internet & pc policies - sample

Upload: wdmuka

Post on 06-Apr-2018


  • 8/3/2019 Internet & PC Policies - Sample

    1/12

    Internet & PC WorkStation Policies & Procedures HandiGuide


    Copyright 2007 M. Victor Janulaitis

    Copyright 2007 Janco Associates, Inc.

    ALL RIGHTS RESERVED

    All Rights reserved. No part of this book may be reproduced by any means without the prior written permission of the publisher. No reproduction or derivation of this book shall be re-sold or given away without royalties being paid to the authors. All other publisher's rights under the copyright laws will be strictly enforced.

    Published by: Janco Associates, Inc.

    Park City, UT 84060

    435 940-9300

    [email protected]

    Publisher cannot in any way guarantee the procedures and approaches presented in this book are being used for the purposes intended and therefore assumes no responsibility for their proper and correct use.

    Printed in the United States of America

    ISBN 13 978-1-881218-00-5

    HandiGuide is a registered trademark of M. Victor Janulaitis.

    License Conditions

    This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE Disaster Recovery Plan unless the user has purchased a multi-use license. Anyone who makes an unlicensed copy of or uses the template or any derivative of it is in violation of United States and International copyright laws and subject to fines that are treble damages as determined by the courts. A REWARD of up to 1/3 of those fines will be paid to anyone reporting such a violation upon the successful prosecution of such violators.

    The purchaser agrees that any derivative of this template will contain the following words within the first five pages of that document. The words are:

    2001 - 2007 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED

    Easy use steps:

    1. Read these License Conditions.

    2. Print the first two pages of this template.

    3. Delete the first two pages.

    4. Save As your file name.

    5. Edit/replace ENTERPRISE with your enterprise's name.

    6. Edit/replace the company logo with your enterprise's logo.

    7. Save As your filename.v001.

    8. As you modify the plan, continue to save the DRP with a name that has an updated version number.

    The Template is saved in two formats. They are:

    *.doc is in WORD 2003 format

    *.docx is in WORD 2007 format

    Both of these documents are the same, but we have provided them in both formats for your use. If you have any questions on these documents, please send an email to [email protected] and reference your order number.

    Telephone support can be obtained if you have registered your product by going to

    http://www.e-janco.com/register.asp

    If you register your product within thirty (30) days of purchase, Janco will send you a coupon for 10% off on your next purchase from any of Janco's direct sites. These include:

    http://www.e-janco.com

    http://www.itproductivity.org

    http://www.ejobdescription.com

    http://www.it-toolkits.com


    TABLE OF CONTENTS

    TABLE OF CONTENTS ..... i
    INTRODUCTION ..... 3
    FOREWORD ..... 5
      Scope And Applicability ..... 9
      Book Structure ..... 9
        Administrative Management ..... 9
        Technology Management ..... 10
        Asset Protection ..... 10
        Appendix ..... 10
    ADMINISTRATIVE MANAGEMENT ..... 11
    MANAGEMENT OVERVIEW ..... 13
      Base Assumptions And Objectives ..... 13
    MANAGEMENT PROCESS ..... 17
      Executive Management ..... 17
      General Operations Management ..... 17
      Individual Managers And Staff Members ..... 18
        Information Technology Resource Group ..... 18
        Technology Support Staff ..... 19
        Technology Resources and Information ..... 19
      Risk Analysis Program Components ..... 21
        Software Control and Security ..... 21
        Hardware Control and Security ..... 21
        Internet / Intranet Control and Security ..... 21
        Network Control and Security ..... 21
        Logical Access Controls ..... 22
        Software Development Controls ..... 22
    RESPONSIBILITIES ..... 23
      Manager, IT Support Resource Group ..... 24
      Manager, Enterprise Operational Group ..... 24
      Steering Committee ..... 25
      Manager Internet and PC Control and Security ..... 25
      All Enterprise Managers (Enterprise Groups, Departments and Divisions) ..... 26
      Asset Owners ..... 26
        PC Support Managers ..... 28
        Users ..... 28
        Help Desk ..... 28
      Outside Information Technology Services ..... 29
        Applicability ..... 30
        Responsibilities When Using Information Technology Services ..... 30
        Outside Information Technology Services - Basic Policies ..... 31


