Version 1.

0 IT Security Policy
June 2010

TNM IT SECURITY
POLICY

Doc Ref: TNM Security Policy v1.0 Page i

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

Table of Contents

1 TNM Acceptable Use Policy.....................................................................................1

1.1 Overview..............................................................................................................1
1.2 Purpose................................................................................................................1
1.3 Scope...................................................................................................................1
1.4 Policy...................................................................................................................1
1.4.1 General Use and Ownership...............................................................................1
1.4.2 Security of Proprietary Information....................................................................2
1.4.3 Unacceptable Use................................................................................................3
i. System and Network Activities................................................................................3
ii. Data Storage Use....................................................................................................5
1.5 Enforcement.........................................................................................................5
1.6 Definitions...........................................................................................................5
1.7 Revision History..................................................................................................5

2 Analog/ISDN Line Security Policy...........................................................................6

2.1 Purpose................................................................................................................6
2.2 Scope...................................................................................................................6
2.3 Policy...................................................................................................................6
2.3.1 Scenarios & Business Impact..............................................................................6
i. Facsimile Machines.................................................................................................7
ii. Computer-to-Analog Line Connections...................................................................7
iii. Requesting an Analog/ISDN Line............................................................................7
2.4 Enforcement.........................................................................................................8
2.5 Revision History..................................................................................................8

3 Access andconnectivity to TNM Corporate Network.................................................9

3.1 Purpose................................................................................................................9
3.2 Scope...................................................................................................................9
3.3 Policy...................................................................................................................9

Doc Ref: TNM Security Policy v1.0 Page ii

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

3.3.1 Scenarios & Business Impact..............................................................................9

i. Wireless Access.....................................................................................................10
ii. VPN connection via ADSL, EVDO, ETC..............................................................10
4.....................................................................................................................................10
iii. Dial up /ISDN Line................................................................................................10
3.4 Enforcement.......................................................................................................10
3.5 Revision History................................................................................................10

4 TNM Email Use Policy............................................................................................11

4.1 Purpose..............................................................................................................11
4.2 Scope.................................................................................................................11
4.3 Policy.................................................................................................................11
4.3.1 Prohibited Use...................................................................................................11
4.3.2 Personal Use.....................................................................................................11
4.3.3 Monitoring.........................................................................................................11
4.4 Enforcement.......................................................................................................12
4.5 Definitions.........................................................................................................12

5 Database and Application Security Policy............................................................13

5.1 System Security Policy.......................................................................................13
5.1.1 Database User Management.............................................................................13
5.1.2 User Authentication...........................................................................................13
5.1.3 Operating System Security................................................................................13
5.2 Data Security Policy..........................................................................................13
5.3 User Security Policy..........................................................................................14
5.3.1 General User Security.......................................................................................14
5.3.2 End-User Security.............................................................................................14
5.3.3 Administrator Security......................................................................................14
5.4 Application Developer Security.........................................................................15
5.4.1 Application Developers and Their Privileges...................................................15
5.4.2 Application Developer Environment: Test and Production Databases............15
5.4.3 Free versus Controlled Application Development (for discussion)..................15

Doc Ref: TNM Security Policy v1.0 Page iii

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

5.4.4 Roles and Privileges for Application Developers.............................................16

5.5 Password Management Policy..........................................................................16
5.5.1 Account Locking................................................................................................16
5.5.2 Password Aging and Expiration........................................................................17
5.5.3 Password History..............................................................................................17

6 User Confirmation……………...………………………………………………18

Doc Ref: TNM Security Policy v1.0 Page iv

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

1 TNM Acceptable Use Policy

1.1 Overview
TNM's intentions for publishing an Acceptable Use Policy are not to impose restrictions
that are contrary to the company’s established culture of openness, trust and integrity.
TNM is committed to protecting the company's employees, partners and the company
from illegal or damaging actions by individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer
equipment, software, operating systems, storage media, network accounts providing
electronic mail, WWW browsing, and FTP, are the property of the company. These
systems are to be used for business purposes in serving the interests of the company, and
of our clients and customers in the course of normal operations.
Effective security is a team effort involving the participation and support of every
company employee and affiliate who deals with information and/or information systems.
It is the responsibility of every computer user to know these guidelines, and to conduct
their activities accordingly.

