the Admin/Administrator/root accounts will be kept to a minimum.

6.8. Assigning security equivalences that give one user the same access rights as another user will be avoided where possible.

6.9. Users access to data and applications will be limited by the access control features.

6.10. Intruder detection and lockout will be enabled.

6.11. The system auditing facilities will be enabled.

6.12. Users must logout or lock their workstations when they leave their workstation for any length of time.

6.13. All unused workstations must be switched off outside working hours.

6.14. All accounts will be assigned a password of a minimum of 8 characters.

6.15. Users will change their passwords every 40 days.

6.16. Unique passwords will be used.

6.17. The number of grace logins will be limited to 3.

6.18. The number of concurrent connections will be limited to 1.

6.19. Network login time restrictions will be enforced preventing users from logging in to the network outside normal working hours.

6.20. In certain areas users will be restricted to logging in to specified workstations only.

7. Wide Area Network Security

7.1. Wireless LAN’s will make use of the most secure encryption and authentication facilities available.

7.2 Users will not install their own wireless equipment under any circumstances.

7.3. Dial-in modems will not be used if at all possible. If a modem must be used dial-back modems should be used. A secure VPN tunnel is the preferred option.

7.4. Modems will not be used by users without first notifying the I.T. Department and obtaining their approval.

7.5. Where dial-in modems are used, the modem will be unplugged from the telephone network and the access software disabled when not in use.

7.6 Modems will only be used where necessary, in normal circumstances all communications should pass through the Organization’s router and firewall.

7.7. Where leased lines are used, the associated channel service units will be locked up to prevent access to their monitoring ports.

7.8. All bridges, routers and gateways will be kept locked up in secure areas.

7.9. Unnecessary protocols will be removed from routers.

7.10 The preferred method of connection to outside Organizations is by a secure VPN connection.

7.11. All connections made to the Organization’s network by outside organizations will be logged.

8. TCP/IP & Internet Security

8.1. Permanent connections to the Internet will be via the means of a firewall to regulate network traffic.

8.2. Permanent connections to other external networks, for offsite processing etc., will be via the means of a firewall to regulate network traffic.

8.3. Where firewalls are used, a dual homed firewall (a device with more than one TCP/IP address) will be the preferred solution.

8.4. Network equipment will be configured to close inactive sessions.

8.5. Where modem pools or remote access servers are used, these will be situated on the non-secure network side of the firewall.

8.6. Workstation access to the Internet will be via the Organization’s proxy server and website content scanner.

  • 8.7 All incoming e-mail will be scanned by the Organization’s e-mail content scanner.

9. Voice System Security

9.1. The maintenance port on the PBX will be protected with a secure password.

9.2. Call accounting will be used to monitor access to the maintenance port and abnormal call patterns.

9.3. Internal and external call forwarding privileges will be separated, to prevent inbound calls being forwarded to an outside line.

9.4. The operator will endeavor to ensure that an outside call is not transferred to an outside line.

9.5 Use will be made of multilevel passwords and access authentication where available on the PBX.

9.6. Voice mail accounts will use a password with a minimum length of six digits.

9.7. The voice mail password should never match the last six digits of the phone number.

9.8. The caller to a voice mail account will be locked out after three attempts at password validation.

9.9. Dialing calling party pays numbers will be prevented.

9.10. Telephone bills will be checked carefully to identify any misuse of the telephone system.

10. Glossary

Access ControlThe process of limiting access to the resources of a system only to authorized programs, processes, or other systems.
Audit TrailA chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to final results.
AuthenticateTo verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
AuthorizationThe granting of access rights to a user, program, or process.
C2 SecurityAmerican security classification generally accepted world-wide, classifying the level of security provided.
CEProducts which meet the essential requirements of European Community directives for safety and protection carry this mark. Products which carry the CE mark may be sold anywhere in the community.
Discretionary Access ControlA means of restricting access to objects based upon the identity and need to know of the user, process, and/or groups to which they belong.
File SecurityThe means by which access to computer files is limited to authorized users only.
FirewallA device and/or software that prevents unauthorized and improper transit of access and information from one network to another.
FtpFile transfer protocol. Protocol that allows files to be transferred using TCP/IP.
HubNetwork device for repeating network packets of information around the network.
IdentificationThe process that enables recognition of an entity by a system, generally by the use of unique machine-readable user names.
InternetWorld wide information service, consisting of computers around the globe linked together by telephone cables.
LAN AnalyzerDevice for monitoring and analyzing network traffic. Typically used to monitor network traffic levels. Sophisticated analyzers can decode network packets to see what information has been sent.
LaptopSmall portable computer.
Mandatory Access ControlA means of restricting access to objects based upon the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity.
ModemDevice which allows a computer to send data down the telephone network.
PasswordA protected, private character string used to authenticate an identity.
PBXPrivate branch exchange – small telephone exchange used internally within an organization.
RloginRemote login. Protocol that allows a remote host to login to a UNIX host without using a password.
SharewareSoftware for which there is no charge, but a registration fee is payable if the user decides to use the software. Often downloaded from the Internet or available from PC magazines. Normally not that very well written and often adversely effects other software.
TelnetProtocol that allows a device to login in to a UNIX host using a terminal session.
UPSUninterruptible power supply. Device containing batteries that protects electrical equipment from surges in the mains power and acts as a temporary source of power in the event of a mains failure.
UsernameA unique symbol or character string that is used by a system to identify a specific user.
VirusComputer software that replicates itself and often corrupts computer programs and data.
Voice MailFacility which allows callers to leave voice messages for
People who are not able to answer their phone. The voice messages can be played back at a later time.

38 thoughts on “IT SECURITY POLICY

  1. I do believe all the ideas youve presented for your post They are really convincing and will certainly work Nonetheless the posts are too short for novices May just you please lengthen them a little from subsequent time Thanks for the post

Leave a Reply

Your email address will not be published. Required fields are marked *

Get 30% off your first purchase

X
error: Content is protected !!