2
Security Policies
Security Policies
By
Students name
Course Name_ year_ term quarter Rasmussen College
Professor’s Name
Deliverable 3: Security Policies
Access Control Policy
1.0 Purpose
The purpose is to implement policies and procedures to ensure that physical access controls exist that ensure that all cardholder data can only be accessed by authorized personnel.
2.0 Scope
This policy applies to all
3.0 Policy
3.1 Facility Access
1. Facility entry controls will be implemented to limit and monitor physical access to systems that process or transmit cardholder data.
2. Physical access to publicly accessible network jacks, wireless access points, gateways, and handheld devices will be restricted.
3.2 Visitors
1. Procedures will exist to help personnel to easily distinguish between employees and visitors in areas where cardholder data is accessible.
2. All visitors will be authorized before entering areas where cardholder data is processed or maintained.
3. All visitors will be given a token, such as a badge or access device, which identifies them as non-employees, and will be required to surrender the device before leaving the facility or on the data of expiration.
4. All visitors to sensitive area must complete a visitor’s log which will be maintained for a minimum of three months, unless otherwise restricted by law.
3.3 Media Controls
1. All media back-ups will be stored in a secure location, preferably in an offsite facility, such as an alternate or backup site, or a commercial storage facility.
2. All paper and electronic media (including computers, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data will be physically secured.
3. Strict control will be maintained over the internal and external distribution of any kind of media that contains cardholder data, such that the media is identified as confidential, and will only be sent by secured and traceable courier.
4. Management will approve in advance any and all media being moved from a secured area.
5. Strict control will be maintained over the storage and accessibility of media that contains cardholder data such that it is inventoried securely stored, and protected by a password.
6. Media containing cardholder data will be destroyed when it is no longer needed for business or legal reasons. The means of destruction will be cross-cut shred, incineration or pulping of hardcopy materials. Electronic data will be destroyed using a method (purge, degauss, or shred) which ensures that cardholder data cannot be reconstructed.
3.4 Individual Access
1. All systems and applications which store critical information will require a unique user name for all users.
2. All unique user names will require a password, token device, or biometrics to authenticate the user.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
5.0 Definitions
Term Definition
N/A
6.0 References
7.0 Revision History
Initial effective date:
Acceptable Encryption Policy
1.0 Purpose
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.
2.0 Scope
This policy applies to all
3.0 Policy
Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate’s Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric crypto-system keys must be of a length that yields equivalent strength.
The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by InfoSec. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
5.0 Definitions
Term Definition
Proprietary Encryption An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).
6.0 Revision History
Audit Vulnerability Scan Policy
1.0 Purpose
The purpose of this agreement is to set forth our agreement regarding network security scanning offered by the
Audits may be conducted to:
· Ensure integrity, confidentiality and availability of information and resources
· Investigate possible security incidents ensure conformance to
· Monitor user or system activity where appropriate.
2.0 Scope
This policy covers all computer and communication devices owned or operated by
3.0 Policy
When requested, and for the purpose of performing an audit, consent to access needed will be provided to members of
This access may include:
· User level and/or system level access to any computing or communications device
· Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on
· Access to work areas (labs, offices, cubicles, storage areas, etc.)
· Access to interactively monitor and log traffic on
3.1 Network Control.
If Client does not control their network and/or Internet service is provided via a
second or third party, these parties are required to approve scanning in writing if scanning is to occur outside of the
3.2 Service Degradation and/or Interruption. Network performance and/or availability may be affected by the network scanning.
unless such damages are the result
misconduct.
3.3 Client Point of Contact During the Scanning Period.
3.4 Scanning period.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
5.0 Revision History
1.0 Purpose
To prevent tarnishing the public image of
2.0 Scope
This policy covers appropriate use of any email sent from a
3.0 Policy
3.1 Prohibited Use. The
3.2 Personal Use.
Using a reasonable amount of
3.3 Monitoring
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
5.0 Definitions
Term Definition
Email The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.
Forwarded email Email resent from an internal network to an outside point.
Chain email or letter Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.
Sensitive information Information is considered sensitive if it can be damaging to
Virus warning. Email containing warnings about virus or malware. The overwhelming majority of these emails turn out to be a hoax and contain bogus information usually intent only on frightening or misleading users.
Unauthorized Disclosure The intentional or unintentional revealing of restricted information to people, both inside and outside
6.0 Revision History
Remote Access
Purpose:
The purpose of this policy is to establish an authorized method for controlling mobile computing and storage devices that contain or access information resources at the
Background/History:
With advances in computer technology, mobile computing and storage devices have become useful tools to meet the business needs at the
Persons Affected:
Policy:
It is the policy of the
Mobile computing and storage devices include, but are not limited to: laptop computers, personal digital assistants (PDAs), plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, modems, handheld wireless devices, wireless networking cards, and any other existing or future mobile computing or storage device, either personally owned or
Mobile computing and storage devices are easily lost or stolen, presenting a high risk for unauthorized access and introduction of malicious software to the network at the
Portable computing devices and portable electronic storage media that contain confidential, personal, or sensitive
Unless written approval has been obtained from the Data Resource Manager and Chief Information Security Officer, databases or portions thereof, which reside on the network at the
Technical personnel and users, which include employees, consultants, vendors, contractors, and students, shall have knowledge of, sign, and adhere to the Computer Use and Information Security Policy Agreement (
Procedures:
Minimum Requirements:
· To report lost or stolen mobile computing and storage devices, call the Enterprise Help Desk at xxx-xxx-xxxx. For further procedures on lost or stolen handheld wireless devices, please see the PDA Information and Procedures section.