1.2 Purpose
The purpose of this policy is to outline the acceptable use of Information Systems at the
company. These rules are in place to protect the employee and the company.
Inappropriate use exposes the company to risks including virus attacks, compromise of
network systems and services, and legal issues.

1.3 Scope
This policy applies to employees, contractors, consultants, temporaries, and other
workers at TNM, including all personnel affiliated with third parties. This policy applies
to all equipment that is owned or leased by the company.

1.4 Policy

1.4.1 General Use and Ownership

2
i. While TNM's network administration desires to provide a reasonable level of
privacy, users should be aware that the data they create on the corporate
systems remains the property of TNM. Because of the need to protect the
company's network, management cannot guarantee the confidentiality of
information stored on any network device belonging to it.
ii. Employees are responsible for exercising good judgment regarding the
reasonableness of personal use. IT department is responsible for creating
guidelines concerning personal use of Internet/Intranet/Extranet systems.
iii. For security and network maintenance purposes, authorized individuals within
the company may monitor equipment, systems and network traffic at any
time, per TNM's Audit Policy.

Doc Ref: TNM Security Policy v1.0 Page 1

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

iv. TNM reserves the right to audit networks and systems on a periodic basis to
ensure compliance with this policy.

2.1.1 Security of Proprietary Information

i. The user interface for information contained on Internet/Intranet/Extranet-

related systems should be classified as either confidential or not confidential, as
defined by corporate confidentiality guidelines.
Examples of confidential information include but are not limited to: company
private, corporate strategies, competitor sensitive, trade secrets, specifications,
customer lists, and research data. Employees should take all necessary steps to
prevent unauthorized access to this information.
ii. Keep passwords secure and do not share accounts. Authorized users are
responsible for the security of their passwords and accounts. System level
passwords should be changed quarterly; user level passwords should be changed
monthly.
iii. All PCs, laptops and workstations should be secured with a password-protected
screensaver with the automatic activation feature set at 10 minutes or less, or by
logging-off (control-alt-delete) when the host will be unattended.
iv. Because information contained on portable computers and other portable media
e.g. external hard disks is especially vulnerable, special care should be
exercised.
 Use a strong password (combination of letters, numbers, different cases
and punctuation marks) where applicable
 Put permanent tags (asset numbers) on the media
 Disable the network wireless connection when not in use
 Ensure the local administrator account has a password or has no
administrative privileges
 Ensure infrared ports are disabled
 When travelling with portable devices:
o Backup important data before leaving
o If possible use a non carrying case
o Never leave the devices unattended or with strangers
o Never leave the devices exposed e.g. on the backseat of a car.
Securely lock them away
o Never leave the devices in a conference room during lunch/break
time
o Do not put heavy object on top of portable devices
 When not in use, they should be locked up/away in the office
v. Postings by employees from a TNM email address to newsgroups should
contain a disclaimer stating that the opinions expressed are strictly their own
and not necessarily those of the company, unless posting is in the course of
business duties.
Doc Ref: TNM Security Policy v1.0 Page 2
Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

vi. All hosts used by the employee that are connected to the TNM
Internet/Intranet/Extranet, whether owned by the employee or the company,
shall be continually executing approved virus-scanning software with a current
virus database. Unless overridden by a group policy.
vii. Employees must use extreme caution when opening e-mail attachments received
from unknown senders, which may contain viruses, e-mail bombs, or Trojan
horse code.

2.1.2 Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from
these restrictions during the course of their legitimate job responsibilities (e.g., systems
administration staff may have a need to disable the network access of a host if that host is
disrupting production services).
Under no circumstances is an employee of TNM authorized to engage in any activity that
is illegal under local, state, federal or international law while utilizing TNM-owned
resources.

