IT Security Policy
"It shall be the responsibility of the I.T. Department to
provide adequate protection and confidentiality of all
corporate data and proprietary software systems, whether held
centrally, on local storage media, or remotely, to ensure the
continued availability of data and programs to all authorised
members of staff, and to ensure the integrity of all data and
configuration controls."
Summary of Main Security Policies
1.1. Confidentiality of all data is to be maintained through
discretionary and mandatory access controls.
1.2. Internet and other external service access is
restricted to authorised personnel only.
1.3. Access to the private network is only authorised with
devices supplied and configured by the company.
1.4. Only authorised and licensed software may be installed,
and installation may only be performed by I.T. Department
staff.
1.5. The use of unauthorised software is prohibited. In the
event of unauthorised software being discovered it will be
removed from the device immediately.
1.6. Data may only be transferred for the purposes
determined in the Organisation's data-protection policy.
1.7. All diskette drives and removable media from external
sources must be virus checked before they are used within the
Organisation.
1.8. Passwords must consist of a mixture of at least 8
alphanumeric characters, and must be changed every 30 days and
must be unique.
1.9. Device configurations may only be changed by I.T.
Department staff.
1.10. The physical security of computer equipment will
conform to recognised loss prevention guidelines.
1.11. To prevent the loss of availability of I.T. resources
the I.T. Department will take measures to back up data,
applications and the configurations of all devices.
1.12. A Disaster Recovery plan will be developed and kept up
to date.
2.1. The I.T. Department will have available up to date
virus scanning software for the scanning and removal of
suspected viruses.
2.2. Corporate file-servers will be protected with virus
scanning software.
2.3. All relevant client devices will be protected by virus
scanning software.
2.4. All device and server anti-virus software will be
regularly updated with the latest anti-virus patches by the
I.T. Department.
2.5. No disk or storage device that is brought in from
outside the Organisation is to be used until it has been
scanned and use has been authorised by the I.T. Department.
2.6. All systems will be built from original, clean master
copies whose write protection has always been in place. Only
original master copies will be used until virus scanning has
taken place.
2.7. All removable media containing executable software
(software with .EXE and .COM extensions) will be write
protected wherever possible.
2.8. All demonstrations by vendors will be run on their
machines and not the Organisation's.
2.9. Shareware is not to be used, as shareware is one of the
most common infection sources. If it is absolutely necessary to
use shareware the express permission and guidance of the I.T.
Department must be sought.
2.10. New commercial software will be scanned before it is
installed as it occasionally contains viruses.
2.11. All removable media brought in to the Organisation by
field engineers or support personnel must be scanned by the IT
Department before they are used on site.
2.12. To enable data to be recovered in the event of a virus
outbreak regular backups will be taken by the I.T.
Department.
2.13. Management strongly endorse the Organisation's
anti-virus policies and will make the necessary resources
available to implement them.
2.14. Users will be kept informed of current procedures and
policies.
2.15. Users will be notified of virus incidents.
2.16. Employees will be accountable for any breaches of the
Organisation's anti-virus policies.
2.17. Anti-virus policies and procedures will be reviewed
regularly.
2.18. In the event of a possible virus infection the user
must inform the I.T. Department immediately. The I.T.
Department will then scan the infected device and any removable
media or other workstations to which the virus may have spread
and eradicate it.
3.1. The computer suite should be housed in a purpose built
room.
3.2. Partitions should separate the room or AREA from
adjoining rooms and corridors. If located on the ground floor,
the room should have doors as defined below and glazing should
be protected by bars.
3.3. Secure doors giving access to the room or AREA, from
within the building, should be solid timber at least 45mm
thick. The locking should be by 2 mortise deadlocks with
registered keys. Door fittings should comprise 3 hinges.
3.4. The computer suite should contain an adequate air
conditioning system to provide a stable operating environment
to reduce the risk of system crashes due to component
failure.
3.5. No water, rain water or drainage pipes should run
within or above the computer suite to reduce the risk of
flooding.
3.6. The floor within the computer suite should be a raised
false floor to allow computer cables to run beneath the floor
and reduce the risk of damage to computer equipment in the case
of flooding.
3.7. Power points should be raised from the floor to allow
the smooth shutdown of computer systems in case of
flooding.
3.8. Where possible UPS or generator power should be
provided to the computer suite to help protect the computer
systems in the case of a mains power failure.
3.9. Access to the computer suite is restricted to IT
Department staff.
3.10. All contractors working within the computer suite are
to be supervised at all times and the IT Department is to be
notified of their presence and provided with details of all
work to be carried out, at least 48 hours in advance of its
commencement.
3.11. All equipment in the computer suite should be
protected by CO2 fire prevention.
4.1. Users will only be given sufficient rights to all
systems to enable them to perform their job function. User
rights will be kept to a minimum at all times.
4.2. Users requiring access to systems must make an
application to the I.T. Support Department.
