
STBC Information Security Manual

CET4884 - Team 4
Troy Barnette
Joseph Cosmano
Gregory Henson
Rodney Lambert
Daniel Miller
Gerardo Pineda
Jonathan Stein

Table of Contents

Introduction..............................................................................................................3
Chapter 1. Program Policies......................................................................................4
1.1 Information Security Program Charter..............................................................4
1.2 Information Security Program Organization........................................................5
1.3 Information Security Audit Program...................................................................6
1.4 Incident Response and Continuity of Business.....................................................8
1.5 Information Security Awareness Program...........................................................9
Chapter 2. Issue Specific Policies.............................................................................11
2.1 Internet Use Policy........................................................................................11
2.2 Email Policy..................................................................................................12
2.3 Information Classification Policy......................................................................13
2.4 Access Control Policy.....................................................................................14
2.5 Malware Control Policy...................................................................................15
Chapter 3. System Specific Policy............................................................................18
3.1 Workstation Security Configuration..................................................................18
References..............................................................................................................19


Introduction

This document is prepared to satisfy the requirements of CET4884 (Spring 2010) at the
University of Central Florida. Per direction, the formats used in developing this
document are presented in NIST Publication 800-12, Chapter 5: Computer Security
Policy.
The Sydney Teddy Bear Company (STBC) is a fictional company for which the students in
the course are employed. For the purposes of this group and assignment, the following
personnel are employees of STBC:
Chief Security Officer: Jonathan Stein
Information Security Directors: Dan Miller, Joseph Cosmano
Information Security Managers: Troy Barnette, Rodney Lambert,
Gerardo Pineda, Gregory Henson
Collaboration in the preparation of this document was done through a shared document on Google Docs. The original document is located at:
http://docs.google.com/Doc?docid=0AdLTUsgiEiQ4ZGM2a3A0bmtfMTAxaGJnYnhiZnc&hl=en


Chapter 1. Program Policies

1.1 Information Security Program Charter


Authors: Joseph Cosmano, Jonathan Stein, Daniel Miller

Information is vitally important to the success of business operations and the viability of
STBC (the "Company"); therefore, the Company has an obligation to ensure that its
information is protected against unauthorized disclosure, modification, or destruction.
A risk management approach will be used in establishing the Company's Information
Security Program. This requires the identification, assessment, and mitigation of
vulnerabilities and threats that can significantly impact STBC's information assets.
1.1.1 Purpose
The purpose of this policy is to provide guidelines for STBC employees, vendors,
contractors, and visitors which are designed to maintain the confidentiality, integrity, and
availability of our data and confidential customer information. The goal of this policy is to
ensure that the Company operates within all of the legal guidelines and ethical standards
set forth.
1.1.2 Scope
This policy includes physical, logical, and personnel security strategies that apply to all
employees, vendors, contractors, and visitors of STBC.
1.1.3 Responsibilities
The Chief Information Security Officer is responsible for the content of this policy. The
Director of Human Resources is responsible for disseminating the information contained in
this policy as well as disciplinary actions resulting from non-compliance with the policies of
the STBC Information Security Program. Together, the CSO and HR Director will arrange
semiannual meetings to review and update the policy, train and educate employees on the
topics covered in the policy, and perform audits to assure that all policy requirements are
met.
1.1.4 Compliance
The Director of Information Technology will appoint an individual as a compliance auditor.
This individual will perform monthly audits to ensure that STBC is operating in compliance
with the policies of the STBC Information Security Program. Any departments or individuals
found to be in breach of compliance will be reported to their appropriate supervisors and the
Human Resources Department.

All STBC employees, vendors, contractors, and visitors will be held accountable by the
Human Resources department to maintain compliance with this policy. Those found to be in
breach of compliance will be subject to disciplinary action up to and including termination of
employment or contract.


1.2 Information Security Program Organization


Authors: Rodney Lambert, Troy Barnette

1.2.1 Purpose
Effective organization and direction from upper-management are essential to the success of
an Information Security Program. The goal of this policy is to clearly define the organization
of roles in the Company with respect to the implementation of the Information Security
Program.
1.2.2 Scope
This policy includes the supervisory, logistical, and administrative roles of employees of STBC in regards to maintaining an organized Information Security Program.
1.2.3 Responsibilities
The assignment of responsibilities flows from the CEO down to STBC's employees and
vendors. All users play a role in keeping information secure at the Sydney Teddy Bear Company.
• Chief Executive Officer: The CEO appoints the Information Security Officer. This person may also appoint employees to assist the Information Security Officer.
• Chief Information Security Officer: This employee is responsible for the coordination of the Information Security Program. The CISO will work throughout the facility with employees who have access to valuable information. The CISO's major objective is to utilize risk management to implement and administer a successful Information Security Program.
• Vice Presidents of Sales, Operations, Administration and area managers: This group is responsible for identifying information assets "owned" by their areas and ensuring adequate security for those assets. In addition, they will ensure that the employees in their specific areas operate within the guidelines of the Information Security Program and all associated policies.
• Information Security Team: This team is tasked with developing and implementing security controls throughout the workplace, delegating access to users, and resolving security-related conflicts. The Chief Information Security Officer is a primary member of this team.
• Computer Security Incident Response Team: This team is comprised of members of the Information Security Team. They are responsible for ensuring the effectiveness of controls implemented for safeguarding the Company's information assets, and investigating, responding to, assessing and minimizing the damage caused by information security incidents.
1.2.4 Compliance
The Chief Information Security Officer shall ensure that the requirements and
responsibilities established by this policy are effectively implemented, and that such
responsibilities are met by all members of the Information Security Program Organization.

1.3 Information Security Audit Program


Author: Gregory Henson


An effective Audit Program is essential to verifying the functionality of the policies and
controls implemented in respect to Information Security. Audits ensure that company
assets - physical or otherwise - are having the desired effect upon information security and
can be changed to keep pace with new threats.
1.3.1 Purpose
This policy will provide the Company with guidelines for conducting security audits. The
purpose of security audits is to assess threats and to revise the controls and policies
designed to ensure information security. Audits will assess Information Security controls for
compliance and adequacy in respect to established policies and procedures.
Some reasons for audits include:
• Compliance with current security policy and procedures
• Investigation of possible security breaches through security logs
• Scheduled penetration and vulnerability testing
1.3.2 Scope
All communication and computer equipment owned by STBC and the Company's
information assets will be covered by this policy. Audits will be conducted to test
effectiveness and conformity with STBC policies. At the conclusion of an audit, a
detailed report will be submitted to the Chief Information Security Officer.

1.3.3 Responsibilities

All audits are the responsibility of the Chief Information Security Officer. All audit findings will be documented for concurrence and non-concurrence. Any irregularities or security issues found by the audit team will be reported to the Chief Information Security Officer. All changes to the audit policy will be reviewed by the STBC IT staff and approved by senior management.
Audit responsibilities

Information Security Directors:
• Sensitivity of data
• Encryption and Authentication
• Review of security log
• Review hiring policies
• Emergency
• Data and records backup
• Physical facilities
• Report of findings including suggested corrective action

Information Security Managers:
• Network firewalls
• Workstation anti-virus software
• Workstation password
• Open ports
• Servers
• VPN
• Patches
• Report of findings including suggested corrective action

1.3.4 Compliance
Audits are to be performed as scheduled. Any deviation from the audit schedule should be reported to the CISO. All auditors will be held to the highest level of integrity and ethical standards. Any auditor found in noncompliance with this policy will be subject to disciplinary action.


Audit Controls, Techniques and Procedures

Each entry below lists the control activity, the control technique, and the audit procedure used to verify it.

Control Activity: Sensitivity of Data
Control Technique: Check security for data that is segmented by classification. Network drives, file folders and directories need to be secured per classification.
Audit Procedure: Review log files. Review and assess policy and procedures.

Control Activity: Encryption and Authentication
Control Technique: Cryptographic systems are used for customer data, and website authentication is used to verify the identity of employees.
Audit Procedure: Assess customer purchasing for encryption. Review employee identification.

Control Activity: Review of security log
Control Technique: System log files will record all activity within STBC.
Audit Procedure: Verify all systems are generating log files. Review log file classification.

Control Activity: Review hiring policies
Control Technique: Background checks will be performed on all prospective employees. Security policies will be reviewed and signed by all prospective employees.
Audit Procedure: Review policy for hiring. Review employee files.

Control Activity: Emergency
Control Technique: An emergency plan has been documented and reviewed by personnel.
Audit Procedure: Review policy. Interview personnel.

Control Activity: Data and records backup
Control Technique: Back up all records and data at a set time interval. Store data offsite.
Audit Procedure: Review backup policy. Review federal and local requirements.

Control Activity: Network firewalls
Control Technique: Firewalls are to be installed to protect computer systems from outside attacks.
Audit Procedure: Review firewall policy. Check firewall software for recent updates. Review log files.

Control Activity: Workstation anti-virus software
Control Technique: Install anti-virus software on all workstations and update the software with new virus definitions.
Audit Procedure: Verify each workstation has current anti-virus software and up-to-date virus definitions.

Control Activity: Workstation password
Control Technique: Passwords are to be unique, at least 6 characters, and expire every 30 days.
Audit Procedure: Review password policy. Test workstations for compliance.

Control Activity: Open ports
Control Technique: Close all unused ports to prevent unauthorized access to systems.
Audit Procedure: Scan each workstation for open ports.

Control Activity: Servers
Control Technique: Servers will periodically be backed up. Servers will be installed in a climate-controlled room. The server room entrance should be kept locked at all times.
Audit Procedure: Verify server rooms are locked and clear of debris. Check air temperature.

Control Activity: VPN
Control Technique: VPN will allow personnel the ability to work offsite.
Audit Procedure: Review VPN policy. Verify personnel, access credentials, and encryption methods.

Control Activity: Patches
Control Technique: Software patches will be installed as necessary. All patches will be approved by senior management before installation.
Audit Procedure: Verify software patches are up to date.

Control Activity: Reports
Control Technique: A report will be written after each audit and stored for future reference.
Audit Procedure: Review audit report policy.

Control Activity: Physical facilities
Control Technique: All employees entering STBC facilities will display an ID badge at all times. Badge readers will allow authorized employees into areas of high security. Doors leading outside will be kept locked.
Audit Procedure: Review facilities security policy. Verify employees. Verify facilities outside perimeter.

1.4 Incident Response and Continuity of Business


Author: Gerardo Pineda

Preparedness is essential in dealing with a breach of security or natural disaster. A well-prepared disaster response plan combined with a timely and effective response can determine the difference between a minor incident and a severe, business-impacting disaster.
1.4.1 Purpose
This policy defines the general response and reporting procedures to follow in the event of a security incident or breach. In the event of an information security breach or natural disaster that would affect the integrity or value of the company or its customers through unauthorized access or exploitation of open resources, a response will be conducted by the appropriate personnel, who will assess and handle the incident, develop a response plan, and prevent further negative impact. A thorough and concise report will be created to determine the cause and impact of such incidents and to address any vulnerabilities or flaws in the system.
1.4.2 Scope
This policy applies to all aspects of information security, response, and documentation of incidents that may affect any level of the information systems resources owned and used by the company. Such incidents may include misuse of data, exploitation of open resources, theft of valuable data or systems, corruption of software, propagation of malware, and/or any other incident that may jeopardize the availability and consistency of the Company's information systems. This policy does not cover damage to systems owned by employees or any individual not employed by the company, unless the system otherwise contributed to the incident.
1.4.3 Responsibilities
All suspicious events and/or information security incidents shall be immediately reported to the Chief Information Security Officer (CISO). An immediate escalation shall be implemented in which the CISO will determine the severity of the suspicious event and/or incident in order to contain any systems or environment with security breaches that may affect the overall performance of the company. Affected systems may include those with network security breaches, malware infection, communication failure and/or any data mishandling. All suspicious events and/or incidents shall be contained and eliminated as soon as they are detected to minimize or eradicate any further propagation that may complicate or affect the availability of information systems.
A thorough and concise investigation shall be put into action that would examine evidence
of the security breach. Evidence may include affected systems, log files, malicious
codes/scripts, network penetration logs and any other activity that may pertain to the
suspicious event and/or incident. Additionally, thorough documentation will be generated
and kept on all affected systems, the environment and potential evidence such as external
media (diskette, external hard drive, Zip drives, etc.) that may be recorded for future
reference.
The degree of all damages shall be determined by the CISO from all collected data and
he/she will then determine any further action to be taken. If the severity of the incident is of
high risk such as to cause systems to be removed from the network, a managerial
notification shall be required in order to address any critical action.
The CISO shall be responsible for the development of a Disaster Response Plan in
collaboration with the Information Security Team. The CISO will be responsible for securing
organizational approval and necessary funding, while the IST will determine technical
requirements.
1.4.4 Compliance
All Incident Response personnel shall comply with the above procedures in order to ensure
system and network control. Failure to comply with such procedures may result in
disciplinary action up to and including termination of employment.

1.5 Information Security Awareness Program


Author: Jonathan Stein

Securing an organization's information starts with securing the front-lines: the users of the
organization's information systems. A successful security program can be directly tied to
security awareness, so training and compliance are fundamental to achieving this goal. This
policy intends to create an Information Security Awareness Program with the express goal
of educating the Company's network users on what they can do to provide for Information
Security, as well as teaching them to identify bad practices and threats to security.


1.5.1 Purpose
All users who are granted access to STBC information systems must be aware of the
importance of protecting the Company's information assets. The purpose of the Information
Security Awareness Program Policy is to provide guidelines to the Company and its
employees on the development, implementation, and review of information security
education programs and to foster a culture of continued learning in regards to Information
Security.
1.5.2 Scope
All persons who have been granted access to STBC information systems and/or data,
including full-time and part-time employees, contractors, vendors, temporary workers, and
others granted access are covered by this policy.
1.5.3 Responsibilities
The Information Security (IS) department will be responsible for developing and maintaining
an Information Security Awareness training program. Alternatively, a commercially
available program may be purchased so long as it meets the minimum requirements set
forth below.
The Human Resources (HR) department will be responsible for ensuring that all current
employees, new hires, and others as determined by the scope of this policy adequately
complete the training in accordance with this policy.
At a minimum, the selected education program must cover the following topics: viruses,
spyware, world wide web use, information classification, best practices, worst practices,
encryption, backup procedures, physical security, passwords, and social engineering
techniques such as phishing.
New hires must undergo training prior to being granted access to the Company's
information systems. The program must be reviewed and revised annually to reflect the
latest developments in information security threats. All employees must undergo annual
retraining and recertification in this program following the annual review.
In the event of a significant development in network security - such as a major threat or security incident on the Company network - special training should be developed internally and deployed to users promptly in order to address the Company's needs in response to the development. Recommendations for this requirement will come from any Chief or Director of Information Security.
Users who are found in violation of any Information Security related policy will have their
network access privileges revoked until such time as they have completed a review of the
training program established by this policy as directed by the Director of Human Resources.
1.5.4 Compliance
All managers are responsible for supervising their subordinates' use of STBC information
systems. Users who do not satisfy the requirements of this policy will have their
network access privileges revoked, and may be subject to disciplinary actions up to and
including termination of employment or contract.


Chapter 2. Issue Specific Policies

2.1 Internet Use Policy


Author: Troy Barnette

2.1.1 Issue Statement
The Internet provides access to a myriad of resources that may or may not be related to or suitable for use in the work environment. Access to some material may expose the organization to security threats such as viruses, unauthorized disclosure of sensitive information, and potential legal action.
2.1.2 Statement of the Organization's Position
The computer network is the property of STBC and should be used for business purposes by employees only in the fulfillment of their jobs. All employees have a responsibility to use the Company's computer resources and the Internet in a professional, lawful and ethical manner.
2.1.3 Applicability
This policy applies to all employees and computer resources of STBC.
2.1.4 Roles and Responsibilities
The Chief Information Security Officer shall be responsible for the enforcement of this
policy. Requests for a waiver to any part of this policy may be directed to the Director of
Information Security. Such requests shall be approved only when the policy can be
demonstrated to hinder the course of business with approval of the CISO.
2.1.5 Compliance
• STBC has the right, but not the responsibility, to monitor all employees' Internet use at its discretion.
• STBC has the right to block access to Internet sites that are determined to be
offensive, pornographic, or unlawful.
• Instant Messaging programs other than those provided and supported by STBC
are strictly prohibited.
• Downloading, copying, and pirating of software or electronic files that are
copyrighted, or otherwise infringe upon the intellectual property rights of any
individual or organization is strictly prohibited.
• Removal or interference with STBC provided antivirus and anti-malware software
is forbidden
• Access to Social Networking sites is prohibited.
• Access to web-based email is forbidden.
• Use of the Internet to share confidential material, trade secrets or proprietary
information is forbidden.
• Using the Internet to send or post discriminatory, harassing, or threatening messages or images is strictly forbidden.
Any violation of this policy will be directed to the Director of Human Resources for investigation. All infractions will warrant an audit of this policy. An incident report will be generated for future records and stored in the employee's personnel file. Any employee found in violation of the policy will be subject to disciplinary action up to and including termination and possible legal action.

2.1.6 Points of Contact and Supplementary Information
Any issues regarding the statutes of this policy may be referred to the Director of Information Security. Issues of non-compliance should be referred to the Director of Human Resources.

2.2 Email Policy


Author: Daniel Miller

2.2.1 Issue Statement
Email is possibly the most often used means of communication in business today. It is essential that email systems are constantly available, secure, and capable of handling the communications needs of the entire company.
However, email introduces several caveats which must be addressed. It is well known that email may often appear impersonal, and subtleties such as intonation and meaning may be lost or misconstrued by the recipient of a message. In addition, email can be a primary threat vector for the introduction of viruses and malware and the unauthorized disclosure of sensitive information.
2.2.2 Statement of the Organization's Position
Much of the communication within STBC is through email. As such, it is very important that
we maintain a high level of quality and professionalism within those communications. In
addition to ensuring professionalism, the company must also ensure the availability of email
systems and prevent exposure to security threats.
2.2.3 Applicability
This policy applies to all personnel who have an email account with STBC.
2.2.4 Roles and Responsibilities
The Chief Information Security Officer shall be responsible for the enforcement of this
policy.
The Director of Information Technology shall establish maximum attachment size limits, file-
extension blacklists, mailbox quotas, spam filters, and other necessary restrictions following
a thorough review of email needs and habits in the company. These restrictions shall be
reviewed on a semi-annual basis, or at the request of any Director or Chief of the Company.
2.2.5 Compliance
STBC reserves the right to monitor all email communications. This is to ensure the quality of
service to clients, vendors, and business partners. This will also ensure that all
communications are business related and free of impropriety. STBC-provided email
accounts are for business use only.
The Department of Information Technology shall implement and enforce all controls and
restrictions established by the Director of IT.

Sending or forwarding emails with pornographic or discriminatory content will be treated as harassment and will be dealt with accordingly.
Any violation of this policy will be directed to the Chief Information Security Officer. The
infractions of the employee will be documented and recorded in the employee's personnel
file.
2.2.6 Points of Contact and Supplementary Information
Any questions or issues with these policies are to be directed to the office of the Chief Information Security Officer.
Employees may reference the following website for information on email writing:
Writing Effective Email - http://jerz.setonhill.edu/writing/e-text/e-mail.htm

2.3 Information Classification Policy


Author: Gregory Henson

2.3.1 Issue Statement
All employees at STBC have a responsibility to protect information from destruction or unauthorized access. The disclosure of sensitive data can cause damage to the company, and as such, data classification can aid in ensuring that such data is properly marked in order to adequately protect it.
2.3.2 Statement of the Organization's Position
STBC has the obligation to protect its customers and employees, and the implementation of an information classification scheme will help to fulfill this. STBC will comply with local and federal regulations as they pertain to the classification of information.
2.3.3 Applicability
All data - on paper copy or electronic media - will be covered by this policy. All personnel
granted access to classified information shall be required to have a signed non-disclosure
agreement in their personnel file.
2.3.4 Roles and Responsibilities
A senior manager who is considered the "owner" of a piece of information, or its
"stakeholder", is solely responsible for classifying such information. Written authorization
from the stakeholder must be obtained in order to change a classification.
All employees are responsible for safeguarding information protected under a classification
level.
The Human Resources Department shall be responsible for conducting background checks to
identify any personnel who may not warrant clearance to classified information.
2.3.5 Compliance
All information used, created or owned by STBC should be classified into the following
categories:
• Unclassified Public: Data that is not critical or confidential to the company, employees or customers. Examples of unclassified public data would include but are not limited to product brochures, newsletters and public web site information.
• Proprietary: Data that is regulated by management. Examples of proprietary data would include but are not limited to security and financial information and operating procedures.
• Customer Confidential: Data that contains customer information and is regarded as having the highest level of confidentiality and integrity. This information is considered critical to the company and its customers. The company must comply with all local, state and federal regulations. Examples of customer confidential data would include but are not limited to customer credit card numbers, bank data, phone numbers and street addresses.
• Company Confidential: Data that contains company information and is regarded as having the highest level of confidentiality and integrity. The company must comply with all local, state and federal regulations. Examples of company confidential data would include but are not limited to employee information, contracts and accounting information.
Any violation of this policy will be directed to senior management for investigation. All
infractions will warrant an audit of this policy. An incident report will be generated for
future records. Any employee found in violation of the policy will be subject to disciplinary
action up to and including termination and possible legal action.
2.3.6 Points of Contact and Supplementary Information
Information Security issues or questions should be directed to the office of the Chief
Information Security Officer. Policy compliance questions should be directed to the Human
Resource office.

2.4 Access Control Policy


Author: Gerardo Pineda

2.4.1 Issue Statement
Strict access controls that maintain availability of data are an important requirement of securing information. It is vital to guarantee that information and resources are properly protected against illicit access and improper alteration that may cause harm or jeopardize the integrity and value of the company. The goal of the access control policy is to ensure that data is available to authorized personnel at any time they may need it, without limitation to their geographical or logical location.
2.4.2 Statement of the Organization's Position
All access to classified information shall be limited to personnel with appropriate credentials.
Unique user identification shall be given to all system users by the Chief Information
Security Officer (CISO) to ensure access to sensitive information on a need-to-know basis.
2.4.3 Applicability
This policy applies to all employees, vendors and contractors of STBC who are granted
access to the Company's information assets, with special consideration for access to
classified information.
2.4.4 Roles and Responsibilities
The Chief Information Security Officer (CISO) shall be required to maintain and submit account activation and/or termination requests. In addition, the CISO shall establish procedures for responding to the event of unauthorized access to confidential information whose disclosure would jeopardize the company's value or its customers' privacy.
The Department of Information Technology shall be responsible for network-, systems-, and applications-level implementation of access controls.
The Department of Human Resources shall be responsible for distributing identification
badges and keys to all employees for physical security needs.
The Department of Operations shall be responsible for maintaining locks on doors to
restricted areas, maintaining id-badge reading systems, and maintaining surveillance
systems.
2.4.5 Compliance
Each person will be responsible for the confidentiality of their access credentials. Users are
not to share or otherwise make known to others any information about their unique user ID,
passwords, or other credentials that would allow others to access confidential, restricted and
unclassified material. Additionally, the CISO shall ensure users are aware of what
information they have or do not have access to.
All users shall be responsible for locking or logging off when they leave their system
unattended; this practice directly reduces the window for misuse. Systems shall be deployed with
an automatic inactivity lock so that an unattended system cannot be used by unauthorized
personnel to obtain information.
All employees must display ID badges when on company property, and keys to secured
areas shall be assigned only to essential personnel.
In the event of an unauthorized access incident, a report shall be given to the CISO for
thorough examination. The CISO will then direct the implementation of measures to prevent
future incidents.
Failure to comply with this policy will be referred to senior management for disciplinary
action. Any unauthorized disclosure of classified information will result in termination of
employment and/or possible legal action.
2.4.6 Points of Contact and Supplementary Information
Questions about this policy, as well as access requests regarding protected information,
may be directed to the office of the Chief Information Security Officer.

2.5 Malware Control Policy
Author: Rodney Lambert
2.5.1 Issue Statement
Malware is malicious code which may infect a computer and introduce a security threat such
as a "keylogger" or "backdoor". There are many kinds of malware, including viruses,
trojans, worms, and adware. They have the potential to expose the company's sensitive
information to the outside world and hamper the performance and functionality of the
computer network.
By keeping our computers free of malware, we can add value to the overall goal and
mission of the STBC organization.
2.5.2 Statement of the Organization's Position
The Company must protect information systems against malware. The primary goal is to
ensure the security of our information, employees and customers and to obtain high
performance from the network. Management would like to ensure all employees can
reliably and securely access their workstations and information at all times.
2.5.3 Applicability
This policy applies to all physical assets attached to the STBC network, whether on-site or
remotely connected. It also applies to company property and to any property an STBC employee
may own.
All employees, vendors, and contractors will be responsible for compliance with this policy.
2.5.4 Roles and Responsibilities
The Director of Information Security shall ensure that all computer workstations, servers,
and other hardware are configured in compliance with this policy. All employees are
otherwise responsible for informing the Computer Security Incident Response Team of any
suspicious processes or behaviors encountered on their workstation.
2.5.5 Compliance
No employee is to disable, alter, reconfigure, or otherwise tamper with any software or
other product intended to detect malware installed on their workstation or on the network.
The company will install mainstream antivirus/antimalware software and a software firewall
on all workstations and servers to ensure our computers are running at optimal speeds.
Additional measures, such as a hardware filter, may be implemented at the direction of the
CISO.
The Information Technology Department will block web sites that may contain malware
which could harm our computers.
The company will provide at no cost to all employees antivirus/antimalware software to
protect their home computers and/or portable computers which may be used for STBC
business. The software chosen may be the same as used internally by the company, or a
different product may be chosen, so long as it provides highly-reliable antivirus and
antimalware protection and regular updates at no cost to the employee. Vendors and
Contractors will not be provided with the software.
Anyone found disseminating malicious code intentionally or otherwise will be dealt with
severely. The Director of Human Resources is responsible for disciplinary action arising from
violations of this policy. Depending on the severity of the offense, a written warning may be
issued and documented in the employee's personnel file. The second offense will result in
termination and possible legal action. Contractors or vendors found in violation of this policy
may be subject to termination of contract and/or possible legal action.
2.5.6 Points of Contact and Supplementary Information
Questions or issues regarding this policy should be directed to the Director of
Information Security. Employees may obtain copies of free antivirus software from the
office of the Director of Information Security.
Chapter 3. System Specific Policy
3.1 Workstation Security Configuration
Author: Joseph Cosmano
3.1.1 Security Objectives
In conjunction with our overall security policy, our system specific policy is designed to
ensure the confidentiality, integrity, and availability of STBC data. Specifically, the security
objective can be further defined as providing privileged users with the resources needed to
efficiently perform their job duties while minimizing the risk of a security breach or negative
impact to STBC or its customers. The implementation of system specific security measures
should be prioritized based on constraints to ensure that the overall security objectives
meet or exceed management's expectations.
3.1.2 Operational Security Rules
• Physical access to workstations is limited to authorized personnel only.
• Use of workstations is only for sanctioned business functions.
• Workstation operating systems must be kept up to date by applying vendor-supplied patches at
regular intervals. "Zero day" exploits will be handled as quickly as possible.
• Workstations are required to be password protected and configured to
automatically lock after 5 minutes of inactivity.
• Passwords must be of sufficient strength, which is defined as using at least 10
alphanumeric and special characters of varying case that do not match
dictionary words.
• The maximum acceptable password age is 30 days. After 30 days users are
required to change their password to a unique password not used in at least the last 5
cycles of age expiration.
• Workspaces must be kept clean and clear of sensitive information.
• Food and drinks are not permitted near workspaces.
• Anti-virus software will be installed and kept up to date on all workstations.
• No hardware or software will be installed onto the workstations by non-IT staff.
• Any portable workstations must use full disk encryption.
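The password rules above (10 characters of mixed case with digits and specials, no dictionary words, 30-day maximum age, no reuse within the last 5 cycles) can be checked mechanically. The following is an added example written for this manual, not STBC's own tooling: the interpretation of "varying case", the letters-only dictionary comparison, the small word list, and the salted PBKDF2 history hashes are all assumptions made here to make the rules concrete.

```python
"""Checker for the password rules in section 3.1.2.

Added example, not STBC's own tooling. The rules are interpreted here as:
  - at least 10 characters, with upper case, lower case, a digit and a
    special character ("alphanumeric and special characters of varying case");
  - not matching a dictionary word (compared case-insensitively on the
    letters only, against a small constructed word list);
  - not equal to any of the user's last 5 passwords;
  - to be changed once older than 30 days.
History entries are stored as salted PBKDF2-HMAC-SHA256 hashes so the checker
never keeps the old passwords themselves.
"""
import hashlib
import os
import re
import string
from datetime import date

MIN_LENGTH = 10
MAX_AGE_DAYS = 30
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000

# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "company", "summer", "secret", "letmein"}


def _letters_only(pw):
    """Lower-cased letters only, so 'Welcome2024!' is still caught as 'welcome'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_complexity(pw):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if _letters_only(pw) in DICTIONARY:
        problems.append("matches a dictionary word")
    return problems


def hash_password(pw, salt=None):
    """Salted hash for the history list (PBKDF2 stands in for the real credential store)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_recently(pw, history):
    """True if pw equals one of the last HISTORY_DEPTH entries (history is oldest first)."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hash_password(pw, salt)[1] == digest:
            return True
    return False


def password_expired(set_on_iso, today_iso):
    """True once the password has been in use for more than MAX_AGE_DAYS (dates as ISO strings)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(set_on_iso)
    return age.days > MAX_AGE_DAYS


def evaluate_change(new_pw, history):
    """All rules that apply when a user picks a new password."""
    problems = check_complexity(new_pw)
    if reused_recently(new_pw, history):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed history of six previous passwords, oldest first.
    past = [hash_password(f"Old-Pass-{i}!") for i in range(1, 7)]
    for candidate in ("Welcome2024!", "Old-Pass-6!", "Old-Pass-1!", "Tr0ub4dor&3xyz"):
        print(candidate, "->", evaluate_change(candidate, past) or "accepted")
    print("expired after 31 days:", password_expired("2010-03-01", "2010-04-01"))
```

Note that "Old-Pass-1!" is accepted in the sample run even though it was used before: only the last five history entries are consulted, which is exactly the reuse window the rule specifies. A real deployment would enforce these checks in the directory or identity provider rather than in a standalone script.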
3.1.3 Policy Implementation
STBC will implement both technical and non-technical controls to ensure that operational
security policy is enforced. Hardware devices in combination with software will be used
to enforce and audit policy compliance. Despite the best efforts to implement policy that
will meet our security needs while sufficiently protecting our assets, the dynamic nature
of business may require special cases where operation outside of normal policy may be
required. Departmental managers will bring these scenarios to the attention of the IT
Director, who can authorize such changes to be made.