Information System (IS) Security Policies
S2 Networking, Inc.

Statement of Authority and Scope

<Company Name> ("the Company") uses an internal information systems (IS) network ("the network") with access to external IS networks, including, but not limited to, the Internet. The network exists to further the Company's business. Every person using the network is expected and required to treat the network and its components as a business asset. Users have access via the network to information with a wide range of sensitivity levels; this policy is intended to provide a guide to protecting and ensuring the appropriate use of this information, consistent with those sensitivity levels.

Definitions

Device
A computer (workstation, laptop, server, etc.), networking device (router, switch, hardware firewall, etc.), storage unit (drive array, CD jukebox, etc.), printer, or any other hardware unit interconnected with other hardware units, together with its associated software system, including configuration and other operationally necessary files.

Information Systems (IS) network
A set of devices that has been interconnected both physically and logically to exchange information.

Integrity
The condition in which data or information is trusted to be unaltered from its previously known state; no unknown or unauthorized modifications have been made.

Network resources
The devices comprising the network, their constituent components, and the information (programs and data) input to, stored on, or output from them.

Security
The process of managing access and modification rights (such as read, write, change, delete, execute, etc.) to network resources.

User
Any person accessing the network or one of its constituent devices, whether directly or indirectly connected (including connecting from another, external network). This includes employees, contractors, owners/partners, and any other person.
Intended Audience

This policy applies to all personnel:
- Company employees, including managerial employees
- Company owners, partners, and others with an equity stake
- Company contractors
- Any other user of the Company's network resources

Responsibilities

The security and integrity of the information stored on and accessed via the network is the responsibility of all users. While certain individuals or positions may be assigned particular duties with respect to the network's operation or its inputs or outputs, that does not absolve any other user of their aforementioned responsibility.

Acceptable Use Policy

The network is a Company asset, to be used for the Company's legitimate business purposes. Such purposes must be approved by the Company's management. The Company may allow users to engage in limited personal use of the network (such as browsing the Internet), but such permission is entirely discretionary on the Company's part and subject to change. If any limited personal use has previously been allowed, the Company will clearly indicate to all personnel the new usage policy.

Any copying of network resources for personal use is never acceptable; software copying for business use will solely be in accordance with the relevant license agreements. Any other use beyond the acceptable use policy, by any user, shall be deemed an unacceptable use.

Unacceptable use of the network or any of its component devices may be grounds for disciplinary action, to include termination, or legal action, at the Company's sole discretion. Prior inaction by the Company concerning any occurrence of a user's unacceptable use does not constitute or imply the Company's endorsement or acceptance of such use, nor does it negate the Company's right later to take disciplinary or legal action, as deemed appropriate by the Company, against such users.
Authentication, Authorization, and Accounting (AAA) Policy

The following describes the standards by which network use will be validated and recorded:
- Authentication methods shall be used to verify the identity of users.
- Authorization methods shall be used to verify a user's access to network resources.
- Accounting methods shall be used to record which users accessed sensitive network resources, when those accesses occurred, and the duration of such accesses.

Together, AAA provides an audit trail capability to assure network and information integrity, as well as supporting any response to security incidents.

Remote Access Policy

Remote access to the network by any user shall be permissible only for the advancement of the Company's business. Remote access shall not be permitted to compromise the network's security or integrity, nor that of any of its resources. The Company may therefore require those granted remote access to demonstrate that they have taken appropriate precautions on the systems they use for such remote access, and on any systems connected to them.

Incident Response Policy

The Company recognizes that no security is perfect, and unacceptable use, data compromise, network abuse, intrusion, or other incidents may occur despite the Company's efforts to prevent them. The Company will monitor the network resources for unacceptable use and will act promptly when any such unacceptable use is detected. The Company will:
1. Determine the nature of the unacceptable use,
2. Determine its entry point into the network,
3. Take corrective action to prevent further unacceptable use,
4. Determine the extent of unacceptable use,
5. Determine whether malicious software ("malware") has been installed,
6. Determine whether the Company's data and/or network integrity have been compromised,
7. Repair the network and/or restore the data from backups, if necessary.

These actions may be taken, at least in part, in parallel.
The persons performing these actions shall keep permanent records ("logs") of their observations and actions. These logs are the property of the Company and fall under the purview of this policy as they are created; they will be used to establish the extent of any damage to the Company, and may be used in support of legal proceedings, as the Company deems appropriate.

Personnel Departure Policy

This policy applies to all personnel departures from the Company, whether voluntary or involuntary. No departing personnel are authorized to copy or remove any information from the network, or to alter any information before their departure, except as required in the ordinary course of their work before the effective date of departure. All network accounts will be disabled or removed, and all authorizations will be discontinued, by the network administrator immediately upon the termination of work by the departing user.

Internetworking with Other Entities

The Company's network may interwork with other entities' networks (such as those of business or process partners). The Company will make every reasonable effort to assure itself that the other entities with which it exchanges information will treat any information so exchanged with substantially equivalent care. The Company will also protect information received from other entities, or via other entities' networks, as though that information had originated within the Company's network.
Appendix A: Points of Contact

Network Administration
Name ________________________________________________________
Telephone _____________________________________________________
Mobile ________________________________________________________
Email _________________________________________________________

Network Security
Name _________________________________________________________
Telephone ______________________________________________________
Mobile _________________________________________________________
Email __________________________________________________________

Management/Other
Name __________________________________________________________
Telephone ______________________________________________________
Mobile _________________________________________________________
Email __________________________________________________________

Appendix B: Network Resources and Protection Levels

The Company has designated the following Protection Levels for its network resources:

Level 1 protection shall be applied to business-critical network resources. Loss of these resources, or questionable integrity in them when present, threatens the continuing existence of the Company. The underlying assumption is that of no access unless specifically authorized by the Company's management. Level 1 protection shall include strict AAA, with access limited on a strict "need-to-know" basis.

Level 2 protection shall be applied to those network resources whose compromise (actual loss or loss of integrity) may cause serious damage to the Company. Authentication and authorization technologies will be applied in Level 2 protection; accounting may or may not be applied, on a resource-by-resource basis.

Level 3 protection shall be applied to Company proprietary information. All users accessing Level 3 information shall be authenticated; authorizations will be granted on an individual or group membership basis. Accounting may or may not be applied, on a case-by-case basis.
Level 4 protection shall be applied to all other network resources. Authentication will be required for access to all network resources; authorizations may be global for all authenticated users in Level 3 protection, but will not generally include users external to the Company. Exceptions (such as contractors needing access to fulfill their obligations) may be granted access on a case-by-case basis.

In addition, the entire network will be protected from external threats by implementing a firewall at every connection to external networks, antivirus software installed and aggressively used on every workstation, and filtering configurations on network connecting devices (routers and switches).

Each network device will be periodically examined for malware; the following periods apply:
Workstations ___________________________________
Servers/storage _________________________________
Routers/switches ________________________________
Other devices ___________________________________

Level 1 Protected Network Resources: ______________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________

Level 2 Protected Network Resources: ______________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________

Level 3 Protected Network Resources: ______________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________

Level 4 Protected Network Resources: ______________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________

Appendix C: Technologies Employed

Perimeter Security ________________________________________________
Network Monitoring/Intrusion Detection ______________________________
Network Administration ___________________________________________

AAA
Authentication ___________________________________________________
Authorization ____________________________________________________
Accounting ______________________________________________________

Remote Access __________________________________________________
AntiVirus ______________________________________________________