The lists below are by no means exhaustive, but attempt to provide a framework for
activities which fall into the category of unacceptable use.

3 System and Network Activities

The following activities are strictly prohibited, with no exceptions:

a) Unauthorized copying of copyrighted material including, but not limited to,

digitization and distribution of photographs from magazines, books or other
copyrighted sources, copyrighted music, and the installation of any copyrighted
software for which TNM or the end user does not have an active license is strictly
prohibited.
b) Exporting software, technical information, encryption software or technology, in
violation of international or regional export control laws, is illegal. The
appropriate management should be consulted prior to export of any material that
is in question.
c) Introduction of malicious programs into the network or server (e.g., viruses,
worms, Trojan horses, e-mail bombs, etc.).
d) Sending/forwarding chain letters.
e) Revealing your account password to others or allowing use of your account by
others. This includes family and other household members when work is being
done at home.
f) Using a TNM computing asset to actively engage in procuring or transmitting
material that is in violation of sexual harassment or hostile workplace laws in the
user's local jurisdiction.
g) Unauthorised use of peer to peer file sharing protocols
Doc Ref: TNM Security Policy v1.0 Page 3
Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

h) Making fraudulent offers of products, items, or services originating from any

TNM account.
i) Making statements about warranty, expressly or implied, unless it is a part of
normal job duties.
j) Effecting security breaches or disruptions of network communication. Security
breaches include, but are not limited to, accessing data of which the employee is
not an intended recipient or logging into a server or account that the employee is
not expressly authorized to access, unless these duties are within the scope of
regular duties. For purposes of this section, "disruption" includes, but is not
limited to, network sniffing, pinged floods, packet spoofing, denial of service, and
forged routing information for malicious purposes.
k) Port scanning or security scanning is expressly prohibited unless prior notification
to the responsible authority within the Data Center Operations team, TNM.
l) Executing any form of network monitoring which will intercept data not intended
for the employee's host, unless this activity is a part of the employee's normal
job/duty.
m) Circumventing user authentication or security of any host, network or account.
n) Interfering with or denying service to any user other than the employee's host (for
example, denial of service attack).
o) Using any program/script/command, or sending messages of any kind, with the
intent to interfere with, or disable, a user's terminal session, via any means, locally
or via the Internet/Intranet/Extranet, unless explicitly allowed by a relevant
authority within the Data Center Operations team.
p) Providing information about, or lists of, TNM employees to parties outside the
company.

4 Data Storage Use

a) Use of Online storage for storage of personal, (non-business related) information

or data
b) Use of Online storage for any media files other that those important to the
business e.g. music or videos that are not for company use
c) Duplication of Files on personal folders.

4.1 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.

4.2 Definitions

Term Definition
Doc Ref: TNM Security Policy v1.0 Page 4
Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

Spam Unauthorized and/or unsolicited electronic mass mailings.

4.3 Revision History

Doc Ref: TNM Security Policy v1.0 Page 5

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

2 Analog/ISDN Line Security Policy

4.4 Purpose

This document explains TNM’s analog and ISDN line acceptable use and approval
policies and procedures. This policy covers two distinct uses of analog/ISDN lines: lines
that are to be connected for the sole purpose of fax sending and receiving, and lines that
are to be connected to computers.

4.5 Scope

This policy covers only those lines that are to be connected to a point within the Offices
of TNM. It does not pertain to ISDN/phone lines that are connected into employee
homes, PBX desktop phones, and those lines used by Telecom for emergency and non-
corporate information purposes.

4.6 Policy

4.6.1 Scenarios & Business Impact

There are two important scenarios that involve analog line misuse, which we attempt to
guard against through this policy. The first is an outside attacker who calls a set of analog
line numbers in the hope of connecting to a computer that has a modem attached to it. If
the modem answers (and most computers today are configured out-of-the-box to auto-
answer) from inside the company premises, then there is the possibility of breaching
TNM's internal network through that computer, unmonitored. At the very least,
information that is held on that computer alone can be compromised. This potentially
results in the loss of millions of dollars worth of corporate information.

