stbc information security manual - team 4

19
STBC Information Security Manual CET4884 - Team 4 Troy Barnette Joseph Cosmano Gregory Henson Rodney Lambert Daniel Miller Gerardo Pineda Jonathan Stein

Upload: tpettyrox

Post on 10-Apr-2018


Page 1: STBC Information Security Manual - Team 4

8/8/2019 STBC Information Security Manual - Team 4

http://slidepdf.com/reader/full/stbc-information-security-manual-team-4 1/18

STBC Information Security Manual

CET4884 - Team 4

Troy Barnette

Joseph Cosmano

Gregory Henson

Rodney Lambert

Daniel Miller

Gerardo Pineda

Jonathan Stein


Table of Contents

Introduction..............................................................................................................3

Chapter 1. Program Policies......................................................................................4

1.1 Information Security Program Charter..............................................................4

1.2 Information Security Program Organization........................................................5

1.3 Information Security Audit Program...................................................................6

1.4 Incident Response and Continuity of Business.....................................................8

1.5 Information Security Awareness Program...........................................................9

Chapter 2. Issue Specific Policies.............................................................................11

2.1 Internet Use Policy........................................................................................11

2.2 Email Policy..................................................................................................12

2.3 Information Classification Policy......................................................................13

2.4 Access Control Policy.....................................................................................14

2.5 Malware Control Policy...................................................................................15

Chapter 3. System Specific Policy............................................................................18

3.1 Workstation Security Configuration..................................................................18

References..............................................................................................................19


Introduction

This document is prepared to satisfy the requirements of CET4884 (Spring 2010) at the University of Central Florida. Per direction, the formats used in developing this document are those presented in NIST Publication 800-12, Chapter 5: Computer Security Policy.

The Sydney Teddy Bear Company (STBC) is a fictional company by which the students in the course are employed. For the purposes of this group and assignment, the following personnel are employees of STBC:

Chief Security Officer: Jonathan Stein

Information Security Directors: Dan Miller, Joseph Cosmano

Information Security Managers: Troy Barnette, Rodney Lambert, Gerardo Pineda, Gregory Henson

Collaboration in the preparation of this document was done through a shared document on Google Docs. The original document is located at:

http://docs.google.com/Doc?docid=0AdLTUsgiEiQ4ZGM2a3A0bmtfMTAxaGJnYnhiZnc&hl=en


Chapter 1. Program Policies

1.1 Information Security Program Charter

Authors: Joseph Cosmano, Jonathan Stein, Daniel Miller

Information is vitally important to the success of business operations and the viability of STBC (the "Company"); therefore, the Company has an obligation to ensure that its information is protected against unauthorized disclosure, modification, or destruction.

A risk management approach will be used in establishing the Company's Information Security Program. This requires the identification, assessment, and mitigation of vulnerabilities and threats that can significantly impact STBC's information assets.

1.1.1 Purpose

The purpose of this policy is to provide guidelines for STBC employees, vendors, contractors, and visitors which are designed to maintain the confidentiality, integrity, and availability of our data and confidential customer information. The goal of this policy is to ensure that the Company operates within all of the legal guidelines and ethical standards set forth.

1.1.2 Scope

This policy includes physical, logical, and personnel security strategies that apply to all employees, vendors, contractors, and visitors of STBC.

1.1.3 Responsibilities

The Chief Information Security Officer is responsible for the content of this policy. The Director of Human Resources is responsible for disseminating the information contained in this policy as well as disciplinary actions resulting from non-compliance with the policies of the STBC Information Security Program. Together, the CSO and HR Director will arrange semiannual meetings to review and update the policy, train and educate employees on the topics covered in the policy, and perform audits to assure that all policy requirements are met.

1.1.4 Compliance

The Director of Information Technology will appoint an individual as a compliance auditor. This individual will perform monthly audits to ensure that STBC is operating in compliance with the policies of the STBC Information Security Program. Any departments or individuals found to be in breach of compliance will be reported to their appropriate supervisors and the Human Resources Department.

All STBC employees, vendors, contractors, and visitors will be held accountable by the Human Resources department to maintain compliance with this policy. Those found to be in breach of compliance will be subject to disciplinary action up to and including termination of employment or contract.


1.2 Information Security Program Organization

Authors: Rodney Lambert, Troy Barnette

1.2.1 Purpose

Effective organization and direction from upper management are essential to the success of an Information Security Program. The goal of this policy is to clearly define the organization of roles in the Company with respect to the implementation of the Information Security Program.

1.2.2 Scope

This policy includes the supervisory, logistical, and administrative roles of employees of STBC in regards to maintaining an organized Information Security Program.

1.2.3 Responsibilities

The assignment of responsibilities flows from the CEO down to STBC's employees and vendors. All users play a role in keeping information secure at the Sydney Teddy Bear Company.

• Chief Executive Officer: The CEO appoints the Information Security Officer. This person may also appoint employees to assist the Information Security Officer.

• Chief Information Security Officer: This employee is responsible for the coordination of the Information Security Program. The CISO will work throughout the facility with employees who have access to valuable information. The CISO's major objective is to utilize risk management to implement and administer a successful Information Security Program.

• Vice Presidents of Sales, Operations, Administration and area managers: This group is responsible for identifying information assets "owned" by their areas and ensuring adequate security for those assets. In addition, they will ensure that the employees in their specific areas operate within the guidelines of the Information Security Program and all associated policies.

• Information Security Team: This team is tasked with developing and implementing security controls throughout the workplace, delegating access to users, and resolving security-related conflicts. The Chief Information Security Officer is a primary member of this team.

• Computer Security Incident Response Team: This team is comprised of members of the Information Security Team. They are responsible for ensuring the effectiveness of controls implemented for safeguarding the Company's information assets, and investigating, responding to, assessing and minimizing the damage caused by information security incidents.

1.2.4 Compliance

The Chief Information Security Officer shall ensure that the requirements and responsibilities established by this policy are effectively implemented, and that such responsibilities are met by all members of the Information Security Program Organization.

1.3 Information Security Audit Program

Author: Gregory Henson


An effective Audit Program is essential to verifying the functionality of the policies and controls implemented in respect to Information Security. Audits ensure that company assets - physical or otherwise - are having the desired effect upon information security and can be changed to keep pace with new threats.

1.3.1 Purpose

This policy will provide the Company with guidelines for conducting security audits. The purpose of security audits is to assess threats and to revise the controls and policies designed to ensure information security. Audits will assess Information Security controls for compliance and adequacy in respect to established policies and procedures.

Some reasons for audits include:

• Compliance with current security policy and procedures

• Investigate possible security breaches through security logs

• Schedule penetration and vulnerability testing

1.3.2 Scope

All communication and computer equipment owned by STBC and the Company's information assets will be covered by this policy. Audits will be conducted to test effectiveness and conformity with STBC policies. At the conclusion of an audit, a detailed report will be submitted to the Chief Information Security Officer.

1.3.3 Responsibilities

All audits are the responsibility of the Chief Information Security Officer. All audit findings will be documented for concurrence and non-concurrence. Any irregularities or security issues found by the audit team will be reported to the Chief Information Security Officer. All changes to the audit policy will be reviewed by the STBC IT staff and approved by senior management.

Audit responsibilities

Information Security Directors:

• Sensitivity of data

• Encryption and Authentication

• Review of security log

• Report of findings including suggested corrective action

• Review hiring policies

• Emergency

• Data and records backup

Information Security Managers:

• Network firewalls

• Workstation anti-virus software

• Workstation password

• Open ports

• Servers

• VPN

• Patches

• Report of findings including suggested corrective action

• Physical facilities

1.3.4 Compliance

Audits are to be performed as scheduled. Any deviation from the audit schedule should be reported to the CISO. All auditors will be held to the highest level of integrity and ethical standards. Any auditor found in noncompliance with this policy will be subject to disciplinary action.


Audit Controls, Techniques and Procedures

Control activity: Sensitivity of Data
Control technique: Check security for data that is segmented by classification. Network drives, file folders and directories need to be secured per classification.
Audit procedures: Review log files. Review and assess policy and procedures.

Control activity: Encryption and Authentication
Control technique: Cryptographic systems are used for customer data, and authentication is used to verify the identity of employees.
Audit procedures: Assess the customer purchasing website for encryption. Review employee identification.

Control activity: Review of security log
Control technique: System log files will record all activity within STBC.
Audit procedures: Verify all systems are generating log files. Review log file classification.

Control activity: Review hiring policies
Control technique: Background checks will be performed on all prospective employees. Security policies will be reviewed and signed by all prospective employees.
Audit procedures: Review policy for hiring. Review employee files.

Control activity: Emergency
Control technique: An emergency plan has been documented and reviewed by personnel.
Audit procedures: Review policy. Interview personnel.

Control activity: Data and records backup
Control technique: Back up all records and data at a set time interval. Store data offsite.
Audit procedures: Review backup policy. Review federal and local requirements.

Control activity: Network firewalls
Control technique: Firewalls are to be installed to protect computer systems from outside attacks.
Audit procedures: Review firewall policy. Check firewall software for recent updates. Review log files.

Control activity: Workstation anti-virus software
Control technique: Install anti-virus software on all workstations and update the software with new virus definitions.
Audit procedures: Verify workstations for current anti-virus software and up-to-date virus definitions.

Control activity: Workstation password
Control technique: Passwords are to be unique, at least 6 characters and expire every 30 days.
Audit procedures: Review password policy. Test workstations for compliance.

Control activity: Open ports
Control technique: Close all unused ports to prevent unauthorized access to systems.
Audit procedures: Scan each workstation for open ports.

Control activity: Servers
Control technique: Servers will periodically be backed up. Servers will be installed in a climate controlled room. The server room entrance should be kept locked at all times.
Audit procedures: Verify server rooms are locked and clean of debris. Check air temperature.

Control activity: VPN
Control technique: VPN will allow personnel the ability to work offsite.
Audit procedures: Review VPN policy. Verify personnel, access credentials, and encryption methods.

Control activity: Patches
Control technique: Software patches will be installed as necessary. All patches will be approved by senior management before installation.
Audit procedures: Verify software patches are up to date.

Control activity: Reports
Control technique: A report will be written after each audit and stored for future reference.
Audit procedures: Review audit report policy.

Control activity: Physical facilities
Control technique: All employees entering STBC facilities will display an ID badge at all times. Badge readers will allow authorized employees into areas of high security. Doors leading outside will be kept locked.
Audit procedures: Review facilities security policy. Verify employees. Verify the facilities' outside perimeter.

1.4 Incident Response and Continuity of Business

Author: Gerardo Pineda

Preparedness is essential in dealing with a breach of security or natural disaster. A well prepared disaster response plan combined with a timely and effective response can determine the difference between a minor incident and a severe business impacting disaster.

1.4.1 Purpose

This policy defines the general response and reporting procedures to follow in the event of a security incident or breach. In the event of an information security breach or natural disaster that would affect the integrity or value of the company or its customers through unauthorized access or exploitation from open resources, a response will be conducted with the appropriate personnel, who will assess and handle the incident, develop a response plan and prevent further negative impact. A thorough and concise report will be created that determines the cause and impact of such incidents and addresses any vulnerabilities or flaws in the system.

1.4.2 Scope

This policy has effect upon all aspects of information security, response and documentation of incidents that may affect all levels of information systems resources owned and used by the company. Such incidents may include misuse of data, exploitation of open resources, theft of valuable data or systems, corruption of software, propagation of malware and/or any other incident that may jeopardize the availability and consistency of the Company's information systems. This policy does not include damages to systems owned by employees or any individual not employed by the company, unless the system otherwise contributed to the incident.

1.4.3 Responsibilities

All suspicious events and/or information security incidents shall be immediately reported to the Chief Information Security Officer (CISO). An immediate escalation shall be implemented in which the CISO will determine the severity of the suspicious event and/or incident in order to contain any systems or environment with security breaches that may affect the overall performance of the company. Affected systems may include those with network security breaches, malware infection, communication failure and/or any data mishandling. All suspicious events and/or incidents shall be contained and eliminated as soon as they are detected to minimize or eradicate any further propagation that may complicate or affect the availability of information systems.

A thorough and concise investigation shall be put into action that would examine evidence of the security breach. Evidence may include affected systems, log files, malicious codes/scripts, network penetration logs and any other activity that may pertain to the suspicious event and/or incident. Additionally, thorough documentation will be generated and kept on all affected systems, the environment and potential evidence such as external media (diskette, external hard drive, Zip drives, etc.) that may be recorded for future reference.

The degree of all damages shall be determined by the CISO from all collected data and he/she will then determine any further action to be taken. If the severity of the incident is of high risk such as to cause systems to be removed from the network, a managerial notification shall be required in order to address any critical action.

The CISO shall be responsible for the development of a Disaster Response Plan in collaboration with the Information Security Team. The CISO will be responsible for securing organizational approval and necessary funding, while the IST will determine technical requirements.

1.4.4 Compliance

All Incident Response personnel shall comply with the above procedures in order to ensure system and network control. Failure to comply with such procedures may result in disciplinary action up to and including termination of employment.

1.5 Information Security Awareness Program

Author: Jonathan Stein

Securing an organization's information starts with securing the front lines: the users of the organization's information systems. A successful security program can be directly tied to security awareness, so training and compliance are fundamental to achieving this goal. This policy intends to create an Information Security Awareness Program with the express goal of educating the Company's network users on what they can do to provide for Information Security, as well as teaching them to identify bad practices and threats to security.


1.5.1 Purpose

All users who are granted access to STBC information systems must be aware of the importance of protecting the Company's information assets. The purpose of the Information Security Awareness Program Policy is to provide guidelines to the Company and its employees on the development, implementation, and review of information security education programs and to foster a culture of continued learning in regards to Information Security.

1.5.2 Scope

All persons who have been granted access to STBC information systems and/or data, including full-time and part-time employees, contractors, vendors, temporary workers, and others granted access are covered by this policy.

1.5.3 Responsibilities

The Information Security (IS) department will be responsible for developing and maintaining an Information Security Awareness training program. Alternatively, a commercially available program may be purchased so long as it meets the minimum requirements set forth below.

The Human Resources (HR) department will be responsible for ensuring that all current employees, new hires, and others as determined by the scope of this policy adequately complete the training in accordance with this policy.

At a minimum, the selected education program must cover the following topics: viruses, spyware, world wide web use, information classification, best practices, worst practices, encryption, backup procedures, physical security, passwords, and social engineering techniques such as phishing.

New hires must undergo training prior to being granted access to the Company's information systems. The program must be reviewed and revised annually to reflect the latest developments in information security threats. All employees must undergo annual retraining and recertification in this program following the annual review.

In the event of a significant development in network security - such as a major threat or security incident on the Company network - special training should be developed internally and deployed to users promptly in order to address the Company's needs in response to the development. Recommendations for this requirement will come from any Chief or Director of Information Security.

Users who are found in violation of any Information Security related policy will have their network access privileges revoked until such time as they have completed a review of the training program established by this policy as directed by the Director of Human Resources.

1.5.4 Compliance

All managers are responsible for supervising their subordinates' use of STBC information systems. Users who do not satisfy the requirements of this policy will have their network access privileges revoked, and may be subject to disciplinary actions up to and including termination of employment or contract.


found in violation of the policy will be subject to disciplinary action up to and including termination and possible legal action.

2.1.6 Points of Contact and Supplementary Information

Any issues regarding the statutes of this policy may be referred to the Director of Information Security. Issues of non-compliance should be referred to the Director of Human Resources.

2.2 Email Policy

Author: Daniel Miller

2.2.1 Issue Statement

Email is possibly the most often used means of communication in business today. It is essential that email systems are constantly available, secure, and capable of handling the communications needs of the entire company.

However, email introduces several caveats which must be addressed. It is well known that email may often appear impersonal, and subtleties such as intonation and meaning may be lost or misconstrued by the recipient of a message. In addition, email can be a primary threat vector for the introduction of viruses and malware and the unauthorized disclosure of sensitive information.

2.2.2 Statement of the Organization's Position

Much of the communication within STBC is through email. As such, it is very important that we maintain a high level of quality and professionalism within those communications. In addition to ensuring professionalism, the company must also ensure the availability of email systems and prevent exposure to security threats.

2.2.3 Applicability

This policy applies to all personnel who have an email account with STBC.

2.2.4 Roles and Responsibilities

The Chief Information Security Officer shall be responsible for the enforcement of this policy.

The Director of Information Technology shall establish maximum attachment size limits, file-extension blacklists, mailbox quotas, spam filters, and other necessary restrictions following a thorough review of email needs and habits in the company. These restrictions shall be reviewed on a semi-annual basis, or at the request of any Director or Chief of the Company.

2.2.5 Compliance

STBC reserves the right to monitor all email communications. This is to ensure the quality of service to clients, vendors, and business partners. This will also ensure that all communications are business related and free of impropriety. STBC-provided email accounts are for business use only.

The Department of Information Technology shall implement and enforce all controls and restrictions established by the Director of IT.


Sending or forwarding emails with pornography or discriminatory content will be treated as harassment and will be dealt with accordingly.

Any violation of this policy will be directed to the Chief Information Security Officer. The infractions of the employee will be documented and recorded in the employee's personnel file.

2.2.6 Points of Contact and Supplementary Information

Any questions or issues with these policies are to be directed to the office of the Chief Information Security Officer.

Employees may reference the following website for information on email writing: Writing Effective Email, http://jerz.setonhill.edu/writing/e-text/e-mail.htm

2.3 Information Classification Policy

Author: Gregory Henson

2.3.1 Issue Statement

All employees at STBC have a responsibility to protect information from destruction or unauthorized access. The disclosure of sensitive data can cause damages to the company, and as such, data classification can aid in ensuring that such data is properly marked in order to adequately protect it.

2.3.2 Statement of the Organization’s Position

STBC has the obligation to protect its customers and employees, and the implementation of an information classification scheme will help to fulfill this. STBC will comply with local and federal regulation as it pertains to the classification of information.

2.3.3 Applicability

All data - on paper copy or electronic media - will be covered by this policy. All personnel granted access to classified information shall be required to have a signed non-disclosure agreement in their personnel file.

2.3.4 Roles and Responsibilities

A senior manager who is considered the "owner" of a piece of information, or its "stakeholder", is solely responsible for classifying such information. Written authorization from the stakeholder must be obtained in order to change a classification.

All employees are responsible for safeguarding information protected under a classification level.

The Human Resources Department shall be responsible for conducting background checks to identify any personnel who may not warrant clearance to classified information.

2.3.5 Compliance

All information used, created or owned by STBC should be classified into the following categories:

• Unclassified Public: Data that is not critical or confidential to the company, employees or customers. Examples of unclassified public data would include but are not limited to product brochures, newsletters and public web site information.


• Proprietary: Data that is regulated by management. Examples of proprietary data would include but are not limited to security and financial information and operating procedures.

• Customer Confidential: Data that contains customer information and is regarded as having the highest level of confidentiality and integrity. This information is considered critical to the company and its customers. The company must comply with all local, state and federal regulations. Examples of customer confidential data would include but are not limited to customer credit card numbers, bank data, phone numbers and street addresses.

• Company Confidential: Data that contains company information and is regarded as having the highest level of confidentiality and integrity. The company must comply with all local, state and federal regulations. Examples of company confidential data would include but are not limited to employee information, contracts and accounting information.

Any violation of this policy will be directed to senior management for investigation. All infractions will warrant an audit of this policy. An incident report will be generated for future records. Any employee found in violation of the policy will be subject to disciplinary action up to and including termination and possible legal action.

2.3.6 Points of Contact and Supplementary Information

Information Security issues or questions should be directed to the office of the Chief Information Security Officer. Policy compliance questions should be directed to the Human Resources office.

2.4 Access Control Policy

Author: Gerardo Pineda

2.4.1 Issue Statement

Strict access controls that maintain availability of data are an important requirement of securing information. It is vital to guarantee information and resources are properly protected against illicit access and improper alteration that may cause harm or jeopardize the integrity and value of the company. The goal of the access control policy is to ensure that data is available to authorized personnel at any time they may need it without limitation to their geographical or logical location.

2.4.2 Statement of the Organization's Position

All access to classified information shall be limited to personnel with appropriate credentials. Unique user identification shall be given to all system users by the Chief Information Security Officer (CISO) to ensure access to sensitive information on a need-to-know basis.

2.4.3 Applicability

This policy applies to all employees, vendors and contractors of STBC who are granted access to the Company's information assets, with special consideration for access to classified information.

2.4.4 Roles and Responsibilities

The Chief Information Security Officer (CISO) shall be required to maintain and submit account activation and/or termination requests. In addition, the CISO shall establish procedures for responding to the event of unauthorized access to confidential information whose disclosure would jeopardize the company’s value or its customers’ privacy.

The Department of Information Technology shall be responsible for network-, systems-, and application-level implementation of access controls.

The Department of Human Resources shall be responsible for distributing identification badges and keys to all employees for physical security needs.

The Department of Operations shall be responsible for maintaining locks on doors to restricted areas, maintaining ID-badge reading systems, and maintaining surveillance systems.

2.4.5 Compliance

Each person will be responsible for the confidentiality of their access credentials. Users are not to share or otherwise make known to others any information about their unique user ID, passwords, or other credentials that would allow others to access confidential, restricted and unclassified material. Additionally, the CISO shall ensure users are aware of what information they have or do not have access to.

All users shall be responsible for locking or logging off when they leave their system unattended. Such practice will increase system security. Systems shall be deployed with an automatic inactivity lock that protects unattended systems from being used by unauthorized personnel to obtain information.

All employees must display ID badges when on company property, and keys to secured areas shall be assigned only to essential personnel.

In the event of an unauthorized access incident, a report shall be given to the CISO for thorough examination. The CISO will then direct the implementation of measures to prevent future incidents.

Failure to comply with this policy will be referred to senior management for disciplinary action. Any unauthorized disclosure of classified information will result in termination of employment and/or possible legal action.

2.4.6 Points of Contact and Supplementary Information

Questions about this policy, as well as access requests in regards to protected information, may be directed to the office of the Chief Information Security Officer.

2.5 Malware Control Policy

Author: Rodney Lambert

2.5.1 Issue Statement

Malware is malicious code which may infect a computer and introduce a security threat such as a "keylogger" or "backdoor". There are many kinds of malware, including viruses, trojans, worms, and adware. They have the potential to expose the company's sensitive information to the outside world and hamper the performance and functionality of the computer network.

By keeping our computers free of malware, we add value to the overall goal and mission of the STBC organization.


2.5.2 Statement of the Organization's Position

The Company must protect information systems against malware. The primary goal is to ensure the security of our information, employees and customers and to gain a high performance from the network. Management would like to ensure all employees can reliably and securely access their workstations and information at all times.

2.5.3 Applicability

This policy applies to all physical assets attached to the STBC network, whether on-site or remotely connected. It also applies to company property or any property an STBC employee may own.

All employees, vendors, and contractors will be responsible for compliance with this policy.

2.5.4 Roles and Responsibilities

The Director of Information Security shall ensure that all computer workstations, servers, and other hardware are configured in compliance with this policy. All employees are otherwise responsible for informing the Computer Security Incident Response Team of any suspicious processes or behaviors encountered on their workstation.

2.5.5 Compliance

No employee is to disable, alter, reconfigure, or otherwise tamper with any software or other product intended to detect malware installed on their workstation or on the network.

The company will install a mainstream antivirus/antimalware software and software firewall on all workstations and servers to ensure our computers are running at optimal speeds.

Additional measures, such as a hardware filter, may be implemented at the direction of the CISO.

The Information Technology Department will block web sites that may contain malware which could harm our computers.

The company will provide at no cost to all employees antivirus/antimalware software to protect their home computers and/or portable computers which may be used for STBC business. The software chosen may be the same as used internally by the company, or a different product may be chosen, so long as it provides highly reliable antivirus and antimalware protection and regular updates at no cost to the employee. Vendors and contractors will not be provided with the software.

Anyone found disseminating malicious code, intentionally or otherwise, will be dealt with severely. The Director of Human Resources is responsible for disciplinary action arising from violations of this policy. Depending on the severity of the offense, a written warning may be issued and documented in the employee's personnel file. The second offense will result in termination and possible legal action. Contractors or vendors found in violation of this policy may be subject to termination of contract and/or possible legal action.

2.5.6 Points of Contact and Supplementary Information

Questions or issues regarding this policy should be directed to the Director of Information Security. Employees may obtain copies of free antivirus software from the office of the Director of Information Security.


Chapter 3. System Specific Policy

3.1 Workstation Security Configuration

Author: Joseph Cosmano

3.1.1 Security Objectives

In conjunction with our overall security policy, our system specific policy is designed to ensure the confidentiality, integrity, and availability of STBC data. Specifically, the security objective can be further defined as providing privileged users with the resources needed to efficiently perform their job duties while minimizing the risk of a security breach or negative impact to STBC or its customers. The implementation of system specific security measures should be prioritized based on constraints to ensure that the overall security objectives meet or exceed management's expectations.

3.1.2 Operational Security Rules

• Physical access to workstations is limited to authorized personnel only.

• Use of workstations is only for sanctioned business functions.

• Workstation operating systems must be kept up to date by applying vendor-supplied patches on regular intervals. "Zero Day" exploits will be handled as quickly as possible.

• Workstations are required to be password protected and configured to automatically lock after 5 minutes of inactivity.

• Passwords must be of sufficient strength, which is defined as using at least 10 alphanumeric and special characters of varying case that do not match dictionary words.

• The maximum acceptable password age is 30 days. After 30 days users must be required to change their password to a unique password not used in at least 5 cycles of age expiration.

• Workspaces must be kept clean and clear of sensitive information.

• Food and drinks are not permitted near workspaces.

• Anti-Virus software will be installed and kept up to date on all workstations.

• No hardware or software will be installed onto the workstations by non-IT staff.

• Any portable workstations must use full disk encryption.
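As an added example that is not part of the manual, the following Python encodes the password rules above (10-character minimum, mixed case, digits and special characters, no dictionary word, no reuse within the last 5 cycles) as a checker that an account-provisioning script could call before accepting a new password. The word list and the stored history are constructed sample data, and storing history as salted PBKDF2 hashes is an assumption of this example, not something the policy specifies.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 10       # policy: at least 10 characters
HISTORY_DEPTH = 5     # policy: no reuse within the last 5 expiration cycles

# Constructed stand-in for a real word list (sample data, not STBC's).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "company", "letmein"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so old passwords can be compared without storing plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password, history, dictionary=SAMPLE_DICTIONARY):
    """Return the policy violations for a candidate; an empty list means compliant.

    history is a list of (salt, hash) pairs for previous passwords, newest first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("must mix upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("must contain a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("must contain a special character")
    # Compare only the letters so "Password1!" is still caught as "password".
    letters = "".join(c for c in password.lower() if c.isalpha())
    if letters in dictionary:
        problems.append("matches a dictionary word")
    for salt, old_hash in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(password, salt), old_hash):
            problems.append(f"reused within the last {HISTORY_DEPTH} cycles")
            break
    return problems


def remember(password, history):
    """Record an accepted password, keeping only the last HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    return [(salt, hash_password(password, salt))] + history[:HISTORY_DEPTH - 1]
```

A caller accepts the password only when `check_password` returns an empty list, then calls `remember` to roll the history forward.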

3.1.3 Policy Implementation

STBC will implement both technical and non-technical controls to ensure that operational security policy is enforced. Hardware devices in combination with software will be used to enforce and audit policy compliance. Despite the best efforts to implement policy that will meet our security needs while sufficiently protecting our assets, the dynamic nature of business may require special cases where operation outside of normal policy may be required. Departmental managers will bring these scenarios to the attention of the IT Director, who can authorize such changes to be made.