· The
· Any non-departmental owned device that may connect to the
· Submit requests for an exception to this policy to the Information Protection Services Office via the Policy Exception Request form (EXEC 205).
Roles and Responsibilities:
Users of mobile computing and storage devices must diligently protect such devices from loss of equipment and disclosure of private information belonging to or maintained by the
The Enterprise Help Desk must be notified immediately upon detection of a security incident, especially when a mobile device may have been lost or stolen.
The Information Protection Services Office is responsible for the mobile device policy at the
The Information Systems Division is responsible for developing procedures for implementing this policy. The Desktop Standards Committee will maintain a list of approved mobile computing and storage devices and will make the list available on the intranet.
Definitions:
CD: A compact disc (sometimes spelled disk) is a small, portable, round medium made of molded polymer (close in size to the floppy disc) for electronically recording, storing, and playing back audio, video, text, and other information in digital form.
DVD: The digital versatile disc stores much more than a CD and is used for playing back or recording movies. The audio quality on a DVD is comparable to that of current audio compact discs. A DVD can also be used as a backup media because of its large storage capacity.
Flash Drive: A plug-and-play portable storage device that uses flash memory and is lightweight enough to attach to a key chain. The computer automatically recognizes the removable drive when the device is plugged into its USB port. A flash drive is also known as a keychain drive, USB drive, or disk-on-key. A keychain drive, which looks very much like an ordinary highlighter marker pen, can be used in place of a floppy disk, Zip drive disk, or CD.
Handheld wireless device: A communication device small enough to be carried in the hand or pocket and is also known as a Personal Digital Assistant (PDA). Various brands are available, and each performs some similar or some distinct functions. It can provide access to other internet services, can be centrally managed via a server, and can be configured for use as a phone or pager. In addition, it can include software for transferring files and for maintaining a built-in address book and personal schedule.
Media Type: For the purpose of this policy, the term “media type” is interchangeable with “mobile device.” Not to be confused with media makes, models, or brands.
Media Type Model: Refers to the brand of media device such as Sony, Treo, or IBM.
Mobile Devices: Mobile media devices include, but are not limited to: PDAs, plug-ins, USB port devices, CDs, DVDs, flash drives, modems, handheld wireless devices, and any other existing or future media device.
Modems: A device that modulates and demodulates information so that two computers can communicate over a phone line, cable line, or wireless connection. The connection talks to the modem, which connects to another modem that in turn talks to the computer on its side of the connection. The two modems talk back and forth until the two computers have no further need of either modem’s translation services.
PDA: The Personal Digital Assistant is also known as a handheld. It is any small mobile hand-held device that provides computing and information storage and retrieval capabilities for personal or business use, often for keeping schedule calendars and address book information handy. Many people use the name of one of the popular PDA products as a generic term, such as Hewlett-Packard’s Palmtop and 3Com’s PalmPilot.
Plug-In: Programs that can easily be installed and used as part of your Web browser. A plug-in application is recognized automatically by the browser, and its function is integrated into the main HTML file that is being presented. Among popular plug-ins is Adobe’s Acrobat, a document presentation and navigation program that provides a view of documents just as they look in the print medium. There are hundreds of plug-in devices.
Wireless Networking Cards: Mobile device for wireless internet connectivity from a laptop. This card allows mobile users the ability to access a secured connection to the internet via a specified vendor.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2006 All Ri
Removable Media
1.0 Overview
Removable media is a well-known source of malware infections and has
been directly tied to the loss of sensitive information in many
organizations.
2.0 Purpose
To minimize the risk of loss or exposure of sensitive information
maintained by
infections on computers operated by
3.0 Scope
This policy covers all computers and servers operating in
4.0 Policy
their work computers.
connected to or used in computers that are not owned or leased by the
sec staff. Sensitive information should be stored on removable media
only when required in the performance of your assigned duties or when
providing information required by other state or federal agencies. When
sensitive information is stored on removable media, it must be
encrypted in accordance with the
Policy:http://www.sans.org/resources/policies/Acceptable_Encryption_Policy.pdf
Exceptions to this policy may be requested on a case-by-case basis by
5.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including
termination of employment.
6.0 Definitions
Removable Media: Device or media that is readable and/or writeable by
the end user and is able to be moved from computer to computer without
modification to the computer. This includes flash memory devices such
as thumb drives, cameras, MP3 players and PDAs; removable hard drives
(including hard drive-based MP3 players); optical disks such as CD and
DVD disks; floppy disks and any commercial music and software disks not
provided by
Encryption: A procedure used to convert data from its original form to
a format that is unreadable and/or unusable to anyone without the
tools/information needed to reverse the encryption process.
Sensitive Information: Information which, if made available to
unauthorized persons, may adversely affect
or participants served by its programs. Examples include, but are not
limited to, personal identifiers and , financial information,
Malware: Software of malicious intent/impact such as viruses, worms,
and Spyware.
7.0 Revision History
Original Issue Date:
***Add in Three additional polices***
Rasmussen College
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.
Read moreEach paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.
Read moreThanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.
Read moreYour email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.
Read moreBy sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.
Read more