VICTORIAN XRAY GROUP PTY LTD

Information Technology
Policies and Procedures

IT Policies and Procedures Page 0


VICTORIAN XRAY GROUP PTY LTD SECURITY POLICY

Introduction

Purpose

This document outlines the Computer Security Policies and Procedures for Victorian Xray Group Pty Ltd
(VXG).

These policies and procedures include:

Acceptable Computer Usage Policies
Administrative Security Practices
Network Security
Physical Security
Technical Security (System Hardware and Software)

The Computer Security Policies and Procedures are applicable to any staff of VXG and to anyone associated
with VXG in any way.

The aims of the Computer Security Policies and Procedures are:

To provide computer security policies and procedures for VXG.
To provide a secure and productive computing environment for VXG.
To increase awareness of computer security amongst staff and clients of VXG.
To encourage ethical and lawful behaviour in all who use or provide information resources within VXG.
To increase user awareness of their responsibilities when using VXG resources and the disciplinary
actions for inappropriate use of VXG resources.
To provide a guideline for protecting valuable information resources from theft, damage, and
unauthorised access or change.
To increase the awareness of confidentiality and possible legal requirements when dealing with sensitive
VXG information.
To ensure processes are in place to identify and correct damaged systems such that VXG operations
continue with minimal disruption.

Firewall protection of all VXG computing assets is mandatory; however, this document contains no direct
policy on firewall installation and management. Suffice to say, a network is only as secure as its weakest link.
Firewall configuration should be consistent across the whole of VXG.

Review of Policy and Procedures

Individuals seeking clarification or interpretation of the security policies and procedures are to contact VXG
Head Office at 80 Drummond Street, Carlton on 03 9663 4450.

The Policies and Procedures are to be reviewed yearly or as needed.

Who Can Use VXG Resources

The resources provided by VXG are for staff and contractors for activities directly related to their employment
with VXG. Persons outside these categories are not permitted to use VXG resources unless explicitly
permitted in writing by the IT Management of VXG.

VXG Acceptable Use Policy covers the usage of all VXG resources.

Rationale

Computer security threats are imminent in an information technology environment. The occurrence of a
computer security incident can have a significant impact on VXG operations. An incident may result in:

Breach of confidentiality, integrity and availability of VXG and client data
Disruption to VXG operational and administration activities
Loss of VXG assets
Loss of business
Commercial loss
Professional embarrassment

It is important that policies and procedures are put in place by VXG to impede the occurrence of the above
threats.

Having security policies and procedures also assists in the following:

To help make decisions with regards to other policies.
To assist in making purchasing decisions.
Forms a framework for deciding on what actions to take in particular circumstances.
Offer a framework for the design and configuration of computer systems and network infrastructure.
Is a testament to the commitment of VXG to professionalism.

Definitions

The definitions shown below are to be applied to the appropriate term when referenced in the Security
Policies and Procedures for VXG.

Associates: People working with VXG, using VXG resources, but not employed by VXG, for example, working in a cooperative project arrangement with VXG.

Computer Systems: Includes, but is not limited to, personal computers (PCs), laptops, notebooks, workstations, mini-computers, mainframes. It also includes supplies for computer systems, printer paper, floppy diskettes, tapes etc.

Disaster: A hostile act or an act of God that severely impedes the operational status of VXG machines. A disaster includes natural acts such as fire and earthquake, as well as human acts such as accidental erasure, security breach (vandalism), and power loss.

VXG: Victorian Xray Group Pty Ltd of 80 Drummond Street, Carlton VIC 3053.

VXG Asset: An information, physical or software asset of VXG.

VXG Data: See VXG Information.

VXG Information: Any information or data, in any medium or form, that is owned and used by VXG to conduct its business, consulting, and service activities, and which is captured, stored, maintained, or accessed in VXG systems.

VXG Operations: Any business activities undertaken by VXG within its medical and radiology centres.

VXG Purposes: Means that, except for minimal personal use, VXG resources are to be used for tasks related to a job function and/or course of business only.

Information Asset: Databases and data files, system documentation, manuals, operational or support procedures, VXG Information.

