CET4884 - Team 4
Troy Barnette
Joseph Cosmano
Gregory Henson
Rodney Lambert
Daniel Miller
Gerardo Pineda
Jonathan Stein
STBC Information Security Manual
Table of Contents
Introduction ... 3
Chapter 1. Program Policies ... 4
1.1 Information Security Program Charter ... 4
1.2 Information Security Program Organization ... 5
1.3 Information Security Audit Program ... 6
1.4 Incident Response and Continuity of Business ... 8
1.5 Information Security Awareness Program ... 9
Chapter 2. Issue Specific Policies ... 11
2.1 Internet Use Policy ... 11
2.2 Email Policy ... 12
2.3 Information Classification Policy ... 13
2.4 Access Control Policy ... 14
2.5 Malware Control Policy ... 15
Chapter 3. System Specific Policy ... 18
3.1 Workstation Security Configuration ... 18
References ... 19
Introduction
This document is prepared to satisfy the requirements of CET4884 (Spring 2010) at the
University of Central Florida. Per direction, the formats used in developing this
document are presented in NIST Publication 800-12, Chapter 5: Computer Security
Policy.
The Sydney Teddy Bear Company (STBC) is a fictional company for which the students in
the course are employed. For the purposes of this group and assignment, the following
personnel are employees of STBC:
Chief Security Officer: Jonathan Stein
Information Security Directors: Dan Miller, Joseph Cosmano
Information Security Managers: Troy Barnette, Rodney Lambert, Gerardo Pineda, Gregory Henson
Collaboration in the preparation of this document was done through a shared document
on Google Docs. The original document is located at:
http://docs.google.com/Doc?docid=0AdLTUsgiEiQ4ZGM2a3A0bmtfMTAxaGJnYnhiZnc&hl=en
Chapter 1. Program Policies
1.1 Information Security Program Charter
Information is vitally important to the success of business operations and the viability of
STBC (the "Company"); therefore, the Company has an obligation to ensure that its
information is protected against unauthorized disclosure, modification, or destruction.
A risk management approach will be used in establishing the Company's Information
Security Program. This requires the identification, assessment, and mitigation of
vulnerabilities and threats that can significantly impact STBC's information assets.
1.1.1 Purpose
The purpose of this policy is to provide guidelines for STBC employees, vendors,
contractors, and visitors which are designed to maintain the confidentiality, integrity, and
availability of our data and confidential customer information. The goal of this policy is to
ensure that the Company operates within all of the legal guidelines and ethical standards
set forth.
1.1.2 Scope
This policy includes physical, logical, and personnel security strategies that apply to all
employees, vendors, contractors, and visitors of STBC.
1.1.3 Responsibilities
The Chief Information Security Officer is responsible for the content of this policy. The
Director of Human Resources is responsible for disseminating the information contained in
this policy as well as disciplinary actions resulting from non-compliance with the policies of
the STBC Information Security Program. Together, the CISO and HR Director will arrange
semiannual meetings to review and update the policy, train and educate employees on the
topics covered in the policy, and perform audits to assure that all policy requirements are
met.
1.1.4 Compliance
The Director of Information Technology will appoint an individual as a compliance auditor.
This individual will perform monthly audits to ensure that STBC is operating in compliance
with the policies of the STBC Information Security Program. Any departments or individuals
found to be in breach of compliance will be reported to their appropriate supervisors and the
Human Resources Department.
All STBC employees, vendors, contractors, and visitors will be held accountable by the
Human Resources department to maintain compliance with this policy. Those found to be in
breach of compliance will be subject to disciplinary action up to and including termination of
employment or contract.
1.2 Information Security Program Organization
1.2.1 Purpose
Effective organization and direction from upper-management are essential to the success of
an Information Security Program. The goal of this policy is to clearly define the organization
of roles in the Company with respect to the implementation of the Information Security
Program.
1.2.2 Scope
This policy includes the supervisory, logistical, and administrative roles of employees of
STBC with regard to maintaining an organized Information Security Program.
1.2.3 Responsibilities
The assignment of responsibilities flows from the CEO down to STBC's employees and
vendors. All users play a role in keeping information secure at the Sydney Teddy Bear
Company.
• Chief Executive Officer: The CEO appoints the Information Security Officer. This
person may also appoint employees to assist the Information Security Officer.
• Chief Information Security Officer: This employee is responsible for the
coordination of the Information Security Program. The CISO will work throughout the
facility with employees who have access to valuable information. The CISO's major
objective is to utilize risk management to implement and administer a successful
Information Security Program.
• Vice Presidents of Sales, Operations, Administration and area managers: This
group is responsible for identifying information assets "owned" by their areas and
ensuring adequate security for those assets. In addition, they will ensure that the
employees in their specific areas operate within the guidelines of the Information
Security Program and all associated policies.
• Information Security Team: This team is tasked with developing and implementing
security controls throughout the workplace, delegating access to users, and resolving
security-related conflicts. The Chief Information Security Officer is a primary
member of this team.
• Computer Security Incident Response Team: This team is comprised of members
of the Information Security Team. They are responsible for ensuring the
effectiveness of controls implemented for safeguarding the Company's information
assets, and for investigating, responding to, assessing and minimizing the damage
caused by information security incidents.
1.2.4 Compliance
The Chief Information Security Officer shall ensure that the requirements and
responsibilities established by this policy are effectively implemented, and that such
responsibilities are met by all members of the Information Security Program Organization.
1.3 Information Security Audit Program
An effective Audit Program is essential to verifying the functionality of the policies and
controls implemented in respect to Information Security. Audits ensure that company
assets - physical or otherwise - are having the desired effect upon information security and
can be changed to keep pace with new threats.
1.3.1 Purpose
This policy will provide the Company with guidelines for conducting security audits. The
purpose of security audits is to assess threats and to revise the controls and policies
designed to ensure information security. Audits will assess Information Security controls for
compliance and adequacy in respect to established policies and procedures.
Some reasons for audits include:
• Compliance with current security policy and procedures
• Investigation of possible security breaches through security logs
• Scheduled penetration and vulnerability testing
1.3.2 Scope
All communication and computer equipment owned by STBC and the Company's
information assets will be covered by this policy. Audits will be conducted to test
effectiveness and conformity with STBC policies. At the conclusion of an audit, a
detailed report will be submitted to the Chief Information Security Officer.
1.3.3 Responsibilities
All audits are the responsibility of the Chief Information Security Officer. All audit
findings will be documented for concurrence and non-concurrence. Any irregularities or
security issues found by the audit team will be reported to the Chief Information
Security Officer. All changes to the audit policy will be reviewed by the STBC IT staff and
approved by senior management.
1.3.4 Compliance
Audits are to be performed as scheduled. Any deviation from the audit schedule should be
reported to the CISO. All auditors will be held to the highest level of integrity and ethical
standards. Any auditor found in noncompliance with this policy will be subject to disciplinary
action.

Audit responsibilities
The following table lists each audit area, the control expected to be in place, and the
procedure the audit team follows to verify it.

Sensitivity of Data
  Control: Check security for data that is segmented by classification. Network drives,
  file folders and directories need to be secured per classification.
  Audit procedure: Review log files. Review and assess policy and procedures.

Encryption and Authentication
  Control: Cryptographic systems are used for customer data and the website;
  authentication is used to verify employees' identities.
  Audit procedure: Assess customer purchasing for encryption. Review employee
  identification.

Review of security log
  Control: System log files will record all activity within STBC.
  Audit procedure: Verify all systems are generating log files. Review log file
  classification.

Review hiring policies
  Control: Background checks will be performed on all prospective employees. Security
  policies will be reviewed and signed by all prospective employees.
  Audit procedure: Review policy for hiring. Review employee files.

Data and records backup
  Control: Back up all records and data at a set time interval. Store data offsite.
  Audit procedure: Review backup policy. Review federal and local requirements.

Workstation anti-virus software
  Control: Install anti-virus software on all workstations and update the software with new
  virus definitions.
  Audit procedure: Verify each workstation for current anti-virus software and up-to-date
  virus definitions.

Open ports
  Control: Close all unused ports to prevent unauthorized access to systems.
  Audit procedure: Scan each workstation for open ports.

Reports
  Control: A report will be written after each audit and stored for future reference.
  Audit procedure: Review audit report policy.

Physical facilities
  Control: All employees entering STBC facilities will display an ID badge at all times.
  Badge readers will allow authorized employees into areas of high security. Doors leading
  outside will be kept locked.
  Audit procedure: Review facilities security policy. Verify employees. Verify the
  facilities' outside perimeter.
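The "Open ports" audit item above says to scan each workstation and compare what is listening against what should be. The script below is an added example, not part of the STBC manual or the team's own tooling: it parses `ss -ltn` output from a Linux workstation, compares the listening TCP ports against an approved baseline, and produces a finding the auditor can file. The baseline (`APPROVED_PORTS`) and the `ss` output it is run against are both constructed for the example.

```python
"""Open-port audit check (added example, not from the STBC manual).

Parses `ss -ltn` output (Linux listening TCP sockets), compares the
listening ports against an approved per-workstation baseline, and
returns an audit finding.  The baseline and the sample output below
are constructed for this example.
"""
import re
import subprocess
from dataclasses import dataclass

# Assumed baseline for a standard workstation: only SSH may listen.
# This value is an example assumption, not a figure from the manual.
APPROVED_PORTS = {22}

# Constructed sample of `ss -ltn` output for one workstation.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       128               [::]:22             [::]:*
LISTEN  0       4096         127.0.0.1:631         0.0.0.0:*
LISTEN  0       50             0.0.0.0:8080        0.0.0.0:*
"""

# Matches the State, queue columns and the "addr:port" local column.
_SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when the socket is reachable from the network rather than
        bound only to loopback (a loopback-only listener is lower risk)."""
        return self.address not in ("127.0.0.1", "[::1]")


def parse_ss_output(text: str) -> list[Listener]:
    """Extract (address, port) pairs for every LISTEN line of `ss -ltn`."""
    listeners = []
    for line in text.splitlines():
        m = _SS_LINE.match(line)
        if m:
            listeners.append(Listener(m.group("addr"), int(m.group("port"))))
    return listeners


def audit_open_ports(text: str, approved: set[int] = APPROVED_PORTS) -> dict:
    """Compare listening ports with the baseline and build an audit finding.

    'unexpected' lists every port outside the baseline; 'unexpected_exposed'
    narrows that to ports bound to a non-loopback address, which are the
    ones an attacker on the network could actually reach.
    """
    listeners = parse_ss_output(text)
    unexpected = sorted({l.port for l in listeners if l.port not in approved})
    exposed = sorted({l.port for l in listeners
                      if l.port not in approved and l.exposed})
    return {
        "listening": sorted({l.port for l in listeners}),
        "unexpected": unexpected,
        "unexpected_exposed": exposed,
        "compliant": not unexpected,
    }


def audit_local_workstation() -> dict:
    """Run the same check on the Linux workstation executing this script."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    return audit_open_ports(out)


if __name__ == "__main__":
    # Run against the constructed sample so the example works offline.
    print(audit_open_ports(SAMPLE_SS_OUTPUT))
```

For the constructed sample the finding reports ports 631 and 8080 as unexpected, with 8080 the only one exposed beyond loopback, and marks the workstation non-compliant; an auditor would attach that finding to the audit report the "Reports" row requires. On a real workstation `audit_local_workstation()` feeds live `ss -ltn` output through the same comparison.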
1.5 Information Security Awareness Program
Securing an organization's information starts with securing the front-lines: the users of the
organization's information systems. A successful security program can be directly tied to
security awareness, so training and compliance are fundamental to achieving this goal. This
policy intends to create an Information Security Awareness Program with the express goal
of educating the Company's network users on what they can do to provide for Information
Security, as well as teaching them to identify bad practices and threats to security.
1.5.1 Purpose
All users who are granted access to STBC information systems must be aware of the
importance of protecting the Company's information assets. The purpose of the Information
Security Awareness Program Policy is to provide guidelines to the Company and its
employees on the development, implementation, and review of information security
education programs and to foster a culture of continued learning in regards to Information
Security.
1.5.2 Scope
All persons who have been granted access to STBC information systems and/or data,
including full-time and part-time employees, contractors, vendors, temporary workers, and
others granted access are covered by this policy.
1.5.3 Responsibilities
The Information Security (IS) department will be responsible for developing and maintaining
an Information Security Awareness training program. Alternatively, a commercially
available program may be purchased so long as it meets the minimum requirements set
forth below.
The Human Resources (HR) department will be responsible for ensuring that all current
employees, new hires, and others as determined by the scope of this policy adequately
complete the training in accordance with this policy.
At a minimum, the selected education program must cover the following topics: viruses,
spyware, world wide web use, information classification, best practices, worst practices,
encryption, backup procedures, physical security, passwords, and social engineering
techniques such as phishing.
New hires must undergo training prior to being granted access to the Company's
information systems. The program must be reviewed and revised annually to reflect the
latest developments in information security threats. All employees must undergo annual
retraining and recertification in this program following the annual review.
In the event of a significant development in network security, such as a major threat or
security incident on the Company network, special training should be developed internally
and deployed to users promptly in order to address the Company's needs in response to
the development. Recommendations for this requirement will come from any Chief or
Director of Information Security.
Users who are found in violation of any Information Security related policy will have their
network access privileges revoked until such time as they have completed a review of the
training program established by this policy as directed by the Director of Human Resources.
1.5.4 Compliance
All managers are responsible for supervising their subordinates' use of STBC information
systems. Users who do not satisfy the requirements of this policy will have their
network access privileges revoked, and may be subject to disciplinary actions up to and
including termination of employment or contract.
found in violation of the policy will be subject to disciplinary action up to and including
termination and possible legal action.
All employees, vendors, and contractors will be responsible for compliance with this policy.
2.5.4 Roles and Responsibilities
The Director of Information Security shall ensure that all computer workstations, servers,
and other hardware are configured in compliance with this policy. All employees are
otherwise responsible for informing the Computer Security Incident Response Team of any
suspicious processes or behaviors encountered on their workstation.
2.5.5 Compliance
No employee is to disable, alter, reconfigure, or otherwise tamper with any software or
other product intended to detect malware installed on their workstation or on the network.
The company will install mainstream antivirus/antimalware software and a software firewall
on all workstations and servers to ensure our computers are running at optimal speeds.
Additional measures, such as a hardware filter, may be implemented at the direction of the
CISO.
The Information Technology Department will block web sites that may contain malware
which could harm our computers.
The company will provide at no cost to all employees antivirus/antimalware software to
protect their home computers and/or portable computers which may be used for STBC
business. The software chosen may be the same as used internally by the company, or a
different product may be chosen, so long as it provides highly-reliable antivirus and
antimalware protection and regular updates at no cost to the employee. Vendors and
Contractors will not be provided with the software.
Anyone found disseminating malicious code, intentionally or otherwise, will be dealt with
severely. The Director of Human Resources is responsible for disciplinary action arising from
violations of this policy. Depending on the severity of the offense, a written warning may be
issued and documented in the employee's personnel file. A second offense will result in
termination and possible legal action. Contractors or vendors found in violation of this policy
may be subject to termination of contract and/or possible legal action.
2.5.6 Points of Contact and Supplementary Information
Questions or issues regarding this policy should be directed to the Director of
Information Security. Employees may obtain copies of free antivirus software from the
office of the Director of Information Security.
References
"Data Classification Security Policy." 12 April 2004. The George Washington University. 10 April 2010 <http://my.gwu.edu/files/policies/DataClassificationPolicy.pdf>.
Department of Homeland Security. "Open Storage Area Standards for Collateral Classified Information." 22 February 2005. Department of Homeland Security. 10 April 2010 <http://www.dhs.gov/xlibrary/assets/foia/mgmt_directive_11046_open_storage_area_standards_for_collateral_classified_information.pdf>.
Mitnick, Kevin D. and William L. Simon. The Art of Deception. Indianapolis: Wiley Publishing, 2002.
"Sample Information Security Program Charter." 9 March 2009. HORSE - Holistic Operational Readiness Security Evaluation. 26 March 2010 <http://www.lazarusalliance.com/horsewiki/index.php/Sample_Information_Security_Program_Charter:>.
SANS Institute. "SANS Workstation Security Policy." 2008. SANS Institute. 3 April 2010 <http://www.sans.edu/resources/student_projects/200802_002.doc>.
USGAO. "Federal Information Systems Audit Control Manual." 2 February 2009. US Government Accountability Office. <http://www.gao.gov/new.items/d09232g.pdf>.
Whitman, Michael. Principles of Information Security. Canada: Thomson, 2009.