PRIVACY POLICY

I.T. Security Policy

“It shall be the responsibility of the I.T. Department to provide adequate protection and confidentiality of all corporate data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorised members of staff, and to ensure the integrity of all data and configuration controls.”

Summary of Main Security Policies

  • Confidentiality of all data is to be maintained through discretionary and mandatory access controls, and wherever possible these access controls should meet with C2 class security functionality.
  • Internet and other external service access is restricted to authorised personnel only.
  • Access to data on all laptop computers is to be secured through encryption or other means, to provide confidentiality of data in the event of loss or theft of equipment.
  • Only authorised and licensed software may be installed, and installation may only be performed by I.T. Department staff.
  • The use of unauthorized software is prohibited. In the event of unauthorized software being discovered it will be removed from the workstation immediately.
  • Data may only be transferred for the purposes determined in the Organization’s data-protection policy.
  • All diskette drives and removable media from external sources must be virus checked before they are used within the Organization.
  • Passwords must consist of a mixture of at least 8 alphanumeric characters, and must be changed every 40 days and must be unique.
  • Workstation configurations may only be changed by I.T. Dept. staff.
  • The physical security of computer equipment will conform to recognized loss prevention guidelines.
  • To prevent the loss of availability of I.T. resources measures must be taken to backup data, applications and the configurations of all workstations.
  • A business continuity plan will be developed and tested on a regular basis.
  • Intruder detection will be implemented where possible. The user account will be locked after 3 incorrect attempts.
  • The I.T. Department will be notified of all employees leaving the Organization’s employment. The I.T. Department will then remove the employees rights to all systems.
  • Network/server supervisor passwords and system supervisor passwords will be stored in a secure location in case of an emergency or disaster, for example a fire safe in the I.T. Department.
  • Auditing will be implemented on all systems to record login attempts/ failures, successful logins and changes made to all systems.
  • I.T. Department staff will not login as root on to UNIX, Linux systems, but will use the su command to obtain root privileges.
  • Use of the admin username on Novell systems and the Administrator username on Windows is to be kept to a minimum.
  • On UNIXand Linux systems, rights to rlogin, ftp, telnet, ssh will be restricted to I.T. Department staff only.
  • Where possible users will not be given access to the UNIX, or Linux shell prompt.
  • Access to the network/servers will be restricted to normal working hours. Users requiring access outside normal working hours must request such access in writing on the forms provided by the I.T. Dept.
  • File systems will have the maximum security implemented that is possible. Where possible users will only be given Read and Filescan rights to directories, files will be flagged as read only to prevent accidental deletion.
  • Servers will be locked in a secure room.
  • Where appropriate the server console feature will be activated.
  • Remote management passwords will be different to the Admin/ Administrator/root password.
  • Users possessing Admin/Administrator/root rights will be limited to trained members of the I.T. Department staff only.
  • Use of the Admin/Administrator/root accounts will be kept to a minimum.
  • Assigning security equivalences that give one user the same access rights as another user will be avoided where possible.
  • Users access to data and applications will be limited by the access control features.
  • Intruder detection and lockout will be enabled.
  • The system auditing facilities will be enabled.
  • Users must logout or lock their workstations when they leave their workstation for any length of time.
  • All unused workstations must be switched off outside working hours.
  • All accounts will be assigned a password of a minimum of 8 characters.
  • Users will change their passwords every 40 days.
  • Unique passwords will be used.
  • The number of grace logins will be limited to 3.
  • The number of concurrent connections will be limited to 1.
  • Network login time restrictions will be enforced preventing users from logging in to the network outside normal working hours.
  • In certain areas users will be restricted to logging in to specified workstations only.

