Information Technology Cyber Security Policy (Insert Name of Organization)

SAMPLE TEMPLATE

Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please feel free to change any portion of this document to meet your specific needs. The information provided is just one example and should not preclude any

Version Date Page 0

(Insert Date)

(NAME OF ORGANIZATION HERE) POLICY MANUAL

Subject: CYBER SECURITY POLICY
Approved: (Signature Line)
Effective Date: (Insert Date)
1 DEFINITION

The use of the term "company" is in reference to the following organization: (Insert Organization Name).

2 INTRODUCTION

This Cyber Security Policy is a formal set of rules by which those people who are given access to company technology and information assets must abide. The Cyber Security Policy serves several purposes. The main purpose is to inform company users (employees, contractors and other authorized users) of their obligatory requirements for protecting the technology and information assets of the company. The Cyber Security Policy describes the technology and information assets that we must protect and identifies many of the threats to those assets. The Cyber Security Policy also describes the user's responsibilities and privileges. What is considered acceptable use? What are the rules regarding Internet access? The policy answers these questions, describes user limitations and informs users that there will be penalties for violation of the policy. This document also contains procedures for responding to incidents that threaten the security of the company computer systems and network.
3 WHAT ARE WE PROTECTING

It is the obligation of all users of the company systems to protect the technology and information assets of the company. This information must be protected from unauthorized access, theft and destruction. The technology and information assets of the company are made up of the following components:

• Computer hardware: CPU, disc, Email, Web, application servers, IP systems, application software, system software, etc.
• System Software including: operating systems, database management systems, backup and restore software, communications protocols, and so forth.
• Application Software: used by the various departments within the company. This includes custom written software applications and commercial off the shelf software packages.
• Communications Network hardware and software including: routers, routing tables, hubs, modems, multiplexers, switches, firewalls, private lines, and associated network management software and tools.
3.1 Classification of Information

User information found in computer system files and databases shall be classified as either confidential or non-confidential. The company shall classify the information controlled by them. The (company designee) is required to review and approve the classification of the information and determine the appropriate level of security to best protect it. Furthermore, the (company designee) shall classify information controlled by units not administered by a (company designee).
3.2 Classification of Computer Systems

Security Level: RED
Description: This system contains confidential information - information that cannot be revealed to personnel outside of the company. Even within the company, access to this information is provided on a "need to know" basis. The system provides mission-critical services vital to the operation of the business. Failure of this system may have life threatening consequences and
Example: Server containing confidential data and other department information on databases. Network routers and firewalls containing confidential routing tables and security information.

Security Level: GREEN
Example: User department PCs used to access Server and application(s). Management workstations used by systems and network administrators. A test system used by system designers and programmers to develop new computer systems.

Security Level: WHITE
Description: ... accessible. It is isolated from RED or GREEN systems by a firewall. While it performs important services, it does not contain confidential information.
Example: A public Web server with non-sensitive information.

Security Level: BLACK
3.3 Local Area Network (LAN) Classifications

A LAN will be classified by the systems directly connected to it. For example, if a LAN contains just one RED system, all network users will be subject to the same restrictions as RED system users. A LAN will assume the Security Classification of the highest level system attached to it.
4 DEFINITIONS

Externally accessible to public: The system may be accessed via the Internet by persons outside of the company without a logon id or password. The system may be accessed via dial-up connection without providing a logon id or password. It is possible to "ping" the system from the Internet. The system may or may not be behind a firewall. A public Web Server is an example of this type of system.

Non-Public, Externally accessible: Users of the system must have a valid logon id and password. The system must have at least one level of firewall protection between its network and the Internet. The system may be accessed via the Internet or the private Intranet. A private FTP server used to exchange files with business partners is an example of this type of system.

Internally accessible only: Users of the system must have a valid logon id and password. The system must have at least two levels of firewall protection between its network and the Internet. The system is not visible to Internet users. It may have a private Internet (non-translated) address and it does not respond to a "ping" from the Internet. A private intranet Web Server is an example of this type of system.

Chief Information Officer: The Director of the Department of Information Technology (IT) shall serve as the Chief Information Officer.

Security Administrator: An employee of IT shall be designated as the Security Administrator for the company.
5 Threats to Security

5.1 Employees

One of the biggest security threats is employees. They may do damage to your systems either through incompetence or on purpose. You have to layer your security to compensate for that as well. You mitigate this by doing the following:

• Only give out appropriate rights to systems.
• Limit access to only business hours.
• Don't share accounts to access systems.
• Never share your login information with co-workers.
• When employees are separated or disciplined, remove or limit their access to systems.
• Advanced - Keep detailed system logs on all computer activity.
• Physically secure computer assets, so that only staff with appropriate need can access them.
5.2 Amateur Hackers and Vandals

These people are the most common type of attackers on the Internet. The probability of attack is extremely high and there is also likely to be a large number of attacks. These are usually crimes of opportunity. These amateur hackers are scanning the Internet and looking for well known security holes that have not been plugged. Web servers and electronic mail are their favorite targets. Once they find a weakness they will exploit it to plant viruses, Trojan horses, or use the resources of your system for their own means. If they do not find an obvious weakness they are likely to move on to an easier target.