4.3. Where possible no one person will have full rights to
any system. The I.T. Department will control network/server
passwords and system passwords will be assigned by the system
administrator in the IT department.
4.4. The system administrator will be responsible for
maintaining the integrity of all departments' data and
for determining end-user access rights.
4.5. Access to the network/servers and systems will be by
individual username and password.
4.6. Usernames and passwords must not be shared by
users.
4.7. Usernames and passwords should not be written down.
4.8. Usernames will consist of initials and/or name.
4.9. All users will have an alphanumeric password of at
least 8 characters.
4.10. Passwords will expire every 30 days and must be
unique.
4.11. Intruder detection will be implemented where possible.
The user account will be locked after 3 incorrect attempts.
4.12. The I.T. Department will be notified of all employees
leaving the Organisation's employment. The I.T. Department will
then remove the employees' rights to all systems.
4.13. Network/server supervisor passwords and system
supervisor passwords will be stored in a secure location in
case of an emergency or disaster, for example a fire safe in
the I.T. Department.
4.14. Auditing will be implemented on all systems to record
login attempts/failures, successful logins and changes made to
all systems.
4.15. I.T. Department staff will not log in as root on
UNIX and Linux systems, but will use the su command to obtain root
privileges.
4.16. Use of the admin username on Novell systems and the
Administrator username on Windows is to be kept to a
minimum.
4.17. Default passwords on systems such as Oracle and
SQLServer will be changed after installation.
4.18. On UNIX and Linux systems, rights to rlogin, ftp,
telnet, ssh will be restricted to I.T. Department staff
only.
4.19. Where possible users will not be given access to the
UNIX or Linux shell prompt.
4.20. File systems will have the maximum security
implemented that is possible. Where possible users will only be
given Read and Filescan rights to directories, files will be
flagged as read only to prevent accidental deletion.
4.21. Access to the network will only be granted to
non-employees with the express permission of the I.T.
Department and on completion of the company's standard
non-disclosure agreement.
5.1. LAN equipment, hubs, bridges, repeaters, routers,
switches will be kept in secure hub rooms. Hub rooms will be
kept locked at all times. Access to hub rooms will be
restricted to I.T. Department staff only. Other staff, and
contractors requiring access to hub rooms will notify the I.T.
Department in advance so that the necessary supervision can be
arranged.
Workstations
5.2. Users must log out of their workstations when they leave
their workstation for any length of time.
5.3. All unused workstations must be switched off outside
working hours.
Wiring
5.4. Redundant cabling schemes will be used where
possible.
Monitoring Software
5.5. The use of LAN analyser and packet sniffing software is
restricted to the I.T. Department.
5.6. LAN analysers and packet sniffers will be securely
locked up when not in use.
Servers
5.7. All servers will be kept securely under lock and
key.
5.8. Access to the system console and server disk/tape
drives will be restricted to authorised I.T. Department staff
only.
Electrical Security
5.9. All servers will be fitted with UPS's that also
condition the power supply.
5.10. All hubs, bridges, repeaters, routers, switches and
other critical network equipment will also be fitted with
UPS's.
5.11. In the event of a mains power failure, the UPS's will
have sufficient power to keep the network and servers running
for orderly shutdown of the servers.
5.12. All UPS's will be tested periodically.
Inventory Management
5.13. The I.T. Department will keep a full inventory of all
computer equipment and software in use throughout the
Company.
5.14. Computer hardware and software audits will be carried
out periodically.
These audits will be used to track unauthorised copies of
software and unauthorised changes to hardware and software
configurations.
This section applies to Windows, UNIX, Linux and Novell
servers.
6.1. The operating system will be kept up to date and
patched on a regular basis.
6.2. Servers will be checked regularly for viruses.
6.3. Servers will be locked in a secure room.
6.4. Where appropriate the server console feature will be
activated.
6.5. Remote management passwords will be different to the
Admin/Administrator/root password.
6.6. Users possessing Admin/Administrator/root rights will
be limited to trained members of the I.T. Department staff
only.
6.7. Use of the Admin/Administrator/root accounts will be
kept to a minimum.
6.8. Assigning security equivalences that give one user the
same access rights as another user will be avoided where
possible.
6.9. Users' access to data and applications will be limited
by the access control features.
6.10. Intruder detection and lockout will be enabled.
6.11. The system auditing facilities will be enabled.
6.12. Users must log out of or lock their workstations when they
leave their workstation for any length of time.
6.13. All unused workstations must be switched off outside
working hours.
6.14. All accounts will be assigned a password of a minimum
of 8 characters.
6.15. Users will change their passwords every 30 days.
6.16. Unique passwords will be used.
6.17. The number of grace logins will be limited to 3.
6.18. The number of concurrent connections will be limited
to 1.
6.19. In certain areas users will be restricted to logging
in to specified workstations only.
7.1. Direct root access will be limited to the system
console only.
7.2. I.T. Department staff requiring root access must make
use of the su command.
7.3. Use of the root account will be kept to a minimum.
7.4. All UNIX and Linux system accounts (lp etc.) will be
password protected.