Virus Protection

  • The I.T. Department will have available up to date virus scanning software for the scanning and removal of suspected viruses.
  • Corporate file-servers will be protected with virus scanning software.
  • Workstations will be protected by virus scanning software.
  • All workstation and server anti-virus software will be regularly updated with the latest anti-virus patches by the I.T. Department.
  • No disk that is brought in from outside the Organization is to be used until it has been scanned.
  • All systems will be built from original, clean master copies whose write protection has always been in place. Only original master copies will be used until virus scanning has taken place.
  • All removable media containing executable software (software with .EXE and .COM extensions) will be write protected wherever possible.
  • All demonstrations by vendors will be run on their machines and not the Organization’s.
  • Shareware is not to be used, as shareware is one of the most common infection sources. If it is absolutely necessary to use shareware it must be thoroughly scanned before use.
  • New commercial software will be scanned before it is installed as it occasionally contains viruses.
  • All removable media brought in to the Organization by field engineers or support personnel will be scanned by the IT Department before they are used on site.
  • To enable data to be recovered in the event of a virus outbreak regular backups will be taken by the I.T. Department.
  • Management strongly endorse the Organization’s anti-virus policies and will make the necessary resources available to implement them.
  • Users will be kept informed of current procedures and policies.
  • Users will be notified of virus incidents.
  • Employees will be accountable for any breaches of the Organization’s anti-virus policies.
  • Anti-virus policies and procedures will be reviewed regularly.
  • In the event of a possible virus infection the user must inform the I.T. Department immediately. The I.T. Department will then scan the infected machine and any removable media or other workstations to which the virus may have spread and eradicate it.

Access Control

  • Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.
  • Users requiring access to systems must make a written application on the forms provided by the I.T Department.
  • Where possible no one person will have full rights to any system.
  • The I.T. Department will control network/server passwords and system passwords will be assigned by the system administrator in the end-user department.
  • The system administrator will be responsible for the maintaining the data integrity of the end-user department’s data and for determining end-user access rights.
  • Access to the network/servers and systems will be by individual username and password, or by smartcard and PIN number/biometric.
  • Usernames and passwords must not be shared by users.
  • Usernames and passwords should not be written down.
  • Usernames will consist of initials and surname.
  • All users will have an alphanumeric password of at least 8 characters.
  • Passwords will expire every 40 days and must be unique.

Lan Security

Hubs & Switches

  • LAN equipment, hubs, bridges, repeaters, routers, switches will be kept in secure hub rooms. Hub rooms will be kept locked at all times. Access to hub rooms will be restricted to I.T. Department staff only. Other staff, and contractors requiring access to hub rooms will notify the I.T. Department in advance so that the necessary supervision can be arranged.

Workstations

  • Users must logout of their workstations when they leave their workstation for any length of time. Alternatively Windows worksations may be locked.
  • All unused workstations must be switched off outside working hours.

Wiring

  • All network wiring will be fully documented.
  • All unused network points will be de-activated when not in use.
  • All network cables will be periodically scanned and readings recorded for future reference.
  • Users must not place or store any item on top of network cabling.
  • Redundant cabling schemes will be used where possible.
  • Network/server supervisor passwords and system supervisor passwords will be stored in a secure location in case of an emergency or disaster, for example a fire safe in the I.T. Department.

Monitoring Software

  • The use of LAN analyzer and packet sniffing software is restricted to the I.T. Department.
  • LAN analyzers and packet sniffers will be securely locked up when not in use.
  • Intrusion detection systems will implemented to detect unauthorized access to the network.

Servers

  • All servers will be kept securely under lock and key.
  • Access to the system console and server disk/tape drives will be restricted to authorized I.T. Department staff only.
  • Electrical Security.
  • All servers will be fitted with UPS’s that also condition the power supply.
  • All hubs, bridges, repeaters, routers, switches and other critical network equipment will also be fitted with UPS’s.
  • In the event of a mains power failure, the UPS’s will have sufficient power to keep the network and servers running until the generator takes over.
  • Software will be installed on all servers to implement an orderly shutdown in the event of a total power failure.
  • All UPS’s will be tested periodically.