    TECHNOLOGY MANAGEMENT ..... 35
    JUSTIFICATION, ACQUISITION, AND SUPPORT ..... 37
      Guidelines ..... 37
        Functional Needs ..... 38
        Software Needs ..... 38
        Hardware Configuration ..... 39
        Back up/Recovery ..... 42
        LAN Back ups ..... 42
        Documentation ..... 42
      Supported Configurations ..... 44
        Support Organization ..... 44
        Registration ..... 44
        Hardware ..... 44
        Software ..... 46
        Connectivity ..... 46
        Hardware and Software Inventory ..... 47
        Adoption of Non-Standard Hardware or Software ..... 47
    APPLICATION DEVELOPMENT ..... 49
      What is an Application? ..... 52
      Relation to Support Groups ..... 53
      Project Conceptualization and Justification ..... 53
      Notifying the Information Technology Department ..... 54
      Technical Assistance ..... 54
      Project Approval ..... 55
      Selecting the Best Alternative ..... 55
      Development Assistance ..... 56
      Development ..... 56
        Monitoring ..... 56
        Testing ..... 56
        Final Certification ..... 57
        Installation ..... 57
      Implementation ..... 57
        Conversion ..... 57
        Training ..... 58
        Documentation ..... 58
        Support ..... 58
      Application Development - Small Development ..... 59
        Reasons for Documentation ..... 59
        Standards ..... 59
        Special Items ..... 60
      Application Development - Typical Development ..... 61
        Documentation ..... 63
        Departmental Reports ..... 63
      Typical Work Plan - Two Month Effort ..... 64
    TRAINING ..... 67
      Hardware Training ..... 67
      Operating System Training ..... 68
      Application Software Training ..... 68
      Sources of Training ..... 69
        Supplier Training ..... 69
        Local Experts ..... 69
        Third Party Training Organizations ..... 69
        User Support Center ..... 70
        Special Training ..... 70
      Enterprise Staff ..... 70
      Contractor Personnel ..... 71
    LOCAL AREA NETWORKS (LANS) ..... 73


      Features ..... 73
      Physical Components ..... 74
        Workstations ..... 75
        Network Cables ..... 75
        Network Adapters ..... 75
        File Servers ..... 75
        Network Peripherals ..... 76
        Network Operating System ..... 76
      Configuration ..... 76
      Users ..... 76
        Network Supervisors ..... 77
        Regular Network Users ..... 77
        Network Operators ..... 77
      Security ..... 77
        Directory Rights ..... 78
      Back up ..... 80
    BACK UP & RECOVERY ..... 81
      Data Storage And Media Protection ..... 82
        Labeling ..... 83
        Storage ..... 83
        Retention Schedule ..... 83
        Disposal Of Sensitive Information ..... 83
      Back up Program and Schedule ..... 84
        Creating a Back up Program ..... 85
        Monitoring the Back up Program ..... 86
        LAN/Wide Area Local Area Networks (WANs) ..... 86
        Recovering From Back up Media ..... 87
        CD / DVD Back up ..... 88
        Hard Disk Back up ..... 88
        Application Software Back up ..... 89
        PC File Back ups ..... 89
        Back up Software ..... 89
        Documentation ..... 90
        Storage of Back up ..... 90
      Naming Conventions ..... 90
    SERVICE REQUESTS ..... 91
      Policies ..... 93
      Process ..... 94
        Opening A Service Request ..... 95
        Identify Need and Prepare Service Request ..... 95
        Log and Assess SR ..... 95
        Prioritize and Approve SR ..... 96
        Analyze SR and Design Solution ..... 96
        Review and Approve Design Solution ..... 96
        Modify Programs and Test ..... 97
        Conduct User Acceptance Testing ..... 97
        Move New/Modified Programs into Production ..... 98
        Implement Changes in User Environment ..... 98
        Close Service Request ..... 98
      Priority Setting ..... 98
      Service Request ..... 98
        Status Reporting ..... 99
    ELECTRONIC COMMUNICATION ..... 100
      Electronic Communication Usage Guidelines ..... 100
        Electronic Mail ..... 100
        Blogs ..... 102