Network Infrastructure: Includes, but is not limited to, network cabling, networking devices such as repeaters, switches, routers.

Physical Asset: Computer and network communications equipment, magnetic media, any technical equipment, furniture and accommodation.

Resources: Any information or data, in any medium or form such as printed paper, digital, video, and audio representations, the computing hardware and software systems which access and manipulate information or the network infrastructure which transports information.

Software Asset: Application software, system software, development tools and utilities.

Staff: An employee or contractor employed by VXG.

Systems: See Computer Systems.

Firewall: A device or group of devices together with policies and infrastructure designed to prevent the misuse, corruption or theft of data from personal or company IT resources from networks or by hosts deemed to be in the public domain, for example the Internet.

System Administrator: A person who has been delegated to manage a computer system or network system.

Acceptable Use

Acceptable Use of Resources

The use of computing and network resources at VXG carries with it the responsibility and obligation to use
the resources in an efficient, ethical, and legal manner.

Acceptable use of resources demonstrates respect for intellectual property, ownership of data, system
security mechanisms, and an individual's rights to privacy and to freedom from intimidation, harassment, and
unwarranted annoyance.

The resources are to be used in a manner consistent with the business objectives of VXG and with the
purpose for which such use was intended.

Expectations of Users

Accounts on computer systems are to be used solely for the purposes for which the accounts are intended.
The user must maintain the integrity of the account by ensuring the following:

Users shall use accounts only for VXG Purposes specified and shall not use any other user's account
with or without that user's permission.
Other than minimal personal use, non-VXG use constitutes misuse of VXG property.
Users shall use passwords that conform to VXG's Password Policy; see section Passwords.
Users shall protect their user-id and passwords from unauthorised use. Users are responsible for all
activities, legal or otherwise, associated with their user-id.
Under no circumstances shall VXG resources be used for personal profit or gain in a manner not
authorised by VXG.

To respect software copyright and licenses:

Users shall use only legal versions of copyrighted software in compliance with vendor license
requirements and software shall not be copied except as specifically stipulated by the owner of the
copyright.

To respect the privacy of other users:

Users shall not intentionally seek information on, obtain copies of, or modify files, passwords or any type
of data belonging to other users unless specifically authorised to do so or where such data is in the
public domain.
Electronic communication facilities (such as email, talk) shall not be used to send fraudulent, harassing,
obscene, threatening, or other unlawful messages.
Users may not create, send, or forward multilevel marketing letters (chain letters, pyramid selling
schemes etc.)
Attempts to alter the attribution of origin of a communication facility will be considered a breach of
acceptable use.

To respect the integrity of the systems:

Users shall not use VXG resources to develop or execute programs that could harass other users,
infiltrate the systems, or damage or alter the software components of the systems. This includes:
o Attempting to decode passwords or access control information
o Attempting to probe, circumvent or subvert system or network security measures

To respect the resources and resource controls of the systems:

Users shall not attempt to alter or avoid accounting, audit, or security controls and mechanisms on
computing systems.
Users should avoid excessive use of resources, controlled or otherwise. It is not acceptable for users to
encroach on others' use of resources. This includes:
o excess printing of documents, running grossly inefficient programs when efficient alternatives are
known to be available
o unauthorised modification of system facilities, operating systems, configuration files or disk
partitions
o attempting to crash or tie up a computer system.

Users shall not attempt to modify or remove computer equipment, software, or peripherals without proper
authorisation.

To respect the privileges of network connectivity:

Users should not harass other users, violate others' privacy, tamper with security systems, or attempt
entry to non-public hosts.
Random host and network probing is not approved. Users must adhere to the following guidelines:
o Do not transfer files to any machines on which one does not have an account or which does not
advertise anonymous file transfer services.
o Do not Telnet to any machines on which one does not have an account or which does not have a
guest account.
o Do not try to Telnet into miscellaneous ports; use only authorised ports for access.

Violations of these conditions of acceptable use may, after due process, result in any of the following:

The suspension of computing privileges
Termination of employment
Legal action

Violation of Policy

Users, when requested, are expected to cooperate with system administrators in any investigations of
system abuse. Deliberate attempts to thwart such investigations or refusal to respond to reasonable requests
may be grounds for cancellation of access privileges.