5.3 Criminal Hackers and Saboteurs

The probability of this type of attack is low, but not entirely unlikely given the amount of sensitive information contained in databases. The skill of these attackers is medium to high as they are likely to be trained in the use of the latest hacker tools. The attacks are well planned and are based on any weaknesses discovered that will allow a foothold into the network.
6 User Responsibilities

This section establishes usage policy for the computer systems, networks and information resources of the office. It pertains to all employees and contractors who use the computer systems, networks, and information resources as business partners, and individuals who are granted access to the network for the business purposes of the company.

6.1 Acceptable Use

User accounts on company computer systems are to be used only for business of the company and not to be used for personal activities. Unauthorized use of the system may be in violation of the law, constitutes theft and can be punishable by law. Therefore, unauthorized use of the company computing system and facilities may constitute grounds for either civil or criminal prosecution. Users are personally responsible for protecting all confidential information used and

Users shall not purposely engage in activity with the intent to: harass other users; degrade the performance of the system; divert system resources to their own use; or gain access to company systems for which they do not have authorization. Users shall not attach unauthorized devices on their PCs or workstations, unless they have received specific authorization from the employees' manager and

6.2 Use of the Internet

The company will provide Internet access to employees and contractors who are connected to the internal network and who have a business need for this access. Employees and contractors must obtain permission from their supervisor and file a request with the Security Administrator. The Internet is a business tool for the company. It is to be used for business-related purposes such as: communicating via electronic mail with suppliers and business partners, and obtaining useful business information on relevant technical and business topics. The Internet service may not be used for transmitting, retrieving or storing any communications of a discriminatory or harassing nature or which are derogatory to any individual or group, obscene or pornographic, or defamatory or threatening in nature, for "chain letters", or for any other purpose which is illegal or for personal gain.

6.3 User Classification

All users are expected to have knowledge of these security policies and are required to report violations to the Security Administrator. Furthermore, all users must conform to the Acceptable Use Policy defined in this document. The company has established the following user groups and defined the access privileges and responsibilities:
User Category: Department Users (Employees)
Privileges & Responsibilities: Access to applications and databases as required for job function. (RED and ... a "need to know" basis only.)

User Category: System Administrators
Privileges & Responsibilities: Highest level of security clearance. Allowed access to all computer systems, databases, firewalls, and network devices as required for job function.

User Category: Security Administrator
Privileges & Responsibilities: Access to applications and databases as required for specific job function. Not authorized to access routers, firewalls, or other network devices.

User Category: Systems Analyst
Privileges & Responsibilities: Access to applications and databases as required for specific job functions. Access to routers and firewall only if required for job function. Knowledge of security policies.

User Category: Contractors/Consultants
Privileges & Responsibilities: Access to company information and systems must be approved in writing by the company director/CEO.

User Category: Other Agencies and Business Partners
Privileges & Responsibilities: Access allowed to selected applications only when contract or inter-agency access agreement is in place or required by applicable laws.

User Category: General Public
Privileges & Responsibilities: Access is limited to applications running on public Web servers. The general public will not be allowed to access confidential information.
6.4 Monitoring Use of Computer Systems

The company has the right and capability to monitor electronic information created and

However, users of the systems should be aware that the company may monitor usage, including, but not limited to, patterns of usage of the Internet (e.g. sites accessed, on-line length, time of day of access), and employees' electronic files and messages to the extent necessary to ensure that the Internet and other electronic communications are being used in compliance with the law and with company policy.
7 Access Control

A fundamental component of our Cyber Security Policy is controlling access to the critical information resources that require protection from unauthorized disclosure or modification. The fundamental meaning of access control is that permissions are assigned to individuals or systems that are authorized to access specific resources. Access controls exist at various layers of the system, including the network. Access control is implemented by logon ID and password. At the application and database level, other access control methods can be implemented to further restrict access. The application and database systems can limit the number of applications and databases available to users based on their job requirements.
7.1 User System and Network Access - Normal User Identification

All users will be required to have a unique logon ID and password for access to systems. The user's password should be kept confidential and MUST NOT be shared with management / supervisory personnel and

• Password must not be found in any English or foreign dictionary. That is, do not use any common name, noun, verb, adverb, or adjective. These can be easily cracked using standard "hacker tools".
• Passwords should not be posted on or near computer terminals or otherwise be readily accessible in the area of the terminal.
• Password must be changed every (# of days).
• User accounts will be frozen after (# of days) failed logon attempts.
• Logon IDs and passwords will be suspended after (# of days) days without use.