The second scenario is the threat of anyone with physical access into a TNM facility
being able to use a modem-equipped laptop or desktop computer. In this case, the
intruder would be able to connect to the trusted networking of TNM through the
computer's Ethernet connection, and then call out to an unmonitored site using the
modem, with the ability to siphon company information to an unknown location. This
could also potentially result in the substantial loss of vital information.

Specific procedures for addressing the security risks inherent in each of these scenarios
follow.

5 Facsimile Machines

As a rule, the following applies to requests for fax and analog lines:

Doc Ref: TNM Security Policy v1.0 Page 6

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

a) Fax lines will be approved for departmental use only.

b) No fax lines will be installed for personal use.
c) The fax machine must be placed in a centralized administrative area designated
for departmental use, and away from other computer equipment.
d) A computer which is capable of making a fax connection is not to be allowed to
use an analog line for this purpose.

Waivers for the above policy on analog-as-fax lines will be delivered on a case-by-case
basis after reviewing the business need with respect to the level of sensitivity and security
posture of the request.

Use of an analog/ISDN fax line is conditional upon the requester's full compliance with
the requirements listed below. These requirements are the responsibility of the authorized
user to enforce at all times:
a) The fax line is used solely as specified in the request.
b) Only persons authorized to use the line have access to it.
c) When not in use, the line is to be physically disconnected from the computer.
d) When in use, the computer is to be physically disconnected from the company's
internal network.
e) The line will be used solely for TNM business, and not for personal reasons.
f) All downloaded material, prior to being introduced into company systems and
networks, must have been scanned by an approved anti-virus utility (e.g., Sophos
Scan) which has been kept current through regular updates.

6 Computer-to-Analog Line Connections

The general policy is that requests for computers or other intelligent devices to be
connected with analog or ISDN lines from within the company will not be approved for
security reasons. Analog and ISDN lines represent a significant security threat to the
company, and active penetrations have been launched against such lines by hackers.
Waivers to the policy above will be granted on a case by case basis.
Replacement lines, such as those requested because of a move, fall under the category of
"new" lines. They will also be considered on a case by case basis.

7 Requesting an Analog/ISDN Line

Once approved by a manager, the individual requesting an analog/ISDN line must

provide the following information to Telecom:
a) a clearly detailed business case of why other secure connections available at TNM
cannot be used,
b) the business purpose for which the analog line is to be used,
c) the software and hardware to be connected to the line and used across the line,
d) And to what external connections the requester is seeking access.

Doc Ref: TNM Security Policy v1.0 Page 7

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

The business case must answer, at a minimum, the following questions:

a) What business needs to be conducted over the line?
b) Why is a TNM-equipped desktop computer with Internet capability unable to
accomplish the same tasks as the proposed analog line?
c) Why is TNM's current dial-out access pool unable to accomplish the same tasks
as an analog line?

In addition, the requester must be prepared to answer the following supplemental

questions related to the security profile of the request:

a) Will the machines that are using the analog lines be physically disconnected from
TNM's internal network?
b) Is dial-in from outside of TNM needed?
c) How many lines are being requested, and how many people will use the line?
d) What is the earliest date the line can be terminated from service?
e) What other means will be used to secure the line from unauthorized use?
f) Is this a replacement line from an old location? What was the purpose of the
original line?
g) What types of protocols will be run over the line?
h) Will a TNM-authorized anti-virus scanner be installed on the machine(s) using
the analog lines?
i) The requester should use the Analog/ISDN Line Request Form to address these
issues and submit a request.