Abuse of computing privileges is subject to disciplinary action. If system administrators have strong evidence
of misuse of computing resources, and if that evidence points to the computing activities or the computer
files of an individual, they have the obligation to pursue any or all of the following steps to protect other users
and VXG:

Temporarily suspend or restrict the user's computing privileges during the investigation. Staff may appeal
such a suspension or restriction through the Managing Director of VXG or designate
Inspect the user's files, diskettes, tapes, and/or other computer-accessible storage media or computer
system if applicable.
Refer the matter for possible disciplinary action to the Managing Director of VXG (or designate) and/or IT
Management

Policy

Physical Access

Building

Possession of a key not issued to its holder is a disciplinary offence.
A key issued to an individual must not be passed to another person.
A key code, if applicable, given to an individual must not be told to another person.
Staff will have access to their place of work during the standard working hours
Staff will have after-hours access to VXG IT areas as deemed necessary by IT management.
Staff requiring access to any IT area not directly related to their position or employment will require
authorisation from IT Management.

Hardware and Physical Security

Access to Resources

Computer Systems are to be protected by key locks, passwords or other controls when not in use. If this
is not possible, users are to log off or log out of the computer system.
Users will be held responsible for any use/misuse of the computer privileges resulting from a failure to
logout of a computer system.
Where possible, equipment should be situated to minimise the threat of unauthorised access.
Workstations handling sensitive data should be positioned to reduce the risk of overlooking.

Security of Resources

Office space containing computer assets is to be secured, and if applicable, access codes to those
offices are to be registered and monitored to ensure return and/or changing if an individual
terminates employment with VXG.
Depending on the risk and value of the computer assets, security measures may include installation of
video cameras, or keypad readers on doors providing access to particular rooms.
Any equipment located in publicly accessible areas, or rooms that cannot be locked, is to be fastened
down by some physical means such as a cable lock system or enclosed in a lockable computer
equipment unit or case.
Computer systems are to be secured against accessing, tampering, or removal of components.
Computer systems with critical and sensitive data either stored on them or accessible through them
should be further secured against unauthorised use even by someone who has legitimate access to
the physical space.
Computer equipment should be clearly marked as owned by VXG.
All VXG computer assets are to be registered on the VXG Asset Register
No VXG computer assets are to be removed from VXG without the explicit written permission of the
Technical Manager

Maintenance of Equipment

Equipment malfunction can result in:
o Interruptions to VXG Operations
o Loss of availability, integrity and confidentiality of VXG Information or resources.
o The potential for a security breach to occur.
In order to minimise the effects of equipment malfunction the following is recommended:
o Computer equipment is to be maintained in accordance with the suppliers' recommended
service intervals and specifications.
o Repairs and servicing of equipment should only be carried out by authorised maintenance
personnel.
o All computer equipment critical to VXG operations are to be under support and/or maintenance
contracts in case of unexpected operation or technical difficulties. The level of maintenance
taken out is to be appropriate for the importance of the item of equipment.
o Any media (hard disks, tapes, CDs etc.) containing sensitive data are not to be allowed off-site for
repair without appropriate confidentiality agreements being in place.

Security of VXG Equipment off Premises

No VXG resources are to be removed from VXG without the explicit written permission from IT
Management.
Personal computers are not to be used at home for VXG purposes unless virus controls are in place.
When travelling, VXG resources are not to be left unattended in public places. Portable computers are to
be carried as hand luggage when travelling wherever possible.
Portable computers are vulnerable to theft, loss or unauthorised access. Wherever possible, sensitive
information should not be left on the in-built disk of any portable computer, but should be carried on a
diskette. If such information is carried on the in-built disk, the machine should have appropriate access
protection or encryption.
Stored passwords and automatic logons should never be enabled on any Portable equipment.
Manufacturers' instructions regarding the protection of equipment should be observed at all times.
VXG resources are to be kept securely where practically possible.

