SECURITY Shweta-15csp021 Srishti-15csp024 PURPOSE The purpose of this policy is to establish administrative direction, procedural requirements, and technical guidance to ensure the appropriate protection of companys information handled by computer networks. SCOPE This policy applies to all who access companys computer networks. Throughout this policy, the word user will be used to collectively refer to all such individuals. The policy also applies to all computer and data communication systems owned by or administered by the company or its partners. POLICY All information traveling over companys computer networks that has not been specifically identified as the property of other parties will be treated as companys asset. It is the policy to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information. In addition, it is the policy to protect information belonging to third parties that have been entrusted to us in a manner consistent with its sensitivity. POLICY Network Access control 1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to internal networks. 2. VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase. 3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped. 4. Dual (split) tunneling is NOT permitted; only one network connection is allowed. NETWORK ACCESS CONTROL CONTINUED..
5. If a computer or communication system is not functioning properly, the systems
should remain unavailable until such time as the problem has been rectified. 6. Changes to internal networks include loading new software, changing network addresses, reconfiguring routers, and adding remote lines(with the exception of emergency situations), all changes to companys computer networks must use the formal change management process and be documented. 7. Employees must not establish local area networks, FTP servers, web servers, modem connections to existing local area networks, illegal Peer-to-Peer sharing or other multi- user systems for communicating information without the specific approval of the concerned authority. NETWORK ACCESS CONTROL CONTINUED..
8. Remote maintenance ports for companys computer and communication systems
must be disabled until the time they are needed by the vendor. These ports must be disabled immediately after use. 9. Portable devices (smartphones, tablet computers, etc.) using Wi-Fi or commercial data networks should not be used for data transmissions containing confidential personal information unless the connection is encrypted. Such links may be used for electronic communications as long as users understand that confidential personal information must not be transmitted using this technology. LOGON AND LOGOFF PROCESS
1. All users must be positively identified prior to being able to use any multi-user computer or communications system resources. Positive identification for internal networks involves a user ID and password, both of which are unique to an individual user, or an extended user authentication system. 2. VPN users will be automatically disconnected from the network after thirty minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open. 3. The VPN concentrator is limited to an absolute connection time of 24 hours. SYSTEM ACCESS CONTROL
End-User Passwords 1. The key step is to effectively protect the intellectual property and personal and financial information entrusted to it by students, employees, partners and others. Using passwords that are difficult to guess is key step towards effectively fulfilling the condition. 2. Any password used to access information stored and/or maintained by company must be at least 8 characters long, contain at least one uppercase letter and one number or special character. 3. Passwords will expire annually every 365 days. When a password expires or a change is required, users should create a new password that is not identical to the last three passwords previously employed. 4. Passwords stored electronically may not be stored in readable form where unauthorized persons might discover them. 5. Passwords may not be written down and left in a place where unauthorized persons might discover them. 6. Passwords may never be shared or revealed to anyone other than the authorized user. ACCEPTABLE ENCRYPTION POLICY
Any information that users consider sensitive or vulnerable must be encrypted.
Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or DiffieHillman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. SERVER SECURITY GUIDELINES Operating System configuration should be in accordance with the guidelines. Services and applications that will not be used must be disabled where practical. Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible. The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements. Always use standard security principles of least required access to perform a function. Do not use root when a non-privileged account will do. If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec). Servers should be physically located in an access-controlled environment. Servers are specifically prohibited from operating from uncontrolled cubicle areas. SERVER SECURITY GUIDELINES
. Servers must be installed from the bottom up in the rack enclosures.
. System with redundant power supplies must have their power cords plugged into separate power strips. . Power cords must be factory certified. ANTI-VIRUS GUIDELINES Always run the Corporate standard supported anti-virus software. Download and run the current version; download and install anti-virus software updates as they become available. NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your Trash. Delete spam, chain, and other junk email without forwarding, in with Acceptable Use Policy. Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so. Back-up critical data and system configurations on a regular basis and store the data in a safe place. REMOTE ACCESS POLICY 1. Secure remote access must be strictly controlled. Control will be enforced via one- time password authentication or public/private keys with strong pass-phrases. For information on creating a strong pass-phrase see the Password Policy. 2. At no time should any employee provide their login or email password to anyone, not even family members. 3. Employees and contractors with remote access privileges must ensure that their - owned or personal computer or workstation, which is remotely connected to corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user. 4. Employees and contractors with remote access privileges to corporate network must not use non- email accounts (i.e., Hotmail, Yahoo, AOL), or other external resources to conduct business, thereby ensuring that official business is never confused with personal business REMOTE ACCESS POLICY 5. All hosts that are connected to internal networks via remote access technologies must use the most up-to-date anti-virus software (place url to corporate software site here), this includes personal computers. Third party connections must comply with requirements as stated in the Third Party Agreement. 6. Personal equipment that is used to connect to networks must meet the requirements of -owned equipment for remote access. 7. Organizations or individuals who wish to implement non-standard Remote Access solutions to the production network must obtain prior approval from Remote Access Services. RESPONSIBILITIES Network security manager is responsible for adherence of the policy. THANKS
