Develetech Security Policy
IT SECURITY POLICY
TABLE OF CONTENTS
1. POLICY STATEMENT
2. VIRUS PROTECTION
3. PHYSICAL SECURITY OF COMPUTER EQUIPMENT
3.1. DEFINITIONS
3.2. CATEGORIES OF RISK
3.3. REQUIRED PHYSICAL SECURITY
3.4. COMPUTER SUITE
4. ACCESS CONTROL
5. PHYSICAL LAN SECURITY
Develetech Industries
IT Security Policy
1. POLICY STATEMENT
It shall be the responsibility of the IT Services Department to provide adequate protection and confidentiality of all corporate data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorized members of staff, and to ensure the integrity of all data and configuration controls.

Summary of Main Security Policies
1.1. Confidentiality of all company data is to be maintained through discretionary and mandatory access controls, and wherever possible these access controls should meet with C2 class security functionality.
1.2. Internet and other external service access is restricted to authorized personnel only.
1.3. Access to data on all laptop computers and mobile devices is to be secured through encryption or other means, to provide confidentiality of company data in the event of loss or theft of company equipment.
1.4. Only authorized and licensed software may be installed, and installation may only be performed by IT Services staff.
1.5. The use of unauthorized software is prohibited. In the event of unauthorized software being discovered, it will be removed from the workstation immediately.
1.6. Data may only be transferred for purposes registered under the company's data protection registration.
1.7. All removable media from external sources must be virus checked before they are used within the company.
1.8. Passwords must consist of a mixture of at least six alphanumeric characters, must be changed every 40 days, and must be unique.
1.9. Workstation configurations may only be changed by IT Services staff.
1.10. The physical security of computer equipment will conform to the guidelines laid down by the company's insurance company.
1.11. To prevent the loss of availability of company IT resources, measures must be taken to back up data, applications, and the configurations of all workstations.
2. VIRUS PROTECTION
2.1. IT Services will have available up-to-date virus scanning software for the scanning and removal of suspected viruses.
2.2. Corporate file servers will be protected with virus scanning software.
2.3. Workstations used by users who regularly need to bring in data from outside the company will be protected by virus scanning software.
2.4. All workstations will be periodically scanned by IT Services.
2.5. No media that is brought in from outside the company is to be used until it has been scanned on a standalone machine that is used for no other purpose and not connected to the network. The scanning software on this machine will be updated regularly.
2.6. All systems will be built from original, clean master copies whose write protection has always been in place. Only original master copies will be used until virus scanning has taken place.
2.7. All media containing executable software will be write protected wherever possible.
2.8. All demonstrations by vendors will be run on their machines and not the company's.
2.9. Shareware is not to be used. If it is absolutely necessary to use shareware, it must be thoroughly scanned before use.
2.10. New commercial software will be scanned before it is installed, as it occasionally contains viruses.
2.11. All media brought into the company by field engineers or support personnel will be scanned by Computer Services before they are used on site.
2.12. To enable data to be recovered in the event of a virus outbreak, regular backups will be taken by IT Services.
2.13. Management strongly endorses the company's antivirus policies and will make the necessary resources available to implement them.
2.14. Users will be kept informed of current procedures and policies.
2.15. Users will be notified of virus incidents.
2.16. Employees will be accountable for any breaches of the company's antivirus policies.
2.17. Antivirus policies and procedures will be reviewed regularly.
2.18. In the event of a possible virus infection, the user must inform IT Services immediately. IT Services will then scan the infected machine and devices or other workstations to which the virus may have spread and eradicate it.
3.1.6. NACOSS
National Approval Company for Security Systems

The security measures detailed in Level 1 are guidelines for all COMPUTER EQUIPMENT not described below.

3.2.2. SECURITY LEVEL 2:
These guidelines apply where a single room or AREA contains PCs where the total replacement value of this hardware is LESS than $20,000 per room or AREA.

3.2.3. SECURITY LEVEL 3:
These guidelines apply where a single room or AREA contains PCs where the total replacement value of this hardware is between $20,000 and $50,000 per room or AREA.

3.2.4. SECURITY LEVEL 4:
These guidelines apply where a single room or AREA contains PCs where the total replacement value of this hardware is in excess of $50,000 per room or AREA.

3.2.5. COMPUTER SUITE:
These guidelines apply to the location or room comprising the purpose-built computer suite.
                                                                      Security Level(s)
Security marking ............................................................ 1, 2, 3, 4
Locking PC case
Computers placed away from windows .......................................... 1, 2, 3, 4
High risk situation window locks ............................................ 1, 2, 3, 4
Blinds for observable windows ............................................... 1, 2, 3, 4
All equipment > $1,500 has lockdown device (if no intruder alarm) ........... 1, 2, 3, 4
Intruder alarm installed by NACOSS company .................................. 2, 3, 4
Protection of signal transmission to Alarm Receiving Center ................. 2, 3, 4
Assessment of location of intruder alarm protection ......................... 2, 3, 4
Walk test of movement detectors ............................................. 2, 3, 4
Check that movement detectors not obscured .................................. 2, 3, 4
Anti-masking intruder alarm sensors in room or area ......................... 3, 4
Break glass alarm sensors ................................................... 3, 4
Individual alarm zoning of room or area ..................................... 3, 4
Improved protection of signal transmission to Alarm Receiving Center ........ 3, 4
Minimum room or area construction ........................................... 3, 4
Door specification for entry to room or area ................................ 3, 4
Anti-masking intruder alarm sensors in room and access routes ............... 4
Alarm shunt lock on door .................................................... 4
Visual or audio alarm confirmation .......................................... 4
Superior protection of alarm signal transmission ............................ 4
Improved room or area construction .......................................... 4
All external opening windows to have locks .................................. 4
High risk situation windows to have shutters/bars ........................... 4
3.3.1. Security Marking
All computer equipment should be prominently security marked by branding or etching with the name of the establishment and area postcode. Advisory signs informing that all property has been security marked should be prominently displayed externally. The following are considered inferior methods of security marking: text comprised solely of initials or abbreviations, marking by paint or ultraviolet ink (indelible or otherwise), or adhesive labels that do not include an etching facility.

3.3.2. Locking of PC Cases
PCs fitted with locking cases will be kept locked at all times.

3.3.3. Location of Computers
Wherever possible, COMPUTER EQUIPMENT should be kept at least 1.5 meters away from external windows in HIGH RISK SITUATIONS.

3.3.4. Opening Windows
All opening windows on external elevations in HIGH RISK SITUATIONS should be fitted with key-operated locks.

3.3.5. Blinds
All external windows to rooms containing COMPUTER EQUIPMENT at ground floor level or otherwise visible to the public should be fitted with window blinds or obscure filming.

3.3.6. Lockdown Devices
For any item of COMPUTER EQUIPMENT with a purchase price in excess of $1,500 which is not directly covered by an intruder alarm, the processing unit should have a LOCKDOWN DEVICE fitted to the workstation.
When it is impossible or undesirable to anchor hardware, such equipment can be moved to a security store or cabinet outside normal hours of occupation.

3.3.7. Intruder Alarm
An intruder alarm incorporating the following features should be installed. Installation, maintenance, and monitoring by a NACOSS listed company.

3.3.8. Protection of Signal Transmission
Unless telephone wires directly enter the protected premises underground, signaling to the Alarm Receiving Center should be by monitored direct line, British Telecom RedDirect or Redcare, or a Paknet radio signaling system.

3.3.9. Location of Intruder Alarms
Detection devices should be located within the room or AREA and elsewhere in the premises to ensure that unauthorized access to the room or AREA is not possible without detection. This should include an assessment as to whether access is possible via external elevations, doors, windows, and roof lights.

3.3.10. Walk Test
A walk test of motion detectors should be undertaken on a regular basis in order to ensure that all PCs are located within the alarm protected area. This is necessary due to the possible ongoing changes in the position of furniture, screens, and partitions, which may seriously impede the field of cover provided by existing detection devices.
For any PC which is not directly covered by an intruder alarm, the processing unit should have a LOCKDOWN DEVICE.

3.3.11. Check Detectors
Building managers should ensure, as part of their normal duties at locking up time, that internal space detectors have not been individually obscured or had their field of vision restricted.

3.3.12. Anti-Masking Intruder Alarm
Anti-masking intruder alarm movement sensors are recommended to immediately detect a movement within the room or AREA.

3.3.13. Break Glass Alarm Sensors
Break glass alarm sensors to detect forced entry through external windows of the room or AREA are recommended.

3.3.14. Alarm Zoning
The ability to zone the intruder alarm from the main control panel should be provided to enable authorized usage of other areas of the building outside normal hours, while retaining alarm detection within the room or AREA.

3.3.15. Improved Protection of Signal Transmission
Unless telephone wires directly enter the protected premises underground, signaling to the Alarm Receiving Center should be by monitored direct line, British Telecom RedDirect or Redcare, or a Paknet radio signaling system.

3.3.16. AREA Construction
Partitions separating the room or AREA from adjoining rooms and corridors should be a minimum of 100 mm solid non-lightweight blockwork or brickwork devoid of glazing or other openings except for protected doors as defined below. If glazing is essential for lighting or other purposes, it should be upgraded by being supplemented internally with 1.5 mm mesh, security shutters or bars.

3.3.17. Door Specification
All doors giving access to the room or AREA both from within and outside the building should be, as a minimum, solid timber and at least 45 mm thick, preferably unglazed. Doors should have a mortise deadlock with key registration. Door fittings should comprise three hinges, supplemented by two hinge bolts if outward opening. Inward opening doors to the room or AREA should have a London bar (a metal strip strengthening the locking post of the door frame).
Where a door is glazed as a fire requirement, and entry is either possible through the glazing (where the width or height of the glazing exceeds 200 mm in either direction) or by breaking the glazing to reach an internal release mechanism, the glazing should be supplemented internally with 1.5 mm or 7.5 mm laminated glass, retaining the wired glass for fire resistance.

3.3.18. Intruder Alarm Sensors on Access Routes
Anti-masking intruder alarm movement sensors are recommended to immediately detect a movement within the room or AREA and any internal corridors or rooms giving access to the room or AREA.

3.3.19. Alarm Shunt Lock
The alarm should have the facility for setting and unsetting within the room or AREA independently of the status of the main premises control panel via a shunt lock on the room or AREA access door. It should not be possible to set the main system if the room or AREA detection is shunted out.

3.3.20. Alarm Confirmation
Visual or audio alarm confirmation should be provided at the monitoring facility for all conventional detection within the room or AREA.

3.3.21. Superior Protection of Signal Transmission
Monitored signaling to the Alarm Receiving Center should be either by direct line or British Telecom RedDirect.

3.3.22. Improved AREA Construction
Partitions separating the room or AREA from adjoining rooms and corridors should be a minimum of 150 mm solid non-lightweight blockwork or brickwork devoid of glazing or other openings except for protected doors as defined below. Where glazing is essential for lighting or other purposes this should be protected by security shutters or bars.
Secure doors giving access to the room or AREA, from within the building, should be solid timber at least 45 mm thick and unglazed. The locking should be by two mortise deadlocks with registered keys, a microswitch being available for an alarm shunt lock. Door fittings should comprise three hinges, supplemented by two hinge bolts if outward opening doors. Inward opening doors to the room or AREA should have a London bar (a metal strip strengthening the locking post of the door frame).

3.3.23. External Windows to Have Locks
All opening windows within the perimeter of the room or AREA should be fitted with key-operated window locks.

3.3.24. HIGH RISK SITUATIONS
Where the room or AREA is classified as being in a HIGH RISK SITUATION the following additional protection should be provided.
Windows to external elevations should be fitted with security shutters or bars instead of locks.
Any door in the external elevation should be provided with a security shutter where practical. Consideration should be given to replacement of fire exit doors which cannot be secured in this fashion, and any other doors designated as fire escapes by the Fire Prevention Officer, with proprietary security doors and frames fitted with an Abloy SecurXit four-point locking bolt and an alarm vibration sensor.
4. ACCESS CONTROL
4.1. Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.
4.2. Users requiring access to systems must make a written application on the forms provided by IT Services.
4.3. Where possible no one person will have full rights to any system. IT Services will control network/server passwords, and system passwords will be assigned by the system administrator in the end user department. The system administrator will be responsible for maintaining the data integrity of the end user department's data and for determining end user access rights.
4.4. Access to the network/servers and systems will be by individual username and password.
4.5. Usernames and passwords must not be shared by users.
4.6. Usernames and passwords should not be written down.
4.7. Usernames will consist of initials and surname up to eight characters in length.
4.8. All users will have an alphanumeric password of at least six characters.
4.9. Passwords will expire every 40 days and must be unique.
4.10. Intruder detection will be implemented where possible. The user account will be locked after three incorrect attempts.
4.11. Users will be given a username and password to log in to the network/servers and another password to log in to individual systems.
4.12. IT Services will be notified of all employees leaving the company's employment.
4.13. Network/server supervisor passwords and system supervisor passwords will be stored in the fire safe in IT Services in case of an emergency.
4.14. Auditing will be implemented on all systems to record login attempts/failures, successful logins, and changes made to all systems.
4.15. Default passwords on systems such as Oracle will be changed after installation.
4.16. Access to the network/servers will be restricted to normal working hours.
All unused workstations must be switched off outside working hours.
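Rules 4.8 to 4.10 and 4.14 carry concrete parameters (six alphanumeric characters, 40-day expiry, uniqueness, lockout after three failures, audited login attempts), which makes them the part of the policy a system owner actually has to configure. The following Python script is an added illustration of how those rules fit together as enforcement logic; it is not part of the policy and not Develetech tooling. It assumes readings the policy does not spell out: "mixture of alphanumeric characters" is taken as at least one letter and one digit among six or more letters and digits, "unique" as never matching an earlier password of the same account, and the audit record of 4.14 is kept as an in-memory list. The username, timestamps and passwords in `demo()` are constructed.

```python
"""Toy enforcement of Develetech access-control rules 4.8-4.10 and 4.14.

Added illustration, not the policy's own tooling. Assumptions made here that
the policy does not spell out: "mixture of alphanumeric characters" is read
as at least one letter and at least one digit among at least six letters or
digits; "unique" is read as not matching any earlier password of the same
account; the audit log is an in-memory list of dicts.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_ALNUM = 6                 # 4.8: at least six alphanumeric characters
MAX_AGE = timedelta(days=40)  # 4.9: passwords expire every 40 days
MAX_FAILURES = 3              # 4.10: lock after three incorrect attempts


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def validate_password(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if sum(ch.isalnum() for ch in candidate) < MIN_ALNUM:
        problems.append(f"needs at least {MIN_ALNUM} alphanumeric characters")
    if not (any(ch.isalpha() for ch in candidate) and any(ch.isdigit() for ch in candidate)):
        problems.append("needs a mixture of letters and digits")
    if any(hmac.compare_digest(_digest(candidate, salt), stored) for salt, stored in history):
        problems.append("must be unique (matches an earlier password)")
    return problems


class Account:
    def __init__(self, username: str):
        self.username = username
        self.history: list[tuple[bytes, bytes]] = []   # (salt, digest), newest last
        self.password_set_at: datetime | None = None
        self.failures = 0
        self.locked = False

    def set_password(self, candidate: str, now: datetime, audit: list[dict]) -> None:
        problems = validate_password(candidate, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.history.append((salt, _digest(candidate, salt)))
        self.password_set_at = now
        self.failures = 0       # a fresh password also clears a lockout
        self.locked = False
        audit.append({"time": now, "user": self.username, "event": "password_changed"})


def login(acct: Account, candidate: str, now: datetime, audit: list[dict]) -> str:
    """Attempt a login; returns "ok", "failed", "locked" or "expired" and records it (4.14)."""
    def record(event: str) -> None:
        audit.append({"time": now, "user": acct.username, "event": event})

    if acct.locked:
        record("login_rejected_locked")
        return "locked"
    salt, stored = acct.history[-1]
    if not hmac.compare_digest(_digest(candidate, salt), stored):
        acct.failures += 1
        record("login_failure")
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            record("account_locked")
        return "failed"
    acct.failures = 0
    if now - acct.password_set_at > MAX_AGE:
        record("password_expired")   # correct password, but 4.9 forces a change first
        return "expired"
    record("login_success")
    return "ok"


def demo() -> tuple[list[str], list[dict], bool]:
    """Walk one constructed account through the rules and return what happened."""
    audit: list[dict] = []
    t0 = datetime(2024, 1, 1, 9, 0)          # constructed timestamp
    acct = Account("jsmith")                  # constructed user
    acct.set_password("abc123", t0, audit)
    results = [login(acct, "abc123", t0, audit)]                  # ok
    for bad in ("wrong1", "wrong2", "wrong3"):
        results.append(login(acct, bad, t0, audit))               # third failure locks the account
    results.append(login(acct, "abc123", t0, audit))              # locked: right password still refused
    try:
        acct.set_password("abc123", t0, audit)                    # reuse of the old password is rejected
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    acct.set_password("xyz789", t0, audit)                        # new password clears the lockout
    results.append(login(acct, "xyz789", t0 + timedelta(days=10), audit))   # ok
    results.append(login(acct, "xyz789", t0 + timedelta(days=41), audit))   # expired
    return results, audit, reuse_rejected


if __name__ == "__main__":
    res, log, rej = demo()
    print(res, "reuse rejected:", rej)
    for entry in log:
        print(entry["time"], entry["user"], entry["event"])
```

The audit list is what 4.14 asks for: every attempt, failure, lockout and password change leaves a record, so a review of the log can distinguish a user who mistyped twice from an account that was locked by repeated failures. Note that a correct password that has passed its 40-day age is refused as "expired" rather than accepted, which is the behaviour 4.9 implies but the policy does not state outright.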
Wiring
5.4. All network wiring will be fully documented.
5.5. All unused network points will be deactivated when not in use.
5.6. All network cables will be periodically scanned and readings recorded for future reference.
5.7. Users must not place or store any item on top of network cabling.
5.8. Redundant cabling schemes will be used where possible.

Monitoring Software
5.10. The use of LAN analyzer software is restricted to IT Services staff only.
5.11. LAN analyzers will be securely locked up when not in use.

Servers
5.12. All servers will be kept securely under lock and key.
5.13. Access to the system console and server disk/tape drives will be restricted to authorized IT Services staff only.

Electrical Security
5.14. All servers will be fitted with UPSs that also condition the power supply.
5.15. All hubs, bridges, repeaters, and other critical network equipment will also be fitted with UPSs.
5.16. In the event of a main power failure, the UPSs will have sufficient power to keep the network and servers running until the generator takes over.
5.17. Software will be installed on all servers to implement an orderly shutdown in the event of a total power failure.
5.18. All UPSs will be tested periodically.

(Source for policy template: Ruskwig.com)