Information Security Policies: User/Employee Use Policies

Overview (slide 2)
- Format of policies
- Usage of policies
- Example of policies
- Policy cover areas
- References
- Homework
- Questions

Format of Policies (slide 3)
- Purpose: the need for the policy
- Scope: which part of the system is covered, and who the policy applies to
- Policy: what can or cannot be used or done on the system
- Definitions: defines the keywords used in the policy
- Enforcement: the action that can be taken once the policy is violated
- Revision History: states when and what has been changed

Usage of Policies (slide 4)
- Policy: a document that outlines specific requirements or rules that cover a single area
- Standard: a collection of system-specific or procedure-specific requirements that must be met by everyone
- Guideline: a collection of system-specific or procedure-specific "suggestions" for best practice; not required, but strongly recommended

Example of Policies (slides 5-7)
[Example policy documents shown as images; no text recoverable]

Policy Cover Areas (slide 8)
- Acceptable Use
- Information Sensitivity
- Ethics
- E-mail
- Anti-Virus
- Password
- Connection

Acceptable Use Policy (slide 9)
- General outline for all other policies
- Protects employees, partners and the company from illegal or damaging actions
- Applies to all computer-related equipment
- Sections: general use and ownership; security and proprietary information; unacceptable use

Information Sensitivity Policy (slide 10)
- Determines what information can or cannot be disclosed to non-employees
- Public: declared for public knowledge; can be given freely to anyone without any possible damage
- Confidential:
  - Minimal sensitivity: general corporate information; some personal and technical information
  - More sensitive: business, financial, and most personnel information
  - Most sensitive: trade secrets and marketing, operational, personnel, financial, source code, and technical information integral to the success of the company

Ethics Policy (slide 11)
- Defines the means to establish a culture of openness, trust and integrity
- Executive commitment: promote a trustworthy and honest atmosphere
- Employee commitment: treat everyone fairly, with mutual respect
- Maintaining ethical practices: honesty and integrity must be the top priority
- Company awareness: reinforce the importance of the integrity message
- Unethical behavior: unauthorized use of company information integral to the success of the company will not be tolerated

E-mail Policy (slide 12)
- General usage: to prevent tarnishing the company's public image
- Prohibited use: cannot be used for any disruptive or offensive messages
- Personal use: states whether, and how, the system may be used for personal purposes
- Monitoring: no expectation of privacy for messages stored, sent or received; the company may monitor without prior notice

E-mail Policy: Retention (slide 13)
- Determines how long an e-mail is retained; four main classifications:
  - Administrative correspondence: 4 years
  - Fiscal correspondence: 4 years
  - General correspondence: 1 year
  - Ephemeral correspondence: until read
- Instant messenger correspondence: retention applies only to administrative and fiscal correspondence
- Encrypted communications: stored in decrypted format

E-mail Policy: Automatic Forwarding (slide 14)
- To prevent unauthorized or inadvertent disclosure of sensitive information
- Permitted only when approved by the appropriate manager
- Sensitive information, as defined in the Information Sensitivity Policy, is encrypted in accordance with the Acceptable Encryption Policy

Anti-Virus Policy (slide 15)
- To prevent computer virus problems
- Install anti-virus software
- Update anti-virus software daily
- Always keep anti-virus software in auto-protect mode
- Scan storage media for viruses before using them
- Never open any e-mail from an unknown source
- Never download files from an unknown source
- Remove virus-infected computers from the network until they are verified as virus-free

Password Policy (slide 16)
- A standard for the creation of strong passwords:
  - Contain both upper and lower case characters
  - Contain digits and punctuation characters
  - At least eight alphanumeric characters long
  - Not based on personal information
  - Not a word in any language
  - Can be easily remembered
- Frequency of password changes

Password Policy: Protection of Passwords (slide 17)
- Never written down or stored on-line
- Don't reveal a password over the phone
- Don't reveal a password in an e-mail message
- Don't reveal a password to the boss
- Don't reveal a password to co-workers
- Don't hint at the format of a password
- Don't share a password with family members

Connection Policy: Remote Access (slide 18)
- Defines standards for connecting to the company's network from any external host or network
- General: same considerations as an on-site connection; general Internet access for recreational use by the immediate household is permitted
- Requirements:
  - Public/private keys with strong pass-phrases
  - Cannot be connected to another network at the same time
  - Cannot provide the login or e-mail password to anyone
  - The most up-to-date anti-virus software must be installed

Connection Policy: Analog/ISDN Line (slide 19)
- Defines standards for the use of analog/ISDN lines for sending and receiving faxes, and for connection to computers
- Scenarios and business impact:
  - Facsimile machines: physically disconnected from computers and the internal network
  - Computer-to-analog line connections: an outside attacker attached to the trusted network; a significant security threat
- Requesting an analog/ISDN line: state why other, more secure connections cannot be used

Connection Policy: Dial-in Access (slide 20)
- To protect information from being inadvertently compromised by authorized personnel using a dial-in connection
- One-time password authentication when connecting to the company's sensitive information
- Analog and non-GSM digital cellular phones: their signals are readily scanned by unauthorized individuals; take reasonable measures to protect company assets
- Monitor account activity; disable an account after six months without access

Connection Policy: Extranet (slide 21)
- Describes how third-party organizations connect to the company network for the purpose of transacting business related to the company
- Least access: connectivity is granted in the most restrictive way possible, with a valid business justification
- A point of contact from the sponsoring organization; approved by a project manager; governed by the Third Party Connection Agreement
- Establishing connectivity: provide complete information about the proposed access
Connection Policy: Extranet, continued (slide 22)
- Modifying access: notify the extranet management group; security and connectivity evolve accordingly
- Terminating access: when access is no longer required, terminate the circuit
- Third Party Connection Agreement: defines the standards and requirements, including legal requirements, needed in order to interconnect a third-party organization's network to the production network; must be signed by both parties

Connection Policy (slide 23)
[Diagram shown as image; no text recoverable]

Connection Policy: Virtual Private Network (VPN) Security (slide 24)
- Defines the requirements for remote-access IPsec or L2TP VPN connections to the company network
- Force all traffic to and from the PC over the VPN tunnel; dual (split) tunneling is not allowed
- 24-hour absolute connection time limit
- Automatically disconnected after 30 minutes of inactivity
- Only approved VPN clients may be used

Connection Policy: Wireless Communication (slide 25)
- Defines standards for wireless systems (access points and PC cards) used to connect to the company network
- Approved technology: use approved products and security configurations
- Encryption and authentication: registered with and approved by InfoSec; drop all unauthenticated and unencrypted traffic
- Setting the SSID: should not contain any identifying information

References (slide 26)
- The SANS Security Policy Project: http://www.sans.org/resources/policies
- Information Security Policies & Computer Security Policy Directory: http://www.information-security-policies-and-standards.com
- RFC 1244, Site Security Handbook: http://www.faqs.org/rfcs/rfc1244.html
- Google: http://www.google.com

References (slides 27-28)
[Shown as images; no text recoverable]

Homework (slide 29)
1. Write a full version of the policy based on assignment 5, "Acceptable student use of the GTS", in the format presented
2. Define the presented usage of policies
Tips: the policy document format is on slide 3; the usage of policies is on slide 4; you may find more information at SANS

Questions (slide 30)
Any questions?
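As an added example for the Password Policy (slides 16 and 17), not part of the original slides: a Python check that tests a candidate password against the stated creation rules (upper and lower case, digits and punctuation, at least eight characters, not a dictionary word, not based on personal information) and reports every rule it fails, which is what an enforcement point such as a password-change form or account-provisioning script needs. The word list and the user attributes are constructed samples; the rule "can be easily remembered" cannot be checked by a program, and the change frequency is a separate control not covered here.

```python
"""Password-policy checker for the creation rules on the Password Policy slide.

Added example, not part of the original slides. SAMPLE_DICTIONARY and the
personal attributes passed by the caller are constructed stand-ins; a real
deployment would load a full word list and read user attributes from the
directory.
"""
import re
import string

MIN_LENGTH = 8  # "at least eight alphanumeric characters long"

# Constructed stand-in for a word list ("not a word in any language").
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon",
                     "company", "secret", "letmein"}

# Common substitutions so that "P@ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "$": "s"})


def _letters_only(text: str) -> str:
    """Lower-case and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower())


def _deleet(text: str) -> str:
    """Undo leet substitutions, then keep letters only."""
    return _letters_only(text.lower().translate(LEET_MAP))


def check_password(pw: str, personal_info=()) -> list:
    """Return the list of policy rules the password violates (empty = compliant).

    personal_info: strings the policy treats as personal information, e.g.
    username, first and last name, birth year, phone number.
    """
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short: at least %d characters" % MIN_LENGTH)
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("must contain both upper and lower case characters")
    if not any(c.isdigit() for c in pw):
        failures.append("must contain a digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("must contain a punctuation character")

    # "Not a word in any language": the letters of the password, with or
    # without leet substitutions undone, must not form a dictionary word.
    # This catches both "Summer2024!" and "P@ssw0rd!".
    if _letters_only(pw) in SAMPLE_DICTIONARY or _deleet(pw) in SAMPLE_DICTIONARY:
        failures.append("based on a dictionary word")

    # "Not based on personal information": no attribute of four or more
    # characters may appear inside the password, plainly or leet-encoded.
    lowered = pw.lower()
    deleeted = _deleet(pw)
    for item in personal_info:
        item_l = str(item).lower()
        if len(item_l) < 4:
            continue  # too short to be a meaningful match
        if item_l in lowered or _letters_only(item_l) in deleeted and _letters_only(item_l):
            failures.append("contains personal information: %s" % item)
    return failures


if __name__ == "__main__":
    # Constructed user record for the demonstration.
    user_attrs = ["jsmith", "John", "Smith", "1985"]
    for candidate in ["P@ssw0rd!", "Summer2024!", "Smith1985!",
                      "Correct-Horse-Battery-9", "abc"]:
        result = check_password(candidate, user_attrs)
        print("%-25s %s" % (candidate, "OK" if not result else "; ".join(result)))
```

The checker returns reasons rather than a boolean so the caller can show the user exactly which rule failed; it never logs the candidate password itself.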