module 03

Security Policies

By

Student's name

Course Name, Year, Term/Quarter, Rasmussen College

Professor’s Name

Deliverable 3: Security Policies

Access Control Policy

1.0 Purpose

The purpose of this policy is to implement policies and procedures ensuring that physical access controls exist so that all cardholder data can be accessed only by authorized personnel.

2.0 Scope

This policy applies to all employees, contractors, consultants, and temporary staff who utilize the IT resources described herein in the course of their assigned job responsibilities.

3.0 Policy

3.1 Facility Access

1. Facility entry controls will be implemented to limit and monitor physical access to systems that process or transmit cardholder data.

2. Physical access to publicly accessible network jacks, wireless access points, gateways, and handheld devices will be restricted.

3.2 Visitors

1. Procedures will exist to help personnel to easily distinguish between employees and visitors in areas where cardholder data is accessible.
2. All visitors will be authorized before entering areas where cardholder data is processed or maintained.
3. All visitors will be given a token, such as a badge or access device, which identifies them as non-employees, and will be required to surrender the device before leaving the facility or on the date of expiration.
4. All visitors to sensitive areas must complete a visitor's log, which will be maintained for a minimum of three months, unless otherwise restricted by law.

3.3 Media Controls

1. All media back-ups will be stored in a secure location, preferably in an offsite facility, such as an alternate or backup site, or a commercial storage facility.
2. All paper and electronic media (including computers, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data will be physically secured.
3. Strict control will be maintained over the internal and external distribution of any kind of media that contains cardholder data, such that the media is identified as confidential, and will only be sent by secured and traceable courier.
4. Management will approve in advance any and all media being moved from a secured area.
5. Strict control will be maintained over the storage and accessibility of media that contains cardholder data, such that it is inventoried, securely stored, and protected by a password.
6. Media containing cardholder data will be destroyed when it is no longer needed for business or legal reasons. The means of destruction will be cross-cut shredding, incineration or pulping of hardcopy materials. Electronic data will be destroyed using a method (purge, degauss, or shred) which ensures that cardholder data cannot be reconstructed.

3.4 Individual Access

1. All systems and applications which store critical information will require a unique user name for all users.

2. All unique user names will require a password, token device, or biometrics to authenticate the user.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Term Definition

N/A

6.0 References

7.0 Revision History

Initial effective date:

Acceptable Encryption Policy

1.0 Purpose

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

2.0 Scope

This policy applies to all employees and affiliates.

3.0 Policy

Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Sockets Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. [Company Name]'s key length requirements will be reviewed annually and upgraded as technology allows.

The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by InfoSec. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.

Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.

Asymmetric Cryptosystem: A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).

6.0 Revision History

Audit Vulnerability Scan Policy

1.0 Purpose

The purpose of this agreement is to set forth our agreement regarding network security scanning offered by the [Audit Organization] to [Company Name]. [Audit Organization] shall utilize [Scanning Software] to perform electronic scans of Client's networks and/or firewalls or on any system at [Company Name].

Audits may be conducted to:
· Ensure integrity, confidentiality and availability of information and resources
· Investigate possible security incidents and ensure conformance to security policies
· Monitor user or system activity where appropriate.

2.0 Scope

This policy covers all computer and communication devices owned or operated by [Company Name]. This policy also covers any computer and communications devices that are present on [Company Name] premises, but which may not be owned or operated by [Company Name]. The [Audit Organization] will not perform Denial of Service activities.

3.0 Policy

When requested, and for the purpose of performing an audit, consent to the access needed will be provided to members of [Audit Organization]. [Company Name] hereby provides its consent to allow [Audit Organization] to access its networks and/or firewalls to the extent necessary to allow [Audit Organization] to perform the scans authorized in this agreement. [Company Name] shall provide protocols, addressing information, and network connections sufficient for [Audit Organization] to utilize the software to perform network scanning.

This access may include:
· User level and/or system level access to any computing or communications device
· Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on equipment or premises
· Access to work areas (labs, offices, cubicles, storage areas, etc.)
· Access to interactively monitor and log traffic on networks.

3.1 Network Control.

If Client does not control their network and/or Internet service is provided via a second or third party, these parties are required to approve scanning in writing if scanning is to occur outside of the LAN. By signing this agreement, all involved parties acknowledge that they authorize [Audit Organization] to use their service networks as a gateway for the conduct of these tests during the dates and times specified.

3.2 Service Degradation and/or Interruption. Network performance and/or availability may be affected by the network scanning. [Company Name] releases [Audit Organization] of any and all liability for damages that may arise from network availability restrictions caused by the network scanning, unless such damages are the result of [Audit Organization]'s gross negligence or intentional misconduct.

3.3 Client Point of Contact During the Scanning Period. [Company Name] shall identify in writing a person to be available if the [Audit Organization] Scanning Team has questions regarding data discovered or requires assistance.