Network Infrastructure

VXG network infrastructure and associated devices may not be monitored, interfered with, or
restructured without the express permission of the Technical Manager or delegate.
No user may listen to network communications or pose as another infrastructure device on the network;
this includes listening devices.
No user may try to subvert devices by sending false information to any infrastructure device or computer,
for example, attempt a source routing attack.
Where possible network cabling should limit the number of users per cable run.
Network traffic should be isolated between unrelated networks.
Point-to-point encryption should be used on devices carrying sensitive data where possible.
No user may connect to a machine for which they do not have express permission to use.
Users may only connect to machines via the specified protocols on machines for which they have
access.
All hosts outside VXG that are not directly connected to VXG, i.e. the Internet, are deemed to be located on
a public network and therefore caution must be taken when transmitting private/confidential
information and passwords.
Any hosts outside VXG that are connected directly to VXG and in turn connected to hosts outside of
VXG, i.e. the Internet, are deemed to be located on a public network and therefore caution must be
taken when transmitting private/confidential information and passwords.

Computer Security

VXG Computer Systems are to be monitored with established controls to ensure conformity to VXG's
Acceptable Use Policy and procedures. These controls should provide the ability to trace violations
or attempted violations of information security to the individuals who may be held responsible.
Firewalls are to be implemented so as to protect all VXG computing assets that may be connected in any
form to the Internet.
Audit trails recording exceptions and other security relevant events should be produced and kept for an
agreed period to assist in future investigations and access control monitoring. Where possible, audit
trails should include:
o A user's ID
o Dates and times of access or login and logoff times
o Terminal or host identity from which access was made
Where possible (and needed), all computer operating systems are to be maintained at the latest stable
patch level recommended by the vendor for that particular system.
Where possible, all computer systems using third party software (e.g. Public domain Internet software)
are to be maintained at the latest stable recommended patch level.
Security patches for computer system software are to be investigated and applied as soon as practically
possible.
Backup media and devices should be taken into consideration with new equipment purchases. This
strategy provides better backup/restore facilities and more security for the computer systems in
question.
Email clients are to be installed such that executable attachments cannot be executed directly from the
email client.

Electronic Mail
The contents of email messages should be used for information only since it is possible to send
fraudulent mail. Email can only be considered secure if using a mechanism such as PGP.
Standard Company disclaimers are to be attached to all outbound email.
Email can contain dangerous payloads as attachments; these are in the form of malicious executable
files. Executable attachments should not be opened and should instead be deleted on receipt. These
attachments have file name extensions such as .exe, .dll, .bat, .com.
Staff shall only use email for work related purposes with an exception allowing for minimal personal use.
Acceptable use of email includes:
o Conversing with VXG staff, prospects, shareholders and clients.
o Conversing with other people in the pursuit of business goals.
o Subscribing to Internet email lists that cover the staff member's job function.
o Minimal Personal use.
Staff shall not use email to send and/or knowingly or intentionally receive material that is illegal under
Australian Law.
Personnel with access to stored or transmitted email messages will not seek to access such messages
except in operational or investigative circumstances that necessitate such access. Users must be
aware that VXG cannot guarantee the confidentiality of email messages.
Staff have the right to privacy when using email. As such, no Systems Administrator may read the email
of any staff member, the only exception being the investigation of misuse by the particular user.
Any staff member suspected of misusing email may have all transactions and material logged for further
action.

World Wide Web and the Internet

Browsing and Searching the Internet

Staff members may browse the Internet using World Wide Web (WWW), Gopher, WAIS, etc. for the
purpose of their research or job function. Minimal personal use is acceptable.
No sites known to contain material that is illegal under Australian Law may be visited.
All sites visited may be logged. Any staff member suspected of misuse may have all transactions and
material logged for further action.

WWW Home Pages

No material that is illegal under Australian Law may be made available via WWW Pages.
No confidential material may be made available.
For security reasons VXG is not obliged to supply or make available any CGI scripts.
All WWW Pages may be scrutinised. Any staff member suspected of misuse may have all transactions
and material logged for further action.