Users are not allowed to access password files on any network infrastructure component. Password files on servers will be monitored for access by unauthorized users. Copying, reading, deleting or modifying a password file on any computer system is prohibited. Users will not be allowed to logon as a System Administrator. Users who need this level of access to production systems must request a Special Access account as outlined elsewhere in this document. Employee Logon IDs and passwords will be deactivated as soon as possible if the employee is terminated, fired, suspended, placed on leave, or otherwise leaves the employment of the company office. Supervisors / Managers shall immediately and directly contact the company IT Manager to report any change in employee status that requires terminating or modifying employee logon access privileges. Employees who forget their password must call the IT department to get a new password assigned to their account. The employee must identify himself

Employees will be responsible for all transactions occurring during Logon sessions initiated by use of the employee's password and ID. Employees shall not logon to a computer and then allow another individual to use the computer or otherwise share access to the computer systems.
7.2 System Administrator Access

System Administrators, network administrators, and security administrators will have (type of access) access to host systems, routers, hubs, and firewalls as required to fulfill the duties of their job. All system administrator passwords will be DELETED immediately after any employee who has access to such passwords is terminated, fired, or otherwise leaves the employment of the company.

7.3 Special Access

Special access accounts are provided to individuals requiring temporary system administrator privileges in order to perform their job. These accounts are monitored by the company and require the permission of the user's company IT Manager. Monitoring of the special access accounts is done by entering the users into a specific area and periodically generating reports to management. The reports will show who currently has a special access account, for what reason, and when it will expire. Special accounts will expire in (# of) days and will not be automatically renewed without written permission.
7.4 Connecting to Third-Party Networks

This policy is established to ensure a secure method of connectivity provided between the company and all third-party companies and other entities required to electronically exchange information with company. "Third-party" refers to vendors, consultants and business partners doing business with company, and other partners that have a need to exchange information with the company. Third-party network connections are to be used only by the employees of the third-party, only for the business purposes of the company. The third-party company will ensure that only authorized users will be allowed to access information on the company network. The third-party will not allow Internet traffic or other private network traffic to flow into the network. A third-party network connection is defined as one of the following connectivity options:

•

A network connection will terminate on a (to be specified) and the third-party will be subject to standard company authentication rules.

This policy applies to all third-party connection requests and any existing third-party connections. In cases where the existing third-party network connections do not meet the requirements outlined in this document, they will be re-designed as needed.

All requests for third-party connections must be made by submitting a written request and be approved by the company.
7.5 Connecting Devices to the Network

Only authorized devices may be connected to the company network(s). Authorized devices include PCs and workstations owned by company that comply with the configuration guidelines of the company. Other authorized devices include network infrastructure devices used for network management and monitoring. Users shall not attach to the network: non-company computers that are not authorized, owned and

7.6 Remote Access

Only authorized persons may remotely access the company network. Remote access is provided to those employees, contractors and business partners of the company that have a legitimate business need to exchange information, copy files or programs, or access computer applications. Authorized connection can be remote PC to the network or a remote network to company network connection. The only acceptable method of remotely connecting into the internal network is using a secure ID.

7.7 Unauthorized Remote Access

The attachment of (e.g. hubs) to a user's PC or workstation that is connected to the company LAN is not allowed without the written permission of the company. Additionally, users may not install personal software designed to provide remote control of the PC or workstation. This type of remote access bypasses the authorized highly secure methods of remote access and poses a threat to the security of the entire network.
8 Penalty for Security Violation

The company takes the issue of security seriously. Those people who use the technology and information resources of company must be aware that they can be disciplined if they violate this policy. Upon violation of this policy, an employee of company may be subject to discipline up to and including discharge. The specific discipline imposed will be determined on a case-by-case basis, taking into consideration the nature and severity of the violation of the Cyber Security Policy, prior violations of the policy committed by the individual, state and federal laws and all other relevant information. Discipline which may be taken against an employee shall be administered in accordance with any appropriate rules or policies and the company Policy Manual.

In a case where the accused person is not an employee of company the matter shall be submitted to the (company designee). The (company designee) may refer the information to law enforcement agencies and
9 Security Incident Handling Procedures

This section provides some policy guidelines and procedures for handling security incidents. The term "security incident" is defined as any irregular or adverse event that threatens the security, integrity, or availability of the information resources on any part of the company network. Some examples of security incidents are:

• Illegal access of a company computer system. For example, a hacker logs onto a production server and copies the password file.
• Damage to a company computer system or network caused by illegal access. Releasing a virus or worm would be an example.
• Denial of service attack against a company web server. For example, a hacker initiates a flood of packets against a Web server designed to cause the system to crash.
• Malicious use of system resources to launch an attack against other computers outside of the company network. For example, the system administrator notices a connection to an unknown network and a strange process accumulating a lot of server time.

Employees who believe their terminal or computer systems have been subjected to a security incident, or have otherwise been improperly accessed or used, should report the situation to their (company designee) immediately. The employee shall not turn off the computer or delete suspicious files. Leaving the computer in the condition it was in when the security incident was discovered will assist in identifying the source of the problem and in determining the steps that should be taken to remedy the problem.