7.5. rlogin facilities will be restricted to authorised I.T.
Department staff only.
7.6. ftp facilities will be restricted to authorised I.T.
Services staff only.
7.7. telnet facilities will be restricted to authorised
users.
7.8. ssh facilities will be restricted to authorised
users.
7.9. Users' access to data and applications will be limited
by the access control features.
7.10. Users will not have access to the $ prompt.
7.11. All accounts will be assigned a password of a minimum
of 8 characters.
7.12. Users will change their passwords every 40 days.
8.1. Wireless LANs will make use of the most secure
encryption and authentication facilities available.
8.2. Users will not install their own wireless equipment
under any circumstances.
8.3. Modems will not be used by users without first
notifying the I.T. Department and obtaining their approval.
8.4. Where dial-in modems are used, the modem will be
unplugged from the telephone network and the access software
disabled when not in use.
8.5. Modems will only be used where necessary; in normal
circumstances all communications should pass through the
Organisation's router and firewall.
8.6. Where leased lines are used, the associated channel
service units will be locked up to prevent access to their
monitoring ports.
8.7. All bridges, routers and gateways will be kept locked
up in secure areas.
8.8. Unnecessary protocols will be removed from routers.
8.9. Company firewall rules will not allow pin holing of
inbound protocol rules.
8.10. All changes in firewall rules must be requested in
writing and authorised by the I.T. Department using the Network
provider's change request forms.
9.1. Permanent connections to the Internet will be via the
means of a firewall to regulate network traffic.
9.2. Permanent connections to other external networks, for
offsite processing etc., will be via the means of a firewall to
regulate network traffic.
9.3. Where firewalls are used, a dual homed firewall (a
device with more than one TCP/IP address) will be the preferred
solution.
9.4. Workstation access to the Internet will be via the
Organisation's proxy server.
9.5. All incoming and outbound e-mail will be scanned by the
Organisation's e-mail content scanner.
- Access Control - The process of limiting access
to the resources of a system only to authorised programs,
processes, or other systems
- Audit Trail - A chronological record of
system activities that is sufficient to enable the
reconstruction, reviewing, and examination of the sequence of
environments and activities surrounding or leading to an
operation, a procedure, or an event in a transaction from its
inception to final results
- Authenticate - To verify the identity of
a user, device, or other entity in a computer system, often
as a prerequisite to allowing access to resources in a
system
- Authorisation - The granting of access
rights to a user, program, or process
- C2 Security - American security
classification generally accepted world-wide, classifying the
level of security provided
- CE - Products which meet the essential
requirements of European Community directives for safety and
protection carry this mark. Products which carry the CE mark
may be sold anywhere in the community
- DISA - Direct inward system access. DISA
is used to allow an inward-calling person access to an
outbound line. Many PBXs have inbound 0800 numbers for
employee use. Employees use them to retrieve their voice mail
and to speak to people in the office
- Discretionary Access Control - A means
of restricting access to objects based upon the identity and
need to know of the user, process, and/or groups to which
they belong
- File Security - The means by which access to computer files
is limited to authorised users only
- Firewall - A device and/or software that
prevents unauthorised and improper transit of access and
information from one network to another
- FTP - File transfer protocol. Protocol
that allows files to be transferred using TCP/IP
- Hub - Network device for repeating
network packets of information around the network.
- Identification - The process that enables recognition of an
entity by a system, generally by the use of unique
machine-readable user names.
- Internet - Worldwide information
service, consisting of computers around the globe linked
together by telephone cables.
- LAN Analyzer - Device for
monitoring and analysing network traffic. Typically used to
monitor network traffic levels. Sophisticated analysers can
decode network packets to see what information has been sent.
- Laptop - Small portable computer.
- Mandatory Access Control - A means of
restricting access to objects based upon the sensitivity of
the information contained in the objects and the formal
authorisation of subjects to access information of such
sensitivity.
- Modem - Device which allows a computer to send
data down the telephone network.
- Password - A protected, private
character string used to authenticate an identity.
- PBX - Private branch exchange - small
telephone exchange used internally within an
organisation.
- Rlogin - Remote login. Protocol that
allows a remote host to login to a UNIX host without using a
password.
- Shareware - Software for which there is
no charge, but a registration fee is payable if the user
decides to use the software. Often downloaded from the
Internet or available from PC magazines. Normally not
very well written and often adversely affects other
software.
- Telnet - Protocol that allows a device
to log in to a UNIX host using a terminal session.
- UPS - Uninterruptible power supply.
Device containing batteries that protects electrical
equipment from surges in the mains power and acts as a
temporary source of power in the event of a mains
failure.
- Username - A unique symbol or character
string that is used by a system to identify a specific
user.
- Virus - Computer software that
replicates itself and often corrupts computer programs and
data.
- Voice Mail - Facility which allows
callers to leave voice messages for people who are not able
to answer their phone. The voice messages can be played back
at a later time.