3.4 Scanning Period. [Company Name] and the [Audit Organization] Scanning Team shall identify in writing the allowable dates for the scan to take place.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Revision History

Email Use Policy

1.0 Purpose

To prevent tarnishing the public image of [Company Name]. When email goes out from [Company Name], the general public will tend to view that message as an official policy statement from [Company Name].

2.0 Scope

This policy covers appropriate use of any email sent from a [Company Name] email address and applies to all employees, vendors, and agents operating on behalf of [Company Name].

3.0 Policy

3.1 Prohibited Use. The [Company Name] email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any [Company Name] employee should report the matter to their supervisor immediately.

3.2 Personal Use.

Using a reasonable amount of [Company Name] resources for personal emails is acceptable, but non-work-related email shall be saved in a separate folder from work-related email. Sending chain letters or joke emails from a [Company Name] email account is prohibited. Virus or other malware warnings and mass mailings from [Company Name] shall be approved by the VP of Operations before sending. These restrictions also apply to the forwarding of mail received by a [Company Name] employee.

3.3 Monitoring

[Company Name] employees shall have no expectation of privacy in anything they store, send or receive on the company's email system. [Company Name] may monitor messages without prior notice. [Company Name] is not obliged to monitor email messages.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Email: The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.

Forwarded email: Email resent from an internal network to an outside point.

Chain email or letter: Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.

Sensitive information: Information is considered sensitive if it can be damaging to [Company Name] or its customers' reputation or market standing.

Virus warning: Email containing warnings about viruses or malware. The overwhelming majority of these emails turn out to be hoaxes and contain bogus information, usually intended only to frighten or mislead users.

Unauthorized Disclosure: The intentional or unintentional revealing of restricted information to people, both inside and outside [Company Name], who do not have a need to know that information.

6.0 Revision History

Remote Access

Purpose:

The purpose of this policy is to establish an authorized method for controlling mobile computing and storage devices that contain or access information resources at [Company Name].

Background/History:

With advances in computer technology, mobile computing and storage devices have become useful tools to meet the business needs at [Company Name]. These devices are especially susceptible to loss, theft, hacking, and the distribution of malicious software because they are easily portable and can be used anywhere. As mobile computing becomes more widely used, it is necessary to address security to protect information resources at [Company Name].

Persons Affected:

[Company Name] employees, consultants, vendors, contractors, students, and others who use mobile computing and storage devices on the network at [Company Name].

Policy:

It is the policy of [Company Name] that mobile computing and storage devices containing or accessing the information resources at [Company Name] must be approved prior to connecting to the information systems at [Company Name]. This pertains to all devices connecting to the network at [Company Name], regardless of ownership.

Mobile computing and storage devices include, but are not limited to: laptop computers, personal digital assistants (PDAs), plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, modems, handheld wireless devices, wireless networking cards, and any other existing or future mobile computing or storage device, either personally owned or [Company Name] owned, that may connect to or access the information systems at [Company Name]. A risk analysis for each new media type shall be conducted and documented prior to its use or connection to the network at [Company Name] unless the media type has already been approved by the Desktop Standards Committee. The Desktop Standards Committee will maintain a list of approved mobile computing and storage devices.

Mobile computing and storage devices are easily lost or stolen, presenting a high risk of unauthorized access and introduction of malicious software to the network at [Company Name]. These risks must be mitigated to acceptable levels.

Portable computing devices and portable electronic storage media that contain confidential, personal, or sensitive information must use encryption or equally strong measures to protect the data while it is being stored.

Unless written approval has been obtained from the Data Resource Manager and Chief Information Security Officer, databases or portions thereof which reside on the network at [Company Name] shall not be downloaded to mobile computing or storage devices.

Technical personnel and users, which include employees, consultants, vendors, contractors, and students, shall have knowledge of, sign, and adhere to the Computer Use and Information Security Policy Agreement ([Company Name] 350). Compliance with the Remote Access Standards, the Mobile Media Standards, and other applicable policies, procedures, and standards is mandatory.

Procedures:

Minimum Requirements:

· To report lost or stolen mobile computing and storage devices, call the Enterprise Help Desk at xxx-xxx-xxxx. For further procedures on lost or stolen handheld wireless devices, please see the PDA Information and Procedures section.
· The Desktop Standards Committee shall approve all new mobile computing and storage devices that may connect to information systems at [Company Name].
· Any non-departmentally owned device that may connect to the [Company Name] network must first be approved by technical personnel such as those from Desktop Support. Refer to the Mobile Media Standards for detailed information.
· Submit requests for an exception to this policy to the Information Protection Services Office via the Policy Exception Request form (EXEC 205).

Roles and Responsibilities:

Users of mobile computing and storage devices must diligently protect such devices from loss of equipment and disclosure of private information belonging to or maintained by [Company Name], and they must annually complete the [Company Name] 350. Before connecting a mobile computing or storage device to the network at [Company Name], users must ensure it is on the list of approved devices issued by the ISD.