    INTERNET ..... 103
      Internet Characteristics ..... 104
        Electronic Mail (e-mail) ..... 105
        File Transfer Protocol (FTP) ..... 105
        Gopher ..... 105
        Home Page ..... 105
        TCP/IP Network Protocol ..... 106
        Telenet ..... 106
        USENET Newsgroups ..... 106
        Internet - World Wide Web (WWW) ..... 106
      Security Concerns ..... 107
        Firewalls ..... 108
        Screening Router ..... 108
        Dual-Homed Gateway ..... 109
        Screening Router and Bastion Host ..... 110
        Encryption ..... 110
      Policy and Procedures ..... 111
      Pitfalls ..... 111
        Service Installation ..... 112
      Hardware ..... 112
      Software ..... 113
    ASSET PROTECTION ..... 115
    CONTROLS ..... 117
      Acceptable Uses for PCs and Controls ..... 117
      Risks Due to Lack of Controls ..... 119
      Types of Controls ..... 121
      Logging And Audit Trails ..... 125
        Accountability ..... 125
        Reconstruction of Events ..... 125
        Information to Be Recorded ..... 125
        Tracing Transactions ..... 126
        Support Information ..... 126
        Retention Period of Documentation and Audit Trail Data ..... 126
        Need for Source Documents ..... 126
        Audit Logs In The Mainframe Environment ..... 126
      Satisfactory Compliance ..... 129
    BUSINESS RESUMPTION PROGRAM ..... 131
      Critical Function Analysis ..... 132
      BRP Procedures for Critical Data ..... 133
      Back up Criteria ..... 133
      Back up Procedures ..... 134
      Storage Criteria ..... 134
      Business Recovery Procedures ..... 135
      Requirements for Recovery ..... 135
      Recovery Guidelines ..... 135
      Restoring Damaged Equipment ..... 136
      Recovery Management ..... 136
      Contingency Planning ..... 137
        Responsibilities ..... 137
      Planning Activities ..... 139
        Function Of Planning Activities ..... 139
        Development Activities ..... 139
        Planning Manual ..... 140
        Maintenance Activities ..... 140
      Plan Activation And Recovery ..... 140
    SECURITY ..... 143


      PC Processing Area Classification ..... 144
        Criteria ..... 144
        Classification Categories ..... 145
      Work Stations and Remote Terminals ..... 146
        Attended terminals ..... 146
        Unattended terminals ..... 147
      Management Control Tools ..... 147
      Staff Member Security ..... 148
        Review ..... 148
        Risky Practices ..... 148
        Violations ..... 148
        Management Action ..... 149
      Responsibilities ..... 149
      Sensitive Positions ..... 150
      Network Security ..... 151
        Vulnerabilities ..... 151
        Exploitation Techniques ..... 151
        Reasons for Security ..... 152
        Responsibilities ..... 152
    FACILITY REQUIREMENTS ..... 155
      Physical Plan Considerations ..... 155
      Processing Location ..... 156
        Construction Standards ..... 157
        Protection From Water Damage ..... 158
        Air Conditioning ..... 158
        Entrances And Exits ..... 159
        Interior Furnishings ..... 159
      Fire Protection ..... 160
    ACCESS CONTROL ..... 163
      Separation of Duties ..... 163
      Least Privilege ..... 164
      Individual Accountability ..... 164
        Category I - Processing Areas ..... 165
        Category II - Processing Areas ..... 165
        Category III - Processing Areas ..... 165
        Category IV - Processing Areas ..... 165
      Definitions Of PC Access Control Zones ..... 166
        Public Areas ..... 166
        Controlled Areas ..... 166
      Responsibilities ..... 166
      Levels Of Access Authority ..... 167
        Permanent Access ..... 167
        Temporary Access ..... 167
      Implementation Requirements ..... 167
      Protection Of Supporting Utilities ..... 168
      Resource Protection ..... 169
        Network Components ..... 169
        Wire Closets ..... 169
        Terminal And Remote Job Entry Devices ..... 169
        Dial-Up Controls ..... 170
        Message Authentication ..... 170
        Encryption ..... 171
        Exceptions ..... 172
      Software and Data ..... 172
        Resources To Be Protected ..... 173
        Basic Standards ..... 174
        Controllability ..... 176
        Integrity ..... 176


PASSWORDS ..... 177
  Identification ..... 177
  Authentication ..... 177
  Standards for Passwords ..... 178
  Authorization Verification ..... 178
APPENDIX ..... 181
HARDWARE/SOFTWARE SUPPORTED FORMS ..... 183
  Supported Software ..... 183
  Supported PCs - Standalone ..... 183
  Supported PCs - Networked ..... 185
  Supported Add-In Boards ..... 186
  Unsupported Hardware ..... 187
  Unsupported Software ..... 188


    MANAGEMENT OVERVIEW

A common concern across enterprise-wide operational management approaches is the need to maximize value while protecting technological resources and data assets. In addition, enterprises need to assure the availability of support for these new tools.

