P&J Corporation Security Policies

Upload: dixon-chiu

Post on 16-Aug-2015

Table of Contents

About P&J Security Policies
    Company
    Policies
    Latest date of Policies' Modification
    Development Team
Internet Usage policy
    Introduction
    Scope
    Internet, email and computer usage
    Unacceptable use of the Internet by employees
Email Usage Policy
    Introduction
    Scope
    Password protection
    Email security
    Personal use of email
User account and password management
    Introduction
    Scope
    Password creation
    Password change
    Password protection
Physical computer room environment and access
    Introduction
    Scope
    General requirements
    Configuration requirements
    Monitoring
Visitor and Contractors Policy
    Introduction
    Scope
    Check-in
    Information disclosure
    Network or system access
Desktop security policy
    Introduction
    Physical security measures
    Logical security measures
    Other hardware security measures
    Software security measures
    Other security measures
        Remote access
        Data storage and use
        User training and awareness
        Accountability
Antivirus Policy
    Introduction
    Scope
    How to protect
Router and switch security
    Introduction
    Scope
    Configuration standards
New Coming Employees
    Introduction
    Scope
    Procedures
Departing Employees
    Introduction
    Scope
    Procedures
Consequences for Violating Policies
    Introduction
    Scope
    Consequences
POLICIES ACKNOWLEDGEMENT
REFERENCES

About P&J Security Policies

Company

P&J provides several kinds of business management system that give enterprises suitable tools to manage their business. Our ERP system can manage almost every part of a company's commerce, including human resource management, production management, warehousing management, asset management and even financial management.

As a result, minimising risks to the system is very important to our business. It is not only about protecting our own business information but also about protecting the data of our partners. Any activity that attempts to disclose such information or to damage the system will face legal action.

Policies

To minimise risks to the company's systems, make sure that all of these policies are read and understood. If anything in this guidance is unclear, please contact the IT security department for more information. A later claim of having misunderstood a policy is not an excuse: violations will still be penalised. Thus, please do not skip any part of the policies, to avoid unexpected consequences in the future.

Latest date of Policies' Modification

25th November 2014

Development Team

Part 1: BRENDAN NYSSEN - 6859062
    User account and password management
    Physical computer room environment and access
    Router and switch security

Part 2: DIXON CHIU - 4973747
    Internet Usage policy
    Email handling
    Desktop security policy
    Policy for visitors and contractors

Part 3: DINH TIEN DAT VU (Tommy) - 4922115
    Introduction
    Antivirus
    Policy for joining employees
    Policy for leaving employees
    Consequences of violations of the policies


Internet Usage policy

Introduction

This Internet usage policy applies to all P&J employees who have access to our computers and the Internet. Internet access is provided for the performance of their work. Violation of this policy may result in disciplinary and/or legal proceedings, up to and including termination of employment. Employees may also be held personally liable for policy violations.

Scope

This policy covers P&J Internet usage and applies to all employees, vendors, and agents operating on behalf of P&J.

Internet, email and computer usage

P&J employees and other users are expected to use the Internet responsibly and productively.

Internet access is limited to job-related activities only.

Job-related activities include research and educational tasks.

All Internet data that is composed, transmitted or received through P&J computer systems is considered part of the company's records and is therefore subject to disclosure for legal reasons or to other appropriate third parties.

The installation of software such as instant messaging technology is strictly prohibited.

Any website or download may be blocked by P&J if it is unsafe, harmful or not productive for the business.

Unacceptable use of the Internet by employees includes, but is not limited to:

Hacking into, or attempting unauthorised access to, any website or system.
Passing off personal views as representing those of the organisation.
Sharing confidential material, trade secrets or proprietary information.
Stealing, using, or disclosing someone else's password without permission.
Sending or posting information that is defamatory to the company.
Gambling.
Shopping.
Using company Internet access to communicate with outside parties for non-company purposes.
Watching video (e.g. YouTube, Yahoo Video, Vine...).
Using social media (e.g. Facebook, Google+, Instagram...).
Browsing sexual websites.
Downloading any program without P&J's permission.
Playing games.
Changing the proxy server settings.
Using a VPN over the company Internet connection.


Email Usage Policy

Introduction

P&J makes email available to its employees where relevant and useful for their jobs. This email usage policy describes the rules governing email use at the company and sets out how staff members are expected to behave when using email.

This document:

Specifies the organisation's policy for protecting the confidentiality, integrity and availability of the e-mail system.

Establishes the responsibilities of the organisation and of users of the e-mail system, and provides a reference document on this policy.

Scope

This policy covers P&J email accounts and applies to all employees, vendors, and agents operating on behalf of P&J.

Password Protection

Users are asked to change the initial password given to them as soon as possible and to keep their password confidential at all times. The e-mail account provided to an individual user must not be shared or transferred. Users are responsible for all use of their e-mail account at any time.

Email security

Used inappropriately, email can be a source of security problems for the company. Users of the company email system MUST NOT:

Open email attachments from unknown sources, in case they contain a virus, Trojan, spyware or other malware.

Disable security or email scanning software. These tools are essential to protect the business from security problems.

Send confidential company data via email. The IT department can advise on appropriate tools to use instead.

Access another user's company email account. If they require access to a specific message, they should approach their line manager or the IT department.

Employees MUST always consider the security of the company's systems and data when using e-mail, and should seek help and guidance from their line manager or the IT department if they need it.

Personal use of email

P&J allows employees to use their company email account for personal reasons, with the following stipulations:

Personal email use should be kept to a reasonable level and restricted to non-work times, such as breaks and lunch.

All rules described in this policy apply equally to personal email use. For instance, inappropriate content is always inappropriate, no matter whether it is sent or received for business or personal reasons.

Personal email use MUST NOT affect the email service available to other users. For instance, sending exceptionally large files by email could slow access for other employees.

Users may access their own personal email accounts at work, if they can do so via our Internet connection.


User account and password management

Introduction

Passwords are a fundamental part of any security system and must be implemented. Passwords for any system must comply with the company standard; poorly chosen passwords may result in unauthorised access. All users and anyone with access to the system must have a password and are responsible for taking the appropriate steps to secure their passwords.

Scope

The purpose of this policy is to establish and maintain a standard for the creation of passwords, the protection of passwords and the frequency of change.

Password creation

- All users MUST comply with the password construction guidelines.
- Users MUST NOT use the same passwords for P&J accounts as for non-company accounts.
- Any user that has multiple accounts in the company MUST have a different password for each account.
- When creating a password, incorporate phrases, symbols and numbers.

Password change

- All system-level accounts such as root, enable, NT admin and application administration accounts MUST have their passwords changed at least quarterly.
- All user-level accounts such as email, web and desktop computer accounts MUST have their passwords changed at least every six months.
- Password cracking or guessing may be performed on a periodic or random basis. If a password is cracked or guessed during one of these scans, the user will be required to change it to comply with the password construction guidelines.

Password protection

- Passwords MUST NOT be shared with anyone.
- All passwords MUST be treated as sensitive, confidential information.
- Passwords MUST NOT be sent via email or in any other form of electronic communication.
- DO NOT reveal a password on questionnaires or security forms.
- DO NOT hint at the format of a password.
- DO NOT write passwords down and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile device (phone, tablet) without encryption.
- DO NOT use the "remember password" feature of programs or web pages.
- If a user suspects that his/her password has been compromised, the incident MUST be reported and all of the user's passwords changed.
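The construction, reuse and change-frequency rules above, implemented as an audit script. This is an added example in Python and is not part of the P&J document: the 14-character minimum, the guess list and the sample accounts are constructed assumptions (the policy names no concrete construction guideline), and salted SHA-256 stands in for whatever hash the real credential store uses. The 90-day and 180-day limits are the policy's quarterly and six-monthly figures.

```python
"""Password policy audit for the 'User account and password management' policy.

Added example, not code from the P&J document. Checks:
  * construction guidelines (phrases, symbols, numbers); MIN_LENGTH and
    GUESS_LIST are assumptions, the policy states neither;
  * no reuse of one password across a user's P&J accounts;
  * change frequency: system-level accounts every 90 days, user-level every
    180 days, plus offline guessing against stored hashes as the policy's
    periodic cracking scan would do.
"""
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import date

MIN_LENGTH = 14                                 # assumption, not from the policy
MAX_AGE_DAYS = {"system": 90, "user": 180}      # quarterly / six-monthly, from the policy
# Constructed stand-in for the wordlist a periodic cracking run would use.
GUESS_LIST = ["password", "Password1", "Welcome1", "Summer2014", "letmein", "P&J2014"]


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256 stands in for the credential store's real hash."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Account:
    name: str
    level: str          # "system" (root, enable, NT admin, app admin) or "user"
    owner: str          # person responsible for the account
    salt: str
    pw_hash: str
    last_changed: date


def new_account(name, level, owner, password, last_changed) -> Account:
    salt = secrets.token_hex(8)
    return Account(name, level, owner, salt, hash_password(salt, password), last_changed)


def check_new_password(password: str, owner_accounts: list[Account]) -> list[str]:
    """Checks run at password-change time, when the plaintext is available.
    Returns the violations found; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no number")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no symbol")
    if password.lower() in {w.lower() for w in GUESS_LIST}:
        problems.append("appears in the guess list")
    # Reuse check: hash the candidate with each of the owner's other salts.
    for acct in owner_accounts:
        if hash_password(acct.salt, password) == acct.pw_hash:
            problems.append(f"already used for account {acct.name}")
    return problems


def guess_password(acct: Account, wordlist=GUESS_LIST):
    """Offline guessing against the stored hash; returns the word that matched, or None."""
    for word in wordlist:
        if hash_password(acct.salt, word) == acct.pw_hash:
            return word
    return None


def audit_accounts(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Return {account name: [findings]} for accounts that are overdue or guessable."""
    findings = {}
    for acct in accounts:
        issues = []
        age = (today - acct.last_changed).days
        if age > MAX_AGE_DAYS[acct.level]:
            issues.append(f"password is {age} days old; {acct.level}-level limit is {MAX_AGE_DAYS[acct.level]}")
        if guess_password(acct) is not None:
            issues.append("password guessed from wordlist; change required")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed sample data; the audit date is the policy's last modification date.
TODAY = date(2014, 11, 25)
ACCOUNTS = [
    new_account("root@erp-db01", "system", "ops", "Summer2014", date(2014, 7, 1)),
    new_account("dchiu", "user", "dchiu", "correct-horse-battery-staple-7", date(2014, 9, 1)),
    new_account("dchiu-mail", "user", "dchiu", "Quarterly.Report#9", date(2014, 3, 1)),
]

if __name__ == "__main__":
    for name, issues in audit_accounts(ACCOUNTS, TODAY).items():
        print(name, *("  - " + i for i in issues), sep="\n")
    print(check_new_password("Quarterly.Report#9", [a for a in ACCOUNTS if a.owner == "dchiu"]))
```

The reuse check only works at change time, because two salted hashes of the same password cannot be compared afterwards; that is why it lives in check_new_password rather than in the periodic audit, which can only age-check and guess.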


Physical computer room environment and access

Introduction

Security controls are important for any server room and MUST be implemented. Systems MUST comply with the company standards for security; any gap may result in unauthorised access to sensitive information. Unsecured and vulnerable servers continue to be a major entry point for malicious threats. Anyone with access to the system MUST take the appropriate steps when entering and exiting the server room. The purpose of this policy is to establish and maintain a secure environment that can be accessed by authorised personnel only.

Scope

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by P&J. All employees, contractors, consultants and temporary staff MUST adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by P&J or registered under a P&J-owned internal network domain.

General requirements

- All internal servers installed at P&J MUST be owned by an operational group that is responsible for system administration.
- All server configuration guides MUST be approved and established by each operational group.
- Servers MUST be registered within the corporate enterprise management system.
- For security compliance and maintenance purposes, authorised personnel may monitor and audit equipment, systems, processes and network traffic in accordance with the Audit policy.

Configuration requirements

- Operating system configuration MUST be in accordance with the approved guidelines.
- Access to services should be logged and/or protected through access-control methods such as a web application firewall, where possible.
- Whenever a security update is available it should be installed as soon as practical.
- Servers MUST be physically located in an access-controlled environment.
- ALWAYS apply the standard security principle of least privilege: grant only the access required to perform a function.
- Servers are specifically prohibited from operating from uncontrolled cubicle areas.

Monitoring

- All security-related events MUST be logged and kept for the following lengths of time:
  o All security-related logs will be kept online for a minimum of 1 week
  o Daily incremental tape backups will be kept for a minimum of 1 month
  o Weekly full tape backups of logs will be kept for a minimum of 1 month
  o Monthly full backups will be kept for a minimum of 2 years
- Any security attack will be reported to the appropriate department.


Visitor and Contractors Policy

Introduction

The purpose of this document is to provide guidance for visitors to P&J buildings, and for the P&J employees who sponsor those visitors.

Scope

This policy applies to all visitors to P&J, and to all employees who sponsor visitors.

Check-In

All visitors MUST enter through the designated entrance. All visitors MUST present government-issued photo identification at check-in. All visitors MUST be met at check-in by their sponsoring employee. A visitor cannot sponsor another visitor.

Pets are not allowed; however, assistance animals such as guide dogs are allowed. In some cases this may need to be arranged in advance.

All visitors' electronic devices (laptops, other computing devices, cell phones, etc.) will be recorded at check-in and on departure, as described in the laptop, computer and related equipment check-in/check-out process.

Information Disclosure

Visitors should not be given access to information that does not belong to them or that is not related to the work being performed. Any request by a visitor for material of a confidential or otherwise inappropriate nature (business documents, customer information, financial forecasts, comments on current litigation, the future direction of products or of the business), or any request for information or for a statement in the company's name (such as a reporter or a lawyer might make), will be reported to the CSO's office and handled according to this document.

Network or System Access

Consultants and other visitors who need only Internet access may use the visitor wireless network. Access to that network is subject to its terms of use and the network usage policy. The visitor badge number printed on the back of the badge is used to verify the visitor when access is requested on the web.

Visitors who need access to the production IT network must obtain it through their sponsoring employee, who will arrange temporary credentials with the service desk. Part of this process requires the visitor to review the Acceptable Use Policy; after credentials are issued, all activity on the network is subject to the Acceptable Use Policy. Visitors are not allowed to use an employee's credentials under any circumstances.


Desktop security policy

Introduction

This desktop security policy applies to all P&J employees who have access to our computers (desktops) and the Internet. The desktop is provided for the performance of their work. Violation of this policy may result in disciplinary and/or legal proceedings, up to and including termination of employment. Employees may also be held personally liable for policy violations.

Physical security measures

Desktops MUST be secured to a desk or other appropriate anchor point. The desktop MUST also be locked. Any removable media such as USB drives, CD-ROMs, floppy disks or external hard drives should be removed unless necessary. Desktops MUST be fully turned off when employees finish their work or leave their workplace.

If employees are on breaks or lunch breaks, the desktop MUST be turned off or the user logged off.

Logical security measures

Full disk encryption MUST be used on P&J desktops wherever possible. Desktop BIOS passwords MUST be used to prevent the BIOS settings from being changed. Desktops MUST be configured so that they cannot be booted from external media (e.g. external hard drive, USB...) in normal use. Procedures and processes MUST be implemented for the provision and maintenance of anti-virus and other security software on desktops.

Other hardware security measures

DO NOT leave the desktop unattended in the office overnight.
DO NOT unplug any cable in order to take the desktop away.
DO NOT try to open the desktop or take its cover off.
DO NOT try to change any hardware in the desktop.
Report any damage to the desktop, monitor, mouse or keyboard to P&J Security.

Software security measures

DO NOT install or download software or programs from unknown sources on the Internet or from removable devices.
Games and non-company-related applications are NOT ALLOWED on P&J desktops, for example "Call of Duty", "ATB" and some video players.
Desktops should not have any unnecessary software installed.
No user is allowed to install any type of malware, such as a virus, worm or Trojan horse, on a desktop.

Other security measures

Remote Access

Remote access from a desktop to P&J systems MUST be carried out in accordance with the organisation's policies and any defined requirements for the protection or use of the P&J service(s) concerned.

Data Storage and use

Sensitive data, including personal information about individuals, stored on a P&J desktop should be kept to the minimum needed for effective business use, in order to minimise the risks and impact should a breach occur.

User training and awareness

Users of our desktops MUST be given appropriate training and instruction in the use of the desktop and its security functionality. This should include their responsibility for the security of the desktop and their obligation to comply with this policy.

Accountability

Responsibility for registered P&J desktops and for the security of their data is assigned to named individuals, and the employment status of those individuals is tracked alongside that responsibility.


Antivirus Policy

Introduction

Virus - A program that modifies certain files in order to replicate itself. Viruses may or may not have a "payload", a set of instructions that may be executed only under certain conditions, such as on a particular date each year or after a certain number of file "infections".

Trojan - Named after the Trojan horse of ancient Greek legend, these programs are installed on a system by an unsuspecting user who either thinks he or she is running some other type of program (e.g. a computer game), or installs them as a result of some other activity such as reading an attachment to an e-mail message. Once installed, such programs may allow others to access and virtually "take over" the system across the network.

Worm - A software program that is able to replicate itself, spreading from one computer to the next, and uses the network (usually e-mail) to send copies of itself to other systems.

Malware - Many malicious programs, often referred to as malware, exhibit the qualities of a virus, a worm, or a Trojan, and can show the characteristics of two or all three program types.

("Brief Introduction to Viruses, Trojans, and Worms", Information Technology Services, Oct 2010, viewed Nov 2014, <https://its.vanderbilt.edu/brief-introduction-viruses-trojans-and-worms>)

Scope

As described above, protecting devices from infection by viruses, Trojan horses, worms, malware or any other type of malicious code is very important. Protecting each individual device from malicious programs reduces the risk to the whole system and ensures a better working environment.

This policy applies to all users who connect to the P&J network.

How to protect

1. All devices MUST run trusted anti-virus software of the latest version, with the latest virus definition database, actively running, in order to join the enterprise's network. The trusted anti-virus products are:

Microsoft Security Essentials
Comodo
Kaspersky Lab
Norton by Symantec
Avast Antivirus
McAfee
Bitdefender
AVG Technologies
Avira GmbH

All supported anti-virus software is available from the corporate download site.

2. Anti-virus software MUST be configured for AUTOMATIC UPDATE and scheduled to scan the whole system at least once a week.

3. All devices MUST be configured for automatic operating system updates.

4. NEVER disable antivirus software, unless a lab test requires it in order to avoid conflicts; re-enable the antivirus software after the lab test.

5. NEVER disable the firewall.

6. NEVER download or open any attachment from an unknown email.

7. NEVER download or open any file (especially executable files) from a suspicious or untrustworthy source.

8. Uninstall any unused software from the system.

9. Completely delete all spam and junk mail without forwarding it, and empty the trash folder.

10. DO NOT share disks directly with read and write permission unless it is needed for a specific task authorised by the organisation.

11. Any removable disk MUST be fully scanned before use.

12. Regularly back up data and store the backups in a safe place.


Router and switch security

Introduction

To meet the minimum security requirements for switches and routers, a number of configuration standards must be acknowledged and applied. This is the base security configuration for all routers and switches connected to a production network or used in a production capacity at or on behalf of P&J.

Scope

All parties that use the system MUST comply with the policies the company has in place.

Configuration standards

- No local user accounts are to be configured on the router.
- Passwords for routers and switches MUST be kept in an encrypted form.
- Features that MUST be disabled:
  o IP directed broadcast
  o Incoming packets at the router/switch sourced from invalid addresses, such as RFC 1918 addresses
  o TCP small services
  o UDP small services
  o All source routing and switching
  o All web services running on the router
  o Cisco Discovery Protocol on Internet-connected interfaces
  o Telnet, FTP, and HTTP services
  o Auto-configuration
- The following services should be disabled unless justification is provided:
  o Cisco Discovery Protocol and other discovery protocols
  o Dynamic trunking
  o Scripting environments, such as the TCL shell
- Password encryption and NTP MUST be configured.
- All routing updates MUST be carried out using secure routing updates.
- All default SNMP community strings such as "public" or "private" MUST be removed.
- All routers MUST have a banner that warns unauthorised users that access to this network is prohibited.
- Dynamic routing protocols MUST use authentication in routing updates sent to neighbours.
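The configuration standards above, checked automatically against a Cisco IOS running-config, with a weak configuration beside a hardened one. This is an added example in Python and is not code from the P&J document: both configurations it contains are constructed, the IOS commands are the standard ones for each feature, and the rule that an interface whose description contains "Internet" is Internet-connected is the script's own assumption rather than the policy's.

```python
"""Router/switch configuration compliance check (added example, not from the
P&J document). Reads a Cisco IOS running-config and reports which items of the
'Router and switch security' policy it fails. Both configs below are constructed.
Treating an interface whose description contains 'Internet' as Internet-connected
is this script's assumption, not the policy's.
"""
import re

WEAK_CONFIG = """\
service tcp-small-servers
no service password-encryption
username admin privilege 15 password 0 letmein
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 ip directed-broadcast
router ospf 1
 network 10.10.0.0 0.0.255.255 area 0
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
no ip source-route
no cdp run
ntp server 10.10.0.5
banner motd ^Unauthorised access is prohibited; all activity is logged^
ip access-list extended FROM-INTERNET
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-INTERNET in
 no ip directed-broadcast
router ospf 1
 area 0 authentication message-digest
 network 10.10.0.0 0.0.255.255 area 0
snmp-server community Pj-r0ut3r-ro RO
line vty 0 4
 transport input ssh
"""

def parse_config(text):
    """Split a running-config into top-level lines and {section header: [indented lines]}."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks

def check_config(text):
    """Return (policy item, detail) for each requirement the config fails; [] means compliant."""
    top, blocks = parse_config(text)
    has = lambda pattern: any(re.match(pattern, line) for line in top)   # top-level lines only
    rules = [  # (failure condition, policy item, detail)
        (has(r"username "), "local user accounts", "username configured; use centralised authentication"),
        (not has(r"service password-encryption$"), "password encryption", "'service password-encryption' missing"),
        (has(r"service (tcp|udp)-small-servers"), "TCP/UDP small services", "small servers enabled"),
        (not has(r"no ip source-route$"), "source routing", "source-routed packets are forwarded unless 'no ip source-route' is set"),
        (has(r"ip http (secure-)?server"), "web services", "HTTP(S) server running on the router"),
        (has(r"ftp-server enable"), "FTP service", "FTP server enabled"),
        (has(r"service config"), "auto-configuration", "'service config' fetches configuration over the network at boot"),
        (not has(r"ntp server "), "NTP", "no NTP server configured"),
        (has(r"snmp-server community (public|private)\b"), "default SNMP strings", "community 'public'/'private' present"),
        (not has(r"banner (motd|login) "), "login banner", "no warning banner"),
    ]
    findings = [(item, detail) for failed, item, detail in rules if failed]
    for header, body in blocks.items():
        if header.startswith("interface "):
            internet = any("internet" in l.lower() for l in body if l.startswith("description "))
            if "ip directed-broadcast" in body:
                findings.append(("IP directed broadcast", f"{header}: enabled"))
            if internet and "no cdp enable" not in body and not has(r"no cdp run$"):
                findings.append(("CDP on Internet interface", f"{header}: CDP still running"))
            if internet and not any(l.startswith("ip access-group ") and l.endswith(" in") for l in body):
                findings.append(("RFC1918 source filtering", f"{header}: no inbound access list"))
        elif header.startswith("line vty") and any(l.startswith("transport input") and "telnet" in l for l in body):
            findings.append(("Telnet", f"{header}: allows telnet; use 'transport input ssh'"))
    dynamic = [h for h in blocks if re.match(r"router (ospf|rip|eigrp)", h)]
    auth = r"(ip ospf (authentication|message-digest-key)|area \S+ authentication|ip rip authentication|ip authentication (mode|key-chain) eigrp)"
    if dynamic and not any(re.match(auth, l) for body in blocks.values() for l in body):
        findings.append(("routing update authentication", f"{', '.join(dynamic)}: neighbours not authenticated"))
    return findings

if __name__ == "__main__":
    print(*check_config(WEAK_CONFIG), sep="\n")
```

Two limits worth knowing before relying on this: the script checks only that an Internet-facing interface has an inbound access list, it does not read the list's contents, so the RFC 1918 deny entries in the hardened configuration are what an operator must put there rather than something the check proves; and source routing and CDP are on by default in IOS and do not appear in a running-config until explicitly disabled, which is why those two rules look for the "no ..." form rather than for the feature. Dynamic trunking and the TCL shell are switch-side items that this router check leaves alone.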

New Coming Employees

Introduction

To ensure that new employees have the access they need for their jobs, they must be given an account with authorisations to access the company's systems that match their job requirements. The system administrator must log all details of the access granted.

Scope

This policy applies to all P&J managers, the IT department and the security department.

Procedures

i. Before new employees are granted their authorisations, their manager MUST provide a written access requirement checklist to the IT department.
ii. The request document must state exactly which resources and applications the new staff member needs to do the job.
iii. The network administrator(s) check the requests in the requirement document, approve them, then create the accounts and grant the authorisations to access the company's systems.
iv. The network administrator(s) MUST then DOCUMENT all details of the access granted, including: all authorisations; the date and time granted; the effective period of access; the confirming person (the joining employee's manager); the person(s) who granted the access.
v. Finally, the Network Security Department MUST provide the new employee with the company's security policies and obtain their signature on the policy acknowledgement before activating their access to the system.


Departing Employees

Introduction

When an employee is about to leave, it is uncertain who will disclose the company's business information and who will not. Therefore, it is necessary to disable all of the departing employee's electronic accounts, together with their physical keys to any enterprise resources.

Scope

This policy applies to all P&J managers, the IT department and the security department.

Procedures

i. When any employee is going to leave the company, their manager MUST write a document notifying the IT department.
ii. The document MUST contain all details of the employee, including: his/her name; employee number; job position; his/her manager/direct manager; date and time of leaving; reason for leaving.
iii. On the departing employee's last day, make sure the following actions are taken at the end of his/her working hours (18:00):
    All accounts used to connect to the system, such as the company domain, servers, network access or any other resources, are disabled.
    All company email accounts, phone numbers and cell phones are shut off.
    All physical keys of the organisation MUST be RETURNED.
    The employee's workstation is SCANNED and SEARCHED.
    The employee's signature is obtained on the Information Disclosure Commitment, ensuring that he/she will not disclose any enterprise information even after leaving the job.

Consequences for Violating Policies

Introduction

P&J treats policy violations as a high-risk matter. Therefore, any wrongful action related to the company's policies will be penalised in proportion to the violator's fault.

Scope

This applies to all members of the P&J enterprise, including managers, leaders, all staff, seasonal staff and anyone else who works with and uses the organisation's systems.

Consequences

If the fault affects the company's business, even on the first occasion, the penalty is decided by agreement of the head office group members. It could be a written warning, suspension of accounts, immediate dismissal, or legal action if the enterprise's business is seriously affected.

For a first unintentional violation of these policies that causes no serious harm to the company, a verbal warning is applied.

For a second unintentional violation that does not impact the enterprise, a written warning is applied.

On the third unintentional violation, all of the employee's accounts are suspended pending the head office's decision.

If, after the third violation, the violator has been given further chances but continues to infringe, he/she may be required to leave the job immediately or after a short period, depending on the decision of the head leader.

Note: the head leader's decision takes into account the progress of the job the violator is doing; it depends on the priority and the essential level of that job.


POLICIES ACKNOWLEDGEMENT

I understand that by signing this acknowledgement I state that I have read and understood all of the above policy documentation without any confusion.

I agree to abide by the provisions set out in these documents at all times during my placement with P&J.

Signature: _______________________________________

Printed Name: ____________________________________

Date: _________________________

REFERENCES

"Information Security Policy Templates", SANS Information Security Training | Cyber Certifications | Research, viewed November 2014, <http://www.sans.org/security-resources/policies>

"Brief Introduction to Viruses, Trojans, and Worms", Information Technology Services, Oct 2010, viewed November 2014, <https://its.vanderbilt.edu/brief-introduction-viruses-trojans-and-worms>