The Enterprise Help Desk must be notified immediately upon detection of a security incident, especially when a mobile device may have been lost or stolen.

The Information Protection Services Office is responsible for the mobile device policy at [Company Name] and shall conduct a risk analysis to document safeguards for each media type to be used on the network or on equipment owned by [Company Name].

The Information Systems Division is responsible for developing procedures for implementing this policy. The Desktop Standards Committee will maintain a list of approved mobile computing and storage devices and will make the list available on the intranet.

Definitions:

CD: A compact disc (sometimes spelled disk) is a small, portable, round medium made of molded polymer (close in size to the floppy disc) for electronically recording, storing, and playing back audio, video, text, and other information in digital form.

DVD: The digital versatile disc stores much more than a CD and is used for playing back or recording movies. The audio quality on a DVD is comparable to that of current audio compact discs. A DVD can also be used as a backup media because of its large storage capacity.

Flash Drive: A plug-and-play portable storage device that uses flash memory and is lightweight enough to attach to a key chain. The computer automatically recognizes the removable drive when the device is plugged into its USB port. A flash drive is also known as a keychain drive, USB drive, or disk-on-key. A keychain drive, which looks very much like an ordinary highlighter marker pen, can be used in place of a floppy disk, Zip drive disk, or CD.

Handheld wireless device: A communication device small enough to be carried in the hand or pocket and is also known as a Personal Digital Assistant (PDA). Various brands are available, and each performs some similar or some distinct functions. It can provide access to other internet services, can be centrally managed via a server, and can be configured for use as a phone or pager. In addition, it can include software for transferring files and for maintaining a built-in address book and personal schedule.

Media Type: For the purpose of this policy, the term “media type” is interchangeable with “mobile device.” Not to be confused with media makes, models, or brands.

Media Type Model: Refers to the brand of media device such as Sony, Treo, or IBM.

Mobile Devices: Mobile media devices include, but are not limited to: PDAs, plug-ins, USB port devices, CDs, DVDs, flash drives, modems, handheld wireless devices, and any other existing or future media device.

Modems: A device that modulates and demodulates information so that two computers can communicate over a phone line, cable line, or wireless connection. The connection talks to the modem, which connects to another modem that in turn talks to the computer on its side of the connection. The two modems talk back and forth until the two computers have no further need of either modem’s translation services.

PDA: The Personal Digital Assistant is also known as a handheld. It is any small mobile hand-held device that provides computing and information storage and retrieval capabilities for personal or business use, often for keeping schedule calendars and address book information handy. Many people use the name of one of the popular PDA products as a generic term, such as Hewlett-Packard’s Palmtop and 3Com’s PalmPilot.

Plug-In: Programs that can easily be installed and used as part of your Web browser. A plug-in application is recognized automatically by the browser, and its function is integrated into the main HTML file that is being presented. Among popular plug-ins is Adobe’s Acrobat, a document presentation and navigation program that provides a view of documents just as they look in the print medium. There are hundreds of plug-in devices.

Wireless Networking Cards: Mobile device for wireless internet connectivity from a laptop. This card allows mobile users the ability to access a secured connection to the internet via a specified vendor.


Removable Media

1.0 Overview

Removable media is a well-known source of malware infections and has been directly tied to the loss of sensitive information in many organizations.

2.0 Purpose

To minimize the risk of loss or exposure of sensitive information maintained by [Company Name] and to reduce the risk of acquiring malware infections on computers operated by [Company Name].

3.0 Scope

This policy covers all computers and servers operating in [Company Name].

4.0 Policy

[Company Name] staff may only use [Company Name] removable media in their work computers. [Company Name] removable media may not be connected to or used in computers that are not owned or leased by [Company Name] without explicit permission of the [Company Name] InfoSec staff. Sensitive information should be stored on removable media only when required in the performance of your assigned duties or when providing information required by other state or federal agencies. When sensitive information is stored on removable media, it must be encrypted in accordance with the Acceptable Encryption Policy: http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.pdf. Exceptions to this policy may be requested on a case-by-case basis via the [Company Name] exception procedures.

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6.0 Definitions

Removable Media: A device or medium that is readable and/or writeable by the end user and is able to be moved from computer to computer without modification to the computer. This includes flash memory devices such as thumb drives, cameras, MP3 players and PDAs; removable hard drives (including hard drive-based MP3 players); optical disks such as CD and DVD disks; floppy disks; and any commercial music and software disks not provided by [Company Name].

Encryption: A procedure used to convert data from its original form to a format that is unreadable and/or unusable to anyone without the tools/information needed to reverse the encryption process.

Sensitive Information: Information which, if made available to unauthorized persons, may adversely affect [Company Name], its programs, or participants served by its programs. Examples include, but are not limited to, personal identifiers and [Company Name] financial information.

Malware: Software of malicious intent/impact such as viruses, worms, and spyware.

7.0 Revision History

Original Issue Date:

***Add in three additional policies***