The purpose of this HandiGuide is to provide an enterprise with the tools to effectively and efficiently manage all of the capital and information resources associated with PC and workstation operations. This includes both PC operations and the development of applications in the enterprise.

All elements of the enterprise's technology management, control and oversight should be structured to maximize its value. This includes:

• Cost effective utilization of the resources;
• Protection from damage which might result from accidental or intentional events, or from actions that might breach the confidentiality of enterprise records, result in fraud or abuse, or delay meeting the enterprise's objectives.

    BASE ASSUMPTIONS AND OBJECTIVES

There are a number of base assumptions associated with the operational management of the PC environment which were used in the creation of this HandiGuide:

• Integrated management of all components, including operational management, is necessary for all technology hardware, operating and application software, data, and network linkages. Each of these components must be considered from a total-system perspective (i.e., the cost effective use and protection of information must be considered from its origination to its final destruction, to include all processes affecting the information).


• Operational management of technology resources requires extensive policies, responsibility assignment and procedures to provide the necessary operational framework and infrastructure.
• Operational management complies with the intent of prevailing privacy legislation regarding safeguards and with the Foreign Corrupt Practices Act.
• Operational management requires documentation, justification, and administrative controls which are cost-effective, prudent and operationally efficient.
• Good operational management requires monitoring the implementation of selected metrics [4], controls and procedures. This includes the definition of the functions necessary to ensure compliance with stated guidelines within this book.

Operational management guidelines, as presented in this book, should be considered as the minimum standard for all technology based applications and supporting manual activities.

Given these assumptions we have tried to achieve several very specific objectives in this HandiGuide. The first and foremost is to provide a tool with which readers can create their own operational management manual for individual PC sites or applications, as well as a manual that covers all of Information Technology in the entire enterprise [5]. With that as a primary objective, the other objectives are:

• Provide a uniform set of rules and guidelines for dealing with all known and recognized aspects of the technology operations affecting the enterprise and its operations.
• Provide pragmatic rules to ensure that all sensitive information [6] handled by computer and manual systems is protected in relation to the risk of loss, inadvertent or deliberate disclosure, fraud, misappropriation, misuse, sabotage or espionage of enterprise assets. This includes:
    - Provide tools to minimize and prevent damage to the enterprise's business operations due to misuse, poor or inappropriate design of all technology-based applications.
    - Protect property and rights of contractors, vendors and other organizations.

[4] Information Systems, Information Technology, and Communications Metrics HandiGuide and Metrics HandiGuide for the Internet and Information Technology, published by Janco Associates, both provide a base level definition of necessary metrics.

[5] Readers of this book can submit a letter on their company letterhead to request the inclusion in part or in entirety of sections of this HandiGuide in company manuals. The primary requirements are the inclusion of Janco Associates, Inc.'s copyright and the use of the final document for internal use only (i.e. not for resale).

[6] For the purposes of this document, sensitive information includes, but is not restricted to, that information which must be safeguarded so enterprise assets are not misused or abused in any fashion.


• Provide a method to disseminate institutional learning [7] on the technological operating environment within an enterprise.
• Ensure the integrity and accuracy of all enterprise information.
• Protect the enterprise's technology hardware, applications and operations from incidents of hardware, software or network failure resulting from human carelessness, intentional abuse or accidental misuse of the system.
• Ensure the ability of all enterprise technology applications and Information Technology operations to survive business interruptions and to function adequately after recovery.

With the use of this material, based upon an active and continuous risk analysis program, an enterprise should be able to create a process where the following elements of technology operational management can be successfully integrated and implemented:

• Ability to audit all transactions and processes impacting enterprise information resources and operational outputs;
• Ability to have traditional physical security controls and accountability with manual as well as automated processes;
• Ability in the systems development review and testing procedures to ensure the enterprise's operational and senior management objectives are met in all technology designs, implementations and operations;
• Ability to deny access to technology resources based upon a defined access requirement plan; and
• A realistic and exercised business resumption program [8].

[7] This is the information that is learned by and known to members of an enterprise that is normal and necessary to conduct business within the enterprise on a day-to-day basis.

[8] A template for a Disaster Recovery Plan in Word or HTML format can be obtained from the site www.e-janco.com.