System Administrators

The System Administrator's use of VXG computing resources is an extension of the guidelines that apply
to a normal user. That is, these guidelines are in addition to those of a normal user.
Whenever possible, System Administrators will not dictate or set a user password. If this needs to be
done, it should be done in such a way that the user is automatically required to change the password
the next time they access the system. If this is not possible, the user should be notified and requested to
make the change manually.
System Administrators/Managers should never expect a user to divulge their passwords.
System Administrators have the responsibility to ensure the computer systems and network
infrastructure under their control are effectively maintained.
System Administrators' responsibilities include:
o Treating information about, and information stored by, the system's users as confidential and
taking reasonable precautions to ensure the security of a system or network and the information
contained therein.
o Dissemination of information about specific policies and procedures that govern access to, and
use of, the system. A written document given to users, or messages posted on the computer
system, shall be considered adequate notice.
o Ensuring the users on the systems adhere to VXG Security Policy.
o Taking reasonable precautions against theft of, or damage to, system components.
o Faithfully executing all hardware and software licensing agreements applicable to the system.
o Co-operating with the System Administrators of other computer systems or networks, whether
inside or outside VXG.
The System Administrators are authorised to take all reasonable steps and actions to implement and
enforce the usage, service, and security policies of the system.
System Administrators may temporarily suspend access privileges of any user if deemed necessary to
maintain the integrity of the computer system or network.
System Administrators should provide a disaster recovery strategy in case of severe failure; see section
Disaster Recovery.
System Administrators should provide an effective backup strategy in case of disaster.
System logging should be kept where possible on hard-copy so that security incidents can be
determined and tracked.
Administration procedures should be maintained in a Procedures Manual or Log Book. Hard-copies of
important configuration files should also be kept.
System Administrators are to subscribe to any security-alert email lists that concern the type or brand of
machine for which they are responsible.

User/Login names and Passwords

Users who have accounts on multiple systems should use different passwords on each system. This is
extremely important.
Passwords should be changed periodically, at one- to three-month intervals.
User/Login names are not transferable between users. No user may share their User/login name with
another user.
Passwords are not transferable between users. No user may share their password with another user.
Users will be held responsible for any misuse of the computers and/or data resulting from divulgence or
sharing of one's user name and passwords.
System Administrators/Managers will never request your password. Any such request should be treated with
total mistrust, especially if made by phone or email.
Should your password be compromised you should immediately take steps to change it.

Security Incident Processing

IT Management will coordinate all activities associated with a security incident.
Any systems staff who suspect a security breach must report the incident directly to IT Management.
All other Systems Administration staff within VXG should also be notified in a timely manner.
IT Management will then assess whether the incident warrants reporting any further.
For major incidents involving computing installations outside VXG, IT Management, if deemed necessary,
will contact AUSCERT with the appropriate details.

Viruses, Trojan, and Worm Prevention

It is illegal, unethical and contrary to VXG policy to use PCs to generate viruses, worms, or any malicious
devices to contaminate other information systems.
All software used on personal computers within VXG is to be a legitimate licensed copy and adhere to
the software owner's copyright conditions.
Introduction of viruses and other contaminants can occur through a variety of channels:
o Software introduced into or used on the system by an outsider who had access to the system
o Software used at home on an infected system
o Software purchased from a vendor who has an infected production system
o Infected software from bulletin boards or the Internet
o Software intentionally infected by a disgruntled user
In order to decrease the risk of viruses and limit their spread:
o Anti-virus software is to be installed on all VXG PCs. The anti-virus software is to be used to
scan computers and media for known viruses, either as a precautionary measure or on a routine
basis.
o Where applicable, anti-virus software is to be installed on all VXG servers.
o Virus 'repair' software should be used with caution and only in cases where virus characteristics
are fully understood and the correct repair is certain.
o Any diskettes of PC software of uncertain or unauthorised origin should be checked for viruses
before use. New shrink wrapped software should also be checked before installation and/or use.
o Email can contain dangerous payloads as attachments; these are in the form of malicious
executable files. No executable attachments should be opened and instead are to be deleted on
receipt. These attachments have file name extensions including but not limited to .exe, .dll,
.bat, .com. These attachments are not necessarily detected by anti virus software and therefore,
irrespective of the sender they should never be opened and run.
Any system contaminated by a virus or other contaminant, such as a Trojan horse or malicious attachment,
should be isolated immediately and reported to IT Management.
Master software diskettes are to be secured and maintained by IT management.