7.1 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
7.2 Revision History

Doc Ref: TNM Security Policy v1.0 Page 8

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

3 Access and connectivity to TNM Corporate Network

7.3 Purpose

This document explains TNM’s wireless and VPN network access acceptable use and
approval policies and procedures.
7.4 Scope

This Policy covers all network connectivity solutions to be used on the corporate network
other than the direct connection via the Ethernet network. They include the following;
Wireless access, VPN access via any form of internet connection; Dialup access

7.5 Policy

7.5.1 Scenarios & Business Impact

Misuse of these solutions could be categorized in two scenarios:-

 Installation/Configuration of any of the solutions on unauthorized Computers
(especial those that don’t belong to the TNM)
 Actions by Users that result into leakage of private configuration-information
(e.g. passwords, IP addresses, etc) to unauthorized individuals

Specific procedures for addressing the security risks inherent in each of these scenarios
follow.

8 Network Access by TNM Users

 Access to the TNM Network resources will be limited to authorized (by the Head
of IT or designate) employees only.
 Access will be by means of authentication using a username and password
 Each user will be given a network access username and password (which must be
changed the very first time a user logs on to the network, and no sharing is
allowed.

9 Network Access by Contractors, Service Providers

 All contractors/suppliers requiring access to the TNM LAN/WAN will have to
make an application in writing to Head of IT.
 Contractors once given access to the TNM LAN/WAN, shall in no way abuse the
access, and shall solely use the access for the for the purpose that it is given
 Other applications accessible by the public if necessary will be placed in the
demilitarized zone.
 The network access firewall and/or secure gateway will be configured to deny all
incoming services unless explicitly permitted.

Doc Ref: TNM Security Policy v1.0 Page 9

Copyright (C) TNM AZB
 Version 1.0 IT Security Policy
June 2010

10 Wireless Access

As a rule, Wireless access points/devices including TNM dongles, are not to be installed
or connected to the network, unless under direct supervision of the Team Leader
Infrastructure and relevant authority from the Head of IT. Any Access-point/device to be
installed will conform to the following:-

 Must have WEP Encryption enabled.

 Must be installed for a specified period of time, after which the WEK key should
change if the Access point is still required.
 The LAN/WAN connectivity will be disconnected first by the user before using
wireless access devices

Waivers for the above policy will be delivered on a case-by-case basis after reviewing the
business need with respect to the level of sensitivity and security posture of the request.

11 VPN connection via ADSL, CDMA, EVDO, ETC

VPN access shall be granted on a case-by-case basis after reviewing the business need
with respect to the level of sensitivity and security posture of the request.
The VPN configurations shall be installed by a member of the IT Infrastructure Team.

12 Dial up /ISDN Line

Dialup access shall be provided on endorsed by a manager of the individual requesting

for Dial up access to the LAN, and approved by the Head of IT.

i. Other equipment
 Only equipment owned by TNM shall be plugged on to the TNM LAN/WAN
 Users requiring to use other equipment not owned by TNM on the TNM
LAN/WAN shall seek authorization first from Head of IT and only connect the
equipment once authority is granted.
 All other service providers/contractors equipment that needs to be connected to
the TNM WAN/LAN shall be connected through the proxy/firewall.

12.1 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.

Doc Ref: TNM Security Policy v1.0 Page 10

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

12.2 Revision History

4 TNM Email/Internet Use Policy

12.3 Purpose

To prevent tarnishing the public image of TNM When email goes out from the company,
the general public will tend to view that message as an official policy statement from the
TNM.

12.4 Scope

This policy covers appropriate use of any email sent from a TNM email address and
applies to all employees, vendors, and agents operating on behalf of TNM.

