TNM IT SECURITY POLICY
Version 1.0
June 2010
Table of Contents
6 User Confirmation ... 18
1.1 Overview
TNM's intentions for publishing an Acceptable Use Policy are not to impose restrictions
that are contrary to the company’s established culture of openness, trust and integrity.
TNM is committed to protecting the company's employees, partners and the company
from illegal or damaging actions by individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer
equipment, software, operating systems, storage media, network accounts providing
electronic mail, WWW browsing, and FTP, are the property of the company. These
systems are to be used for business purposes in serving the interests of the company, and
of our clients and customers in the course of normal operations.
Effective security is a team effort involving the participation and support of every
company employee and affiliate who deals with information and/or information systems.
It is the responsibility of every computer user to know these guidelines, and to conduct
their activities accordingly.
1.2 Purpose
The purpose of this policy is to outline the acceptable use of Information Systems at the
company. These rules are in place to protect the employee and the company.
Inappropriate use exposes the company to risks including virus attacks, compromise of
network systems and services, and legal issues.
1.3 Scope
This policy applies to employees, contractors, consultants, temporaries, and other
workers at TNM, including all personnel affiliated with third parties. This policy applies
to all equipment that is owned or leased by the company.
1.4 Policy
iv. TNM reserves the right to audit networks and systems on a periodic basis to
ensure compliance with this policy.
vi. All hosts used by the employee that are connected to the TNM
Internet/Intranet/Extranet, whether owned by the employee or the company,
shall be continually executing approved virus-scanning software with a current
virus database, unless overridden by a group policy.
vii. Employees must use extreme caution when opening e-mail attachments received
from unknown senders, which may contain viruses, e-mail bombs, or Trojan
horse code.
The following activities are, in general, prohibited. Employees may be exempted from
these restrictions during the course of their legitimate job responsibilities (e.g., systems
administration staff may have a need to disable the network access of a host if that host is
disrupting production services).
Under no circumstances is an employee of TNM authorized to engage in any activity that
is illegal under local, state, federal or international law while utilizing TNM-owned
resources.
The lists below are by no means exhaustive, but attempt to provide a framework for
activities which fall into the category of unacceptable use.
4.1 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
4.2 Definitions
Term Definition
Doc Ref: TNM Security Policy v1.0 Page 4
Copyright (C) TNM AZB
4.4 Purpose
This document explains TNM’s analog and ISDN line acceptable use and approval
policies and procedures. This policy covers two distinct uses of analog/ISDN lines: lines
that are to be connected for the sole purpose of fax sending and receiving, and lines that
are to be connected to computers.
4.5 Scope
This policy covers only those lines that are to be connected to a point within the Offices
of TNM. It does not pertain to ISDN/phone lines that are connected into employee
homes, PBX desktop phones, and those lines used by Telecom for emergency and non-
corporate information purposes.
4.6 Policy
There are two important scenarios that involve analog line misuse, which this policy
attempts to guard against. The first is an outside attacker who dials a range of analog
line numbers in the hope of reaching a computer that has a modem attached to it. If a
modem inside the company premises answers the call (many modems and remote-access
packages are configured to auto-answer by default), the attacker may be able to reach
TNM's internal network through that computer, unmonitored. At the very least,
information held on that computer alone can be compromised. This potentially
results in the loss of millions of dollars worth of corporate information.
The second scenario is the threat of anyone with physical access into a TNM facility
being able to use a modem-equipped laptop or desktop computer. In this case, the
intruder would be able to connect to the trusted networking of TNM through the
computer's Ethernet connection, and then call out to an unmonitored site using the
modem, with the ability to siphon company information to an unknown location. This
could also potentially result in the substantial loss of vital information.
Specific procedures for addressing the security risks inherent in each of these scenarios
follow.
5 Facsimile Machines
As a rule, the following applies to requests for fax and analog lines:
Waivers for the above policy on analog-as-fax lines will be delivered on a case-by-case
basis after reviewing the business need with respect to the level of sensitivity and security
posture of the request.
Use of an analog/ISDN fax line is conditional upon the requester's full compliance with
the requirements listed below. These requirements are the responsibility of the authorized
user to enforce at all times:
a) The fax line is used solely as specified in the request.
b) Only persons authorized to use the line have access to it.
c) When not in use, the line is to be physically disconnected from the computer.
d) When in use, the computer is to be physically disconnected from the company's
internal network.
e) The line will be used solely for TNM business, and not for personal reasons.
f) All downloaded material, prior to being introduced into company systems and
networks, must have been scanned by an approved anti-virus utility (e.g., Sophos
Scan) which has been kept current through regular updates.
The general policy is that requests for computers or other intelligent devices to be
connected with analog or ISDN lines from within the company will not be approved for
security reasons. Analog and ISDN lines represent a significant security threat to the
company, and active penetrations have been launched against such lines by hackers.
Waivers to the policy above will be granted on a case by case basis.
Replacement lines, such as those requested because of a move, fall under the category of
"new" lines. They will also be considered on a case by case basis.
a) Will the machines that are using the analog lines be physically disconnected from
TNM's internal network?
b) Is dial-in from outside of TNM needed?
c) How many lines are being requested, and how many people will use the line?
d) What is the earliest date the line can be terminated from service?
e) What other means will be used to secure the line from unauthorized use?
f) Is this a replacement line from an old location? What was the purpose of the
original line?
g) What types of protocols will be run over the line?
h) Will a TNM-authorized anti-virus scanner be installed on the machine(s) using
the analog lines?
i) The requester should use the Analog/ISDN Line Request Form to address these
issues and submit a request.
7.1 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
7.2 Revision History
7.3 Purpose
This document explains TNM’s wireless and VPN network access acceptable use and
approval policies and procedures.
7.4 Scope
This Policy covers all network connectivity solutions to be used on the corporate network
other than direct connection via the Ethernet network. They include the following:
a) Wireless access
b) VPN access via any form of internet connection
c) Dialup access
7.5 Policy
Specific procedures for addressing the security risks inherent in each of these access
methods follow.
10 Wireless Access
As a rule, wireless access points/devices, including TNM dongles, are not to be installed
or connected to the network unless under the direct supervision of the Team Leader
Infrastructure and with authority from the Head of IT. Any access point/device to be
installed will conform to the following:-
Waivers for the above policy will be delivered on a case-by-case basis after reviewing the
business need with respect to the level of sensitivity and security posture of the request.
VPN access shall be granted on a case-by-case basis after reviewing the business need
with respect to the level of sensitivity and security posture of the request.
The VPN configurations shall be installed by a member of the IT Infrastructure Team.
i. Other equipment
Only equipment owned by TNM shall be plugged into the TNM LAN/WAN.
Users who need to use equipment not owned by TNM on the TNM LAN/WAN shall
first seek authorization from the Head of IT and connect the equipment only once
authority is granted.
All service providers' and contractors' equipment that needs to be connected to
the TNM WAN/LAN shall be connected through the proxy/firewall.
12.1 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
12.3 Purpose
To prevent tarnishing the public image of TNM. When email goes out from the company,
the general public will tend to view that message as an official statement from
TNM.
12.4 Scope
This policy covers appropriate use of any email sent from a TNM email address and
applies to all employees, vendors, and agents operating on behalf of TNM.
12.5 Policy
The TNM email system shall not be used for the creation or distribution of any
disruptive or offensive messages, including offensive comments about race,
gender, hair color, disabilities, age, sexual orientation, pornography, religious
beliefs and practice, political beliefs, or national origin. Employees who receive
any emails with this content from any TNM employee should report the matter to
their supervisor immediately.
Mass mailings will not be done unless approval is given by the Head of IT or Head of
HR.
Sharing of company confidential information without prior authorization will not
be allowed.
Disclosure of internal e-mail addresses when sending to recipients outside TNM
will not be allowed.
Subscription to non-work-related sites using company e-mail shall not be allowed.
Surfing of pornographic sites is prohibited.
Downloading of non-work-related software or media (e.g. video, music) will not be allowed.
Facebook, Twitter, Skype, and other messaging sites will not be allowed for
non-business-related use.
Using a reasonable amount of TNM resources for personal emails is acceptable, but non-
work related email shall be saved in a separate folder from work related email. Sending
chain letters or joke emails from a TNM email account is not allowed. Virus or other
malware warnings and mass mailings from TNM shall be approved by the company Head
of HR or IT according to the subject before sending. These restrictions also apply to the
forwarding or replying of mail received by a TNM employee.
12.5.3 Monitoring
TNM employees shall have no expectation of privacy in anything they store, send or
receive on the company's email system. The company may monitor messages without
prior notice where the need arises. The company is not obliged to monitor email messages.
Only a designated member of IT shall monitor messages, and only after authorization is
granted by the Chief Technical Officer or the Head of IT.
12.6 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
Database users are the access paths to the information in a database. Users are created,
altered and dropped by the Database Administrators.
Database users are authenticated (verified as the correct person) by using database
passwords.
Users will have either read or write rights to databases following approval from
line managers.
The following security issues must also be considered for the operating system
environment executing Oracle and any database applications:
Database administrators have the operating system privileges to create and delete
files.
Application administrators have the operating system privileges to create and delete
files.
Data security includes the mechanisms that control the access to and use of the database
at the object level. The data security policy determines which users have access to a
specific schema object, and the specific types of actions allowed for each user on the
object.
Means for implementing data security include system and object privileges, and roles. A
role is a set of privileges grouped together that can be granted to users.
Users are required to change their passwords every 30 days in order to prevent
unauthorized access to the database.
Once a user tries to use a password unsuccessfully for three times, the account will
be locked.
Roles (named groups of related privileges that are granted to users or other roles) are
used to manage the privileges available to users. Users that do very specific tasks are
granted privileges explicitly.
User groups are assigned specific application roles to enable them to perform their day
-to-day tasks; however, some privileges are explicitly granted to individual users.
Roles are associated with applications, and they contain the object privileges
necessary to execute those applications.
The privileges associated with these user names are extremely sensitive, and are
available to only the database administrators.
Only database/system administrators and the billing manager are able to connect
to a database/system with administrative privileges. For example:
Such connections are authorized only after verification with the password file or
with the operating system privileges and permissions.
not compete with end users for database resources, and that they cannot
detrimentally affect a production database.
Free development
Controlled Development
Roles to manage the privileges required by the typical application developer must
be created. For example, a typical role named APPLICATION_DEVELOPER
includes the CREATE TABLE, CREATE VIEW, and CREATE PROCEDURE
system privileges.
Database security systems depend on passwords, which must be kept secret at all
times. Because passwords are vulnerable to theft, forgery, and misuse, Oracle
Database uses a password management policy. The DBA controls this policy
through user profiles, enabling greater control over database security.
When a particular user exceeds a designated number of failed login attempts, the
server automatically locks that user account. This is done by setting the
permissible number of failed login attempts. The amount of time accounts remain
locked is also specified. This is implemented using profiles by setting the
parameters below.
After a user successfully logs into an account, the unsuccessful login attempt
count for the user, if it exists, is reset to 0.
This specifies the maximum lifetime for passwords. When the specified amount
of time passes and the password expires, the user or Database/Application/System
Administrator must change the password.
A grace period for password expiration should also be
specified. Users enter the grace period upon the first attempt to log in to a
database account after their password has expired. During the grace period, a
warning message appears each time users try to log in to their accounts, and
continues to appear until the grace period expires. Users must change the
password within the grace period. If the password is not changed within the grace
period, then users are prompted for a new password each time an attempt is made
to access their accounts. Access to an account is denied until a new password is
supplied.
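The controls described in this section (a 30-day password lifetime, lockout after three failed attempts, a grace period with warnings, an APPLICATION_DEVELOPER role carrying CREATE TABLE, CREATE VIEW and CREATE PROCEDURE, and read versus write rights granted per user) map directly onto Oracle profiles and roles. The DDL below is an added example of how a DBA would put them in force; it is not text from the TNM policy. The profile name tnm_user_profile, the roles billing_reader and billing_writer, the table billing.invoices, the user jdoe, and the lock-time, grace-period and password-reuse values are assumptions chosen to illustrate the mechanism.

```sql
-- Added example, not part of the TNM policy document.
-- Password policy from the text: 30-day lifetime, lock after three failed attempts.
-- Lock time, grace period and reuse limits are assumed values.
-- Time values are in days, so 1/24 is one hour.
CREATE PROFILE tnm_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 3        -- account locks on the third consecutive failure
  PASSWORD_LOCK_TIME    1/24     -- assumed: stays locked one hour (UNLIMITED = DBA must unlock)
  PASSWORD_LIFE_TIME    30       -- password expires after 30 days, as the policy requires
  PASSWORD_GRACE_TIME   5        -- assumed: 5-day grace period, warning shown at each login
  PASSWORD_REUSE_MAX    10       -- assumed: the last 10 passwords cannot be reused
  PASSWORD_REUSE_TIME   365;     -- assumed: and not for 365 days in any case

-- Developer role named in the text, holding only the system privileges it lists
-- (plus CREATE SESSION, without which the role holder cannot log in at all).
CREATE ROLE application_developer;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW, CREATE PROCEDURE
   TO application_developer;

-- Assumed application roles separating "read" from "write" rights on one schema.
CREATE ROLE billing_reader;
CREATE ROLE billing_writer;
GRANT SELECT ON billing.invoices TO billing_reader;
GRANT SELECT, INSERT, UPDATE, DELETE ON billing.invoices TO billing_writer;

-- A user is created under the profile and receives a role, not direct object
-- privileges. PASSWORD EXPIRE forces a change at first login so the initial
-- password handed over by the DBA is never the working one.
CREATE USER jdoe IDENTIFIED BY "Initial-Pass-Word-1" PROFILE tnm_user_profile
  PASSWORD EXPIRE;               -- assumed user name and placeholder initial password
GRANT CREATE SESSION, billing_reader TO jdoe;

-- An explicit per-user grant, which the policy allows only after line-manager approval.
GRANT UPDATE ON billing.invoices TO jdoe;

-- Checks a DBA can run to confirm the policy is actually in force.
-- 1. The password limits as the database sees them:
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'TNM_USER_PROFILE'
   AND resource_type = 'PASSWORD';

-- 2. Who is covered, and who is currently locked or expired:
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE profile = 'TNM_USER_PROFILE';

-- 3. Anyone still on the DEFAULT profile is outside this policy:
SELECT username
  FROM dba_users
 WHERE profile = 'DEFAULT'
   AND account_status = 'OPEN';
```

Two caveats a practitioner should know. Password limits in a profile are enforced regardless of the RESOURCE_LIMIT initialization parameter; that parameter only governs resource limits such as SESSIONS_PER_USER, so a profile is enough to implement the lockout and expiry rules above. Second, a profile binds only to the users assigned to it, so any account left on the DEFAULT profile is not subject to the 30-day or three-attempt rules; the last query above lists those accounts. The reset of the failed-attempt counter after a successful login, described in the text, is Oracle's built-in behaviour for FAILED_LOGIN_ATTEMPTS and needs no additional setting.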
12.12 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.
Signature: …………………………………………………….
Date: …………………………………………………….