Procedures

Network Infrastructure Procedures

General Procedures

All networking equipment critical to VXG operations is to be under support/maintenance contracts in
the event of unexpected operational or technical difficulties. The level of maintenance taken out is to
be appropriate for the importance of the networking equipment.
All network installation/upgrades within VXG are to be done in consultation with IT Management.
All re-cabling of offices is to be carried out by AUSTEL licensed personnel using cable rated and tested
to Category 5 Twisted Pair specifications. Where applicable, the cost of re-cabling is to include the
cost of the appropriate network hubs.
Where possible, all networking hubs and repeaters purchased by VXG are to have port switching and/or
port security facilities. This offers the best protection against unauthorised access via network
sniffing and the attachment of unauthorised devices.
Network traffic from the various VXG networks is to be isolated from each other.
Any VXG networking equipment is to be placed in a secure area.
The security features of VXG network devices are to be used to the best of their capabilities.
Any network devices that have password facilities to control access to them are to have those password
facilities enabled.
IT management is responsible for maintaining all network address, domain name and host names within
VXG.
All hosts outside of VXG are to be treated as foreign and therefore may pose a threat to VXG's security.
Therefore, passwords and other confidential information sent to these hosts should not be classed
as secure.
All connections from external hosts to staff machines in VXG are to be done in such a way that a user's ID
and password are not sent in clear text over the network and/or cannot be captured and reused.

Systems Administrator Procedures

Disaster Recovery

The administrators of the various major machines in VXG must have a contingency strategy for
recovering from disasters. This typically entails keeping off-site backups as well as a strategy to
easily restore them.
The primary goal after a disaster is to provide a basic level of service to the staff and customers as soon
as practical after the incident. In the case of a security breach the downtime of systems will be
determined by IT Management due to possible restructuring that may be required.
IT Management will coordinate all efforts associated with disaster recovery.
Wherever possible, critical Internet services such as DNS, email and WWW, should be located on
separate hosts.

Backups

Backups are a critical systems maintenance task and are often the final recourse after a total systems
failure or disaster.
A complete and recent set of backups for each system should be kept off-site.
A hard-copy summary of how to create and restore a backup for a given system must be filed with easy
access for systems staff.
Tapes must be clearly labelled with the current date of the backup and a sequence number.
A copy of the backup script should be kept on floppy disk and stored as a hard copy.
Backup media and devices are to be taken into consideration with new equipment purchases.
Backup devices are to be cleaned and maintained as per the manufacturer's instructions.
The backup material is to be kept in a location separate from the original system to protect it from the
same hazards.
Because media degrade over time, files should be copied to fresh media as the manufacturer recommends.

Administration

Relevant security information should be printed out in real time where practical. The electronic form
should be checked daily for problems. If any abnormalities are found the printed logs should be
referenced to ensure no tampering has taken place. The amount of logging performed is to be
assessed by the relevant staff member and should be based on the importance of the machine and
where it is situated within the VXG network.
All unused network services should be disabled, either in the inetd.conf file or by removing the invocation
from the applicable start-up script.
Password aging should be implemented on machines where appropriate.
Where possible passwords should not be "remembered" by programs in case the passwords can be
easily read from a file.
Accounts should be allocated and deactivated based on the employment contract of the user

Procedure Documentation

Operations procedures should be kept in an operations manual or log book. The primary purpose for this
is to allow the easy re-installation or upgrade of software. A lot of time is spent reading installation
procedures when re-installing a product, therefore a list of destination file locations, and notes on
setting up the product should be kept.
A hard copy of important configuration files should be kept. Typical examples include complex files such
as sendmail.cf and DNS databases.

Recognition of Unauthorised Activity

The following can be used to assist in the detection of unauthorised activity of a computer system.
System logging should be configured on all computer systems.
All system log files should be checked regularly.
Tripwire should be executed daily on applicable systems; these systems include, but are not limited to,
firewall hosts and machines used for monitoring and logging of system activities.
The file system on each system should be perused regularly by the system administrators.
