8/8/2019 STBC Information Security Manual - Team 4
http://slidepdf.com/reader/full/stbc-information-security-manual-team-4 1/18
STBC Information Security Manual
CET4884 - Team 4
Troy Barnette, Joseph Cosmano, Gregory Henson, Rodney Lambert, Daniel Miller, Gerardo Pineda, Jonathan Stein
Table of Contents
Introduction
Chapter 1. Program Policies
1.1 Information Security Program Charter
1.2 Information Security Program Organization
1.3 Information Security Audit Program
1.4 Incident Response and Continuity of Business
1.5 Information Security Awareness Program
Chapter 2. Issue Specific Policies
2.1 Internet Use Policy
2.2 Email Policy
2.3 Information Classification Policy
2.4 Access Control Policy
2.5 Malware Control Policy
Chapter 3. System Specific Policy
3.1 Workstation Security Configuration
References
Introduction
This document is prepared to satisfy the requirements of CET4884 (Spring 2010) at the University of Central Florida. Per direction, the formats used in developing this document are those presented in NIST Special Publication 800-12, Chapter 5: Computer Security Policy.
The Sydney Teddy Bear Company (STBC) is a fictional company by which the students in the course are employed. For the purposes of this group and assignment, the following personnel are employees of STBC:
Chief Security Officer: Jonathan Stein
Information Security Directors: Dan Miller, Joseph Cosmano
Information Security Managers: Troy Barnette, Rodney Lambert,
Gerardo Pineda, Gregory Henson
Collaboration in the preparation of this document was done through a shared document on Google Docs. The original document is located at:
http://docs.google.com/Doc?docid=0AdLTUsgiEiQ4ZGM2a3A0bmtfMTAxaGJnYnhiZnc&hl=en
Chapter 1. Program Policies
1.1 Information Security Program Charter
Authors: Joseph Cosmano, Jonathan Stein, Daniel Miller
Information is vitally important to the success of business operations and the viability of STBC (the "Company"); therefore, the Company has an obligation to ensure that its information is protected against unauthorized disclosure, modification, or destruction.
A risk management approach will be used in establishing the Company's Information Security Program. This requires the identification, assessment, and mitigation of vulnerabilities and threats that can significantly impact STBC's information assets.
1.1.1 Purpose
The purpose of this policy is to provide guidelines for STBC employees, vendors, contractors, and visitors which are designed to maintain the confidentiality, integrity, and availability of our data and confidential customer information. The goal of this policy is to ensure that the Company operates within all of the legal guidelines and ethical standards set forth.
1.1.2 Scope
This policy includes physical, logical, and personnel security strategies that apply to all employees, vendors, contractors, and visitors of STBC.
1.1.3 Responsibilities
The Chief Information Security Officer (CISO) is responsible for the content of this policy. The Director of Human Resources is responsible for disseminating the information contained in this policy as well as for disciplinary actions resulting from non-compliance with the policies of the STBC Information Security Program. Together, the CISO and the HR Director will arrange semiannual meetings to review and update the policy, train and educate employees on the topics covered in the policy, and perform audits to assure that all policy requirements are met.
1.1.4 Compliance
The Director of Information Technology will appoint an individual as a compliance auditor. This individual will perform monthly audits to ensure that STBC is operating in compliance with the policies of the STBC Information Security Program. Any departments or individuals found to be in breach of compliance will be reported to their appropriate supervisors and the Human Resources Department.
All STBC employees, vendors, contractors, and visitors will be held accountable by the Human Resources Department to maintain compliance with this policy. Those found to be in breach of compliance will be subject to disciplinary action up to and including termination of employment or contract.
1.2 Information Security Program Organization
Authors: Rodney Lambert, Troy Barnette
1.2.1 Purpose
Effective organization and direction from upper management are essential to the success of an Information Security Program. The goal of this policy is to clearly define the organization of roles in the Company with respect to the implementation of the Information Security Program.
1.2.2 Scope
This policy includes the supervisory, logistical, and administrative roles of employees of STBC with regard to maintaining an organized Information Security Program.
1.2.3 Responsibilities
The assignment of responsibilities flows from the CEO down to STBC's employees and vendors. All users play a role in keeping information secure at the Sydney Teddy Bear Company.
• Chief Executive Officer: The CEO appoints the Information Security Officer. This person may also appoint employees to assist the Information Security Officer.
• Chief Information Security Officer: This employee is responsible for the coordination of the Information Security Program. The CISO will work throughout the facility with employees who have access to valuable information. The CISO's major objective is to utilize risk management to implement and administer a successful Information Security Program.
• Vice Presidents of Sales, Operations, Administration and area managers: This group is responsible for identifying information assets "owned" by their areas and ensuring adequate security for those assets. In addition, they will ensure that the employees in their specific areas operate within the guidelines of the Information Security Program and all associated policies.
• Information Security Team: This team is tasked with developing and implementing security controls throughout the workplace, delegating access to users, and resolving security-related conflicts. The Chief Information Security Officer is a primary member of this team.
• Computer Security Incident Response Team: This team is comprised of members of the Information Security Team. They are responsible for ensuring the effectiveness of controls implemented for safeguarding the Company's information assets, and for investigating, responding to, assessing and minimizing the damage caused by information security incidents.
1.2.4 Compliance
The Chief Information Security Officer shall ensure that the requirements and responsibilities established by this policy are effectively implemented, and that such responsibilities are met by all members of the Information Security Program Organization.
1.3 Information Security Audit Program
Author: Gregory Henson
An effective Audit Program is essential to verifying the functionality of the policies and controls implemented in respect to Information Security. Audits ensure that the Company's controls - physical or otherwise - are having the desired effect on information security and can be changed to keep pace with new threats.
1.3.1 Purpose
This policy will provide the Company with guidelines for conducting security audits. The purpose of security audits is to assess threats and to revise the controls and policies designed to ensure information security. Audits will assess Information Security controls for compliance and adequacy in respect to established policies and procedures.
Some reasons for audits include:
• Verifying compliance with current security policy and procedures
• Investigating possible security breaches through security logs
• Scheduling penetration and vulnerability testing
1.3.2 Scope
All communication and computer equipment owned by STBC and the Company's information assets will be covered by this policy. Audits will be conducted to test effectiveness and conformity with STBC policies. At the conclusion of an audit, a detailed report will be submitted to the Chief Information Security Officer.
1.3.3 Responsibilities
All audits are the responsibility of the Chief Information Security Officer. All audit findings will be documented for concurrence and non-concurrence. Any irregularities or security issues found by the audit team will be reported to the Chief Information Security Officer. All changes to the audit policy will be reviewed by the STBC IT staff and approved by senior management.
Audit responsibilities
Information Security Directors:
• Sensitivity of data
• Encryption and authentication
• Review of security log
• Report of findings including suggested corrective action
• Review hiring policies
• Emergency
• Data and records backup
Information Security Managers:
• Network firewalls
• Workstation anti-virus software
• Workstation password
• Open ports
• Servers
• VPN
• Patches
• Report of findings including suggested corrective action
• Physical facilities
1.3.4 Compliance
Audits are to be performed as scheduled. Any deviation from the audit schedule should be reported to the CISO. All auditors will be held to the highest level of integrity and ethical standards. Any auditor found in noncompliance with this policy will be subject to disciplinary action.
Audit Controls, Techniques and Procedures
Each entry below lists the control activity, the control technique the Company expects to be in place, and the audit procedure used to verify it.

Sensitivity of Data
Control technique: Check security for data that is segmented by classification. Network drives, file folders and directories must be secured per classification.
Audit procedure: Review log files. Review and assess policy and procedures.

Encryption and Authentication
Control technique: Cryptographic systems are used for customer data, and authentication is used to verify employees' identities.
Audit procedure: Assess the customer purchasing website for encryption. Review employee identification.

Review of security log
Control technique: System log files will record all activity within STBC.
Audit procedure: Verify all systems are generating log files. Review log file classification.

Review hiring policies
Control technique: Background checks will be performed on all prospective employees. Security policies will be reviewed and signed by all prospective employees.
Audit procedure: Review hiring policy. Review employee files.

Emergency
Control technique: An emergency plan has been documented and reviewed by personnel.
Audit procedure: Review policy. Interview personnel.

Data and records backup
Control technique: Back up all records and data at a set time interval. Store data offsite.
Audit procedure: Review backup policy. Review federal and local requirements.

Network firewalls
Control technique: Firewalls are to be installed to protect computer systems from outside attacks.
Audit procedure: Review firewall policy. Check firewall software for recent updates. Review log files.

Workstation anti-virus software
Control technique: Install anti-virus software on all workstations and update it with new virus definitions.
Audit procedure: Verify each workstation has current anti-virus software and up-to-date virus definitions.

Workstation password
Control technique: Passwords are to be unique, at least 6 characters long, and expire every 30 days.
Audit procedure: Review password policy. Test workstations for compliance.

Open ports
Control technique: Close all unused ports to prevent unauthorized access to systems.
Audit procedure: Scan each workstation for open ports.

Servers
Control technique: Servers will be backed up periodically. Servers will be installed in a climate-controlled room. The server room entrance is to be kept locked at all times.
Audit procedure: Verify server rooms are locked and clear of debris. Check air temperature.

VPN
Control technique: VPN will allow personnel to work offsite.
Audit procedure: Review VPN policy. Verify personnel, access credentials, and encryption methods.

Patches
Control technique: Software patches will be installed as necessary. All patches will be approved by senior management before installation.
Audit procedure: Verify software patches are up to date.

Reports
Control technique: A report will be written after each audit and stored for future reference.
Audit procedure: Review audit report policy.

Physical facilities
Control technique: All employees entering STBC facilities will display an ID badge at all times. Badge readers will allow authorized employees into high-security areas. Doors leading outside will be kept locked.
Audit procedure: Review facilities security policy. Verify employees. Verify the facilities' outside perimeter.
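Two of the audit procedures above, "Test workstations for compliance" (Workstation password) and "Scan each workstation for open ports" (Open ports), are the kind of check an auditor scripts rather than does by hand. The following is an added example, not part of the STBC manual. It assumes Linux workstations, where password aging lives in /etc/login.defs and listening sockets come from `ss -tlnp`; the thresholds are the manual's (30 days, 6 characters), and the login.defs fragment, the `ss` output and the allowlist of expected ports are constructed.

```python
"""Audit helpers for two rows of the Audit Procedures table
(added example, not part of the STBC manual).
Assumes Linux-style workstations: password aging in /etc/login.defs,
listening sockets from `ss -tlnp`. All sample inputs are constructed."""
import re

# Thresholds taken from the manual's "Workstation password" row.
MAX_PASSWORD_AGE_DAYS = 30
MIN_PASSWORD_LENGTH = 6

# Constructed /etc/login.defs fragment: max age too long, min length too short.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# Constructed `ss -tlnp` output: sshd is expected, cupsd and smbd are not.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=901,fd=7))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1203,fd=34))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""


def parse_login_defs(text):
    """Return {KEY: value} for the uncommented 'KEY VALUE' lines of login.defs."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_password_policy(login_defs_text):
    """Compare aging and length settings to the manual's limits; return findings."""
    settings = parse_login_defs(login_defs_text)
    findings = []
    # login.defs defaults to 99999 when PASS_MAX_DAYS is absent, i.e. never expire.
    max_days = int(settings.get("PASS_MAX_DAYS", "99999"))
    if max_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"PASS_MAX_DAYS={max_days} exceeds {MAX_PASSWORD_AGE_DAYS}")
    # Assumption: length is enforced here. On PAM systems using pam_pwquality
    # the auditor must also read /etc/security/pwquality.conf (not shown).
    min_len = int(settings.get("PASS_MIN_LEN", "0"))
    if min_len < MIN_PASSWORD_LENGTH:
        findings.append(f"PASS_MIN_LEN={min_len} is below {MIN_PASSWORD_LENGTH}")
    return findings


# State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")


def check_listening_ports(ss_output, allowed_ports):
    """Return sorted (port, process) pairs for listening TCP ports not on the
    allowlist. Loopback-only listeners are reported too: 'unused' is a policy
    decision about the service, not only about network exposure."""
    findings = set()
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        port = int(m.group(2))
        proc = re.search(r'\(\("([^"]+)"', m.group(3))
        name = proc.group(1) if proc else "?"
        if port not in allowed_ports:
            findings.add((port, name))
    return sorted(findings)  # the set collapses the v4/v6 pair for one port


if __name__ == "__main__":
    for finding in check_password_policy(SAMPLE_LOGIN_DEFS):
        print("password policy:", finding)
    for port, name in check_listening_ports(SAMPLE_SS_OUTPUT, {22}):
        print(f"open port {port} ({name}) is not on the allowlist")
```

On a real workstation the two inputs come from reading /etc/login.defs and running `ss -tlnp` as root; the allowlist is the per-role list of services the Company expects, which is what turns "open port" into the "unused port" the control actually forbids.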
1.4 Incident Response and Continuity of Business
Author: Gerardo Pineda
Preparedness is essential in dealing with a breach of security or natural disaster. A well-prepared disaster response plan combined with a timely and effective response can make the difference between a minor incident and a severe, business-impacting disaster.
1.4.1 Purpose
This policy defines the general response and reporting procedures to follow in the event of a security incident or breach. In the event of an information security breach or natural disaster that would affect the integrity or value of the Company or its customers through unauthorized access or exploitation of open resources, a response will be conducted by the appropriate personnel, who will assess and handle the incident, develop a response plan, and prevent further negative impact. A thorough and concise report will be produced that determines the cause and impact of the incident and addresses any vulnerabilities or flaws in the system.
1.4.2 Scope
This policy has effect upon all aspects of information security, response and documentation of incidents that may affect all levels of information systems resources owned and used by the Company. Such incidents may include misuse of data,
exploitation of open resources, theft of valuable data or systems, corruption of software, propagation of malware and/or any other incident that may jeopardize the availability and consistency of the Company's information systems. This policy does not cover damage to systems owned by employees or by any individual not employed by the Company, unless the system otherwise contributed to the incident.
1.4.3 Responsibilities
All suspicious events and/or information security incidents shall be immediately reported to the Chief Information Security Officer (CISO). An immediate escalation shall be implemented in which the CISO will determine the severity of the suspicious event and/or incident in order to contain any systems or environment with security breaches that may affect the overall performance of the Company. Affected systems may include those with network security breaches, malware infection, communication failure and/or any data mishandling. All suspicious events and/or incidents shall be contained and eliminated as soon as they are detected to minimize or eradicate any further propagation that may complicate or affect the availability of information systems.
A thorough and concise investigation shall be put into action to examine evidence of the security breach. Evidence may include affected systems, log files, malicious code/scripts, network penetration logs and any other activity that may pertain to the suspicious event and/or incident. Additionally, thorough documentation will be generated and kept on all affected systems, the environment and potential evidence such as external media (diskettes, external hard drives, Zip drives, etc.) for future reference.
The degree of all damages shall be determined by the CISO from all collected data, and he/she will then determine any further action to be taken. If the severity of the incident is high enough to require systems to be removed from the network, managerial notification shall be required in order to address any critical action.
The CISO shall be responsible for the development of a Disaster Response Plan in collaboration with the Information Security Team (IST). The CISO will be responsible for securing organizational approval and necessary funding, while the IST will determine technical requirements.
1.4.4 Compliance
All Incident Response personnel shall comply with the above procedures in order to ensure system and network control. Failure to comply with such procedures may result in disciplinary action up to and including termination of employment.
1.5 Information Security Awareness Program
Author: Jonathan Stein
Securing an organization's information starts with securing the front lines: the users of the organization's information systems. A successful security program can be directly tied to security awareness, so training and compliance are fundamental to achieving this goal. This policy intends to create an Information Security Awareness Program with the express goal of educating the Company's network users on what they can do to provide for Information Security, as well as teaching them to identify bad practices and threats to security.
1.5.1 Purpose
All users who are granted access to STBC information systems must be aware of the importance of protecting the Company's information assets. The purpose of the Information Security Awareness Program Policy is to provide guidelines to the Company and its employees on the development, implementation, and review of information security education programs and to foster a culture of continued learning in regards to Information Security.
1.5.2 Scope
All persons who have been granted access to STBC information systems and/or data, including full-time and part-time employees, contractors, vendors, temporary workers, and others granted access are covered by this policy.
1.5.3 Responsibilities
The Information Security (IS) department will be responsible for developing and maintaining an Information Security Awareness training program. Alternatively, a commercially available program may be purchased so long as it meets the minimum requirements set forth below.
The Human Resources (HR) department will be responsible for ensuring that all current employees, new hires, and others as determined by the scope of this policy adequately complete the training in accordance with this policy.
At a minimum, the selected education program must cover the following topics: viruses, spyware, World Wide Web use, information classification, best practices, worst practices, encryption, backup procedures, physical security, passwords, and social engineering techniques such as phishing.
New hires must undergo training prior to being granted access to the Company's information systems. The program must be reviewed and revised annually to reflect the latest developments in information security threats. All employees must undergo annual retraining and recertification in this program following the annual review.
In the event of a significant development in network security - such as a major threat or security incident on the Company network - special training should be developed internally and deployed to users promptly in order to address the Company's needs in response to the development. Recommendations for this requirement will come from any Chief or Director of Information Security.
Users who are found in violation of any Information Security related policy will have their network access privileges revoked until such time as they have completed a review of the training program established by this policy, as directed by the Director of Human Resources.
1.5.4 Compliance
All managers are responsible for supervising their subordinates' use of STBC information systems. Users who do not satisfy the requirements of this policy will have their network access privileges revoked, and may be subject to disciplinary actions up to and including termination of employment or contract.
found in violation of the policy will be subject to disciplinary action up to and including termination and possible legal action.
2.1.6 Points of Contact and Supplementary Information
Any issues regarding the statutes of this policy may be referred to the Director of Information Security. Issues of non-compliance should be referred to the Director of Human Resources.
2.2 Email Policy
Author: Daniel Miller
2.2.1 Issue Statement
Email is possibly the most often used means of communication in business today. It is essential that email systems are constantly available, secure, and capable of handling the communications needs of the entire Company.
However, email introduces several concerns which must be addressed. It is well known that email may often appear impersonal, and subtleties such as intonation and meaning may be lost or misconstrued by the recipient of a message. In addition, email can be a primary threat vector for the introduction of viruses and malware and for the unauthorized disclosure of sensitive information.
2.2.2 Statement of the Organization's Position
Much of the communication within STBC is through email. As such, it is very important that we maintain a high level of quality and professionalism within those communications. In addition to ensuring professionalism, the Company must also ensure the availability of email systems and prevent exposure to security threats.
2.2.3 Applicability
This policy applies to all personnel who have an email account with STBC.
2.2.4 Roles and Responsibilities
The Chief Information Security Officer shall be responsible for the enforcement of this policy.
The Director of Information Technology shall establish maximum attachment size limits, file-extension blacklists, mailbox quotas, spam filters, and other necessary restrictions following a thorough review of email needs and habits in the Company. These restrictions shall be reviewed on a semi-annual basis, or at the request of any Director or Chief of the Company.
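Two of the restrictions named above, a file-extension blacklist and a maximum attachment size, are mechanical enough to show as code. The following is an added example, not part of the STBC manual or any product it names. The blocked-extension list, the 10 MiB limit and the sample message are constructed assumptions; the point of the example is that a blacklist keyed on the last extension alone is bypassed by a double extension ("figures.pdf.exe") or by renaming the file, so the check also looks at the first bytes of each attachment.

```python
"""Attachment checks for the email restrictions named in 2.2.4
(added example, not part of the STBC manual). The blocked-extension list,
the size limit and the sample message are constructed assumptions."""
import email
from email import policy
from email.message import EmailMessage

# Assumed blacklist. Extension lists are a weak control on their own, which
# is why check_message also inspects the leading bytes of each attachment.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js", "jar"}
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024  # assumed 10 MiB per-attachment limit
PE_MAGIC = b"MZ"                          # DOS/PE executables start with "MZ"


def attachment_extensions(filename):
    """Every suffix of the name, lower-cased and stripped, so that
    'invoice.pdf.exe' yields {'pdf', 'exe'} and 'REPORT .Exe ' yields {'exe'}.
    Looking only at the last suffix misses the double-extension trick."""
    parts = filename.strip().lower().split(".")[1:]
    return {p.strip() for p in parts if p.strip()}


def check_message(raw_bytes):
    """Return a list of policy violations for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    violations = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if not name:
            violations.append("attachment without a filename")
            continue
        blocked = attachment_extensions(name) & BLOCKED_EXTENSIONS
        if blocked:
            violations.append(f"{name}: blocked extension {sorted(blocked)}")
        # The name can lie; a renamed executable still carries its PE header.
        if payload.startswith(PE_MAGIC) and "exe" not in blocked:
            violations.append(f"{name}: content is a PE executable")
        if len(payload) > MAX_ATTACHMENT_BYTES:
            violations.append(f"{name}: {len(payload)} bytes exceeds the size limit")
    return violations


def build_sample_message():
    """Constructed test message: one benign PDF, one double-extension
    executable, and one executable renamed to look like a text file."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Q2 figures"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(b"%PDF-1.4 (constructed)", maintype="application",
                       subtype="pdf", filename="figures.pdf")
    msg.add_attachment(b"not really a program", maintype="application",
                       subtype="octet-stream", filename="figures.pdf.exe")
    msg.add_attachment(PE_MAGIC + b"\x90\x00\x03\x00", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for violation in check_message(build_sample_message()):
        print("reject:", violation)
```

In a mail gateway this check runs on the raw message before delivery; archives (zip, 7z) and Office documents with macros need their own inspection, which this example does not attempt.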
2.2.5 Compliance
STBC reserves the right to monitor all email communications. This is to ensure the quality of service to clients, vendors, and business partners. This will also ensure that all communications are business related and free of impropriety. STBC-provided email accounts are for business use only.
The Department of Information Technology shall implement and enforce all controls and restrictions established by the Director of IT.
Sending or forwarding emails with pornographic or discriminatory content will be treated as harassment and will be dealt with accordingly.
Any violation of this policy will be directed to the Chief Information Security Officer. The employee's infractions will be documented and recorded in the employee's personnel file.
2.2.6 Points of Contact and Supplementary Information
Any questions or issues with this policy are to be directed to the office of the Chief Information Security Officer.
Employees may reference the following website for information on email writing: Writing Effective Email, http://jerz.setonhill.edu/writing/e-text/e-mail.htm
2.3 Information Classification Policy
Author: Gregory Henson
2.3.1 Issue Statement
All employees at STBC have a responsibility to protect information from destruction or unauthorized access. The disclosure of sensitive data can cause damage to the Company, and data classification aids in ensuring that such data is properly marked so that it can be adequately protected.
2.3.2 Statement of the Organization's Position
STBC has an obligation to protect its customers and employees, and the implementation of an information classification scheme will help to fulfill this. STBC will comply with local and federal regulations as they pertain to the classification of information.
2.3.3 Applicability
All data - on paper copy or electronic media - will be covered by this policy. All personnel granted access to classified information shall be required to have a signed non-disclosure agreement in their personnel file.
2.3.4 Roles and Responsibilities
A senior manager who is considered the "owner" of a piece of information, or its "stakeholder", is solely responsible for classifying such information. Written authorization from the stakeholder must be obtained in order to change a classification.
All employees are responsible for safeguarding information protected under a classification
level.
The Human Resources Department shall be responsible for conducting background checks to
identify any personnel who may not warrant clearance to classified information.
2.3.5 Compliance
All information used, created or owned by STBC should be classified into the following categories:
• Unclassified Public: Data that is not critical or confidential to the Company, employees or customers. Examples of unclassified public data would include but are not limited to product brochures, newsletters and public web site information.
• Proprietary: Data that is regulated by management. Examples of proprietary data would include but are not limited to security and financial information and operating procedures.
• Customer Confidential: Data that contains customer information and is regarded as having the highest level of confidentiality and integrity. This information is considered critical to the Company and its customers. The Company must comply with all local, state and federal regulations. Examples of customer confidential data would include but are not limited to customer credit card numbers, bank data, phone numbers and street addresses.
• Company Confidential: Data that contains company information and is regarded as having the highest level of confidentiality and integrity. The Company must comply with all local, state and federal regulations. Examples of company confidential data would include but are not limited to employee information, contracts and accounting information.
Any violation of this policy will be directed to senior management for investigation. All infractions will warrant an audit of this policy. An incident report will be generated for future records. Any employee found in violation of the policy will be subject to disciplinary action up to and including termination and possible legal action.
2.3.6 Points of Contact and Supplementary Information
Information Security issues or questions should be directed to the office of the Chief Information Security Officer. Policy compliance questions should be directed to the Human Resources office.
2.4 Access Control Policy
Author: Gerardo Pineda
2.4.1 Issue Statement
Strict access controls that also maintain the availability of data are an important requirement of securing information. It is vital to guarantee that information and resources are properly protected against illicit access and improper alteration that may cause harm or jeopardize the integrity and value of the Company. The goal of the access control policy is to ensure that data is available to authorized personnel at any time they may need it, regardless of their geographical or logical location.
2.4.2 Statement of the Organization's Position
All access to classified information shall be limited to personnel with appropriate credentials. Unique user identification shall be given to all system users by the Chief Information Security Officer (CISO) to ensure access to sensitive information on a need-to-know basis.
2.4.3 Applicability
This policy applies to all employees, vendors and contractors of STBC who are granted access to the Company's information assets, with special consideration for access to classified information.
2.4.4 Roles and Responsibilities
The Chief Information Security Officer (CISO) shall be required to maintain and submit account activation and/or termination requests. In addition, the CISO shall establish
procedures for responding to the event of unauthorized access to confidential information whose disclosure would jeopardize the Company's value or its customers' privacy.
The Department of Information Technology shall be responsible for network-, system-, and application-level implementation of access controls.
The Department of Human Resources shall be responsible for distributing identification
badges and keys to all employees for physical security needs.
The Department of Operations shall be responsible for maintaining locks on doors to restricted areas, maintaining ID-badge reading systems, and maintaining surveillance systems.
2.4.5 Compliance
Each person will be responsible for the confidentiality of their access credentials. Users are not to share or otherwise make known to others any information about their unique user ID, passwords, or other credentials that would allow others to access confidential, restricted and unclassified material. Additionally, the CISO shall ensure users are aware of what information they do and do not have access to.
All users shall be responsible for locking or logging off when they leave their system unattended. Such practice will increase system security. Systems shall be deployed with an automatic inactivity lock so that an unattended system cannot be used by unauthorized personnel to obtain information.
All employees must display ID badges when on company property, and keys to secured
areas shall be assigned only to essential personnel.
In the event of an unauthorized access incident, a report shall be given to the CISO for thorough examination. The CISO will then direct the implementation of measures to prevent future incidents.
Failure to comply with this policy will be referred to senior management for disciplinary
action. Any unauthorized disclosure of classified information will result in termination of employment and/or possible legal action.
2.4.6 Points of Contact and Supplementary Information
Questions about this policy, as well as access requests regarding protected information, may be directed to the office of the Chief Information Security Officer.
2.5 Malware Control Policy
Author: Rodney Lambert
2.5.1 Issue Statement
Malware is malicious code which may infect a computer and introduce a security threat such as a "keylogger" or "backdoor". There are many kinds of malware, including viruses, trojans, worms, and adware. They have the potential to expose the company's sensitive information to the outside world and hamper the performance and functionality of the computer network.
By keeping our computers free of malware, we can add value to the overall goal and mission of the STBC organization.
2.5.2 Statement of the Organization's Position
The Company must protect information systems against malware. The primary goal is to ensure the security of our information, employees, and customers and to gain high performance from the network. Management would like to ensure all employees can reliably and securely access their workstations and information at all times.
2.5.3 Applicability
This policy applies to all physical assets attached to the STBC network, whether on-site or remotely connected. It also applies to company property or any property an STBC employee may own.
All employees, vendors, and contractors will be responsible for compliance with this policy.
2.5.4 Roles and Responsibilities
The Director of Information Security shall ensure that all computer workstations, servers, and other hardware are configured in compliance with this policy. All employees are otherwise responsible for informing the Computer Security Incident Response Team of any suspicious processes or behaviors encountered on their workstation.
2.5.5 Compliance
No employee is to disable, alter, reconfigure, or otherwise tamper with any software or
other product intended to detect malware installed on their workstation or on the network.
The company will install mainstream antivirus/antimalware software and a software firewall on all workstations and servers to ensure our computers are running at optimal speeds.
Additional measures, such as a hardware filter, may be implemented at the direction of the CISO.
The Information Technology Department will block web sites that may contain malware
which could harm our computers.
The company will provide, at no cost to all employees, antivirus/antimalware software to protect their home computers and/or portable computers which may be used for STBC business. The software chosen may be the same as used internally by the company, or a different product may be chosen, so long as it provides highly reliable antivirus and antimalware protection and regular updates at no cost to the employee. Vendors and contractors will not be provided with the software.
Anyone found disseminating malicious code, intentionally or otherwise, will be dealt with severely. The Director of Human Resources is responsible for disciplinary action arising from violations of this policy. Depending on the severity of the offense, a written warning may be issued and documented in the employee's personnel file. The second offense will result in termination and possible legal action. Contractors or vendors found in violation of this policy may be subject to termination of contract and/or possible legal action.
2.5.6 Points of Contact and Supplementary Information
Questions or issues regarding this policy should be directed to the Director of Information Security. Employees may obtain copies of free antivirus software from the office of the Director of Information Security.
Chapter 3. System Specific Policy
3.1 Workstation Security Configuration
Author: Joseph Cosmano
3.1.1 Security Objectives
In conjunction with our overall security policy, our system specific policy is designed to ensure the confidentiality, integrity, and availability of STBC data. Specifically, the security objective can be further defined as providing privileged users with the resources needed to efficiently perform their job duties while minimizing the risk of a security breach or negative impact to STBC or its customers. The implementation of system specific security measures should be prioritized based on constraints to ensure that the overall security objectives meet or exceed management's expectations.
3.1.2 Operational Security Rules
• Physical access to workstations is limited to authorized personnel only.
• Use of workstations is only for sanctioned business functions.
• Workstation operating systems must be kept up to date by applying vendor-supplied patches at regular intervals. "Zero Day" exploits will be handled as quickly as possible.
• Workstations are required to be password protected and configured to automatically lock after 5 minutes of inactivity.
• Passwords must be of sufficient strength, which is defined as using at least 10 alphanumeric and special characters, varying in case, that do not match dictionary words.
• The maximum acceptable password age is 30 days. After 30 days users must be required to change their password to a unique password not used in at least 5 cycles of age expiration.
• Workspaces must be kept clean and clear of sensitive information.
• Food and drinks are not permitted near workspaces.
• Anti-Virus software will be installed and kept up to date on all workstations.
• No hardware or software will be installed onto the workstations by non-IT staff.
• Any portable workstations must use full disk encryption.
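The password rules above (minimum 10 characters, varying case, digits and special characters, no dictionary words, 30-day maximum age, no reuse within 5 change cycles) can be enforced programmatically. The following is an added illustrative example, not part of the STBC manual; the function and class names, the constructed dictionary word list, and the choice of PBKDF2 for storing history hashes are assumptions of this example.

```python
import hashlib
import os
import re
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Parameters taken from the 3.1.2 rules; the constant names are this example's own.
MIN_LENGTH = 10
MAX_AGE_DAYS = 30
HISTORY_DEPTH = 5

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "letmein", "sunshine", "qwertyuiop"}


def check_strength(password: str) -> List[str]:
    """Return the 3.1.2 strength rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        problems.append("case does not vary")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Strip digits and punctuation so "Password123!" is still caught as the word "password".
    if re.sub(r"[^A-Za-z]", "", password).lower() in DICTIONARY:
        problems.append("matches a dictionary word")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the history store never holds reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordRecord:
    """Per-user record: when the password was set, plus salted hashes of past passwords."""

    def __init__(self) -> None:
        self.history: List[Tuple[bytes, bytes]] = []  # (salt, hash), newest last
        self.set_on: Optional[date] = None

    def is_expired(self, today: date) -> bool:
        return self.set_on is None or today - self.set_on >= timedelta(days=MAX_AGE_DAYS)

    def reused(self, password: str) -> bool:
        recent = self.history[-HISTORY_DEPTH:]  # the last 5 change cycles
        return any(_hash(password, salt) == digest for salt, digest in recent)

    def change(self, password: str, today: date) -> List[str]:
        """Apply a password change; returns the violations, empty if the change was accepted."""
        problems = check_strength(password)
        if self.reused(password):
            problems.append(f"used within the last {HISTORY_DEPTH} changes")
        if not problems:
            salt = os.urandom(16)
            self.history.append((salt, _hash(password, salt)))
            self.set_on = today
        return problems
```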
3.1.3 Policy Implementation
STBC will implement both technical and non-technical controls to ensure that operational security policy is enforced. Hardware devices in combination with software will be used to enforce and audit policy compliance. Despite the best efforts to implement policy that will meet our security needs while sufficiently protecting our assets, the dynamic nature of business may require special cases where operation outside of normal policy may be required. Departmental managers will bring these scenarios to the attention of the IT Director, who can authorize such changes to be made.