12.5 Policy

12.5.1 Prohibited Use.

 The TNM email system shall not to be used for the creation or distribution of any
disruptive or offensive messages, including offensive comments about race,
gender, hair color, disabilities, age, sexual orientation, pornography, religious
beliefs and practice, political beliefs, or national origin. Employees who receive
any emails with this content from any TNM employee should report the matter to
their supervisor immediately.
 Mass mailings will not be done unless approval is given by Head of IT/Head of
HR.
 Sharing of company confidential information without prior authorization will not
be allowed.
 Disclosure of internal e-mail addresses when sending to recipients outside TNM
will not be allowed
 Subscription to non-work related sites using company e-mail shall not be allowed
 Surfing of pornographic sites is prohibited
 Downloading of non-work related software e.g. video, music will not be allowed
 Facebook, Twitter, Skype, and other messaging sites for non business related
issues will not be allowed

12.5.2 Personal Use.

Using a reasonable amount of TNM resources for personal emails is acceptable, but non-
work related email shall be saved in a separate folder from work related email. Sending

Doc Ref: TNM Security Policy v1.0 Page 11

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

chain letters or joke emails from a TNM email account is not allowed. Virus or other
malware warnings and mass mailings from TNM shall be approved by the company Head
of HR or IT according to the subject before sending. These restrictions also apply to the
forwarding or replying of mail received by a TNM employee.

12.5.3 Monitoring

TNM employees shall have no expectation of privacy in anything they store, send or
receive on the company’s email system. The company may monitor messages without
prior notice where need arises. The company is not obliged to monitor email messages.
Only a designated member of IT shall monitor messages only after authorization is
granted by Chief Technical Officer of Head of IT.

12.6 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.

Doc Ref: TNM Security Policy v1.0 Page 12

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

5 Database and Application Security Policy

12.7 System Security Policy

12.7.1 Database User Management

Database users are the access paths to the information in a database. Users are created,
altered and dropped by the Database Administrators.

12.7.2 User Authentication

Database users are authenticated (verified as the correct person) by using database
passwords.

 Only database administrators will have modification rights of a database

 Use of roles will be made to limit user’s access to databases.

 Users will have either read or write rights to databases following approval from
line managers.

12.7.3 Operating System Security

The following security issues must also be considered for the operating system
environment executing Oracle and any database applications:

 Database administrators have the operating system privileges to create and delete
files.

 Application administrators have the operating system privileges to create and delete
files.

 Typical database/application users do not have the operating system privileges to

create or delete files related to the database/applications/systems.

12.8 Data Security Policy

Data security includes the mechanisms that control the access to and use of the database
at the object level. The data security policy determines which users have access to a
specific schema object, and the specific types of actions allowed for each user on the
object.

Doc Ref: TNM Security Policy v1.0 Page 13

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

Users request for privileges to access database/applications using a privilege requisition

form that is duly signed and endorsed by the section managers.

Means for implementing data security include system and object privileges, and roles. A
role is a set of privileges grouped together that can be granted to users.

12.9 User Security Policy

12.9.1 General User Security

12.9.1.1 Password Security

 Authentication is managed by the database; a password security policy is used to
maintain database access security

 Users are required to change their passwords every 30 days in order to prevent
unauthorized access to the database.

 Users are not allowed to share their passwords.

 Users are not allowed to re-use passwords

 User passwords will contain a mixture of numbers and letters

 User passwords will have a minimum of 7 characters

 Once a user tries to use a password unsuccessfully for three times, the account will
be locked.

12.9.1.2 Privilege Management

Roles (named groups of related privileges that are granted to users or other roles) to
manage the privileges available to users. Users that do very specific tasks are granted
privileges explicitly.

12.9.2 End-User Security

User groups are assigned specific application roles to enable them to perform their day
-to-day tasks, however some privileges are explicitly granted to individual users.

Doc Ref: TNM Security Policy v1.0 Page 14

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

12.9.2.1 Roles for End-User Privilege Management

Roles are associated with both applications, and they contain the object privileges
necessary to execute those applications.

12.9.3 Administrator Security

12.9.3.1 Protection for Connections as SYS and SYSTEM

The privileges associated with these user names are extremely sensitive, and are
available to only the database administrators.

