NETWORK SECURITY POLICY


Version 1.0
Submitted by
Dr. Gatana Kariuki
9 September 2013
Table of Contents
A. Executive Summary ........ 3
I. Introduction ........ 3
II. Security Policy Components ........ 5
III. Trends in Network Security ........ 11
Acceptable Use Policy ........ 12
Password Policy ........ 20
Workstation Security Policy ........ 25
Removable Media Policy ........ 28
Server Security Policy ........ 30
Antivirus Policy ........ 34
Internet Usage Policy ........ 36
Wireless Communication Policy ........ 50
Router Security Policy ........ 54
Acceptable Encryption Policy ........ 58
A. Executive Summary
The Government has invested considerable time, money, and people resources into providing
computer hardware, software, and networking to equip the staff to perform their varied functions.
However, employment here does not guarantee access to a computer or related resources. As a
civil servant, it is your responsibility to make reasonable efforts to safeguard the valuable
equipment and data provided to you.
Civil servants are representatives of the Government. Any use of computer equipment is an
extension of that representation. With access to email and the internet, you can represent the
Government, worldwide, nearly instantly. All access needs to be minimally appropriate, and
preferably of a positive nature.
Our policies are intended to protect both the Government and the computer user. Violation of
policies is grounds for disciplinary action, which may include termination. Violation of some
policies may also call for additional legal or civil actions. Exceptions are handled only by PRIOR
request and approval of the ICT Department. Requests should be made by way of email
addressed to the helpdesk.
I. Introduction
Business goals and risk analysis drive the need for network security. For a while, information
security was influenced to some extent by fear, uncertainty, and doubt. Examples of these
influences included the fear of a new worm outbreak, the uncertainty of providing web services,
or doubts that a particular leading-edge security technology would fail. But regardless of the
security implications, business needs have to come first.
In order to address the security needs of the Government of The Gambia (GOTG), the following four
requirements need to be addressed:
1. Business needs - What does your organization want to do with the network?
2. Risk analysis - What is the risk and cost balance?
3. Security policy - What are the policies, standards, and guidelines that you need to address
business needs and risks?
4. Industry best practices - What are the reliable, well-understood, and recommended security
best practices?
Figure 1 illustrates the key factors you should consider when designing a secure network:
Figure 1: Factors Affecting the Design of a Secure Network
II. Security Policy Components
Figure 2 shows the hierarchy of the organization policy structure that is aimed at effectively
meeting the needs of all audiences.
Figure 2: Components of a Comprehensive Security Policy
a) Governing policy: This policy is a high-level treatment of security concepts that are
important to the organization. Managers and technical custodians are the intended audience.
The governing policy controls all security-related interaction among business units and
supporting departments in the organization. In terms of detail, the governing policy outlines
the security concepts that are important to the organization for managers and technical
custodians:
It controls all security-related interactions among business units and supporting
departments in the organization.
It aligns closely with not only existing organization policies, especially human
resource policies, but also any other policy that mentions security-related issues,
such as issues concerning email, computer use, or related IT subjects.
It is placed at the same level as all organization wide policies.
It supports the technical and end-user policies.
It includes the following key components:
o A statement of the issue that the policy addresses
o A statement about your position as IT manager on the policy
o How the policy applies in the environment
o The roles and responsibilities of those affected by the policy
o What level of compliance to the policy is necessary
o Which actions, activities, and processes are allowed and which are not
o What the consequences of noncompliance are.
The General or Governing policy for the Government of the Gambia is that users of government
information resources must protect:
1) Their online identity from use by another individual,
2) The integrity of computer-based information resources, and
3) The privacy of electronic information. In addition, users must refrain from seeking
to gain unauthorized access, honour all copyrights and licenses and respect the
rights of other information resource users.
b) End-user policies: This document covers all security topics important to end users. In terms
of detail level, end-user policies answer the what, who, when, and where security
policy questions at an appropriate level of detail for an end user. End-user policies are
compiled into a single policy document that covers all the topics pertaining to information
security that end users should know about, comply with, and implement. This policy may
overlap with the technical policies and is at the same level as a technical policy. Grouping all
the end-user policies together means that users have to go to only one place and read one
document to learn everything that they need to do to ensure compliance with the organization
security policy.
c) Technical policies: Security staff members use technical policies as they carry out their
security responsibilities for the system. These policies are more detailed than the governing
policy and are system or issue specific (for example, access control, router security issues or
physical security issues). These policies are essentially security handbooks that describe what
the security staff does, but not how the security staff performs its functions. In terms of
detail, technical policies answer the what, who, when, and where security policy
questions. The why is left to the owner of the information.
The following are typical policy categories for technical policies:
General policies
o Acceptable use policy (AUP): Defines the acceptable use of equipment and
computing services, and the appropriate security measures that employees should
take to protect the corporate resources and proprietary information.
o Account access request policy: Formalizes the account and access request process
within the organization. Users and system administrators who bypass the standard
processes for account and access requests may cause legal action against the
organization.
o Acquisition assessment policy: Defines the responsibilities regarding corporate
acquisitions and defines the minimum requirements that the information security
group must complete for an acquisition assessment.
o Audit policy: Used to conduct audits and risk assessments to ensure integrity of
information and resources, investigate incidents, ensure conformance to security
policies, or monitor user and system activity where appropriate.
o Information sensitivity policy: Defines the requirements for classifying and
securing information in a manner appropriate to its sensitivity level.
o Password policy: Defines the standards for creating, protecting, and changing
strong passwords.
o Risk-assessment policy: Defines the requirements and provides the authority for
the information security team to identify, assess, and remediate risks to the
information infrastructure that is associated with conducting business.
o Global web server policy: Defines the standards that are required by all web hosts.
Email policies
o Automatically forwarded email policy: Documents the policy restricting
automatic email forwarding to an external destination without prior approval from
the appropriate manager or director.
o Email policy: Defines the standards to prevent tarnishing the public image of the
organization.
o Spam policy: The AUP covers spam.
Remote-access policies
o Dial-in access policy: Defines the appropriate dial-in access and its use by
authorized personnel.
o Remote-access policy: Defines the standards for connecting to the organization
network from any host or network external to the organization.
o VPN security policy: Defines the requirements for remote-access IP Security
(IPsec) or Layer 2 Tunneling Protocol (L2TP) VPN connections to the
organization network.
Personal device and phone policies
o Analog and ISDN line policy: Defines the standards to use analog and ISDN lines
for sending and receiving faxes and for connection to computers.
o Personal communication device policy: Defines the information security
requirements for personal communication devices, such as voicemail,
smartphones, tablets, and so on.
Application policies
o Acceptable encryption policy: Defines the requirements for encryption algorithms
that are used within the organization.
o Application service provider (ASP) policy: Defines the minimum security criteria
that an ASP must execute before the organization uses the ASP's services on a
project.
o Database credentials coding policy: Defines the requirements for securely storing
and retrieving database usernames and passwords.
o Interprocess communications policy: Defines the security requirements that any
two or more processes must meet when they communicate with each other using a
network socket or operating system socket.
o Project security policy: Defines requirements for project managers to review all
projects for possible security requirements.
o Source code protection policy: Establishes minimum information security
requirements for managing product source code.
Network policies
o Extranet policy: Defines the requirement that third-party organizations that need
access to the organization networks must sign a third-party connection agreement.
o Minimum requirements for network access policy: Defines the standards and
requirements for any device that requires connectivity to the internal network.
o Network access standards: Defines the standards for secure physical port access
for all wired and wireless network data ports.
o Router and switch security policy: Defines the minimal security configuration
standards for routers and switches inside an organization production network or
used in a production capacity.
o Server security policy: Defines the minimal security configuration standards for
servers inside an organization production network or used in a production capacity.
Wireless communication policy: Defines standards for wireless systems that are used to
connect to the organization networks.
Document retention policy: Defines the minimal systematic review, retention, and
destruction of documents received or created during the course of business. The
categories of retention policy are, among others:
o Electronic communication retention policy: Defines standards for the retention of
email and instant messaging.
o Financial retention policy: Defines standards for the retention of bank statements,
annual reports, pay records, accounts payable and receivable, and so on.
o Employee records retention policy: Defines standards for the retention of
employee personal records.
o Operation records retention policy: Defines standards for the retention of past
inventory information, training manuals, supplier lists, and so forth.
III. Trends in Network Security
Several trends in business, technology, and innovation influence the need for new paradigms in
information security. Mobility is one trend. Expect to see billions of new networked mobile devices
moving into the enterprise worldwide over the next few years. Taking into consideration constant
reductions and streamlining in IT budgets, organizations face serious challenges in supporting a
growing number of mobile devices at a time when their resources are being reduced.
The second market transition is cloud computing and cloud services. Organizations of all kinds
are taking advantage of offerings such as Software as a Service (SaaS) and Infrastructure as a
Service (IaaS) to reduce costs and simplify the deployment of new services and applications.
These cloud services add challenges in visibility (how do you identify and mitigate threats that
come to and from a trusted network?), control (who controls the physical assets, encryption keys,
and so on?), and trust (do you trust cloud partners to ensure that critical application data is still
protected when it is off the enterprise network?).
Acceptable Use Policy
1.0 Overview
GOTG's intentions in publishing an Acceptable Use Policy are not to impose restrictions that are
contrary to the Government's established culture of openness, trust and integrity. GOTG is
committed to protecting Government's employees, partners and the government from illegal or
damaging actions by individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment,
software, operating systems, storage media, network accounts providing electronic mail, WWW
browsing, and FTP, are the property of GOTG. These systems are to be used for business
purposes in serving the interests of the Government, and of our staff and customers in the course
of normal operations. Please review Human Resources policies for further details.
Effective security is a team effort involving the participation and support of every Government
employee and affiliate who deals with information and/or information systems. It is the
responsibility of every computer user to know these guidelines, and to conduct their activities
accordingly. Ignorance is no defence.
2.0 Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at
Government. These rules are in place to protect the employee and Government. Inappropriate
use exposes Government to risks including virus attacks, compromise of network systems and
services, and legal issues.
3.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at
Government, including all personnel affiliated with third parties. This policy applies to all
equipment that is owned or leased by Government.
4.0 Policy
4.1 General Use and Ownership
1. While Government's network administration desires to provide a reasonable level of
privacy, users should be aware that the data they create on the corporate systems remains
the property of Government.
2. Employees are responsible for exercising good judgment regarding the reasonableness of
personal use. Individual departments are responsible for proposing specific guidelines
concerning personal use of Internet/Intranet/Extranet systems in collaboration with
MOICI. In the absence of such policies, employees should be guided by departmental
policies on personal use, and if there is any uncertainty, employees should consult their
supervisor or manager.
3. Government recommends that any information that users consider sensitive or vulnerable
be encrypted.
4. For security and network maintenance purposes, authorized individuals within
Government may monitor equipment, systems and network traffic at any time, per
Government's Audit Policy.
5. Government reserves the right to audit networks and systems on a periodic basis to
ensure compliance with this policy.
6. To prevent unauthorized access to Government information, only authorized individuals
within Government will repair computer systems.
4.2 Security and Proprietary Information
1. The user interface for information contained on Internet/Intranet/Extranet-related systems
should be classified as either confidential or not confidential, as defined by corporate
confidentiality guidelines, details of which can be found in Human Resources policies.
Examples of confidential information include but are not limited to: government private,
corporate strategies, sensitive information, trade secrets, specifications, customer lists,
and research data. Employees should take all necessary steps to prevent unauthorized
access to this information.
2. Keep passwords secure and do not share accounts. Authorized users are responsible for
the security of their passwords and accounts. System-level passwords should be changed
quarterly; user-level passwords should be changed every six months.
3. All PCs, laptops and workstations should be secured with a password-protected
screensaver with the automatic activation feature set at 10 minutes or less, or by logging
off (Ctrl-Alt-Delete for Windows users) when the host will be unattended.
4. Use encryption of information in compliance with Government's Acceptable Encryption
policy.
5. Because information contained on portable computers is especially vulnerable, special
care should be exercised. Staff using official portable personal computers must
adequately safeguard them against physical damage and burglary at all times. The
standard encryption tool must be available for encrypting necessary areas of the hard
disk.
6. Postings by employees from a Government email address to newsgroups should contain a
disclaimer stating that the opinions expressed are strictly their own and not necessarily
those of Government, unless posting is in the course of business duties.
7. All hosts used by the employee that are connected to the Government
Internet/Intranet/Extranet, whether owned by the employee or Government, shall be
continually executing approved virus-scanning software with a current virus database
unless overridden by departmental or group policy.
8. Employees must use extreme caution when opening e-mail attachments received from
unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
4.3. Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these
restrictions during the course of their legitimate job responsibilities (e.g., systems administration
staff may have a need to disable the network access of a host if that host is disrupting production
services).
Under no circumstances is an employee of Government authorized to engage in any activity that
is illegal under local, state or international law while utilizing Government-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities
which fall into the category of unacceptable use.
4.3.0 System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret,
patent or other intellectual property, or similar laws or regulations, including, but not
limited to, the installation or distribution of "pirated" or other software products that are
not appropriately licensed for use by Government.
2. Unauthorized copying of copyrighted material including, but not limited to, digitization
and distribution of photographs from magazines, books or other copyrighted sources,
copyrighted music, and the installation of any copyrighted software for which
Government or the end user does not have an active license is strictly prohibited.
3. Exporting software, technical information, encryption software or technology, in
violation of international or regional export control laws, is illegal. The appropriate
management should be consulted prior to export of any material that is in question.
4. Introduction of malicious programs into the network or server (e.g., viruses, worms,
Trojan horses, e-mail bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others.
This includes family and other household members when work is being done at home.
6. Using a Government computing asset to actively engage in procuring or transmitting
material that is in violation of sexual harassment or hostile workplace laws in the user's
local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any
Government account.
8. Making statements about warranty, expressly or implied, unless it is a part of normal job
duties.
9. Effecting security breaches or disruptions of network communication. Security breaches
include, but are not limited to, accessing data of which the employee is not an intended
recipient or logging into a server or account that the employee is not expressly authorized
to access, unless these duties are within the scope of regular duties. For purposes of this
section, "disruption" includes, but is not limited to, network sniffing, ping floods,
packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning is expressly prohibited unless prior notification to ICT
Department is made.
11. Executing any form of network monitoring which will intercept data not intended for the
employee's host, unless this activity is a part of the employee's normal job/duty.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than the employee's host (for
example, denial of service attack).
14. Using any program/script/command, or sending messages of any kind, with the intent to
interfere with, or disable, a user's terminal session, via any means, locally or via the
Internet/Intranet/Extranet.
15. Providing information about, or lists of, Government employees to parties outside
Government.
4.3.1 Email and Communications Activities
1. Sending unsolicited email messages, including the sending of "junk mail" or other
advertising material to individuals who did not specifically request such material (email
spam).
2. Any form of harassment via email, telephone or paging, whether through language,
frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than that of the poster's account,
with the intent to harass or to collect replies.
5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
6. Use of unsolicited email originating from within Government's networks or other
Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service
hosted by Government or connected via Government's network.
7. Posting the same or similar non-business-related messages to large numbers of Usenet
newsgroups (newsgroup spam).
4.4. Blogging
1. Blogging by employees, whether using Government property and systems or personal
computer systems, is also subject to the terms and restrictions set forth in this Policy.
Limited and occasional use of Government systems to engage in blogging is acceptable,
provided that it is done in a professional and responsible manner, does not otherwise
violate Government's policy, is not detrimental to Government's best interests, and does
not interfere with an employee's regular work duties. Blogging from Government's
systems is also subject to monitoring.
2. Government's Confidential Information policy also applies to blogging. As such,
Employees are prohibited from revealing any Government confidential or proprietary
information, trade secrets or any other material covered by Government's Confidential
Information policy when engaged in blogging.
3. Employees shall not engage in any blogging that may harm or tarnish the image,
reputation and/or goodwill of Government and/or any of its employees. Employees are
also prohibited from making any discriminatory, disparaging, defamatory or harassing
comments when blogging or otherwise engaging in any conduct prohibited by
Government's Non-Discrimination and Anti-Harassment policy.
4. Employees may also not attribute personal statements, opinions or beliefs to Government
when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions
in blogs, the employee may not, expressly or implicitly, represent themselves as an
employee or representative of Government. Employees assume any and all risk
associated with blogging.
5. Apart from following all laws pertaining to the handling and disclosure of copyrighted or
export controlled materials, Government's trademarks, logos and any other Government
intellectual property may also not be used in connection with any blogging activity.
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
6.0 Definitions
Term Definition
Blogging Writing a blog. A blog (short for weblog) is a personal online journal that is
frequently updated and intended for general public consumption.
Spam Unauthorized and/or unsolicited electronic mass mailings.
7.0 Revision History
Original Issue Date: 9/9/2013
Password Policy
1.0 Overview
Passwords are an important aspect of computer security. A poorly chosen password may result
in unauthorized access and/or exploitation of Government resources. All users, including
contractors and vendors with access to Government systems, are responsible for taking the
appropriate steps, as outlined below, to select and secure their passwords.
2.0 Purpose
The purpose of this policy is to establish a standard for creation of strong passwords, the
protection of those passwords, and the frequency of change.
3.0 Scope
The scope of this policy includes all personnel who have or are responsible for an account (or
any form of access that supports or requires a password) on any system that resides at any
Government facility, has access to the Government network, or stores any non-public
Government information.
4.0 Policy
4.1 General
All system-level passwords (e.g., root, enable, Windows Administrator, application
administration accounts, etc.) must be changed on at least a quarterly basis.
All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at
least every six months.
User accounts that have system-level privileges granted through group memberships or
programs must have a unique password from all other accounts held by that user.
Where SNMP is used, the community strings must be defined as something other than the
standard defaults of "public," "private" and "system" and must be different from the
passwords used to log in interactively. A keyed hash must be used where available (e.g.,
SNMPv2).
All user-level and system-level passwords must conform to the guidelines described
below.
4.2 Guidelines
A. General Password Construction Guidelines
All users at GOTG should be aware of how to select strong passwords.
Strong passwords have the following characteristics:
Contain at least three of the five following character classes:
o Lower case characters
o Upper case characters
o Numbers
o Punctuation
o Special characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc)
Contain at least fifteen alphanumeric characters.
Weak passwords have the following characteristics:
The password contains less than fifteen characters
The password is a word found in a dictionary (English or foreign).
The password is a common usage word such as:
o Names of family, pets, friends, co-workers, fantasy characters, etc.
o Computer terms and names, commands, sites, companies, hardware, software.
o The words "<Company Name>", "sanjose", "sanfran" or any derivation.
o Birthdays and other personal information such as addresses and phone numbers.
o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
o Any of the above spelled backwards.
o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Try to create passwords that can be easily remembered. One way to do this is to create a password
based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May
Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some
other variation.
(NOTE: Do not use either of these examples as passwords!)
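The construction rules in section 4.2.A (at least fifteen characters, at least three of the five character classes, and none of the weak-password patterns listed above) can be enforced mechanically at account creation. The checker below is an added example and is not part of the policy document or any GOTG system. Its word list is a constructed stand-in for a real dictionary and local-names list, and the boundary between "punctuation" and "special characters" is an assumption of the example, since the policy does not define it.

```python
"""Checker for the password construction rules in section 4.2.A of the
Password Policy.  Added example; not part of the policy document."""
import re
import string

MIN_LENGTH = 15   # "at least fifteen characters"
MIN_CLASSES = 3   # "at least three of the five character classes"

# Constructed stand-in for a dictionary / common-usage word list.  A real
# deployment would load a full word list plus the local names, hostnames,
# product and company names the policy lists as weak.
COMMON_WORDS = {
    "password", "secret", "welcome", "admin", "gambia", "government",
    "letmein", "monkey", "dragon", "windows", "cisco",
}

# Ordered sequences; any 4-character window that is a slice of one of these,
# forwards or backwards, counts as a "word or number pattern" (qwerty, zyxwvuts).
SEQUENCES = (string.ascii_lowercase, string.digits,
             "qwertyuiop", "asdfghjkl", "zxcvbnm")

# The policy counts punctuation and "special characters" as separate classes
# without defining the boundary; this split is an assumption of the example.
PUNCTUATION = set(".,;:!?'\"")
SPECIAL = set(string.punctuation) - PUNCTUATION


def character_classes(pw: str) -> int:
    """Number of the five policy character classes present in pw."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in PUNCTUATION, lambda c: c in SPECIAL)
    return sum(1 for test in tests if any(test(c) for c in pw))


def _sequence_run(pw: str, length: int = 4):
    """First window of `length` characters that is a forward or reversed slice
    of one of SEQUENCES (case-insensitive), or None."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        window = low[i:i + length]
        for seq in SEQUENCES:
            if window in seq or window in seq[::-1]:
                return window
    return None


def _dictionary_forms(pw: str):
    """Forms compared against the word list: lower-cased, with one leading or
    trailing digit stripped (secret1, 1secret), and each of those reversed."""
    low = pw.lower()
    forms = {low}
    if len(low) > 1 and low[-1].isdigit():
        forms.add(low[:-1])
    if len(low) > 1 and low[0].isdigit():
        forms.add(low[1:])
    return forms | {f[::-1] for f in forms}


def check_password(pw: str) -> list:
    """Return the policy rules pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if _dictionary_forms(pw) & COMMON_WORDS:
        problems.append("dictionary/common word (possibly reversed or with a digit added)")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeated character run (like aaabbb)")
    run = _sequence_run(pw)
    if run:
        problems.append(f"keyboard, alphabet or number sequence: {run}")
    digits = re.search(r"\d{4,}", pw)
    if digits and digits.group() == digits.group()[::-1]:
        problems.append(f"mirrored number pattern: {digits.group()}")
    return problems


if __name__ == "__main__":
    # The policy's own passphrase example passes; its eight-character
    # password example fails only the fifteen-character rule.
    for candidate in ("The*?#>*@TrafficOnThe101Was*&#!#ThisMorning",
                      "TmB1w2R!", "secret1"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the policy's own illustrative password "TmB1w2R!" satisfies the character-class rule but not the fifteen-character minimum, which is one reason the note above tells users not to adopt it. Rejecting with a list of reasons rather than a bare yes/no lets the account-creation form tell the user which rule to fix.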
B. Password Protection Standards
Always use different passwords for Government accounts from other non-Government
access (e.g., personal ISP account, option trading, benefits, etc.).
Always use different passwords for various Government access needs whenever possible.
For example, select one password for systems that use directory services (i.e. LDAP,
Active Directory, etc.) for authentication and another for locally authenticated access.
Do not share Government passwords with anyone, including administrative assistants or
secretaries. All passwords are to be treated as sensitive, confidential Government
information.
Passwords should never be written down or stored on-line without encryption.
Do not reveal a password in email, chat, or other electronic communication.
Do not speak about a password in front of others.
Do not hint at the format of a password (e.g., "my family name").
Do not reveal a password on questionnaires or security forms.
If someone demands a password, refer them to this document and direct them to the ICT
Department.
Always decline the use of the "Remember Password" feature of applications (e.g.,
Internet Explorer, Mozilla Firefox, Google Chrome, MS Outlook).
If an account or password compromise is suspected, report the incident to the ICT Department.
C. Application Development Standards
Application developers must ensure their programs contain the following security precautions.
Applications:
Shall support authentication of individual users, not groups.
Shall not store passwords in clear text or in any easily reversible form.
Shall provide for some sort of role management, such that one user can take over the
functions of another without having to know the other's password.
Shall support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever
possible.
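The second standard above, that applications "shall not store passwords in clear text or in any easily reversible form", is the one most often misread as "obscure the password somehow". The following Python is an added example, not code from the policy document or any GOTG application: it shows the forbidden reversible form beside a salted, slow, one-way record using PBKDF2-HMAC-SHA256 from the standard library, with constant-time verification. The iteration count and the record format are assumptions of the example.

```python
"""Password storage and verification meeting the Application Development
Standard "shall not store passwords in clear text or in any easily
reversible form".  Added example; not code from the policy document."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # PBKDF2 work factor; assumed value, tune to hardware
SALT_BYTES = 16


def reversible_store(password: str) -> str:
    """The forbidden pattern: Base64 looks scrambled but is encoding, not
    protection, so anyone who reads the record recovers the password."""
    return base64.b64encode(password.encode()).decode()


def reversible_recover(stored: str) -> str:
    """Demonstrates how trivially the form above is reversed."""
    return base64.b64decode(stored).decode()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted, slow, one-way record 'algorithm$iterations$salt$digest'.
    A fresh random salt per record means identical passwords give different
    records and precomputed tables are useless."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time.  Malformed or unknown records verify as False."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    secret = "The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"   # the policy's passphrase example
    print("reversible form recovers:", reversible_recover(reversible_store(secret)) == secret)
    record = hash_password(secret)
    print(record)
    print("verify correct:", verify_password(secret, record))
    print("verify wrong:  ", verify_password(secret + "x", record))
```

Embedding the algorithm name and iteration count in the record lets the work factor be raised later without invalidating existing accounts: a record whose count is below the current policy value can be re-hashed the next time its owner logs in successfully.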
D. Use of Passwords and Passphrases for Remote Access Users
Access to the Government network via remote access is to be controlled using either a one-time
password authentication or a public/private key system with a strong passphrase.
E. Passphrases
Passphrases are generally used for public/private key authentication. A public/private key system
defines a mathematical relationship between the public key that is known by all, and the private
key, that is known only to the user. Without the passphrase to "unlock" the private key, the user
cannot gain access.
Passphrases are not the same as passwords. A passphrase is a longer version of a password and
is, therefore, more secure. A passphrase is typically composed of multiple words. Because of
this, a passphrase is more secure against "dictionary attacks."
A good passphrase is relatively long and contains a combination of upper and lowercase letters
and numeric and punctuation characters. An example of a good passphrase:
"The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"
All of the rules above that apply to passwords apply to passphrases.
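The following is an added example, not code from the policy or its author: a password store that keeps only a salted one-way derivation (Application Development Standard 2), a role store in which a deputy receives another user's functions without learning that user's password (Standard 3), and a check of a passphrase against the composition guidance of section E. The PBKDF2 work factor, the salt size and the 20-character minimum are assumptions made here, not values from the policy.

```python
"""Added example, not part of the policy: a salted one-way password store, a role store
for delegation without password sharing, and a passphrase composition check.
Work factor, salt size and the 20-character minimum are this example's assumptions."""
import hashlib
import hmac
import os
import string

PBKDF2_ITERATIONS = 600_000   # assumption: work factor, tune to the deployment
SALT_BYTES = 16               # assumption: salt length


def hash_secret(secret: str) -> str:
    """Store only a salted PBKDF2-HMAC-SHA256 derivation of the password, never the
    password itself, so the stored record cannot be reversed to recover it."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False                     # malformed record: never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


class RoleStore:
    """Permissions hang off roles and roles off users, so a deputy can be given
    another user's functions without ever being told that user's password."""

    def __init__(self):
        self.user_roles = {}

    def grant(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def delegate(self, from_user: str, to_user: str) -> None:
        """Let to_user perform from_user's functions (e.g. while from_user is on leave)."""
        self.user_roles.setdefault(to_user, set()).update(self.user_roles.get(from_user, set()))

    def has_role(self, user: str, role: str) -> bool:
        return role in self.user_roles.get(user, set())


def passphrase_findings(passphrase: str, min_length: int = 20) -> list:
    """List the section E guidance points a passphrase misses; an empty list passes.
    min_length is an assumption: the policy only says 'relatively long'."""
    findings = []
    if len(passphrase) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in passphrase):
        findings.append("no uppercase letter")
    if not any(c.islower() for c in passphrase):
        findings.append("no lowercase letter")
    if not any(c.isdigit() for c in passphrase):
        findings.append("no digit")
    if not any(c in string.punctuation for c in passphrase):
        findings.append("no punctuation character")
    return findings


if __name__ == "__main__":
    example = "The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"   # the policy's sample passphrase
    record = hash_secret(example)
    print(record)
    print(verify_secret(example, record), verify_secret("guess", record))
    print(passphrase_findings(example), passphrase_findings("short1!"))
```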
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment. Password cracking or guessing may be performed on a
periodic or random basis by the ICT Department or its delegates. If a password is guessed or
cracked during these exercises, the user/owner will be required to change it.
6.0 Terms and Definitions
Application Administration Account: Any account that is for the administration of an
application (e.g., Oracle database administrator, ISSU administrator).
7.0 Revision History
Original Issue Date: 9/9/2013
Workstation Security Policy
1.0 Purpose
The purpose of this policy is to provide guidance for workstation security for Government
workstations in order to ensure the security of information on the workstation and information
the workstation may have access to.
2.0 Scope
This policy applies to all Government employees, contractors, workforce members, vendors and
agents with a Government-owned or personal-workstation connected to the Government
network.
3.0 Policy
Appropriate measures must be taken when using workstations to ensure the confidentiality,
integrity and availability of sensitive information, and that access to sensitive information is
restricted to authorized users.
3.1 Employees using workstations shall consider the sensitivity of the information that may
be accessed and minimize the possibility of unauthorized access.
3.2 Government will implement physical and technical safeguards for all workstations that
access electronic protected information to restrict access to authorized users.
3.3 Appropriate measures include:
Restricting physical access to workstations to only authorized personnel.
Securing workstations (screen lock or logout) prior to leaving area to prevent
unauthorized access.
Enabling a password-protected screen saver with a short timeout period to ensure that
workstations that were left unsecured will be protected.
Complying with all applicable password policies and procedures.
Ensuring workstations are used for authorized business purposes only.
Never installing unauthorized software on workstations.
Storing all sensitive information, including protected information on network servers.
Keeping food and drink away from workstations in order to avoid accidental spills.
Securing laptops that contain sensitive information by using cable locks or locking
laptops up in drawers or cabinets.
Complying with the Portable Workstation Encryption policy.
Complying with the Anti-Virus policy.
Ensuring that monitors are positioned away from public view. If necessary, install
privacy screen filters or other physical barriers to public viewing.
Ensuring workstations are left on but logged off in order to facilitate after-hours updates.
Exit running applications and close open documents.
Ensuring that all workstations use a surge protector (not just a power strip) or a UPS
(battery backup).
If wireless network access is used, ensure access is secure by following the Wireless
Access policy.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
5.0 Definitions
Workstations include: laptops, desktops, PDAs and authorized home workstations accessing the
Government network.
Workforce members include: employees, volunteers, trainees, and other persons under the direct
control of Government.
6.0 Revision History
Original Issue Date: 9/9/2013
Removable Media Policy
1.0 Overview
Removable media is a well-known source of malware infections and has been directly tied to
the loss of sensitive information in many organizations.
2.0 Purpose
To minimize the risk of loss or exposure of sensitive information maintained by Government
and to reduce the risk of acquiring malware infections on computers operated by Government.
3.0 Scope
This policy covers all computers and servers operating in GOTG.
4.0 Policy
Government staff may only use Government removable media in their work computers.
Government removable media may not be connected to or used in computers that are not owned
or leased by the Government without explicit permission of the Government ICT Department.
Sensitive information should be stored on removable media only when required in the
performance of your assigned duties or when providing information required by other state or
federal agencies. When sensitive information is stored on removable media, it must be
encrypted in accordance with the Government Acceptable Encryption Policy.
Exceptions to this policy may be requested on a case-by-case basis by Government-exception
procedures.
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to
and including termination of employment.
6.0 Definitions
Removable Media: Device or media that is readable and/or writeable by the end user and is
able to be moved from computer to computer without modification to the computer. This
includes flash memory devices such as thumb drives, cameras, MP3 players and PDAs;
removable hard drives
(including hard drive-based MP3 players); optical disks such as CD and DVD disks; floppy
disks and any commercial music and software disks not provided by Government.
Encryption: A procedure used to convert data from its original form to a format that is
unreadable and/or unusable to anyone without the tools/information needed to reverse the
encryption process.
Sensitive Information: Information which, if made available to unauthorized persons, may
adversely affect Government, its programs, or participants served by its programs. Examples
include, but are not limited to, personal identifiers and financial information.
Malware: Software of malicious intent/impact such as viruses, worms, and spyware.
7.0 Revision History
Original Issue Date: 9/9/2013
Server Security Policy
1.0 Purpose
The purpose of this policy is to establish standards for the base configuration of internal server
equipment that is owned and/or operated by GOTG. Effective implementation of this policy will
minimize unauthorized access to Government proprietary information and technology.
2.0 Scope
This policy applies to server equipment owned and/or operated by Government, and to servers
registered under any Government-owned internal network domain.
This policy is specifically for equipment on the internal Government Network (GovNet).
3.0 Policy
3.1 Ownership and Responsibilities
All internal servers deployed at Government must be owned by an operational group that is
responsible for system administration. Approved server configuration guides must be established
and maintained by each operational group, based on business needs and approved by ICT
Department. Operational groups should monitor configuration compliance and implement an
exception policy tailored to their environment. Each operational group must establish a process
for changing the configuration guides, which includes review and approval by ICT Department.
Servers must be registered within the organization enterprise management system. At a
minimum, the following information is required to positively identify the point of
contact:
o Server contact(s) and location, and a backup contact
o Hardware and Operating System/Version
o Main functions and applications, if applicable
Information in the organization enterprise management system must be kept up-to-date.
Configuration changes for production servers must follow the appropriate change
management procedures.
3.2 General Configuration Guidelines
Operating System configuration should be in accordance with approved ICT Department
guidelines.
Services and applications that will not be used must be disabled where practical.
Access to services should be logged and/or protected through access-control methods
such as TCP Wrappers, if possible.
The most recent security patches must be installed on the system as soon as practically
possible, the only exception being when immediate application of a patch would interfere with
business requirements.
Trust relationships between systems are a security risk, and their use should be avoided.
Do not use a trust relationship when some other method of communication will do.
Always use standard security principles of least required access to perform a function.
Do not use the root/administrator account when a non-privileged account will do.
If a methodology for secure channel connection is available (i.e., technically feasible),
privileged access must be performed over secure channels, (e.g., encrypted network
connections using SSH or IPSec).
Servers should be physically located in an access-controlled environment.
Servers are specifically prohibited from operating from uncontrolled cubicle areas.
3.3 Monitoring
All security-related events on critical or sensitive systems must be logged and audit trails
saved as follows:
o All security related logs will be kept online for a minimum of 1 week.
o Daily incremental tape backups will be retained for at least 1 month.
o Weekly full tape backups of logs will be retained for at least 1 month.
o Monthly full backups will be retained for a minimum of 2 years.
Security-related events will be reported to the ICT Department, who will review logs and
report incidents to ICT management. Corrective measures will be prescribed as needed.
Security-related events include, but are not limited to:
o Port-scan attacks
o Evidence of unauthorized access to privileged accounts
o Anomalous occurrences that are not related to specific applications on the host.
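The following is an added example, not code from the policy or its author: detection logic for two of the security-related events section 3.3 requires to be logged and reported (port-scan attacks and evidence of unauthorized access to privileged accounts), run over constructed sample log lines. The key=value log format, the scan threshold and window, and the approved administration source list are assumptions made for the example.

```python
"""Added example, not part of the policy: detecting port scans and unauthorized
privileged logins in constructed server log lines. Log format, thresholds and the
approved admin source list are assumptions of this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: twelve connection attempts from one source to twelve
# different ports within twelve seconds, followed by ordinary admin traffic.
SAMPLE_FIREWALL_LOG = [
    f"2013-09-09T02:14:{sec:02d} action=DROP src=203.0.113.7 dst=10.0.0.5 proto=tcp dport={port}"
    for sec, port in enumerate(range(20, 32))
] + [
    "2013-09-09T03:00:00 action=ACCEPT src=10.0.0.20 dst=10.0.0.5 proto=tcp dport=443",
    "2013-09-09T03:05:00 action=ACCEPT src=10.0.0.20 dst=10.0.0.5 proto=tcp dport=22",
]

# Constructed authentication log from the same server.
SAMPLE_AUTH_LOG = [
    "2013-09-09T02:20:10 host=srv01 user=root result=failure src=203.0.113.7",
    "2013-09-09T02:20:31 host=srv01 user=root result=success src=203.0.113.7",
    "2013-09-09T08:00:00 host=srv01 user=root result=success src=10.0.0.20",
    "2013-09-09T08:01:00 host=srv01 user=jdoe result=success src=10.0.0.21",
]
ADMIN_SOURCES = {"10.0.0.20"}   # assumption: the approved administration host


def parse_line(line):
    """Split '<ISO timestamp> k=v k=v ...' into (datetime, dict); tokens without '=' are ignored."""
    parts = line.strip().split()
    if not parts:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = {}
    for tok in parts[1:]:
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return ts, fields


def detect_port_scans(lines, min_ports=10, window=timedelta(minutes=1)):
    """Report a source that touches at least min_ports distinct destination ports on one
    host inside a sliding window; that pattern, not any single line, is the port scan."""
    hits = defaultdict(list)          # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if {"src", "dst", "dport"} <= f.keys():
            hits[(f["src"], f["dst"])].append((ts, int(f["dport"])))
    findings = []
    for (src, dst), events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {port for ts, port in events[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                findings.append({"event": "port-scan", "src": src, "dst": dst,
                                 "distinct_ports": len(ports), "first_seen": start})
                break                 # one finding per source/destination pair
    return findings


def detect_privileged_access(lines, allowed_sources=frozenset(),
                             privileged=("root", "administrator")):
    """Report successful logins to privileged accounts from any source that is not an
    approved administration host: the 'evidence of unauthorized access' of section 3.3."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if (f.get("user", "").lower() in privileged and f.get("result") == "success"
                and f.get("src") not in allowed_sources):
            findings.append({"event": "unauthorized-privileged-access", "host": f.get("host"),
                             "user": f["user"], "src": f.get("src"), "when": ts})
    return findings


if __name__ == "__main__":
    for finding in (detect_port_scans(SAMPLE_FIREWALL_LOG)
                    + detect_privileged_access(SAMPLE_AUTH_LOG, ADMIN_SOURCES)):
        print(finding)
```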
3.4 Compliance
Audits will be performed on a regular basis by authorized organizations within
Government.
Audits will be managed by the internal audit group or ICT Department in accordance
with the Audit Policy. ICT Department will filter findings not related to a specific
operational group and then present the findings to the appropriate support staff for
remediation or justification.
Every effort will be made to prevent audits from causing operational failures or
disruptions.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
5.0 Definitions
Server: For purposes of this policy, a Server is defined as an internal Government Server.
6.0 Revision History
Original Issue Date: 9/9/2013
Anti-Virus Policy
Recommended processes to prevent virus problems:
Always run the Corporate standard, supported anti-virus software that is available from
the corporate download site. Download and run the current version; download and install
anti-virus software updates as they become available.
NEVER open any files or macros attached to an email from an unknown, suspicious or
untrustworthy source. Delete these attachments immediately, then "double delete" them
by emptying your Trash.
Delete spam, chain, and other junk email without forwarding, in accordance with Government's
Acceptable Use Policy.
Never download files from unknown or suspicious sources.
Avoid direct disk sharing with read/write access unless there is absolutely a business
requirement to do so.
Always scan a flash disk from an unknown source for viruses before using it.
Back-up critical data and system configurations on a regular basis and store the data in a
safe place.
If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean
machine, disable the software, then run the lab test. After the lab test, enable the anti-
virus software. When the anti-virus software is disabled, do not run any applications that
could transfer a virus, e.g., email or file sharing.
New viruses are discovered almost every day. Periodically check the Lab Anti-Virus
Policy and this Recommended Processes list for updates.
1.0 Revision History
Original Issue Date: 9/9/2013
Internet usage Policy
The Internet usage Policy applies to all Internet users (individuals working for the Government,
including permanent full-time and part-time employees, contract workers, temporary agency
workers, business partners, and vendors) who access the Internet through the computing or
networking resources. The Government's Internet users are expected to be familiar with and to
comply with this policy, and are also required to use their common sense and exercise their good
judgment while using Internet services.
1.0 Consequences of Violations
Violations of the Internet usage Policy will be documented and can lead to revocation of
system privileges and/or disciplinary action up to and including termination.
Additionally, the Government may at its discretion seek legal remedies for damages incurred as a
result of any violation. The Government may also be required by law to report certain illegal
activities to the proper enforcement agencies.
Before access to the Internet via government network is approved, the potential Internet user is
required to read this Internet usage Policy and sign an acknowledgment form (located on the last
page of this document). The signed acknowledgment form should be turned in and will be kept
on file at the facility granting the access. For questions on the Internet usage Policy, contact the
ICT Department.
2. USAGE THREATS
Internet connectivity presents the government with new risks that must be addressed to safeguard
the facility's vital information assets. These risks include:
2.1 Inappropriate Use of Resources
Access to the Internet by personnel that is inconsistent with business needs results in the misuse
of resources. These activities may adversely affect productivity due to time spent using or
"surfing" the Internet. Additionally, the company may face loss of reputation and possible legal
action through other types of misuse.
2.2 Misleading or False Information
All information found on the Internet should be considered suspect until confirmed by another
reliable source. There is no quality control process on the Internet, and a considerable amount of
its information is outdated or inaccurate.
3. INTERNET SERVICES
Access to the Internet will be provided to users to support business activities and only on an as-
needed basis to perform their jobs and professional roles.
3.1 User Services
3.1.1 Internet Services Allowed
Internet access is to be used for business purposes only. Capabilities for the following
standard Internet services will be provided to users as needed:
E-mail - Send/receive E-mail messages to/from the Internet (with or without document
attachments).
Browsing - WWW services as necessary for business purposes, using a hypertext transfer
protocol (HTTP) or hypertext transfer protocol secure (HTTPS) browser tool. Full access
to the Internet; limited access from the Internet to dedicated company public web servers
only.
File Transfer Protocol (FTP) - Send data/files and receive in-bound data/files, as
necessary for business purposes.
Telnet - Standard Internet protocol for terminal emulation. User Strong Authentication
required for Internet initiated contacts into the company.
Management reserves the right to add or delete services as business needs change or conditions
warrant. All other services will be considered unauthorized access to/from the Internet and
will not be allowed.
3.2 Request & Approval Procedures
Internet access will be provided to users to support business activities and only as needed to
perform their jobs.
3.2.1 Request for Internet Access
As part of the Internet access request process, the employee is required to read both this Internet
usage Policy and the Acceptable Use Policy. The user must then sign the statements (located on
the last page of each document) that he/she understands and agrees to comply with the policies.
Users not complying with these policies could be subject to disciplinary action up to and
including termination.
Policy awareness and acknowledgment, by signing the acknowledgment form, is required
before access will be granted.
3.2.2 Approval
Internet access is requested by the user or the user's manager submitting an IT Access Request form
to the ICT department along with an attached copy of a signed Internet Usage Acknowledgment
Form.
3.2.3 Removal of privileges
Internet access will be discontinued upon termination of employee, completion of contract, end
of service of non-employee, or disciplinary action arising from violation of this policy. In the
case of a change in job function and/or transfer the original access code will be discontinued, and
only reissued if necessary and a new request for access is approved.
All user IDs that have been inactive for thirty (30) days will be revoked. The privileges granted
to users must be re-evaluated by management annually. In response to feedback from
management, systems administrators must promptly revoke all privileges no longer needed by
users.
4. USAGE POLICIES
4.1 Resource Usage
Access to the Internet will be approved and provided only if reasonable business needs are
identified. Internet services will be granted based on an employee's current job responsibilities.
If an employee moves to another business unit or changes job functions, a new Internet access
request must be submitted within 5 days.
User Internet access requirements will be reviewed periodically by ICT departments to ensure
that continuing needs exist.
4.2 Allowed Usage
Internet usage is granted for the sole purpose of supporting business activities necessary to carry
out job functions. All users must follow the corporate principles regarding resource usage and
exercise good judgment in using the Internet. Questions can be addressed to the ICT Department.
Acceptable use of the Internet for performing job functions might include:
Communication between employees and non-employees for business purposes;
IT technical support downloading software upgrades and patches;
Review of possible vendor web sites for product information;
Reference regulatory or technical information.
Research
4.3 Personal Usage
Using Government computer resources to access the Internet for personal purposes, without
approval from the user's manager and the IT department, may be considered cause for
disciplinary action up to and including termination.
All users of the Internet should be aware that the organization network creates an audit log
reflecting request for service, both in-bound and out-bound addresses, and is periodically
reviewed.
Users who choose to store or transmit personal information such as private keys, credit card
numbers or certificates or make use of Internet "wallets" do so at their own risk. The
Government is not responsible for any loss of information, such as information stored in the
wallet, or any consequential loss of personal property.
4.4 Prohibited Usage
Acquisition, storage, and dissemination of data which is illegal, pornographic, or which
negatively depicts race, sex or creed is specifically prohibited.
The Government also prohibits the conduct of a business enterprise, political activity,
engaging in any form of intelligence collection from our facilities, engaging in fraudulent
activities, or knowingly disseminating false or otherwise libelous materials.
Other activities that are strictly prohibited include, but are not limited to:
Accessing government information that is not within the scope of one's work. This
includes unauthorized reading of government account information, unauthorized access of
personnel file information, and accessing information that is not needed for the proper execution
of job functions.
Misusing, disclosing without proper authorization, or altering government or personnel
information. This includes making unauthorized changes to a personnel file or sharing electronic
customer or personnel data with unauthorized personnel.
Deliberate pointing or hyper-linking of Government Web sites to other Internet/WWW
sites whose content may be inconsistent with or in violation of the aims or policies of the
Government.
Any conduct that would constitute or encourage a criminal offense, lead to civil liability,
or otherwise violate any regulations, local, state, national or international law.
Use, transmission, duplication, or voluntary receipt of material that infringes on the
copyrights, trademarks, trade secrets, or patent rights of any person or organization. Assume that
all materials on the Internet are copyright and/or patented unless specific notices state otherwise.
Transmission of any proprietary, confidential, or otherwise sensitive information without
the proper controls.
Creation, posting, transmission, or voluntary receipt of any unlawful, offensive, libelous,
threatening, harassing material, including but not limited to comments based on race, national
origin, sex, sexual orientation, age, disability, religion, or political beliefs.
Any form of gambling.
Unless specifically authorized under the provisions of section 4.3, the following activities are
also strictly prohibited:
Unauthorized downloading of any shareware programs or files for use without
authorization in advance from the ICT Department and the user's manager.
Any ordering (shopping) of items or services on the Internet.
Playing of any games.
Forwarding of chain letters.
Participation in any on-line contest or promotion.
Acceptance of promotional gifts.
Bandwidth both within the government and in connecting to the Internet is a shared, finite
resource. Users must make reasonable efforts to use this resource in ways that do not negatively
affect other employees. Specific departments may set guidelines on bandwidth use and resource
allocation, and may ban the downloading of particular file types.
If you have any questions about Acceptable Use, contact the ICT Department.
4.5 Software License
The Government strongly supports strict adherence to software vendors' license agreements.
When at work, or when government computing or networking resources are employed, copying
of software in a manner not consistent with the vendor's license is strictly forbidden. Questions
regarding lawful versus unlawful copying should be referred to the ICT Department for review
or to request a ruling from the Legal Department before any copying is done.
Similarly, reproduction of materials available over the Internet must be done only with the
written permission of the author or owner of the document. Unless permission from the
copyright owner(s) is first obtained, making copies of material from magazines, journals,
newsletters, other publications and online documents is forbidden unless this is both reasonable
and customary. This notion of "fair use" is in keeping with international copyright laws.
4.6 Review of Public Information
All publicly-writeable directories on Internet-connected computers will be reviewed and cleared
each evening. This process is necessary to prevent the anonymous exchange of information
inconsistent with government business. Examples of unauthorized public information include
pirated information, passwords, credit card numbers, and pornography.
4.7 Expectation of Privacy
4.7.1 Monitoring
Users should consider their Internet activities as periodically monitored and limit their activities
accordingly.
Management reserves the right to examine e-mail, personal file directories, web access, and other
information stored on company computers, at any time and without notice. This examination
ensures compliance with internal policies and assists with the management of company
information systems.
4.7.1.1 Web Site Monitoring
The ICT Department shall monitor Internet use from all computers and devices connected to the
corporate network. For all traffic the monitoring system must record the source IP Address, the
date, the time, the protocol, and the destination site or server. Where possible, the system should
record the User ID of the person or account initiating the traffic. Internet Use records must be
preserved for 180 days.
4.7.1.2 Access to Web Site Monitoring Reports
General trending and activity reports will be made available to any employee as needed upon
request to the ICT Department. ICT Department may access all reports and data if necessary to
respond to a security incident. Internet Use reports that identify specific users, sites, teams, or
devices will only be made available to associates outside the ICT Department upon written or
email request to ICT Department from a Human Resources Representative.
4.7.1.3 Internet Use Filtering System
The ICT Department shall block access to Internet websites and protocols that are deemed
inappropriate for Government network. The following protocols and categories of websites
should be blocked:
Adult/Sexually Explicit Material
Advertisements & Pop-Ups
Chat and Instant Messaging
Gambling
Hacking
Illegal Drugs
Intimate Apparel and Swimwear
Peer to Peer File Sharing
Personals and Dating
Social Network Services
SPAM, Phishing and Fraud
Spyware
Tasteless and Offensive Content
Violence, Intolerance and Hate
4.7.1.4 Internet Use Filtering Rule Changes
The ICT Department shall periodically review and recommend changes to web and protocol
filtering rules. Human Resources shall review these recommendations and decide if any changes
are to be made. Changes to web and protocol filtering rules will be recorded in the Internet Use
Policy.
4.7.1.5 Internet Use Filtering Exceptions
If a site is mis-categorized, employees may request the site be un-blocked by submitting a ticket
to the ICT help desk. ICT staff will review the request and un-block the site if it is
mis-categorized.
Employees may access blocked sites with permission if appropriate and necessary for business
purposes. If an employee needs access to a site that is blocked and appropriately categorized,
they must submit a request to their Human Resources (HR) representative. HR will present all
approved exception requests to Information Technology in writing or by email. ICT Department
will unblock that site or category for that associate only. Information Technology will track
approved exceptions and report on them upon request.
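The following is an added example, not code from the policy or its author: the per-request record section 4.7.1.1 requires and its 180-day retention, the category block list of 4.7.1.3, and the per-associate exceptions of 4.7.1.5 applied as a filtering decision. The proxy log format, the site-to-category lookup (standing in for a categorisation feed) and the sample records are constructed for this example.

```python
"""Added example, not part of the policy: Internet Use records, retention purge and a
category filtering decision with per-associate exceptions. Log format, category lookup
and sample data are constructed assumptions of this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlparse

RETENTION = timedelta(days=180)      # section 4.7.1.1

BLOCKED_CATEGORIES = {               # section 4.7.1.3
    "Adult/Sexually Explicit Material", "Advertisements & Pop-Ups",
    "Chat and Instant Messaging", "Gambling", "Hacking", "Illegal Drugs",
    "Intimate Apparel and Swimwear", "Peer to Peer File Sharing",
    "Personals and Dating", "Social Network Services", "SPAM, Phishing and Fraud",
    "Spyware", "Tasteless and Offensive Content", "Violence, Intolerance and Hate",
}

# Constructed stand-in for a URL-categorisation feed: hostname -> category.
SITE_CATEGORIES = {
    "casino.example": "Gambling",
    "social.example": "Social Network Services",
    "vendor.example": "Business",
}


@dataclass
class UseRecord:
    """The fields section 4.7.1.1 says the monitoring system must record."""
    source_ip: str
    timestamp: datetime              # date and time
    protocol: str
    destination: str                 # destination site or server
    user_id: Optional[str]           # recorded "where possible"


def parse_proxy_line(line: str) -> UseRecord:
    """Constructed format: '<ISO timestamp> <source ip> <user id or -> <url>'."""
    ts, src, user, url = line.split()
    parsed = urlparse(url)
    return UseRecord(src, datetime.fromisoformat(ts), parsed.scheme,
                     parsed.hostname or "", None if user == "-" else user)


def filtering_decision(record: UseRecord, exceptions: dict) -> tuple:
    """Return (decision, category). exceptions maps a user id to the set of hostnames
    or categories HR has approved for that associate only (section 4.7.1.5)."""
    category = SITE_CATEGORIES.get(record.destination, "Uncategorised")
    if category not in BLOCKED_CATEGORIES:
        return "allow", category
    granted = exceptions.get(record.user_id, set())
    if record.destination in granted or category in granted:
        return "allow-exception", category
    return "block", category


def purge_expired(records, now: datetime):
    """Keep only records still inside the 180-day retention window."""
    return [r for r in records if now - r.timestamp <= RETENTION]


# Constructed sample log; the last line is older than the retention period.
SAMPLE_PROXY_LOG = [
    "2013-09-09T10:15:00 10.0.0.21 jdoe http://casino.example/bet",
    "2013-09-09T10:16:00 10.0.0.22 asmith https://social.example/feed",
    "2013-09-09T10:17:00 10.0.0.23 - https://vendor.example/docs",
    "2013-03-01T09:00:00 10.0.0.21 jdoe https://vendor.example/old",
]
EXCEPTIONS = {"asmith": {"Social Network Services"}}   # constructed HR-approved exception

if __name__ == "__main__":
    records = [parse_proxy_line(line) for line in SAMPLE_PROXY_LOG]
    for r in purge_expired(records, datetime(2013, 9, 10)):
        print(r.source_ip, r.user_id, r.protocol, r.destination, filtering_decision(r, EXCEPTIONS))
```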
4.7.2 E-mail Confidentiality
Users should be aware that clear text e-mail is not a confidential means of communication. The
company cannot guarantee that electronic communications will be private. Employees should be
aware that electronic communications can, depending on the technology, be forwarded,
intercepted, printed, and stored by others. Users should also be aware that once an e-mail is
transmitted it may be altered. Deleting an e-mail from an individual workstation will not eliminate
it from the various systems across which it has been transmitted.
4.8 Maintaining Corporate Image
4.8.1 Representation
When using government resources to access and use the Internet, users must realize they
represent the Government. Whenever employees state an affiliation to the company, they must
also clearly indicate that "the opinions expressed are my own and not necessarily those of the
Government". Questions may be addressed to the IT Department.
4.8.2 Company Materials
Users must not place government material (examples: internal memos, press releases, product or
usage information, documentation, etc.) on any mailing list, public news group, or such service.
Any posting of materials must be approved by the employee's manager and the public relations
department and will be placed by an authorized individual.
4.8.3 Creating Web Sites
All individuals and/or government units wishing to establish a WWW home page or site must
first develop business, implementation, and maintenance plans. Formal authorization must be
obtained through the ICT Department. This will maintain publishing and content standards
needed to ensure consistency and appropriateness.
In addition, contents of the material made available to the public through the Internet must be
formally reviewed and approved before being published. All material should be submitted to the
ICT Director for initial approval to continue. All company pages are owned by, and are the
ultimate responsibility of the ICT Director.
All company web sites must be protected from unwanted intrusion through formal security
measures which can be obtained from the ICT department.
4.9 Periodic Reviews
4.9.1 Usage Compliance Reviews
To ensure compliance with this policy, periodic reviews will be conducted. These reviews will
include testing the degree of compliance with usage policies.
4.9.2 Policy Maintenance Reviews
Periodic reviews will be conducted to ensure the appropriateness and the effectiveness of usage
policies. These reviews may result in the modification, addition, or deletion of usage policies to
better suit company information needs.
5. REFERENCES
5.1 Points of Contact
If you need assistance regarding the following topics related to Internet usage, contact the ICT
Department for additional assistance.
6. INTERNET USAGE COVERAGE ACKNOWLEDGMENT FORM
After reading this policy, please sign the coverage form and submit it to your facility's ICT
department or the granting facility's ICT department for filing.
By signing below, the individual requesting Internet access through government computing
resources hereby acknowledges receipt of and compliance with the Internet Usage Policy.
Furthermore, the undersigned also acknowledges that he/she has read and understands this policy
before signing this form.
Internet access will not be granted until this acknowledgment form is signed by the individual's
manager. After completion, the form is filed in the individual's human resources file (for
permanent employees), or in a folder specifically dedicated to Internet access (for contract
workers, etc.), and maintained by the ICT department. These acknowledgment forms are subject
to internal audit.
ACKNOWLEDGMENT
I have read the Internet Usage Policy. I understand the contents, and I agree to comply
with the said Policy.
Location (Location and address)
Business Purpose
Name
Signature ______________________________Date __________________
Manager/Supervisor Signature _________________Date ___________
Wireless Communication Policy
1.0 Overview
The purpose of this policy is to secure and protect the information assets owned by GOTG.
Government provides computer devices, networks, and other electronic information systems to
meet missions, goals, and initiatives. Government grants access to these resources as a privilege
and must manage them responsibly to maintain the confidentiality, integrity, and availability of
all information assets.
This policy specifies the technical requirements that wireless infrastructure devices must satisfy
to connect to government network. Only those wireless infrastructure devices that meet the
requirements specified in this standard or are granted an exception by the ICT Department are
approved for connectivity to government network.
2.0 Scope
All employees, contractors, consultants, temporary and other workers at Government, including
all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf
of GOTG must adhere to this policy. This policy applies to all wireless infrastructure devices that
connect to government network or reside on a government site that provide wireless connectivity
to endpoint devices including, but not limited to, laptops, desktops, cellular phones, tablets and
personal digital assistants (PDAs). This includes any form of wireless communication device
capable of transmitting packet data.
The Government ICT department must approve exceptions to this policy in advance.
3.0 Statement of Requirements
3.1 General Requirements
All wireless infrastructure devices that connect to government network or provide access to
Government Confidential, Highly Confidential, or Restricted information must:
3.1.1 Use Extensible Authentication Protocol-Fast Authentication via Secure Tunneling
(EAP-FAST), Protected Extensible Authentication Protocol (PEAP), or Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS) as the authentication
protocol.
3.1.2 Use Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES)
protocols with a minimum key length of 128 bits.
3.2 Lab and Isolated Wireless Device Requirements
3.2.1 Lab device Service Set Identifier (SSID) must be different from government production
device SSID.
3.2.2 Broadcast of lab device SSID must be disabled.
3.3 Home Wireless Device Requirements
All home wireless infrastructure devices that provide direct access to government network, such
as those behind remote access or hardware VPN, must adhere to the following:
3.3.1 Enable WiFi Protected Access Pre-shared Key (WPA-PSK), EAP-FAST, PEAP, or EAP-TLS
3.3.2 When enabling WPA-PSK, configure a complex shared secret key (at least 20 characters)
on the wireless client and the wireless access point
3.3.3 Disable broadcast of SSID
3.3.4 Change the default SSID name
3.3.5 Change the default login and password
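As an added example (not part of this policy or of any vendor's software), the following Python checks a home access point configuration in hostapd's key=value format against requirements 3.3.1 through 3.3.4 above and the cipher rule in 3.1.2. The two configurations, the SSID names, the passphrases and the list of factory-default SSIDs are constructed for the example.

```python
# Constructed hostapd-style configs (hypothetical values, not a real device):
# one that misses several 3.3 items and one that meets them.
SAMPLE_WEAK = """\
ssid=linksys
ignore_broadcast_ssid=0
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=letmein1
wpa_pairwise=TKIP
"""
SAMPLE_HARDENED = """\
ssid=GOTG-Teleworker-7F2
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Correct-Horse-Battery-Staple-2013!
rsn_pairwise=CCMP
"""
# Factory-default SSIDs to flag under 3.3.4 (illustrative, assumed list).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "tp-link"}
ALLOWED_KEY_MGMT = {"WPA-PSK", "WPA-EAP"}  # PSK, or 802.1X carrying PEAP/EAP-FAST/EAP-TLS
ALLOWED_CIPHERS = {"TKIP", "CCMP"}         # CCMP is AES with 128-bit keys (3.1.2)

def parse_hostapd(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_wireless_policy(text):
    """Return the policy items the config fails; an empty list means compliant."""
    c = parse_hostapd(text)
    findings = []
    if c.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("3.3.4 default SSID still in use")
    if c.get("ignore_broadcast_ssid") != "1":
        findings.append("3.3.3 SSID broadcast not disabled")
    if c.get("wpa", "0") not in ("1", "2", "3"):  # 0 or unset: no WPA at all
        findings.append("3.3.1 WPA not enabled")
    if not set(c.get("wpa_key_mgmt", "").split()) & ALLOWED_KEY_MGMT:
        findings.append("3.3.1 key management is not WPA-PSK or 802.1X/EAP")
    if "WPA-PSK" in c.get("wpa_key_mgmt", "") and len(c.get("wpa_passphrase", "")) < 20:
        findings.append("3.3.2 pre-shared key shorter than 20 characters")
    ciphers = set(c.get("rsn_pairwise", c.get("wpa_pairwise", "")).split())
    if not ciphers or not ciphers <= ALLOWED_CIPHERS:
        findings.append("3.1.2 pairwise cipher is not TKIP or AES (CCMP)")
    return findings
```

Requirement 3.3.5 (changing the default login and password) is not visible in this file and has to be checked on the device's management interface.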
4.0 Enforcement
Any employee found to have violated the policy may be subject to disciplinary action, up to and
including termination of employment. Any violation of the policy by a temporary worker,
contractor or vendor may result in the termination of their contract or assignment with
Government.
5.0 Definitions
Term Definition
AES: Advanced Encryption Standard
Government network: A wired or wireless network including indoor, outdoor, and alpha networks
that provide connectivity to corporate services.
Corporate connectivity: A connection that provides access to government network.
EAP-FAST: Extensible Authentication Protocol-Fast Authentication via Secure Tunneling,
an authentication protocol for wireless networks.
EAP-TLS: Extensible Authentication Protocol-Transport Layer Security, used to create a secured
connection for 802.1X by pre-installing a digital certificate on the client computer.
Remote Access Telecommuter: An end-to-end hardware VPN solution for teleworker access to the
government network.
Information assets: Information that is collected or produced and the underlying hardware,
software, services, systems, and technology that is necessary for obtaining, storing, using, and
securing that information which is recognized as important and valuable to an organization.
PEAP: Protected Extensible Authentication Protocol, a protocol used for transmitting
authentication data, including passwords, over 802.11 wireless networks.
Service Set Identifier (SSID): A set of characters that give a unique name to a wireless local
area network.
TKIP: Temporal Key Integrity Protocol, an encryption protocol that is part of WPA.
WPA-PSK: WiFi Protected Access pre-shared key
6.0 Revision History
Date of Change Responsible Summary of Change
Router Security Policy
1.0 Purpose
This document describes a required minimal security configuration for all routers and switches
connecting to a production network or used in a production capacity at or on behalf of GOTG.
2.0 Scope
All routers and switches connected to Government production networks are affected. Routers
and switches within internal, secured labs are not affected.
3.0 Policy
Every router must meet the following configuration standards:
1. No local user accounts are configured on the router. Routers must use TACACS+ for all
user authentications.
2. The enable password on the router must be kept in a secure encrypted form. Reversible
encryption algorithms, such as the Cisco type 7 Vigenère cipher, are unacceptable. The
router must have the enable password set to the current production router password from
the router's support organization.
3. The following services or features must be disabled:
a. IP directed broadcasts
b. TCP small services
c. UDP small services
d. All source routing
e. All web services running on router
f. Auto-configuration
4. The following services should be disabled unless a business need is provided:
a. Cisco discovery protocol and other discovery protocols
b. Dynamic trunking
c. Scripting environments, such as the TCL shell
5. The following services must be configured:
a. Password-encryption
b. NTP configured to a corporate standard source
6. Use corporate standardized SNMP community strings. Default strings, such as public or
private must be removed. SNMP must be configured to use the most secure version of
the protocol allowed for by the combination of the device and management systems.
7. Access control lists must be used to limit the source and type of traffic that can terminate
on the device itself.
8. Access control lists for transiting the device are to be added as business needs arise.
9. The router must be included in the corporate enterprise management system with a
designated point of contact.
10. Each router must have the following statement presented for all forms of login whether
remote or local:
"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You
must have explicit permission to access or configure this device. All activities performed
on this device may be logged, and violations of this policy may result in disciplinary
action, and may be reported to law enforcement. There is no right to privacy on this
device. Use of this system shall constitute consent to monitoring."
11. Telnet may never be used across any network to manage a router, unless there is a secure
tunnel protecting the entire communication path. SSH version 2 is the preferred
management protocol.
12. Dynamic routing protocols must use authentication in routing updates sent to neighbors.
Password hashing for the authentication string must be enabled when supported.
13. A corporate standard will be created and reviewed at least annually to define items
required but not defined in this policy, such as NTP servers.
14. The corporate router configuration standard will define the category of sensitive routing
and switching devices, and require additional services or configuration on sensitive
devices including:
a. IP access list accounting
b. Device logging
c. Incoming packets at the router sourced with invalid addresses, such as RFC1918
addresses, or those that could be used to spoof network traffic shall be dropped.
d. Router console and modem access must be restricted by additional security
controls.
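As an added example, not part of this policy and not a vendor tool, the following Python audits a Cisco IOS style running configuration against the items in the list above that are visible in the configuration text (1, 2, 3b, 3d, 3e, 4a, 5, 6, 7, 10 and 11). The configuration, its hostname, addresses and secrets are constructed placeholders, and the rule patterns assume the explicit command forms shown rather than any particular IOS release's defaults.

```python
import re

# Constructed IOS-style running configuration (hypothetical device, placeholder secrets).
SAMPLE_CONFIG = """\
service password-encryption
no service tcp-small-servers
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username admin privilege 15 password 7 0123456789ABCD
aaa authentication login default group tacacs+
no ip source-route
no ip http server
no cdp run
snmp-server community public RO
banner login ^C UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. ^C
ntp server 10.0.0.1
ip ssh version 2
line vty 0 4
 access-class 10 in
 transport input telnet ssh
"""

# (policy item, line pattern, expected): True means a matching line is required,
# False means a matching line is a violation.
RULES = [
    ("1 local user accounts present (use TACACS+)", r"^username \S+", False),
    ("1 TACACS+ login authentication not configured", r"^aaa authentication login .*tacacs\+", True),
    ("2 enable secret (one-way hash) not set", r"^enable secret", True),
    ("2 reversible enable password configured", r"^enable password", False),
    ("3b TCP small services not disabled", r"^no service tcp-small-servers", True),
    ("3d source routing not disabled", r"^no ip source-route", True),
    ("3e HTTP server not disabled", r"^no ip http server", True),
    ("4a CDP not disabled", r"^no cdp run", True),
    ("5a password-encryption not enabled", r"^service password-encryption", True),
    ("5b NTP source not configured", r"^ntp server ", True),
    ("6 default SNMP community string", r"^snmp-server community (public|private)\b", False),
    ("7 no access-class on vty lines", r"^\s+access-class \d+ in", True),
    ("10 login banner missing", r"^banner login", True),
    ("11 telnet allowed on vty lines", r"^\s+transport input .*telnet", False),
    ("11 SSH version 2 not enforced", r"^ip ssh version 2", True),
]

def audit_router_config(text):
    """Return the policy items the configuration violates; empty list means compliant."""
    lines = text.splitlines()
    findings = []
    for item, pattern, expected in RULES:
        if any(re.match(pattern, ln) for ln in lines) != expected:
            findings.append(item)
    return findings
```

Because IOS omits default settings from `show running-config`, feed the checker the output of `show running-config all` where the platform supports it, so that lines such as `no service tcp-small-servers` appear when they are in effect.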
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
5.0 Exceptions
Exceptions to this policy must be documented and approved in writing by the ICT Director or
their authorized representative. Documented exceptions must be available to auditors.
6.0 Definitions
Terms Definitions
Production Network The "production network" is the network used in the daily business
of Government. Any network connected to the corporate backbone,
either directly or indirectly, which lacks an intervening firewall
device. Any network whose impairment would result in direct loss
of functionality to Government employees or impact their ability to
do work.
Lab Network A "lab network" is defined as any network used for the purposes of
testing, demonstrations, training, etc. Any network that is stand-
alone or firewalled off from the production network(s) and whose
impairment will not cause direct loss to Government nor affect the
production network.
Access Control List (ACL) Lists kept by routers to control access to or from the router for a
number of services (for example, to prevent packets with a certain
IP address from leaving a particular interface on the router).
7.0 Revision History
Original Issue Date: 9/9/2013
Acceptable Encryption Policy
1.0 Purpose
The purpose of this policy is to provide guidance that limits the use of encryption to those
algorithms that have received substantial public review and have been proven to work
effectively. Additionally, this policy provides direction to ensure that Government regulations
are followed, and legal authority is granted for the dissemination and use of encryption
technologies outside of the United States.
2.0 Scope
This policy applies to all Government employees and affiliates.
3.0 Policy
All Government encryption shall be done using approved cryptographic modules. Common and
recommended ciphers include AES 256, Triple DES and RSA. Symmetric cryptosystem key
lengths must be at least 128 bits. Asymmetric cryptosystem keys must be of a length that yields
equivalent strength. Government's key length requirements shall be reviewed annually as part of
the yearly security review and upgraded as technology allows.
The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by
qualified experts outside of the vendor in question and approved by Government. Be aware that
the export of encryption technologies is restricted by the U.S. Government. Residents of
countries other than the United States should make themselves aware of the encryption
technology laws of the country in which they reside.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
5.0 Definitions
Term Definition
Proprietary Encryption An algorithm that has not been made public and/or has not
withstood public scrutiny. The developer of the algorithm
could be a vendor, an individual, or the government.
Symmetric Cryptosystem A method of encryption in which the same key is used for
both encryption and decryption of the data.
Asymmetric Cryptosystem A method of encryption in which two different keys are
used: one for encrypting and one for decrypting the data
(e.g., public-key encryption).
6.0 Revision History
Original Issue Date: 9/9/2013
