SECURITY Shweta-15csp021
The purpose of this policy is to establish administrative direction, procedural
requirements, and technical guidance to ensure the appropriate protection of the
company's information handled by computer networks.
This policy applies to all who access the company's computer networks. Throughout this
policy, the word "user" will be used to collectively refer to all such individuals. The
policy also applies to all computer and data communication systems owned or
administered by the company or its partners.
All information traveling over the company's computer networks that has not been
specifically identified as the property of other parties will be treated as a company
asset. It is the policy to prohibit unauthorized access, disclosure, duplication,
modification, diversion, destruction, loss, misuse, or theft of this information. In
addition, it is the policy to protect information belonging to third parties that has
been entrusted to us in a manner consistent with its sensitivity.
Network Access Control
1. It is the responsibility of employees with VPN privileges to ensure that
unauthorized users are not allowed access to internal networks.
2. VPN use is to be controlled using either one-time password authentication, such as
a token device, or a public/private key system with a strong passphrase.
3. When actively connected to the corporate network, the VPN client will force all
traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
5. If a computer or communication system is not functioning properly, the system
should remain unavailable until the problem has been rectified.
6. Changes to internal networks include loading new software, changing network
addresses, reconfiguring routers, and adding remote lines. With the exception of
emergency situations, all changes to the company's computer networks must go
through the formal change management process and be documented.
7. Employees must not establish local area networks, FTP servers, web servers, modem
connections to existing local area networks, illegal peer-to-peer sharing, or other
multi-user systems for communicating information without the specific approval of the
concerned authority.
8. Remote maintenance ports for the company's computer and communication systems
must be disabled until they are needed by the vendor, and must be disabled again
immediately after use.
9. Portable devices (smartphones, tablet computers, etc.) using Wi-Fi or commercial
data networks must not be used to transmit confidential personal information unless
the connection is encrypted. Such links may be used for other electronic
communications as long as users understand that confidential personal information
must not be sent over them unencrypted.

1. All users must be positively identified before they can use any multi-user
computer or communications system resources. Positive identification for internal networks
involves a user ID and password, both of which are unique to an individual user, or an
extended user authentication system.
2. VPN users will be automatically disconnected from the network after thirty minutes of
inactivity and must then log on again to reconnect. Pings or other artificial network
traffic must not be used to keep the connection open.
3. The VPN concentrator limits each connection to an absolute maximum of 24 hours.

End-User Passwords
1. Protecting the intellectual property and the personal and financial information
entrusted to the company by students, employees, partners and others is essential. Using
passwords that are difficult to guess is a key step towards fulfilling that obligation.
2. Any password used to access information stored and/or maintained by the company must be
at least 8 characters long and contain at least one uppercase letter and at least one number
or special character.
3. Passwords expire every 365 days. When a password expires or a change is required, the
new password must not be identical to any of the last three passwords used.
4. Passwords stored electronically must not be kept in readable (plaintext) form where
unauthorized persons might discover them.
5. Passwords must not be written down and left in a place where unauthorized persons might
find them.
6. Passwords must never be shared with or revealed to anyone other than the authorized user.
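Rules 2 to 4 above are easy to state and easy to get wrong in code: the history check in rule 3 only works if old passwords are kept in a form that satisfies rule 4, i.e. as salted, slow hashes rather than plaintext. The following is an added example, not part of the original policy and not the code of any directory product. It implements PBKDF2-HMAC-SHA256 by hand (RFC 8018, single output block) so that it runs with only the Go standard library; the iteration count, the sample passwords and the history depth of three are constructed for the example. In production use a vetted bcrypt, scrypt or Argon2 implementation instead of hand-rolled PBKDF2.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"unicode"
)

// Policy parameters from the rules above.
const (
	MinLength    = 8
	HistoryDepth = 3
	// Work factor for this example. OWASP's current guidance for
	// PBKDF2-HMAC-SHA256 is 600,000; it is lower here to keep the demo quick.
	Iterations = 100000
)

// pbkdf2SHA256 derives a 32-byte key per RFC 8018. Because the output length
// equals the hash length, only block index 1 is computed.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := prf.Sum(nil)
	t := make([]byte, len(u))
	copy(t, u)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(u[:0])
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// StoredPassword is what the directory keeps: a per-user random salt and the
// derived key, never the password itself (rule 4).
type StoredPassword struct {
	Salt []byte
	Key  []byte
}

// Store hashes a password with a fresh 128-bit salt.
func Store(password string) (StoredPassword, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	return StoredPassword{Salt: salt, Key: pbkdf2SHA256([]byte(password), salt, Iterations)}, nil
}

// Matches recomputes the derivation and compares in constant time.
func (s StoredPassword) Matches(password string) bool {
	return subtle.ConstantTimeCompare(s.Key, pbkdf2SHA256([]byte(password), s.Salt, Iterations)) == 1
}

// CheckComplexity applies rule 2: at least MinLength characters (counted as
// runes, not bytes), one uppercase letter, and one digit or special character.
func CheckComplexity(password string) error {
	var upper, digitOrSpecial bool
	n := 0
	for _, r := range password {
		n++
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r), unicode.IsPunct(r), unicode.IsSymbol(r):
			digitOrSpecial = true
		}
	}
	if n < MinLength {
		return fmt.Errorf("password must be at least %d characters, got %d", MinLength, n)
	}
	if !upper {
		return errors.New("password needs at least one uppercase letter")
	}
	if !digitOrSpecial {
		return errors.New("password needs at least one digit or special character")
	}
	return nil
}

// ValidateNewPassword applies rules 2 and 3: complexity, then rejection of any
// of the last HistoryDepth passwords. history is ordered newest first.
func ValidateNewPassword(candidate string, history []StoredPassword) error {
	if err := CheckComplexity(candidate); err != nil {
		return err
	}
	recent := history
	if len(recent) > HistoryDepth {
		recent = recent[:HistoryDepth]
	}
	for i, old := range recent {
		if old.Matches(candidate) {
			return fmt.Errorf("password matches one used %d change(s) ago", i+1)
		}
	}
	return nil
}

func main() {
	// Constructed history, newest first; a real system accumulates these over time.
	var history []StoredPassword
	for _, old := range []string{"Autumn2024!", "Summer2024!", "Spring2024!", "Winter2023!"} {
		s, err := Store(old)
		if err != nil {
			panic(err)
		}
		history = append(history, s)
	}
	for _, c := range []string{"Spring2024!", "Winter2023!", "short1A", "NoDigitsHere"} {
		if err := ValidateNewPassword(c, history); err != nil {
			fmt.Printf("%-13s rejected: %v\n", c, err)
		} else {
			fmt.Printf("%-13s accepted\n", c)
		}
	}
}
```

The fourth-previous password ("Winter2023!") is accepted because rule 3 only reaches back three changes; extend HistoryDepth if that is too permissive. One caveat a practitioner should raise against rule 3 itself: NIST SP 800-63B advises verifiers not to force periodic password changes, and to require a change only when there is evidence of compromise, because scheduled rotation pushes users toward predictable variations of the old password.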

Any information that users consider sensitive or vulnerable must be encrypted.

Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used
as the basis for encryption technologies. These algorithms represent the actual cipher
used by an approved application. For example, Network Associates' Pretty Good
Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure
Sockets Layer (SSL) uses RSA to protect the session key and a symmetric cipher for the
bulk data. Symmetric cryptosystem key lengths must be at least 56 bits. Note that 56 bits
is the full DES key length, and DES keys have been recoverable by brute force since the
EFF's Deep Crack machine in 1998; current guidance treats 128-bit symmetric keys (for
example AES-128) as the minimum for new deployments, and a policy written today should
set its floor there rather than at 56 bits.
Operating system configuration must be in accordance with the guidelines.
Services and applications that will not be used must be disabled where practical.
Access to services must be logged and/or protected through access-control methods such
as TCP Wrappers, where possible.
The most recent security patches must be installed on the system as soon as practical, the only
exception being when immediate application would interfere with business requirements.
Always apply the principle of least privilege: grant only the access required to perform a function.
Do not use root when a non-privileged account will do.
If a secure channel is available (i.e., technically feasible), privileged access must be
performed over it (e.g., encrypted network connections using SSH or IPsec).
Servers should be physically located in an access-controlled environment.
Servers are specifically prohibited from operating from uncontrolled cubicle areas.

1. Servers must be installed from the bottom up in rack enclosures.
2. Systems with redundant power supplies must have their power cords plugged into
separate power strips.
3. Power cords must be factory certified.
Always run the corporate standard supported anti-virus software. Download and
run the current version; download and install anti-virus software updates as they
become available.
NEVER open any files or macros attached to an email from an unknown, suspicious
or untrustworthy source. Delete these attachments immediately, then "double delete"
them by emptying your Trash.
Delete spam, chain, and other junk email without forwarding, in accordance with the
Acceptable Use Policy.
Avoid direct disk sharing with read/write access unless there is an absolute business
requirement to do so.
Back up critical data and system configurations on a regular basis and store the
backups in a safe place.
1. Secure remote access must be strictly controlled. Control will be enforced via one-
time password authentication or public/private keys with strong passphrases. For
information on creating a strong passphrase, see the Password Policy.
2. At no time should any employee provide their login or email password to anyone,
not even family members.
3. Employees and contractors with remote access privileges must ensure that their
company-owned or personal computer or workstation, while remotely connected to the
corporate network, is not connected to any other network at the same time, with the
exception of personal networks that are under the complete control of the user.
4. Employees and contractors with remote access privileges to the corporate network
must not use non-company email accounts (e.g., Hotmail, Yahoo, AOL) or other external
resources to conduct business, so that official business is never mixed with
personal business.
5. All hosts that are connected to internal networks via remote access technologies
must run the most up-to-date anti-virus software; this includes personal computers.
Third-party connections must comply with the requirements stated in the Third Party
Agreement.
6. Personal equipment that is used to connect to the company's networks must meet the
requirements of company-owned equipment for remote access.
7. Organizations or individuals who wish to implement non-standard remote access
solutions to the production network must obtain prior approval from Remote Access.
The network security manager is responsible for adherence to this policy.