Inventory Management

  • The I.T. Department will keep a full inventory of all computer equipment and software in use throughout the Company.
  • Computer hardware and software audits will be carried out periodically via the use of a desktop inventory package. These audits will be used to track unauthorized copies of software and unauthorized changes to hardware and software configurations.

Server Specific Security

  • This section applies to Windows, UNIX, Linux and Novell servers.
  • The operating system will be kept up to date and patched on a regular basis.
  • Servers will be checked daily for viruses.
  • Servers will be locked in a secure room.
  • Where appropriate the server console feature will be activated.
  • Remote management passwords will be different to the Admin/ Administrator/root password.
  • Users possessing Admin/Administrator/root rights will be limited to trained members of the I.T. Department staff only.
  • Use of the Admin/Administrator/root accounts will be kept to a minimum.
  • Assigning security equivalences that give one user the same access rights as another user will be avoided where possible.
  • Users access to data and applications will be limited by the access control features.
  • Intruder detection and lockout will be enabled.
  • The system auditing facilities will be enabled.
  • Users must logout or lock their workstations when they leave their workstation for any length of time.
  • All unused workstations must be switched off outside working hours.
  • All accounts will be assigned a password of a minimum of 8 characters.
  • Users will change their passwords every 40 days.
  • Unique passwords will be used.
  • The number of grace logins will be limited to 3.
  • The number of concurrent connections will be limited to 1.
  • Network login time restrictions will be enforced preventing users from logging in to the network outside normal working hours.
  • In certain areas users will be restricted to logging in to specified workstations only.

UNIX & Linux Specific Security

  • Direct root access will be limited to the system console only.
  • I.T. Department staff requiring root access must make use of the su command.
  • Use of the root account will be kept to a minimum.
  • All UNIX and Linux system accounts will be password protected, lp etc.
  • rlogin facilities will be restricted to authorized I.T. Department staff only.
  • ftp facilities will be restricted to authorized I.T. Services staff only.
  • telnet facilities will be restricted to authorized users.
  • ssh facilities will be restricted to authorized users.
  • Users access to data and applications will be limited by the access control features.
  • Users will not have access to the $ prompt.
  • All accounts will be assigned a password of a minimum of 8 characters.
  • Users will change their passwords every 40 days.

WAN Security

  • Wireless LAN’s will make use of the most secure encryption and authentication facilities available. 8.2 Users will not install their own wireless equipment under any circumstances.
  • Dial-in modems will not be used if at all possible. If a modem must be used dial-back modems should be used. A secure VPN tunnel is the preferred option.
  • Modems will not be used by users without first notifying the I.T. Department and obtaining their approval. 8.5. Where dial-in modems are used, the modem will be unplugged from the telephone network and the access software disabled when not in use.
  • Modems will only be used where necessary, in normal circumstances all communications should pass through the Organization’s router and firewall.
  • Where leased lines are used, the associated channel service units will be locked up to prevent access to their monitoring ports.
  • All bridges, routers and gateways will be kept locked up in secure areas.
  • Unnecessary protocols will be removed from routers.
  • ssh facilities will be restricted to authorized users.
  • The preferred method of connection to outside Organizations is by a secure VPN connection, using IPSEC or SSL.
  • All connections made to the Organization’s network by outside Organizations will be logged.

TCP/IP & Internet Security

  • Permanent connections to the Internet will be via the means of a firewall to regulate network traffic.
  • Permanent connections to other external networks, for offsite processing etc., will be via the means of a firewall to regulate network traffic.
  • Where firewalls are used, a dual homed firewall (a device with more than one TCP/IP address) will be the preferred solution.
  • Network equipment will be configured to close inactive sessions.
  • Where modem pools or remote access servers are used, these will be situated on the DMZ or non-secure network side of the firewall.
  • Workstation access to the Internet will be via the Organization’s proxy server and website content scanner.
  • All incoming e-mail will be scanned by the Organization’s e-mail content scanner.


© 2017 Global Infonet Inc.