12.9.3.2 Protection for Administrator Connections

Only database/system administrators and the billing manager are able to connect
to a database/system with administrative privileges. For example:

CONNECT username/password AS SYSDBA/SYSOPER

Connections requested AS SYSDBA or AS SYSOPER must use these phrases;

without them, the connection fails. The Oracle parameter
07_DICTIONARY_ACCESSIBILITY is set to FALSE by default, to limit
sensitive data dictionary access only to those authorized.

Such connections are authorized only after verification with the password file or
with the operating system privileges and permissions.

12.10 Application Developer Security

12.10.1 Application Developers and Their Privileges

Application developers using the database have a special security policy.

Developers have system privileges, such as CREATE TABLE, CREATE
PROCEDURE, and so on. However, specific system privileges are granted to
developers to restrict their overall capabilities in the database. The Database
administrators grant appropriate privileges to the application developers.

12.10.2 Application Developer Environment: Test and Production Databases

Application development will be restricted to test databases and is not allowed

on production databases. This restriction ensures that application developers do

Doc Ref: TNM Security Policy v1.0 Page 15

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

not compete with end users for database resources, and that they cannot
detrimentally affect a production database.

After an application has been thoroughly developed and tested, it is permitted

access to the production database and made available to the appropriate end
users of the production database.

12.10.3 Free versus Controlled Application Development (for discussion)

The database administrator defines the following options when determining

which privileges should be granted to application developers:

 Free development

An application developer is allowed to create new schema objects, including

tables, indexes, procedures, packages, and so on. This option allows the
application developer to develop an application independent of other objects.

 Controlled Development

An application developer is not allowed to create new schema objects. A

database administrator creates all required tables, indexes, procedures, and so
on, as requested by an application developer. This option allows the database
administrator to completely control the space usage of a database and the
access paths to information in the database.

Database systems use a combination of the above systems during

development. For example, application developers are allowed to create new
stored procedures and packages, but not allowed to create tables or indexes.

12.10.4 Roles and Privileges for Application Developers

Roles to manage the privileges required by the typical application developer must
are created. For example, a typical role named APPLICATION_DEVELOPER
includes the CREATE TABLE, CREATE VIEW, and CREATE PROCEDURE
system privileges.

12.11 Password Management Policy

Database security systems are dependent on passwords; they are kept secret at all
times. Because passwords are vulnerable to theft, forgery, and misuse, Oracle
Database uses a password management policy. The DBA controls this policy
through user profiles, enabling greater control over database security.

Doc Ref: TNM Security Policy v1.0 Page 16

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

12.11.1 Account Locking

When a particular user exceeds a designated number of failed login attempts, the
server automatically locks that user account. This is done by setting the
permissible number of failed login attempts. The amount of time accounts remain
locked is also specified. This is implemented using profiles by setting the
parameters below.

After a user successfully logs into an account, the unsuccessful login attempt
count for the user, if it exists, is reset to 0.

Accounts for former employees will be disabled or locked.

12.11.2 Password Aging and Expiration

This specifies the maximum lifetime for passwords. When the specified amount
of time passes and the password expires, the user or Database/Application/System
Administrator must change the password.

The grace period for password expiration of the password should also be
specified. Users enter the grace period upon the first attempt to log in to a
database account after their password has expired. During the grace period, a
warning message appears each time users try to log in to their accounts, and
continues to appear until the grace period expires. Users must change the
password within the grace period. If the password is not changed within the grace
period, then users are prompted for a new password each time an attempt is made
to access their accounts. Access to an account is denied until a new password is
supplied.

12.11.3 Password History

An old password will no be reused in the system

12.12 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.

12.13 Revision History

Doc Ref: TNM Security Policy v1.0 Page 17

Copyright (C) TNM AZB
Version 1.0 IT Security Policy
June 2010

6.0 User confirmation

I ……………………………………………………………………(full name) of the

………………………………………… Department, confirm that I have read, and
understood the TNM IT Security Policy and will adhere to IT.

Signature: …………………………………………………….

Date: …………………………………………………….

Doc Ref: TNM Security Policy v1.0 Page 18

Copyright (C) TNM AZB