Policies

Cyber Security Policy

The Cyber Security Policy should be distinct from the IT/IS policy of the UCB so that it highlights the risks from cyber threats and the measures to address or reduce those risks. While identifying and assessing the inherent risks, UCBs should keep in view the following:

    • The technologies adopted (for example, Security Information and Event Management (SIEM), Privileged Identity Management (PIM), database activity monitoring)
    • Delivery channels (ATM, PoS, IMPS, etc.)
    • Digital products being offered (m-Banking, UPI, e-Wallet, etc.)
    • Internal and external threats (internal: compromise of critical and sensitive data, password theft, internal source code review, etc.; external: DDoS, ransomware, etc.)
    • Rate each of these risks as Low, Medium, High or Very High

    IT Architecture/Framework should be security compliant

    The IT architecture/framework, which includes the network, servers, databases and applications, end user systems, etc., should incorporate security measures at all times, and this should be reviewed periodically by the Board or the IT Sub-committee of the Board. For this purpose, UCBs may carry out the following steps:

    Network

        • Identify weak/vulnerable areas in IT systems and processes through scheduled VAPT (vulnerability assessment and penetration testing).
        • Maintain a cyber crisis management plan, to be executed when an attack occurs.
        • Provide cyber security awareness to the Board, management and employees.
        • Encourage communication within the organisation when something happens or seems suspicious.
        • Carry out testing and auditing of logs and security systems, and verify that staff awareness remains high.
        • Deploy an updated firewall and allow/restrict access to networks accordingly. A properly configured firewall should filter all inbound and outbound traffic; access from public IP addresses should be permitted on a whitelist basis only; internet access from the office should be restricted at the firewall; and an Intrusion Prevention System (IPS) should be active.
        • USB flash drives: be careful about what you plug into your computer. Never use a USB drive whose source you don't know; it may carry malware that can even survive formatting.
        • You still need antivirus (yes, really). Research and choose an antivirus product you trust, install it, and keep it up to date; it is still very necessary, so don't skip it.
        • Email is the main gateway for cyber criminals: never open .zip attachments, and never click links, in emails from unknown senders.
        • Use HTTPS. The added "s" is the key: a website served over HTTPS encrypts the data you send to it and the data you receive from it, so that it cannot be eavesdropped on or tampered with in transit.
        • Use private networks such as MPLS, other leased lines or VPNs, with proper encryption, for communication between branches and the data centre (DC). Inter-office networks may use IPv6.
        • Router configurations should be backed up and reviewed regularly.
        • Restrict unauthorised users; a login banner should be active on all network devices.
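        The last two network items (regular backup and review of router configurations, and a login banner on every device) are easy to state and easy to let slip. The script below is an added example, not part of the policy text: it compares a current configuration backup with the last approved baseline and flags the settings a reviewer should refuse to sign off. The two configurations are constructed Cisco IOS-style snippets, and the list of checks (banner present, SSH-only management, web management off, whitelist-only management ACL) is an assumption chosen for illustration, not a standard the policy names.

```python
"""Review a network device configuration backup against an approved baseline.

Added example, not part of the policy text. The two configurations are
constructed Cisco IOS-style snippets; the checks applied are assumptions
chosen to illustrate a review, not a standard named by the policy.
"""
import difflib
import re

# Constructed baseline: the last reviewed and approved backup.
BASELINE_CONFIG = """\
hostname BRANCH-RTR-01
banner login ^C
Unauthorised access to this device is prohibited.
All activity is logged.
^C
ip access-list standard MGMT-HOSTS
 permit 10.10.5.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
no ip http server
"""

# Constructed current backup: the banner is gone, telnet was enabled, web
# management was turned on and a 'permit any' crept into the management ACL.
CURRENT_CONFIG = """\
hostname BRANCH-RTR-01
ip access-list standard MGMT-HOSTS
 permit 10.10.5.0 0.0.0.255
 permit any
line vty 0 4
 access-class MGMT-HOSTS in
 transport input telnet ssh
 exec-timeout 5 0
ip http server
"""


def config_diff(baseline: str, current: str) -> list[str]:
    """Unified diff between two backups, so the reviewer sees what changed."""
    return list(difflib.unified_diff(
        baseline.splitlines(), current.splitlines(),
        fromfile="baseline", tofile="current", lineterm=""))


def review_config(config: str) -> list[str]:
    """Return the policy findings for one configuration (empty list = clean)."""
    findings = []
    lines = config.splitlines()

    # A login banner must be active on every network device.
    if not re.search(r"^banner (login|motd) ", config, re.MULTILINE):
        findings.append("no login banner configured")

    # Management access must be SSH only; telnet sends credentials in clear.
    for line in lines:
        if line.strip().startswith("transport input") and "telnet" in line:
            findings.append(f"telnet permitted on vty: {line.strip()!r}")

    # Unencrypted web management should stay disabled.
    if "ip http server" in lines and "no ip http server" not in lines:
        findings.append("ip http server is enabled")

    # The management ACL must stay whitelist-only: no 'permit any' entries.
    in_acl = False
    for line in lines:
        if line.startswith("ip access-list"):
            in_acl = True
            continue
        if in_acl and not line.startswith(" "):
            in_acl = False
        if in_acl and line.strip() == "permit any":
            findings.append("management ACL permits any source")

    return findings


if __name__ == "__main__":
    for d in config_diff(BASELINE_CONFIG, CURRENT_CONFIG):
        print(d)
    for f in review_config(CURRENT_CONFIG):
        print("FINDING:", f)
```

        Run against the constructed current backup the script reports four findings, while the baseline passes clean; in practice the diff and the findings would be attached to the periodic review record that the policy asks the Board or IT Sub-committee to see.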

      Server

          • Allow restricted access to applications only where permitted, through well-defined processes and approvals that include the rationale for permitting such access
          • Assess the cost of impact in case of breaches/failures in these areas
          • Keep bank application servers that do not need internet access separate from the servers that are internet-facing
          • Define internal server-to-server accessibility and permissions (LAN)
          • Domain creation: set domain properties for password policy and password change frequency
          • Creation of virtual machines (VMware)

      Database

          • Allow/restrict access to databases
          • Creation of individual users
          • Database access logging
          • Database password encryption
          • Archive logs and audit mode
          • DR site
          • Backups
          • Backup restoration and testing
          • DR drill activity
          • Allow/restrict access of external devices
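          A backup that has never been restored is only a hope. The script below is an added example, not part of the policy text, showing what "backup restoration and testing" looks like when automated: take a dump of the database, record a SHA-256 checksum and control figures (row count and balance total), then prove a later restore into a fresh, empty database reproduces them. An in-memory SQLite database with constructed account rows stands in for the bank's real database; the table, the control figures and the report layout are assumptions for illustration.

```python
"""Backup integrity and restoration test.

Added example, not part of the policy text. An in-memory SQLite database with
constructed sample rows stands in for a bank's real database; the table name,
the control figures and the result layout are assumptions for illustration.
"""
import hashlib
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed 'production' data: a small accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (acct_no TEXT PRIMARY KEY, holder TEXT, balance_paise INTEGER);
        INSERT INTO accounts VALUES ('0001', 'A. Kumar', 1250000);
        INSERT INTO accounts VALUES ('0002', 'S. Patel', 980050);
        INSERT INTO accounts VALUES ('0003', 'R. Iyer', 4575);
    """)
    return conn


def checksum(dump: str) -> str:
    """SHA-256 of the dump text, recorded alongside the backup."""
    return hashlib.sha256(dump.encode()).hexdigest()


def take_backup(conn: sqlite3.Connection) -> tuple[str, str, dict]:
    """Dump the database to SQL text and record what a restore must reproduce:
    the checksum of the dump plus control figures (row count, balance total)."""
    dump = "\n".join(conn.iterdump())
    count, total = conn.execute(
        "SELECT COUNT(*), SUM(balance_paise) FROM accounts").fetchone()
    return dump, checksum(dump), {"rows": count, "balance_total": total}


def verify_restore(dump: str, digest: str, controls: dict) -> dict:
    """Restore the dump into a fresh database and check it against the record.
    Returns named checks so the drill report shows exactly which step failed."""
    result = {"checksum_ok": checksum(dump) == digest,
              "restore_ok": False, "controls_ok": False}
    if not result["checksum_ok"]:
        return result  # a corrupted or tampered backup must not be trusted
    scratch = sqlite3.connect(":memory:")
    try:
        scratch.executescript(dump)
        result["restore_ok"] = True
        count, total = scratch.execute(
            "SELECT COUNT(*), SUM(balance_paise) FROM accounts").fetchone()
        result["controls_ok"] = (count == controls["rows"]
                                 and total == controls["balance_total"])
    except sqlite3.Error:
        pass  # restore_ok stays False
    finally:
        scratch.close()
    return result


if __name__ == "__main__":
    prod = build_sample_db()
    dump, digest, controls = take_backup(prod)
    print("clean restore:", verify_restore(dump, digest, controls))
    # Simulate silent corruption of the stored backup: one balance altered.
    tampered = dump.replace("1250000", "1250001")
    print("tampered backup:", verify_restore(tampered, digest, controls))
```

          The checksum catches a backup that was altered or corrupted at rest; the control figures catch a dump that restores without error but is incomplete (for example, truncated before the last rows). Both failure modes are the ones a DR drill exists to find before an incident does.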

      Application

          • Allow restricted, role-based access to applications
          • Install only the required software on application servers
          • Encryption of database links, configuration files, and usernames and passwords
          • Username/password change frequency
          • Allow/restrict access of external devices

      End User Systems

          • Allow restricted access to applications only where permitted, through well-defined processes and approvals that include the rationale for permitting such access

      Cyber Security Policy and Systems Review

          • The Cyber Security Policy should be reviewed every year
          • Documentation, training and awareness programmes for bank staff
          • Roles and responsibilities
          • Put in place a suitable cyber security system to address the identified risks
          • Specify and document clearly the responsibility for each of the above steps.

        Basic Cyber Security Controls for Primary (Urban) Cooperative Banks (UCBs)

        1) Inventory Management of Business IT Assets

        1.1 UCBs should maintain an up-to-date business IT Asset Inventory Register containing the following fields, as a minimum:

              • Details of the IT asset (viz., hardware/software/network devices, key personnel, services, etc.)
              • Details of systems where customer data are stored
              • Associated business applications, if any
              • Criticality of the IT asset (for example, High/Medium/Low)


        2) Preventing access of unauthorized software

        3) Environmental Controls

        4) Network Management and Security

        5) Secure Configuration

        6) Anti-virus and Patch Management

        7) User Access Control / Management

        8) Secure mail and messaging systems

        9) Removable Media

        10) User/Employee/Management Awareness

        11) Customer Education and Awareness

        13) Vendor/Outsourcing Risk Management


        Description of some of the cyber security threats

        1) Denial of service attack: flooding a system or service with traffic or requests so that legitimate users cannot access it.

        2) Distributed denial of service: a denial of service attack launched simultaneously from many compromised machines (a botnet).

        3) Ransomware: malware that encrypts or locks the victim's data or systems and demands payment for their release.

        4) Malware: malicious software (viruses, worms, trojans, spyware, etc.) designed to damage, disrupt or gain unauthorised access to systems.

        5) Phishing: fraudulent emails or messages impersonating a trusted party to trick recipients into revealing credentials or other sensitive data.

        6) Spear phishing: phishing tailored to a specific individual or organisation, using information gathered about the target.

        7) Whaling: spear phishing aimed at senior executives or other high-value individuals.

        8) Vishing: phishing carried out over voice calls.

        9) Drive-by downloads: malware installed on a visitor's machine simply by visiting a compromised or malicious web page, without the user knowingly downloading anything.

        10) Browser Gateway frauds:

        11) Ghost administrator exploit:

    Information Technology Policy and Procedure Manual

    Introduction

    The {Business Name} IT Policy and Procedure Manual provides the policies and procedures for selection and use of IT within the business which must be followed by all staff. It also provides guidelines {Business name} will use to administer these policies, with the correct procedure to follow.

    {Business Name} will keep all IT policies current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the policies and procedures, or to add new procedures.

    Any suggestions, recommendations or feedback on the policies and procedures specified in this manual are welcome.

    These policies and procedures apply to all employees.

    Technology Hardware Purchasing Policy

    Policy Number: {insert unique number}

    Policy Date: {insert date of policy}

    Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

    Computer hardware refers to the physical parts of a computer and related devices. Internal hardware devices include motherboards, hard drives, and RAM. External hardware devices include monitors, keyboards, mice, printers, and scanners.


    Purpose of the Policy

    This policy provides guidelines for the purchase of hardware for the business, to ensure that all hardware technology for the business is appropriate, value for money and, where applicable, integrates with other technology for the business. The objective of this policy is to ensure that there is minimum diversity of hardware within the business.

    Procedures

    Purchase of Hardware

    Guidance: The purchase of all desktops, servers, portable computers, computer peripherals and mobile devices must adhere to this policy. Edit this statement to cover the relevant technology for your business.

    Purchasing desktop computer systems

    Guidance: For assistance with choosing hardware and software, including desktop computers, see the Choosing hardware and software page on the Business Victoria website.

    The desktop computer systems purchased must run a {insert relevant operating system here e.g. Windows} and integrate with existing hardware {insert names of existing technology such as the business server}.

    The desktop computer systems must be purchased as standard desktop system bundle and must be {insert manufacturer type here, such as HP, Dell, Acer etc.}.

    The desktop computer system bundle must include:

      • Desktop tower
      • Desktop screen of {insert screen size here}
      • Keyboard and mouse (state whether these are to be wireless, if relevant)
      • {insert name of operating system, e.g. Windows 7, and software e.g. Office 2013 here}
      • {insert other items here, such as speakers, microphone, webcam, printers etc.}

      The minimum capacity of the desktop must be:

      • {insert processor speed (GHz, gigahertz) here}
      • {insert memory (RAM) size here}
      • {insert number of USB ports here}
      • {insert other specifications for desktop here, such as DVD drive, microphone port, etc.}

      Any change from the above requirements must be authorised by {insert relevant job title here}

      All purchases of desktops must be supported by {insert guarantee and/or warranty requirements here} and be compatible with the business’s server system.

      All purchases for desktops must be in line with the purchasing policy in the Financial policies and procedures manual.

      Purchasing portable computer systems

      The purchase of portable computer systems includes {insert names of portable devices here, such as notebooks, laptops, tablets etc.}

      Portable computer systems purchased must run a {insert relevant operating system here e.g. Windows} and integrate with existing hardware {insert names of existing technology such as the business server}.

      The portable computer systems purchased must be {insert manufacturer type here, such as HP, Dell, Acer, etc.}.

      The minimum capacity of the portable computer system must be:

      • {insert processor speed (GHz, gigahertz) here}
      • {insert memory (RAM) size here}
      • {insert number of USB ports here}
      • {insert other specifications for portable device here, such as DVD drive, microphone port, webcam, speakers, etc.}

      The portable computer system must include the following software provided:

      • {insert names of software e.g. Office 2013, Adobe, Reader, Internet Explorer here}
      • {insert names of software e.g. Office 2013, Adobe, Reader, Internet Explorer here}
      • {insert names of software e.g. Office 2013, Adobe, Reader, Internet Explorer here}

      Any change from the above requirements must be authorised by {insert relevant job title here}

      All purchases of portable computer systems must be supported by {insert guarantee and/or warranty requirements here} and be compatible with the business’s server system.

      All purchases for portable computer systems must be in line with the purchasing policy in the Financial policies and procedures manual.

    Purchasing server systems

    Server systems can only be purchased by {insert relevant job title here, recommended IT specialist}.

    Server systems purchased must be compatible with all other computer hardware in the business.

    All purchases of server systems must be supported by {insert guarantee and/or warranty requirements here} and be compatible with the business’s other server systems.

    Any change from the above requirements must be authorised by {insert relevant job title here}

    All purchases for server systems must be in line with the purchasing policy in the Financial policies and procedures manual.

    Purchasing computer peripherals

    Computer system peripherals include {insert names of add-on devices such as printers, scanners, external hard drives etc. here}


    Computer peripherals can only be purchased where they are not included in any hardware purchase or are considered to be an additional requirement to existing peripherals.

    Computer peripherals purchased must be compatible with all other computer hardware and software in the business.

    The purchase of computer peripherals can only be authorised by {insert relevant job title here, recommended IT specialist or department manager}.

    All purchases of computer peripherals must be supported by {insert guarantee and/or warranty requirements here} and be compatible with the business’s other hardware and software systems.

    Any change from the above requirements must be authorised by {insert relevant job title here}

    All purchases for computer peripherals must be in line with the purchasing policy in the Financial policies and procedures manual.

    Purchasing mobile telephones

    A mobile phone will only be purchased once the eligibility criteria are met. Refer to the Mobile Phone Usage policy in this document.

    The purchase of a mobile phone must be from {insert names authorised suppliers here, such as Telstra etc.} to ensure the business takes advantage of volume pricing based discounts provided by {insert names authorised suppliers here, such as Telstra etc.}. Such discounts should include the purchase of the phone, the phone call and internet charges etc.

    The mobile phone must be compatible with the business’s current hardware and software systems.

    The mobile phone purchased must be {insert manufacturer type here, such as iPhone, BlackBerry, Samsung, etc.}.

    The request for accessories (a hands-free kit etc.) must be included as part of the initial request for a phone.

    The purchase of a mobile phone must be approved by {insert relevant job title here} prior to purchase.

    Any change from the above requirements must be authorised by {insert relevant job title here}

    All purchases of mobile phones must be supported by {insert guarantee and/or warranty requirements here}.

    All purchases for mobile phones must be in line with the purchasing policy in the Financial policies and procedures manual.

    Additional Policies for Purchasing Hardware

    Guidance: add, link or remove the policies listed below as required.

    Purchasing Policy

    Mobile phone policy

    Policy for Getting Software

    Policy Number: {insert unique number}

    Policy Date: {insert date of policy}

    Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

    Purpose of the Policy

    This policy provides guidelines for the purchase of software for the business, to ensure that all software used by the business is appropriate, value for money and, where applicable, integrates with other technology for the business. This policy also applies to software obtained as part of a hardware bundle or pre-loaded software.

    Procedures

    Request for Software

    All software, including {insert relevant other types of non-commercial software such as open source, freeware, etc. here} must be approved by {insert relevant job title here} prior to the use or download of such software.

    Purchase of software

    The purchase of all software must adhere to this policy.

    All purchased software must be purchased by {insert relevant job title here}

    All purchased software must be purchased from {insert relevant suppliers names or the words ‘reputable software sellers’ here}

    All purchases of software must be supported by {insert guarantee and/or warranty requirements here} and be compatible with the business’s server and/or hardware system.

    Any changes from the above requirements must be authorised by {insert relevant job title here}

    All purchases for software must be in line with the purchasing policy in the Financial policies and procedures manual.

    Obtaining open source or freeware software

    Open source or freeware software can be obtained without payment and usually downloaded directly from the internet.

    In the event that open source or freeware software is required, approval from {insert relevant job title here} must be obtained prior to the download or use of such software.

    All open source or freeware must be compatible with the business’s hardware and software systems.

    Any change from the above requirements must be authorised by {insert relevant job title here}

    Additional Policies for Obtaining Software

    Guidance: add, link or remove the policies listed below as required.

    Purchasing Policy

    Use of Software policy

    Policy for Use of Software

    Policy Number: {insert unique number}

    Policy Date: {insert date of policy}

    Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

    Purpose of the Policy

    This policy provides guidelines for the use of software for all employees within the business to ensure that all software use is appropriate. Under this policy, the use of all open source and freeware software will be conducted under the same procedures outlined for commercial software.

    Procedures

    Software Licensing

    All computer software copyrights and terms of all software licences will be followed by all employees of the business.

    Where licensing states limited usage (i.e. number of computers or users etc.), then it is the responsibility of {insert relevant job title here} to ensure these terms are followed.

    {insert relevant job title here} is responsible for completing a software audit of all hardware twice a year to ensure that software copyrights and licence agreements are adhered to.

    Software Installation

    All software must be appropriately registered with the supplier where this is a requirement.

    {Business Name} is to be the registered owner of all software.

    Only software obtained in accordance with the getting software policy is to be installed on the business’s computers.

    All software installation is to be carried out by {insert relevant job title here}

    A software upgrade shall not be installed on a computer that does not already have a copy of the original version of the software loaded on it.


    Software Usage

    Only software purchased in accordance with the getting software policy is to be used within the business.

    Prior to the use of any software, the employee must receive instructions on any licensing agreements relating to the software, including any restrictions on use of the software.

    All employees must receive training for all new software. This includes new employees to be trained to use existing software appropriately. This will be the responsibility of {insert relevant job title here}

    Employees are prohibited from bringing software from home and loading it onto the business’s computer hardware.

    Unless express approval from {insert relevant job title here} is obtained, software cannot be taken home and loaded on an employee’s home computer.

    Where an employee is required to use software at home, an evaluation of providing the employee with a portable computer should be undertaken in the first instance. Where it is found that software can be used on the employee’s home computer, authorisation from {insert relevant job title here} is required to purchase separate software if licensing or copyright restrictions apply. Where software is purchased in this circumstance, it remains the property of the business and must be recorded on the software register by {insert relevant job title here}

    Unauthorised software is prohibited from being used in the business. This includes the use of software owned by an employee and used within the business.

    The unauthorised duplicating, acquiring or use of software copies is prohibited. Any employee who makes, acquires, or uses unauthorised copies of software will be referred to {insert relevant job title here} for {insert consequence here, such as further consultation, reprimand action etc.}. The illegal duplication of software or other copyrighted works is not condoned within this business and {insert relevant job title here} is authorised to undertake disciplinary action where such event occurs.

    Breach of Policy

    Where there is a breach of this policy by an employee, that employee will be referred to {insert relevant job title here} for {insert consequence here, such as further consultation, reprimand action etc.}

    Where an employee is aware of a breach of the use of software in accordance with this policy, they are obliged to notify {insert relevant job title here} immediately. In the event that the breach is not reported and it is determined that an employee failed to report the breach, then that employee will be referred to {insert relevant job title here} for {insert consequence here, such as further consultation, reprimand action etc.}

    Additional Policies for Use of Software

    Guidance: add, link or remove the policies listed below as required.

    Technology Hardware Policy

    Obtaining Software policy

    Bring Your Own Device Policy 

    Policy Number: {insert unique number}

    Policy Date: {insert date of policy}

    Guidance: Edit this policy so it suits the needs of your business.

    At {Business Name} we acknowledge the importance of mobile technologies in improving business communication and productivity. In addition to the increased use of mobile devices, staff members have requested the option of connecting their own mobile devices to {Business Name}’s network and equipment. We encourage you to read this document in full and to act upon the recommendations. This policy should be read and carried out by all staff.

    Purpose of the Policy

    This policy provides guidelines for the use of personally owned notebooks, smart phones, tablets and {insert other types of mobile devices} for business purposes. All staff who use or access {Business Name}’s technology equipment and/or services are bound by the conditions of this Policy.

    Procedures

    Current mobile devices approved for business use

    The following personally owned mobile devices are approved to be used for business purposes:

    • {insert type of approved mobile devices such as notebooks, smart phones, tablets, iPhone, removable media etc.}
    • {insert type of approved mobile devices such as notebooks, smart phones, tablets, iPhone, removable media etc.}
    • {insert type of approved mobile devices such as smart phones, tablets, iPhone etc.}
    • {insert type of approved mobile devices such as notebooks, smart phones, tablets, iPhone, removable media etc.}.

    Registration of personal mobile devices for business use

    Guidance: You will need to consider if the business is to have any control over the applications that are used for business purposes and/or used on the personal devices.

    Employees when using personal devices for business use will register the device with {insert relevant job title or department here}.

    {insert relevant job title or department here} will record the device and all applications used by the device.

    Personal mobile devices can only be used for the following business purposes:

    • {insert each type of approved use such as email access, business internet access, business telephone calls etc.}
    • {insert each type of approved use such as email access, business internet access, business telephone calls etc.}
    • {insert each type of approved use such as email access, business internet access, business telephone calls etc.}.

    Each employee who utilises personal mobile devices agrees:

    • Not to download or transfer business or personal sensitive information to the device. Sensitive information includes {insert types of business or personal information that you consider sensitive to the business, for example intellectual property, other employee details etc.}
    • Not to use the registered mobile device as the sole repository for {Business Name}’s information. All business information stored on mobile devices should be backed up
    • To make every reasonable effort to ensure that {Business Name}’s information is not compromised through the use of mobile equipment in a public place. Screens displaying sensitive or critical information should not be seen by unauthorised persons and all registered devices should be password protected
    • To maintain the device with {insert maintenance requirements of mobile devices such as current operating software, current security software etc.}
    • Not to share the device with other individuals, to protect the business data accessed through the device
    • To abide by {Business Name}’s internet policy for appropriate use and access of internet sites etc.
    • To notify {Business Name} immediately in the event of loss or theft of the registered device
    • Not to connect USB memory sticks from an untrusted or unknown source to {Business Name}’s equipment.

    All employees who have a registered personal mobile device for business use acknowledge that the business:

    • Owns all intellectual property created on the device
    • Can access all data held on the device, including personal data
    • Will regularly back-up data held on the device
    • Will delete all data held on the device in the event of loss or theft of the device
    • Has first right to buy the device where the employee wants to sell the device
    • Will delete all data held on the device upon termination of the employee. The terminated employee can request personal data be reinstated from back up data
    • Has the right to deregister the device for business use at any time.

    Keeping mobile devices secure

    The following must be observed when handling mobile computing devices (such as notebooks and iPads):

    • Mobile computer devices must never be left unattended in a public place, or in an unlocked house, or in a motor vehicle, even if it is locked. Wherever possible they should be kept on the person or securely locked away
    • Cable locking devices should also be considered for use with laptop computers in public places, e.g. in a seminar or conference, even when the laptop is attended
    • Mobile devices should be carried as hand luggage when travelling by aircraft.

    Exemptions

    This policy is mandatory unless {insert relevant job title or department here} grants an exemption. Any requests for exemptions from any of these directives should be referred to {insert relevant job title or department here}.

    Breach of this policy

    Any breach of this policy will be referred to {insert relevant job title} who will review the breach and determine adequate consequences, which can include { insert consequences here such as confiscation of the device and or termination of employment.}

    Indemnity

    {Business Name} bears no responsibility whatsoever for any legal action threatened or started due to conduct and activities of staff in accessing or using these resources or facilities. All staff indemnify {Business Name} against any and all damages, costs and expenses suffered by {Business Name} arising out of any unlawful or improper conduct and activity, and in respect of any action, settlement or compromise, or any statutory infringement. Legal prosecution following a breach of these conditions may result independently from any action by {Business Name}.

    Additional Policies for Business Mobile Phone Use

    Guidance: add, link or remove the policies listed below as required.

    Technology Hardware Purchasing Policy

    Use of Software policy

    Purchasing Policy

    Information Technology Security Policy

    Policy Number: {insert unique number}

    Policy Date: {insert date of policy}

    Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

    Purpose of the Policy

    This policy provides guidelines for the protection and use of information technology assets and resources within the business to ensure integrity, confidentiality and availability of data and assets.

    Procedures

    Physical Security

    For all servers, mainframes and other network assets, the area must be secured with adequate ventilation and appropriate access through {insert relevant security measure here, such as keypad, lock etc.}

    It will be the responsibility of {insert relevant job title here} to ensure that this requirement is followed at all times. Any employee becoming aware of a breach to this security requirement is obliged to notify {insert relevant job title here} immediately.

    The security and safety of all portable technology, {insert relevant types here, such as laptops, notepads, iPads etc.}, will be the responsibility of the employee who has been issued with the {insert relevant types here, such as laptop, notepads, iPads, mobile phones etc.}. Each employee is required to use {insert relevant types here, such as locks, passwords, etc.} and to ensure the asset is kept safely at all times, to protect the security of the asset issued to them.

    In the event of loss or damage, {insert relevant job title here} will assess the security measures undertaken to determine if the employee will be required to reimburse the business for the loss or damage.

    All {insert relevant types here, such as laptops, notepads, iPads etc.}, when kept at the office desk, are to be secured by {insert relevant security measure here, such as keypad, lock etc.} provided by {insert relevant job title here}

    Information Security

    All {insert relevant data to be backed up here – either general such as sensitive, valuable, or critical business data or provide a checklist of all data to be backed up } is to be backed-up.

    It is the responsibility of {insert relevant job title here} to ensure that data back-ups are conducted {insert frequency of back-ups here} and the backed up data is kept {insert where back up data is to be kept e.g. cloud, offsite venue, employees home etc. here}

    All technology that has internet access must have anti-virus software installed. It is the responsibility of {insert relevant job title here} to install all anti-virus software and ensure that this software remains up to date on all technology used by the business.

    All information used within the business is to adhere to the privacy laws and the business’s confidentiality requirements. Any employee breaching this will be {insert relevant consequence here}

    Technology Access

    Every employee will be issued with a unique identification code to access the business technology and will be required to set a password for access every {insert frequency here}

    Each password is to be {insert rules relating to password creation here, such as number of alpha and numeric etc.} and is not to be shared with any employee within the business.

    {insert relevant job title here} is responsible for the issuing of the identification code and initial password for all employees.

    Where an employee forgets the password or is ‘locked out’ after {insert a number here e.g. three attempts}, then {insert relevant job title here} is authorised to reissue a new initial password that will be required to be changed when the employee logs in using the new initial password.
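    The lockout rule above only protects the business if it is actually enforced, and the "testing and auditing of logs" item in the cyber security policy earlier on this page is how that gets checked. The script below is an added example, not part of either policy: it reads authentication log lines, counts failed logins per account within a time window, and reports accounts that reached the lockout threshold, singling out the case where a successful login follows the threshold without any reset, which means the lockout was not applied. The log lines are constructed; the line format, the threshold of three attempts and the fifteen-minute window are assumptions standing in for whatever the business's systems actually emit and whatever number is inserted in the policy.

```python
"""Audit authentication logs for accounts that reached the lockout threshold.

Added example, not part of the policy text. The log lines are constructed;
the line format, the threshold of three failed attempts and the window are
assumptions standing in for the business's real systems and policy values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, event, user, source address.
SAMPLE_LOG = """\
2024-03-04T09:00:01 LOGIN_FAIL user=emp0421 src=10.20.1.15
2024-03-04T09:00:09 LOGIN_FAIL user=emp0421 src=10.20.1.15
2024-03-04T09:00:20 LOGIN_OK   user=emp0421 src=10.20.1.15
2024-03-04T09:05:00 LOGIN_FAIL user=emp0388 src=10.20.1.40
2024-03-04T09:05:04 LOGIN_FAIL user=emp0388 src=10.20.1.40
2024-03-04T09:05:09 LOGIN_FAIL user=emp0388 src=10.20.1.40
2024-03-04T09:05:15 LOGIN_OK   user=emp0388 src=10.20.1.40
2024-03-04T10:00:00 LOGIN_FAIL user=emp0102 src=10.20.1.77
2024-03-04T11:30:00 LOGIN_FAIL user=emp0102 src=10.20.1.77
2024-03-04T13:00:00 LOGIN_FAIL user=emp0102 src=10.20.1.77
"""

MAX_ATTEMPTS = 3                 # assumed policy value: lock out after three failures
WINDOW = timedelta(minutes=15)   # assumed: failures older than this no longer count


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Split one constructed log line into (timestamp, event, user, source)."""
    ts, event, user, src = line.split()
    return (datetime.fromisoformat(ts), event,
            user.split("=", 1)[1], src.split("=", 1)[1])


def audit_lockouts(log_text: str, max_attempts: int = MAX_ATTEMPTS,
                   window: timedelta = WINDOW) -> dict[str, list[str]]:
    """Return {user: [notes]} for accounts that reached the lockout threshold.

    A successful login after the threshold is the finding that matters most:
    it means the lockout was not enforced, or was reset without the initial
    password being reissued, and the reviewer should follow it up."""
    recent = defaultdict(list)    # user -> timestamps of failures inside the window
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        ts, event, user, src = parse_line(raw)
        if event == "LOGIN_FAIL":
            # Drop failures that fell out of the window, then add this one.
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) == max_attempts:
                findings[user].append(
                    f"{max_attempts} failures within {window} from {src} at {ts.isoformat()}")
        elif event == "LOGIN_OK":
            if len(recent[user]) >= max_attempts:
                findings[user].append(
                    f"successful login at {ts.isoformat()} after threshold reached; lockout not enforced?")
            recent[user] = []     # a success ends the failure streak
    return dict(findings)


if __name__ == "__main__":
    for user, notes in audit_lockouts(SAMPLE_LOG).items():
        print(user)
        for note in notes:
            print("  -", note)
```

    On the constructed log only emp0388 is reported: two mistyped passwords followed by a success (emp0421) is normal behaviour, and three failures spread over several hours (emp0102) fall outside the window, which is exactly the distinction a reviewer wants the tool to make rather than having to make it by eye.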

    The following table provides the authorisation of access:

    Technology – Hardware/Software            | Persons authorised for access
    {insert name or type of technology here}  | {insert authorised persons or job titles here}
    {insert name or type of technology here}  | {insert authorised persons or job titles here}
    {insert name or type of technology here}  | {insert authorised persons or job titles here}
    {insert name or type of technology here}  | {insert authorised persons or job titles here}

    Employees are only authorised to use business computers for personal use {insert when this is allowable and what they can personally use it for here, such as internet usage etc.}.

    For internet and social media usage, refer to the Human Resources Manual.

    It is the responsibility of {insert relevant job title here} to keep all procedures for this policy up to date.

    Additional Policies for Information Technology Security

    Guidance: add, link or remove the policies listed below as required.

    Emergency Management of Information Technology Policy

    Information Technology Administration Policy

    Information Technology Administration Policy

    Policy Number: {insert unique number}

    Policy Date: {insert date of policy}

    Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

    Purpose of the Policy

    This policy provides guidelines for the administration of information technology assets and resources within the business.

    Procedures

    All software installed and its licence information must be registered on the {insert where these records are to be kept}. It is the responsibility of {insert relevant job title here} to ensure that this register is maintained. The register must record the following information:

    • What software is installed on every machine
    • What licence agreements are in place for each software package
    • Renewal dates if applicable.

    {insert relevant job title here} is responsible for the maintenance and management of all service agreements for the business technology. Any service requirements must first be approved by {insert relevant job title here}.

    {insert relevant job title here} is responsible for maintaining adequate technology spare parts and other requirements including {insert specific technology requirements here, such as toners, printing paper etc.}.

    A technology audit is to be conducted {insert frequency here e.g. annually} by {insert relevant job title here} to ensure that all information technology policies are being adhered to.

    Any unspecified technology administration requirements should be directed to {insert relevant job title here}.

    Additional Policies for Information Technology Administration

    Guidance: add, link or remove the policies listed below as required.

    IT Service Agreements Policy

    Purchasing Policy

    Website Policy

    Policy Number: {insert unique number}

    Policy Date: {insert date of policy}

    Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

    Purpose of the Policy

    This policy provides guidelines for the maintenance of all relevant technology issues related to the business website.

    Procedures

    Website Register

    The website register must record the following details:

    • List of domain names registered to the business
    • Dates of renewal for domain names
    • List of hosting service providers
    • Expiry dates of hosting

    {insert any other records to be kept in relation to your business website here}.

    Keeping the register up to date will be the responsibility of {insert relevant job title here}.

    {insert relevant job title here} will be responsible for any renewal of items listed in the register.

    Website Content

    All content on the business website is to be accurate, appropriate and current. This will be the responsibility of {insert relevant job title here}.

    All content on the website must follow {insert relevant business requirements here where applicable, such as a business or content plan etc.}.

    The content of the website is to be reviewed {insert frequency here}.

    The following persons are authorised to make changes to the business website:

    {insert relevant job title here}

    {insert relevant job title here}

    {insert relevant job title here}

    Basic branding guidelines must be followed on websites to ensure a consistent and cohesive image for the business.

    All data collected from the website is to adhere to the Privacy Act.

    Additional Policies for Website Policy

    Guidance: add, link or remove the policies listed below as required.

    Information Technology Security Policy

    Emergency Management of Information Technology policy

    Electronic Transactions Policy

    Policy Number: {insert unique number}

    Policy Date: {insert date of policy}

    Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

    Purpose of the Policy

    This policy provides guidelines for all electronic transactions undertaken on behalf of the business.

    The objective of this policy is to ensure that electronic funds transfers and receipts are initiated, carried out and approved in a secure manner.

    Procedures

    Electronic Funds Transfer (EFT)

    It is the policy of {Business Name} that all payments and receipts should be made by EFT where appropriate.

    All EFT payments and receipts must adhere to all finance policies in the Financial policies and procedures manual.

    All EFT arrangements, including receipts and payments must be submitted to {insert relevant department of the business here, e.g. finance department}.

    EFT payments must have the appropriate authorisation for payment in line with the financial transactions policy in the Financial policies and procedures manual.

    EFT payments must be appropriately recorded in line with finance policy in the Financial policies and procedures manual.

    EFT payments, once authorised, will be entered into the {insert title of payment system here e.g. NAB online system} by {insert relevant job title here}.

    EFT payments can only be released for payment once pending payments have been authorised by {insert relevant job title here}.

    For good control over EFT payments, ensure that the persons authorising the payments and making the payment are not the same person.

    All EFT receipts must be reconciled to customer records {insert frequency here e.g. once a week etc.}.

    Where an EFT receipt cannot be allocated to a customer account, it is the responsibility of {insert relevant job title here} to investigate. If the customer account cannot be identified within {insert length of time here, such as one month}, the receipted funds must be {insert action here such as allocated to suspense account or returned to source etc.}. {insert relevant job title here} must authorise this transaction.

    It is the responsibility of {insert relevant job title here} to annually review EFT authorisations for initial entry, alterations, or deletion of EFT records, including supplier payment records and customer receipt records.

    Electronic Purchases

    All electronic purchases by any authorised employee must adhere to the purchasing policy in the Financial policies and procedures manual.

    Where an electronic purchase is being considered, the person authorising this transaction must ensure that the internet sales site is secure and safe and be able to demonstrate that this has been reviewed.

    All electronic purchases must be undertaken using business credit cards only and therefore adhere to the business credit card policy in the Financial policies and procedures manual.

    Additional Policies for Electronic Transactions Policy

    Guidance: add, link or remove the policies listed below as required.

    Information Technology Security Policy

    Finance Policies

    IT Service Agreements Policy

    Policy Number: {insert unique number}

    Policy Date: {insert date of policy}

    Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

    Purpose of the Policy

    This policy provides guidelines for all IT service agreements entered into on behalf of the business.

    Procedures

    The following IT service agreements can be entered into on behalf of the business:

    Guidance: Insert the acceptable IT services for your business – the following dot points will assist.

    • Provision of general IT services
    • Provision of network hardware and software
    • Repairs and maintenance of IT equipment
    • Provision of business software
    • Provision of mobile phones and relevant plans
    • Website design, maintenance etc.
    • {insert type of IT service here}.

    All IT service agreements must be reviewed by {insert who should review, recommended lawyer or solicitor} before the agreement is entered into. Once the agreement has been reviewed and a recommendation for execution received, the agreement must be approved by {insert relevant job title here}.

    All IT service agreements, obligations and renewals must be recorded {insert where the agreements are to be recorded here}.

    Where an IT service agreement renewal is required and the agreement is substantially unchanged from the previous agreement, the renewal can be authorised by {insert relevant job title here}.

    Where an IT service agreement renewal is required and the agreement has substantially changed from the previous agreement, it must be reviewed by {insert who should review, recommended lawyer or solicitor} before the renewal is entered into. Once the agreement has been reviewed and a recommendation for execution received, the agreement must be approved by {insert relevant job title here}.

    In the event that there is a dispute to the provision of IT services covered by an IT service agreement, it must be referred to {insert relevant job title here} who will be responsible for the settlement of such dispute.

    Additional Policies for IT Services Policy

    Guidance: add, link or remove the policies listed below as required.

    Technology Hardware Purchasing Policy

    Emergency Management of Information Technology

    Policy Number: {insert unique number}

    Policy Date: {insert date of policy}

    Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits the needs of your business.

    Purpose of the Policy

    This policy provides guidelines for emergency management of all information technology within the business.

    Procedures

    IT Hardware Failure

    Where there is failure of any of the business’s hardware, this must be referred to {insert relevant job title here} immediately.

    It is the responsibility of {insert relevant job title here} to {insert relevant actions that should be undertaken here} in the event of IT hardware failure.

    It is the responsibility of {insert relevant job title here} to undertake tests on planned emergency procedures {insert frequency here, recommended quarterly} to ensure that all planned emergency procedures are appropriate and minimise disruption to business operations.

    Point of Sale Disruptions

    In the event that the point of sale (POS) system is disrupted, the following actions must be immediately undertaken:

    Guidance: Insert the actions required for your business – the following dot points will assist.

    • POS provider to be notified
    • {insert relevant job title here} must be notified immediately
    • All POS transactions to be taken using the manual machine located below the counter
    • For all manual POS transactions, customer signatures must be verified
    • {insert other relevant emergency actions here}
    • {insert other relevant emergency actions here}.

    Virus or other security breach

    In the event that the business’s information technology is compromised by a software virus or {insert other relevant possible security breaches here}, such breaches are to be reported to {insert relevant job title here} immediately.

    {insert relevant job title here} is responsible for ensuring that any security breach is dealt with within {insert relevant timeframe here} to minimise disruption to business operations.

    Website Disruption

    In the event that the business website is disrupted, the following actions must be immediately undertaken:

    Guidance: Insert the actions required for your business – the following dot points will assist.

    • Website host to be notified
    • {insert relevant job title here} must be notified immediately
    • {insert other relevant emergency actions here}
    • {insert other relevant emergency actions here}.

    Windows Group Policy

    MS Windows Server 2012 R2 Baseline Security Standards

    Version 1.3

    References:  6.100 – Information Technology and Security Policy

    6.101 – Use of County Information Technology Resources

    Developed:  Host Strengthening & Isolation Work Group, Mitigation of Cyber Terrorism

     

    RELEASE NOTES AND HISTORY LOG

     

    The content in this document will be periodically updated to reflect changes in the County environment as well as in the Microsoft Windows Server 2012 software features and capabilities. In addition, this document will be maintained to capture industry best practices as the technology and standards continue to evolve.

     

    DATE         NEW VERSION NUMBER   MODIFIED BY             DESCRIPTION OF CHANGE
    11/14/2014   1.0                  C. Hinton (ISD-ITSS)    1) SET team developed initial document.
    12/15/2014   1.1                  C. Hinton               1) Remove Password Section and Workstation Section
    2/17/2015    1.2                  C. Hinton               1) Update Member Server Section
    4/01/2015    1.3                  C. Hinton               1) Added User Account Control value; 2) Re-numbered all sections
    4/29/2015                         C. Hinton               Confirmation of settings applied on live server from Anthony Phung, ISD – Mid-Range Computing.

     

    Table of Contents

     

    1 – Purpose 

    2 – Overview 

    3 – Windows Server 2012 IT Security Policy Checklist – Member Server Policy 

    4 – Windows Server 2012 IT Security Policy Checklist – User Policy 

    5 – Windows Server 2012 IT Security Policy Checklist – DHCP Hardening 

    6 – Windows Server 2012 IT Security Policy Checklist – DNS Hardening

    7 – Windows Server 2012 IT Security Policy Checklist – Web Services Hardening

     

    1   Purpose

     

    The purpose of this document is to establish baseline security standards specific to host strengthening. These standards identify the baseline security settings when using Microsoft Windows Server 2012.

     

    2   Overview

     

    This document, with accompanying Windows Server 2012 Security Checklists, outlines the settings that are to be implemented to provide a baseline level of security for each server running Microsoft Windows Server 2012 either stand alone or as part of a Windows Active Directory/Domain Group Policy.   Descriptions of the settings are found in the Microsoft Windows Server 2012 Security Guide, Version 3.0 and the Center for Internet Security’s Microsoft Windows Server 2012 R2 Benchmark v 1.1.

     

    The settings are divided into categories that correspond to the intended role of the Windows Server. The roles being configured are as follows:

     

    • Member Server Policy
    • User Policy
    • DHCP Services
    • DNS Services
    • Web Service

     

    Microsoft recommends using a new core installation of the operating system to start your configuration work so that Server Manager optimally configures just the roles and features that you select. However, if you cannot perform a new installation, be sure to check the following common security configurations before you start a role-specific setup. This approach helps to minimize the possibility of settings from previous configurations interfering with the server’s security settings for its new role.

     

    The settings in this standards document are grouped into two categories, “Mandatory” and “Recommended.” These categories are defined as follows:

     

    Mandatory – All Mandatory settings (in red) must be applied with no exception.

     

    Recommended – All Recommended settings must be applied unless the business operation is severely impacted.  Exceptions to settings in this category must have documented justification for the exception and Department management approval.

     

    3   WINDOWS SERVER 2012 IT SECURITY POLICY CHECKLIST – MEMBER SERVER POLICY

     

    This checklist notes the steps needed to secure servers running Windows Server 2012 through the use of Group Policies. The Microsoft Windows Server 2012 Security Guide Version 1.0 and the Center for Internet Security’s Microsoft Windows Server 2012 R2 Benchmark v 1.1 provide detailed explanations of these settings. Copies of this completed checklist may prove useful for long-term documentation of preventative measures.

     

    Organization Name:
    Date:
    Contact Information:

     

     

    Computer Configuration (Enabled)

    Mandatory

    Recommended

    3.0

    Local Policies/Audit Policy

     

     

    3.0.1

    Audit account logon events – Success, Failure

    X

     

    3.0.2

    Audit account management – Success, Failure

    X

     

    3.0.3

    Audit logon events – Success, Failure

    X

     

    3.0.4

    Audit policy change – Success

    X

     

    3.0.5

    Audit system events – Success *and Failure

    X

     

    3.1

    Local Policies/User Rights Assignment

     

     

    3.1.1

    Access credential manager as a trusted caller – No One*

    X

     

    3.1.2

    Access this computer from the network – Administrators, Authenticated

    Users

     

    X

    3.1.3

    Act as part of the operating system – No One*

     

    X

    3.1.4

    Adjust memory quotas for a process – Administrators, Local Service, Network Service*

     

    X

    3.1.5

    Allow log on locally – Administrators

     

    X

    3.1.6

    Allow log on through Remote Desktop Services – Administrators, Remote

    Desktop Users*

     

    X

    3.1.7

    Back up files and directories – Administrators

     

    X

    3.1.8

    Change the system time – Administrators, Local Service*

     

    X

    3.1.9

    Change the time zone – Administrators, Local Service*

     

     

    3.1.10

    Create a pagefile – Administrators*

     

    X

    3.1.11

    Create a token object – No One*

     

    X

    3.1.12

    Create global objects – Administrators, Local Service, Network Service, Service*

     

    X

    3.1.13

    Create permanent shared objects – No One*

     

    X

    3.1.14

    Create symbolic links – Administrators*

     

    X

    3.1.15

    Debug programs – Administrators*

     

    X

    3.1.16

    Deny access to this computer from the network – Guests

    X

     

    3.1.17

    Deny log on as a batch job – Guests

    X

     

    3.1.18

    Deny log on as a service – Guests

    X

     

    3.1.19

    Deny log on locally – Guests*

    X

     

    3.1.20

    Deny log on through Remote Desktop Services – Guests

    X

     

    3.1.21

    Enable computer and user accounts to be trusted for delegation – No One*

     

    X

    3.1.22

    Force shutdown from a remote system – Administrators*

     

    X

    3.1.23

    Generate security audits – Local Service, Network Service*

     

    X

    3.1.24

    Impersonate a client after authentication – Administrators, Local Service, Network Service, Service*

     

    X

    3.1.25

    Increase scheduling priority – Administrators*

     

    X

    3.1.26

    Load and unload device drivers – Administrators*

     

    X

     

    3.1.27

    Lock pages in memory – No One*

     

    X

    3.1.28

    Manage auditing and security log – Administrators*

     

    X

    3.1.29

    Modify an object label – No One

     

    X

    3.1.30

    Modify firmware environment values – Administrators*

     

    X

    3.1.31

    Perform volume maintenance tasks – Administrators*

     

    X

    3.1.32

    Profile single process – Administrators*

    X

     

    3.1.33

    Profile system performance – Administrators, NT Service\WdiServiceHost*

    X

     

    3.1.34

    Replace a process level token – Local Service, Network Service*

     

    X

    3.1.35

    Restore files and directories – Administrators

     

    X

    3.1.36

    Shutdown the system – Administrators

    X

     

    3.1.37

    Take ownership of files or other objects – Administrators*

     

    X

    3.2

    Local Policies/Security Options

     

     

    3.2.1

    Accounts

     

     

    3.2.1.1

    Block Microsoft accounts –  Users can’t add or log on with Microsoft accounts

     

    X

    3.2.1.2

    Guests account status – Disabled*

    X

     

    3.2.1.3

    Limit local account use of blank passwords to console logon only – Enabled*

    X

     

    3.2.1.4

    Rename administrator account

    X

     

    3.2.1.5

    Rename Guest account

     

    X

    3.2.2

    Audit

     

     

    3.2.2.1

    Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings – Enabled

     

    X

    3.2.2.2

    Shut down system immediately if unable to log security audits – Disabled*

     

    X

    3.2.3

    Devices

     

     

    3.2.3.1

    Allowed to format and eject removable media – Administrators*

     

    X

    3.2.3.2

    Prevent users from installing printer drivers – Enabled*

    X

     

    3.2.4

    Domain Member

     

     

    3.2.4.1

    Digitally encrypt or sign secure channel data (always) – Enabled*

     

    X

    3.2.4.2

    Digitally encrypt secure channel data (when possible) – Enabled*

     

    X

    3.2.4.3

    Digitally sign secure channel data (when possible) – Enabled*

     

    X

    3.2.4.4

    Disable machine account password changes – Disabled*

    X

     

    3.2.4.5

    Maximum machine account password age – 30 days or fewer

    X

     

    3.2.4.6

    Require strong (Windows 2000 or later) session key – Enabled

    X

     

    3.2.5

    Interactive Logon

     

     

    3.2.5.1

    Do not display last user name – Enabled

    X

     

    3.2.5.2

    Do not require CTRL+ALT+DEL – Disabled*

    X

     

    3.2.5.3

    Machine inactivity limit – 300 to 600 seconds

    X

     

    3.2.5.4

    Message text for users attempting to log on –

     

    X

     

    This computer system, including all related equipment, networks, and networked devices, are the property of Los Angeles County. This computer system is intended for authorized use only, and is being monitored for all lawful purposes. All information received, sent or stored on Los Angeles County computer systems may be, examined, recorded, copied, and used for authorized purposes. Evidence of illegal or unauthorized use may be used for criminal, administrative, or other adverse action. Unauthorized users are subject to prosecution. Click OK if you agree to the above terms.

     

     

    3.2.5.5

    Message title for users attempting to log on – Not Defined

     

    X

    3.2.5.6

    Number of previous logons to cache (in case domain controller is not available) – 4  logon or fewer

    X

     

    3.2.5.7

    Prompt user to change password before expiration – 14 days*

    X

     

    3.2.5.8

    Smart card removal behavior – Lock Workstation

     

    X

    3.2.6

    Microsoft Network Client

     

     

    3.2.6.1

    Digitally sign communications (always) – Enabled

     

    X

    3.2.6.2

    Digitally sign communications (if server agrees) – Enabled*

     

    X

    3.2.6.3

    Send unencrypted password to third-party SMB servers – Disabled*

    X

     

    3.2.7

    Microsoft Network Server

     

     

    3.2.7.1

    Amount of idle time required before suspending session – 15 minutes*

     

    X

    3.2.7.2

    Digitally sign communications (always) – Enabled

     

    X

    3.2.7.3

    Digitally sign communications (if client agrees) – Enabled

     

    X

    3.2.7.4

    Disconnect clients when logon hours expire – Enabled*

     

    X

    3.2.7.5

    Server SPN target name validation level – Accept if provided by client

     

    X

    3.2.8

    Network Access

     

     

    3.2.8.1

    Allow anonymous SID/Name translation – Disabled*

    X

     

    3.2.8.2

    Do not allow anonymous enumeration of SAM accounts – Enabled*

    X

     

    3.2.8.3

    Do not allow anonymous enumeration of SAM accounts and shares – Enabled

    X

     

    3.2.8.4

    Let Everyone permissions apply to anonymous users – Disabled*

    X

     

    3.2.8.5

    Named Pipes that can be accessed anonymously – None*

     

     

    3.2.8.6

    Remotely accessible registry paths – * System\CurrentControlSet\Control\ProductOptions Systems\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion

     

    X

    3.2.8.7

    Remotely accessible registry paths and sub-paths – * System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog.

     

    X

    3.2.8.8

    Restrict anonymous access to Named Pipes and Shares – Enabled*

    X

     

    3.2.8.9

    Shares that can be accessed anonymously – None*

    X

     

    3.2.8.10

    Sharing and security model for local accounts – Classic – local users authenticate as themselves*

     

    X

    3.2.9

    Network Security

     

     

    3.2.9.1

    Allow Local System to use computer identity for NTLM – Enabled

     

    X

    3.2.9.2

    Allow LocalSystem NULL session fallback – Disabled

     

    X

    3.2.9.3

    Allow PKU2U authentication requests to this computer to use online identities – Disabled*

    X

     

    3.2.9.4

    Configure encryption types allowed for Kerberos – RC4\AES128\AES256\Future types

     

    X

    3.2.9.5

    Do not store LAN Manager hash value on next password change – Enabled*

    X

     

    3.2.9.6

    Force logoff when logon hours expire – Enabled

     

    X

    3.2.9.7

    LAN Manager authentication level – Send NTLMv2 response only. Refuse

    LM & NTLM

    X

     

    3.2.9.8

    LDAP client signing requirements – Negotiate signing*

     

    X

    3.2.9.9

    Minimum session security for NTLM SSP based (including secure RPC)

    clients –

    Require NTLMv2 session security

    Require 128-bit encryption

    X

     

    3.2.9.10

    Minimum session security for NTLM SSP based (including secure RPC)

    servers –

    Require NTLMv2 session security

    Require 128-bit encryption

    X

     

    3.2.10

    Recovery Console

     

     

    3.2.10.1

    Allow automatic administrative logon – Disabled*

    X

     

    3.2.10.2

    Allow floppy copy and access to all drives and all folders – Disabled*

     

    X

    3.2.11

    Shutdown

     

     

    3.2.11.1

    Allow system to be shut down without having to log on – Disabled*

    X

     

    3.2.12

    Cryptography

     

     

    3.2.12.1

    Use FIPS compliant algorithms for encryption, hashing, and signing – Disabled

     

    X

    3.2.13

    System Objects

     

     

    3.2.13.1

    Require case insensitivity for non-Windows subsystems – Enabled*

     

    X

    3.2.13.2

    Strengthen default permissions of internal system objects (e.g., Symbolic

    Links) – Enabled*

     

    X

    3.2.14

    System Settings

     

     

    3.2.14.1

    Optional subsystems – None

     

    X

    3.2.14.2

    Use Certificate Rules on Windows Executables for Software Restriction

    Policies – Enabled

     

    X

    3.2.15

    User Account Control

     

     

    3.2.15.1

    Admin Approval Mode for the Built-in Administrator account – Enabled

     

    X

    3.2.15.2

    Allow UIAccess application to prompt for elevation without using the secure desktop – Disabled*

     

    X

    3.2.15.3

    Behavior of the elevation prompt for administrators in Admin Approval

    Mode – Prompt for consent on the secure desktop

     

    X

    3.2.15.4

    Behavior of the elevation prompt for standard users – Automatically deny elevation requests

     

    X

    3.2.15.5

    Detect application installation and prompt for elevation – Enabled*

     

    X

    3.2.15.6

    Only elevate UIAccess applications that are installed in secure locations – Enabled*

     

    X

    3.2.15.7

    Run all administrators in Admin Approval Mode – Enabled*   (Recommended)

    3.2.15.8   Switch to the secure desktop when prompting for elevation – Enabled*   (Recommended)

    3.2.15.9   Virtualize file and registry write failures to per-user locations – Enabled*   (Recommended)

    3.2.16   Event Log

    3.2.16.1   Maximum application log size – 32,768 KB   (Recommended)
    3.2.16.2   Maximum security log size – 196,608 KB   (Recommended)
    3.2.16.3   Maximum system log size – 32,768 KB   (Recommended)
    3.2.16.4   Retention method for application log – As needed   (Recommended)
    3.2.16.5   Retention method for security log – As needed   (Recommended)
    3.2.16.6   Retention method for system log – As needed   (Recommended)

    3.17   Registry

    MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon

    3.17.1   Permissions

    3.17.1.1   Deny – BUILTIN\Users – Full control – This key and subkeys   (Mandatory)
    3.17.1.2   Allow – CREATOR OWNER – Full control – Subkeys only   (Recommended)
    3.17.1.3   Allow – NT AUTHORITY\SYSTEM – Full control – This key and subkeys   (Recommended)
    3.17.1.4   Allow – BUILTIN\Administrators – Full control – This key and subkeys   (Recommended)

    4.4   Administrative Templates

    4.4.1   System/Internet Communication Management/Internet Communication Settings

    4.4.1.1   Turn off the Windows Messenger Customer Experience Improvement Program – Enabled   (Recommended)

    4.4.4   Windows Components/Terminal Services/Remote Desktop Connection Client (named Remote Desktop Services in the Windows Server 2012 templates)

    4.4.4.1   Do not allow passwords to be saved – Enabled   (Mandatory)

    4.5   User Configuration (Disabled)

    Policies

    Administrative Templates

    Policy definitions (ADMX files) retrieved from the local machine

    4.5.1   Windows Components/Attachment Manager

    4.5.1.1   Notify antivirus programs when opening attachments – Enabled   (Mandatory)


    Document reviewed and approved by responsible Department manager:

    Signature:                                        Date:

     

    4   WINDOWS SERVER 2012 IT SECURITY POLICY CHECKLIST – USER POLICY

     

    This checklist notes the additional steps needed to secure servers running Windows Server 2012 through the use of Group Policies; it covers the User Configuration half of the GPO (the Computer Configuration half is disabled in this policy). The Windows Server 2012 Security Guide provides detailed explanations of these settings. Domain controllers should apply the checklist below in addition to, or instead of, the Member Server policies. Copies of this completed checklist may prove useful for long-term documentation of preventative measures.

     

    Organization Name:                                                                         Date:                                             Contact Information:                                                                                                                                            

     

     

    4.0   General   (each item is marked Mandatory or Recommended)

    4.1   Delegation

    These groups and users have the specified permission for this GPO:

    4.1.1   \Domain Admins – Edit settings, delete, modify security – Not inherited   (Recommended)
    4.1.2   \Enterprise Admins – Edit settings, delete, modify security – Not inherited   (Recommended)
    4.1.3   NT AUTHORITY\Authenticated Users – Read (from Security Filtering) – Not inherited   (Recommended)
    4.1.4   NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS – Read – Not inherited   (Recommended)
    4.1.5   NT AUTHORITY\SYSTEM – Edit settings, delete, modify security – Not inherited   (Recommended)

    4.2   Computer Configuration (Disabled)

    4.3   User Configuration (Enabled)

    4.3.1   Windows Settings/Internet Explorer Maintenance/URLs

    4.3.1.1   Home page URL – Department discretion   (Recommended)
    4.3.1.2   Search bar URL – Not configured   (Recommended)
    4.3.1.3   Online Support page URL – Not configured   (Recommended)


    Document reviewed and approved by responsible Department manager:

    Signature:                                        Date:

     

     

    5   WINDOWS SERVER 2012 IT SECURITY POLICY CHECKLIST – DHCP Hardening

    This checklist notes the steps needed to secure the DHCP Server role on Windows Server 2012 through server configuration and Group Policy. The Windows Server 2012 Security Guide provides detailed explanations of these settings. Copies of this completed checklist may prove useful for long-term documentation of preventative measures. This checklist does not represent a complete solution, and should not be taken as such.

    Organization Name:                                   Date:                          Contact Information:

    5.0   General   (each item is marked Mandatory or Recommended)

    5.0.1   Dedicate a computer to running the DHCP Server role.   (Recomm ended)
    5.0.2   Deploy a Server Core installation of Windows Server 2012.   (Recommended)
    5.0.3   Use DHCPv6 functionality.   (Recommended)
    5.0.4   Eliminate computers running rogue DHCP services.   (Recommended)
    5.0.5   Add DHCP reservations and exclusion ranges for IP addresses.   (Mandatory)
    5.0.6   Use NAP to enforce computer configuration health (NAP is deprecated from Windows Server 2012 R2 onward).   (Recommended)
    5.0.7   Restrict DHCP security group membership.   (Mandatory)
    5.0.8   Configure DNS record ownership to help prevent stale DNS records.   (Recommended)

    5.0.9   Relevant Group Policy Settings

    5.0.10   DHCP Administrators – Domain Admins   (Mandatory)
    5.0.11   DHCP Users – Not created   (Recommended)
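The following PowerShell is an added example for items 5.0.4, 5.0.5, 5.0.7, 5.0.10 and 5.0.11; it is not part of the checklist or of the Virtual Galaxy document. The scope, address ranges, MAC address, reservation name and the allowed administrator group are placeholders chosen for the example.

```powershell
# Added example: DHCP checks for checklist items 5.0.4, 5.0.5, 5.0.7, 5.0.10 and 5.0.11.
# Needs the DhcpServer module (RSAT-DHCP) on Windows Server 2012 and DHCP administrator rights.
# Scope, address ranges, MAC address, reservation name and the allowed admin group are placeholders.
Import-Module DhcpServer

$ScopeId       = '10.10.20.0'           # assumed scope
$ExcludeFrom   = '10.10.20.1'           # assumed static range (routers, servers, printers)
$ExcludeTo     = '10.10.20.50'
$ResIp         = '10.10.20.60'          # assumed reservation for a known device
$ResMac        = '00-11-22-33-44-55'
$ResName       = 'print-01'
$AllowedAdmins = @('Domain Admins')     # item 5.0.10

# 5.0.4: a Windows DHCP service only answers clients when its server object is authorized in AD,
# so this list is the inventory of legitimate Windows DHCP servers. A rogue server (a non-Windows
# DHCP daemon, a home router) never appears here and has to be found on the wire, e.g. with
# DHCP snooping on the switches.
Write-Output 'DHCP servers authorized in Active Directory:'
Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize

# 5.0.5: keep statically addressed hosts out of the dynamic pool, and pin known devices to fixed
# leases so that the lease history maps an address to a device during an investigation.
$haveExclusion = Get-DhcpServerv4ExclusionRange -ScopeId $ScopeId |
    Where-Object { "$($_.StartRange)" -eq $ExcludeFrom -and "$($_.EndRange)" -eq $ExcludeTo }
if (-not $haveExclusion) {
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $ExcludeFrom -EndRange $ExcludeTo
}
$haveReservation = Get-DhcpServerv4Reservation -ScopeId $ScopeId |
    Where-Object { "$($_.IPAddress)" -eq $ResIp }
if (-not $haveReservation) {
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $ResIp -ClientId $ResMac -Name $ResName `
        -Description 'Reservation added by hardening example'
}

# 5.0.7 / 5.0.10 / 5.0.11: DHCP Administrators should hold only the approved group, and DHCP Users
# should not be populated. Membership is read through ADSI because Get-LocalGroupMember does not
# exist on Windows Server 2012. (On a domain controller these are domain-local groups; item 5.0.1
# says not to run DHCP there in the first place.)
function Get-GroupMemberNames([string]$GroupName) {
    if (-not [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$GroupName,group")) { return @() }
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
$unexpected = @(Get-GroupMemberNames 'DHCP Administrators' | Where-Object { $AllowedAdmins -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning "DHCP Administrators contains members outside $($AllowedAdmins -join ', '): $($unexpected -join ', ')"
}
$dhcpUsers = @(Get-GroupMemberNames 'DHCP Users')
if ($dhcpUsers.Count -gt 0) {
    Write-Warning "DHCP Users has members ($($dhcpUsers -join ', ')); item 5.0.11 expects this group not to be used."
}
```

Run it on the DHCP server itself after a scope exists; the exclusion and reservation calls are idempotent, so the script can be re-run as a periodic check. The two warnings are the findings for items 5.0.10 and 5.0.11.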

     

     

     

     

     

     

     

     

    Document reviewed and approved by responsible Department manager:

    Signature:                                        Date:

     

     

    6   WINDOWS SERVER 2012 IT SECURITY POLICY CHECKLIST – DNS Hardening

    This checklist notes the steps needed to secure the DNS Server role on Windows Server 2012 through server configuration and Group Policy. The Windows Server 2012 Security Guide provides detailed explanations of these settings. Copies of this completed checklist may prove useful for long-term documentation of preventative measures. This checklist does not represent a complete solution, and should not be taken as such.

    Organization Name:                                   Date:                          Contact Information:

    6.0   General   (each item is marked Mandatory or Recommended)

    6.0.1   Deploy a Server Core installation of Windows Server 2012.   (Recommended)
    6.0.2   Protect DNS zones in unsecured locations by using read-only domain controllers (RODCs).   (Recommended)
    6.0.3   Combine the DNS and AD DS server roles on the same server, so that zones can be stored in Active Directory.   (Recommended)
    6.0.4   Configure zones to use secure dynamic updates.   (Recommended)
    6.0.5   Restrict zone transfers to specific server computers running DNS.   (Mandatory)
    6.0.6   Deploy separate server computers for internal and external DNS resolution.   (Recommended)
    6.0.7   Configure the firewall to protect the internal DNS namespace.   (Recommended)
    6.0.8   Enable recursion only on the DNS servers that resolve names on behalf of clients; disable it on authoritative-only (for example, external-facing) servers.   (Recommended)
    6.0.9   Configure DNS to ignore non-authoritative resource records (secure the cache against pollution).   (Recommended)
    6.0.10  Configure root hints for the internal DNS namespace.   (Recommended)
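The following PowerShell is an added example, not part of the checklist, that audits items 6.0.4, 6.0.5, 6.0.8 and 6.0.9 on a Windows Server 2012 DNS server with the DnsServer module and optionally corrects them. The secondary server address, the assumption that the host is authoritative-only, and the -Fix switch are the example's own.

```powershell
# Added example (not from the checklist): audit DNS hardening items 6.0.4, 6.0.5, 6.0.8 and 6.0.9
# on a Windows Server 2012 DNS server with the DnsServer module; -Fix applies the corrections.
# The secondary server address and the resolver/authoritative role below are assumptions.
param([switch]$Fix)
Import-Module DnsServer

$AllowedSecondaries  = @('10.10.0.11')   # assumed: the only hosts permitted to pull zone transfers
$IsRecursiveResolver = $false            # assumed: authoritative-only host (item 6.0.6), so recursion is off

$findings = @()

# 6.0.4 / 6.0.5: every administrator-created primary zone should accept only secure dynamic updates
# (Kerberos-authenticated clients updating records they own; possible only for AD-integrated zones)
# and transfer either to named servers only or not at all.
foreach ($zone in Get-DnsServerPrimaryZone | Where-Object { -not $_.IsAutoCreated }) {
    if ($zone.IsDsIntegrated -and $zone.DynamicUpdate -ne 'Secure') {
        $findings += "6.0.4 $($zone.ZoneName): DynamicUpdate is $($zone.DynamicUpdate), expected Secure"
        if ($Fix) { Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure }
    } elseif (-not $zone.IsDsIntegrated -and $zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        # a file-backed zone cannot authenticate updaters: anyone on the network can overwrite records
        $findings += "6.0.4 $($zone.ZoneName): file-backed zone accepts unauthenticated dynamic updates"
        if ($Fix) { Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate None }
    }
    if ($zone.SecureSecondaries -notin @('NoTransfer', 'TransferToSecureServers')) {
        $findings += "6.0.5 $($zone.ZoneName): zone transfers allowed to $($zone.SecureSecondaries)"
        if ($Fix) {
            Set-DnsServerPrimaryZone -Name $zone.ZoneName -SecureSecondaries TransferToSecureServers `
                -SecondaryServers $AllowedSecondaries
        }
    }
}

# 6.0.8: recursion only where this server is meant to resolve names for clients. An authoritative
# server that also recurses for anyone is an open resolver usable for amplification attacks.
$recursion = Get-DnsServerRecursion
if ($recursion.Enable -and -not $IsRecursiveResolver) {
    $findings += '6.0.8 recursion is enabled on an authoritative-only server'
    if ($Fix) { Set-DnsServerRecursion -Enable $false }
}

# 6.0.9: refuse to cache records returned by a server that is not authoritative for them.
$cache = Get-DnsServerCache
if (-not $cache.PollutionProtection) {
    $findings += '6.0.9 cache pollution protection is off'
    if ($Fix) { Set-DnsServerCache -PollutionProtection $true }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'DNS hardening checks 6.0.4, 6.0.5, 6.0.8 and 6.0.9 passed.'
```

Run it without -Fix first: the warnings list each zone and setting that deviates, which is the evidence to record against the checklist, and the non-zero exit code lets a scheduled task flag drift.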

     

     

     

     

     

     

     

     

    Document reviewed and approved by responsible Department manager:

    Signature:                                        Date:

     

    7   WINDOWS SERVER 2012 IT SECURITY POLICY CHECKLIST – Web Services Hardening

    This checklist notes the steps needed to secure the Web Server (IIS) role on Windows Server 2012 through server configuration and Group Policy. The Windows Server 2012 Security Guide provides detailed explanations of these settings. Copies of this completed checklist may prove useful for long-term documentation of preventative measures. This checklist does not represent a complete solution, and should not be taken as such.

    Organization Name:                                   Date:                          Contact Information:

    7.0   General   (each item is marked Mandatory or Recommended)

    7.0.1   Deploy a Server Core installation of Windows Server 2012.   (Recommended)
    7.0.2   Install the application development environment.   (Recommended)
    7.0.3   Set the authentication mechanism.   (Recommended)
    7.0.4   Remove unused IIS components.   (Mandatory)
    7.0.5   Configure a unique binding.   (Recommended)
    7.0.6   Move root directories to a separate data partition.   (Mandatory)
    7.0.7   Configure user account permissions.   (Mandatory)
    7.0.8   Enable TLS (historically "SSL") on the site.   (Recommended)

    7.0.9   Consider additional specialized security configuration measures:

    7.0.10  Harden the access control list by specifying particular users in the ACL for the content directory instead of allowing all domain users access to the site.   (Recommended)
    7.0.11  Limit access to the web site by using the built-in IIS URL Authorization feature (available since IIS 7).   (Recommended)
    7.0.12  Restrict the IP addresses of the client browsers allowed to connect to the web server using the IPv4 Address and Domain Restrictions feature.   (Recommended)
    7.0.13  Control HTTP features such as HTTP verbs, HTTP headers and URL size using the Request Filtering feature.   (Recommended)
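The following PowerShell is an added example, not part of the checklist, that applies items 7.0.4, 7.0.8 and 7.0.11 to 7.0.13 to one site on IIS 8 (Windows Server 2012) with the WebAdministration module. The site name, certificate subject, allowed client subnet, domain group and request-size limits are placeholders chosen for the example.

```powershell
# Added example (not from the checklist): apply items 7.0.4, 7.0.8 and 7.0.11-7.0.13 to one IIS 8
# site with the WebAdministration module. Site name, certificate subject, client subnet, domain
# group and the size limits are placeholders; the role services Web-Filtering, Web-IP-Security
# and Web-Url-Auth must be installed for the corresponding sections to exist.
Import-Module WebAdministration

$SiteName    = 'Default Web Site'
$Site        = "IIS:\Sites\$SiteName"
$Sec         = 'system.webServer/security'
$AllowedNet  = @{ ipAddress = '10.10.0.0'; subnetMask = '255.255.0.0'; allowed = $true }   # assumed client subnet
$WebGroup    = 'CORP\WebApp-Users'                                                          # assumed AD group
$CertSubject = 'CN=www.example.edu'                                                         # assumed cert in LocalMachine\My

# 7.0.4: remove role services the application does not use (WebDAV, classic ASP and FTP are
# common leftovers). Features that are not installed are skipped without error.
Uninstall-WindowsFeature -Name Web-DAV-Publishing, Web-ASP, Web-Ftp-Server -ErrorAction SilentlyContinue | Out-Null

# 7.0.13: request filtering - tight URL, query and body limits, no double-escaped or high-bit
# characters in URLs (classic traversal and filter-evasion tricks), and only the verbs the
# application needs.
$limits = "$Sec/requestFiltering/requestLimits"
Set-WebConfigurationProperty -PSPath $Site -Filter $limits -Name maxUrl -Value 2048
Set-WebConfigurationProperty -PSPath $Site -Filter $limits -Name maxQueryString -Value 1024
Set-WebConfigurationProperty -PSPath $Site -Filter $limits -Name maxAllowedContentLength -Value 10485760
Set-WebConfigurationProperty -PSPath $Site -Filter "$Sec/requestFiltering" -Name allowDoubleEscaping -Value $false
Set-WebConfigurationProperty -PSPath $Site -Filter "$Sec/requestFiltering" -Name allowHighBitCharacters -Value $false
foreach ($verb in 'TRACE', 'TRACK', 'OPTIONS', 'PUT', 'DELETE') {
    Add-WebConfigurationProperty -PSPath $Site -Filter "$Sec/requestFiltering/verbs" -Name '.' `
        -Value @{ verb = $verb; allowed = $false }
}

# 7.0.12: IPv4 restriction list - deny anything not listed, then allow the client subnet.
Set-WebConfigurationProperty -PSPath $Site -Filter "$Sec/ipSecurity" -Name allowUnlisted -Value $false
Add-WebConfigurationProperty -PSPath $Site -Filter "$Sec/ipSecurity" -Name '.' -Value $AllowedNet

# 7.0.11: URL authorization - drop the inherited "allow all users" rule and allow one group, so
# anonymous callers and unrelated domain users are refused before the application code runs.
Remove-WebConfigurationProperty -PSPath $Site -Filter "$Sec/authorization" -Name '.' `
    -AtElement @{ users = '*'; roles = ''; verbs = '' }
Add-WebConfigurationProperty -PSPath $Site -Filter "$Sec/authorization" -Name '.' `
    -Value @{ accessType = 'Allow'; roles = $WebGroup }

# 7.0.8: add an HTTPS binding and attach the server certificate to it.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $CertSubject } | Select-Object -First 1
if ($cert) {
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443
    }
    if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
        New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
    }
} else {
    Write-Warning "No certificate with subject $CertSubject in LocalMachine\My; HTTPS binding not created."
}
```

The IP restriction and URL authorization changes take effect immediately, so run this from a host inside the allowed subnet with an account in the allowed group, otherwise the first test request after the change is refused. Item 7.0.10 (NTFS ACLs on the content directory) is independent of these IIS settings and remains necessary: URL authorization only protects requests that arrive through IIS.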

     

     

     

     

     

     

     

     

    Document reviewed and approved by responsible Department manager:

    Signature:                                        Date:

     

    Windows Server Hardening

    Virtual Galaxy Info Tech Pvt Ltd Checklist

    Columns: Step | To Do | MFD | UT Note | Cat I | Cat II/III | Min Std

    Each step lists its To Do text followed, in brackets, by the columns that are filled in for it: the MFD number (the section of the benchmark that the addendum refers to as the CIS Benchmark), "§" when a UT Note entry for that step exists in the addendum below, "Cat I" and "Cat II/III" when the step is required for servers holding that category of data, and the Min Std section. Steps marked (Default) are the out-of-the-box value and only need to be verified.

    Preparation and Installation

    1   If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened.   [§; Cat I; Cat II/III; Min Std 4.5.1]
    2   Consider using the Security Configuration Wizard to assist in hardening the host.   [§]

    Service Packs and Hotfixes

    3   Install the latest service packs and hotfixes from Microsoft.   [§; Cat I; Cat II/III; Min Std 4.5.2]
    4   Enable automatic notification of patch availability.   [§; Cat I; Cat II/III; Min Std 4.5.5]

    User Account Policies

    5   Set minimum password length.   [MFD 1.1.4; §; Cat I; Cat II/III]
    6   Enable password complexity requirements.   [MFD 1.1.5; §; Cat I]
    7   Do not store passwords using reversible encryption. (Default)   [MFD 1.1.6; §; Cat I; Cat II/III]
    8   Configure account lockout policy.   [MFD 1.2; §; Cat I; Cat II/III]

    User Rights Assignment

    9   Restrict the ability to access this computer from the network to Administrators and Authenticated Users.   [MFD 2.2.2]
    10  Do not grant any users the "act as part of the operating system" right. (Default)   [MFD 2.2.3; Cat I; Cat II/III]
    11  Restrict local logon access to Administrators.   [MFD 2.2.6; §]
    12  Deny guest accounts the ability to log on as a service, as a batch job, locally, or via RDP.   [MFD 2.2.18-21; Cat I]

    Security Settings

    13  Place the University warning banner in the Message Text for users attempting to log on.   [MFD 2.3.7.4; §; Cat I; Cat II/III; Min Std 4.5.10]
    14  Disallow users from creating and logging in with Microsoft accounts.   [MFD 2.3.1.1; §; Cat I; Cat II/III]
    15  Disable the guest account. (Default)   [MFD 2.3.1.2; Cat I; Cat II/III]
    16  Require Ctrl+Alt+Del for interactive logins. (Default)   [MFD 2.3.7.2; Cat I; Cat II/III]
    17  Configure the machine inactivity limit to protect idle interactive sessions.   [MFD 2.3.7.3; Cat I; Cat II/III]
    18  Configure Microsoft Network Client to always digitally sign communications.   [MFD 2.3.8.1; Cat I]
    19  Configure Microsoft Network Client to digitally sign communications if the server agrees. (Default)   [MFD 2.3.8.2; Cat I; Cat II/III]
    20  Disable the sending of unencrypted passwords to third-party SMB servers.   [MFD 2.3.8.3; Cat I; Cat II/III; Min Std 4.5.6]
    21  Configure Microsoft Network Server to always digitally sign communications.   [MFD 2.3.9.2; Cat I]
    22  Configure Microsoft Network Server to digitally sign communications if the client agrees.   [MFD 2.3.9.3; Cat I]

    Network Access Controls

    23  Disable anonymous SID/Name translation. (Default)   [MFD 2.3.11.1; Cat I; Cat II/III]
    24  Do not allow anonymous enumeration of SAM accounts. (Default)   [MFD 2.3.11.2; Cat I; Cat II/III; Min Std 4.5.5]
    25  Do not allow anonymous enumeration of SAM accounts and shares.   [MFD 2.3.11.3; Cat I; Min Std 4.5.5]
    26  Do not allow Everyone permissions to apply to anonymous users. (Default)   [MFD 2.3.11.4; Cat I; Cat II/III; Min Std 4.5.12]
    27  Do not allow any named pipes to be accessed anonymously.   [MFD 2.3.11.5; Cat I; Min Std 4.5.12]
    28  Restrict anonymous access to named pipes and shares. (Default)   [MFD 2.3.11.8; Cat I; Cat II/III; Min Std 4.5.12]
    29  Do not allow any shares to be accessed anonymously.   [MFD 2.3.11.9; Cat I]
    30  Require the "Classic" sharing and security model for local accounts. (Default)   [MFD 2.3.11.10; Cat I; Cat II/III; Min Std 4.5.12]

    Network Security Settings

    31  Allow Local System to use the computer identity for NTLM.   [MFD 2.3.12.1]
    32  Disable Local System NULL session fall-back.   [MFD 2.3.12.2]
    33  Configure allowable encryption types for Kerberos.   [MFD 2.3.12.4]
    34  Do not store LAN Manager hash values.   [MFD 2.3.12.5; Cat I; Cat II/III; Min Std 4.5.13]
    35  Set the LAN Manager authentication level to allow only NTLMv2 and refuse LM and NTLM.   [MFD 2.3.12.7; Cat I; Min Std 4.5.13]
    36  Enable the Windows Firewall in all profiles (domain, private, public). (Default)   [MFD 9.1.1, 9.2.1, 9.3.1; Cat I; Cat II/III; Min Std 4.5.5]
    37  Configure the Windows Firewall in all profiles to block inbound traffic by default. (Default)   [MFD 9.1.2, 9.2.2, 9.3.2; Cat I; Cat II/III]

    Active Directory Domain Member Security Settings

    38  Digitally encrypt or sign secure channel data (always). (Default)   [MFD 2.3.6.1; Cat I; Min Std 4.5.6]
    39  Digitally encrypt secure channel data (when possible). (Default)   [MFD 2.3.6.2; Cat I; Cat II/III; Min Std 4.5.6]
    40  Digitally sign secure channel data (when possible). (Default)   [MFD 2.3.6.3; Cat I; Cat II/III; Min Std 4.5.6]
    41  Require strong (Windows 2000 or later) session keys.   [MFD 2.3.6.6; Cat I]
    42  Configure the number of previous logons to cache.   [MFD 2.3.7.6; §]

    Audit Policy Settings

    43  Configure the Account Logon audit policy.   [MFD 17.1; §; Cat I]
    44  Configure the Account Management audit policy.   [MFD 17.2; §; Cat I; Cat II/III]
    45  Configure the Logon/Logoff audit policy.   [MFD 17.5; §; Cat I; Cat II/III]
    46  Configure the Policy Change audit policy.   [MFD 17.7; §; Cat I; Cat II/III]
    47  Configure the Privilege Use audit policy.   [MFD 17.8; §; Cat I]

    Event Log Settings

    48  Configure the Event Log retention method and size.   [MFD 18.7.19; §; Cat I; Cat II/III; Min Std 4.6.1]
    49  Configure log shipping (e.g. to Splunk).   [§]

    Additional Security Protection

    50  Disable or uninstall unused services.   [Cat I]
    51  Disable or delete unused users.   [Cat I]
    52  Configure user rights to be as secure as possible.   [§; Cat I]
    53  Ensure all volumes are using the NTFS file system.   [§; Cat I]
    54  Configure file system permissions.   [§; Cat I]
    55  Configure registry permissions.   [§; Cat I]
    56  Disallow remote registry access if not required.   [MFD 2.3.11.6; §]

    Additional Steps

    57  Set the system date/time and configure it to synchronize against campus time servers.   [§; Cat I]
    58  Install and enable anti-virus software.   [§; Cat I; Cat II/III]
    59  Install and enable anti-spyware software.   [§; Cat I]
    60  Configure anti-virus software to update daily.   [§; Cat I; Cat II/III]
    61  Configure anti-spyware software to update daily.   [§; Cat I]
    62  Provide secure storage for Confidential (Category I) data as required. Security can be provided by means such as, but not limited to, encryption, access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate.   [§; Cat I]
    63  Install software to check the integrity of critical operating system files.   [§; Cat I]
    64  If RDP is utilized, set the RDP connection encryption level to High. Restrict RDP access to the local VPN group and the local campus management subnets. Do not allow RDP to be reachable from the Internet at large.   [§; Cat I]

    Physical Security

    65  Set a BIOS/firmware password to prevent alterations to system start-up settings.   [Min Std 4.4.1]
    66  Disable automatic administrative logon to the recovery console.   [MFD 2.3.13.1; Cat I]
    67  Do not allow the system to be shut down without having to log on. (Default)   [MFD 2.3.14.1; Cat I; Cat II/III]
    68  Configure the device boot order to prevent unauthorized booting from alternate media.   [Cat I; Min Std 4.4.1]
    69  Configure a screen saver to lock the console's screen automatically if the host is left unattended.   [§; Cat I; Cat II/III]

     

    UT NOTE: ADDENDUM

    This list provides specific tasks related to the computing environment at The University of Texas at Austin. The note numbers are the Step numbers of the checklist above (steps marked § in the UT Note column).

    1

    If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected.

    2

    The Security Configuration Wizard can greatly simplify the hardening of the server. Once the role for the host is defined, the Security Configuration Wizard can help create a system configuration based specifically on that role. It does not completely get rid of the need to make other configuration changes, though. More information is available at: Security Configuration Wizard.

    3

    There are several methods available to assist you in applying patches in a timely fashion:

    Microsoft Update Service

    • Microsoft Update checks your machine to identify missing patches and allows you to download and install them.
    • This is different from the "Windows Update" that is the default on Windows. Microsoft Update includes updates for many more Microsoft products, such as Office and Forefront Client Security.
    • This service is compatible with Internet Explorer only.

    Windows AutoUpdate via WSUS

    ITS offers a Windows Server Update Services server for campus use, fed from Microsoft's own update servers. It includes updates for additional Microsoft products, just like Microsoft Update, and provides additional administrative control over software deployment.

    Microsoft Baseline Security Analyzer

    This is a free host-based application available for download from Microsoft. In addition to detailing missing patches, this tool also performs checks on basic security settings and provides information on remediating any issues found.

    4

    Configure Automatic Updates from the Automatic Updates control panel:

    • On most servers, you should choose either "Download updates for me, but let me choose when to install them," or "Notify me but don't automatically download or install them."
    • The campus Windows Server Update Services server can be used as the source of automatic updates.

    5

    Configuring the minimum password length setting is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires passwords to be a minimum of 8 characters in length. It is strongly recommended that passwords be at least 14 characters in length (which is also the CIS recommendation). Longer passwords (e.g., more than 20 characters) offer much more protection (entropy) in the event a password hash is obtained and an attacker attempts to crack it offline.

    6

    Configuring the password complexity setting is important only if another method of ensuring compliance with university password standards is not in place. The Information Resources Use and Security Policy requires that passwords contain letters, numbers, and special characters.

    7

    If this option is enabled, the system stores passwords in a form that can be decrypted back to the clear text; it exists only for protocols, such as CHAP or Digest authentication, that need the plaintext password. Anyone who gains administrative or SYSTEM access to the password store, or obtains a backup of it, then recovers the passwords directly, with no cracking required. This configuration is disabled by default.

    8

    Instead of the CIS recommended values, the account lockout policy should be configured as follows:

    • Account lockout duration — 5 minutes
    • Account lockout threshold — 5 failed attempts
    • Reset account lockout counter after — 5 minutes

    11

    Any account with this right is permitted to log on at the console. By default this includes members of the Administrators, Users, and Backup Operators groups. It is unlikely that non-administrative users require this level of access and, where the server is not physically secured, granting this right may facilitate a compromise of the device.

    13

    The text of the university's official warning banner can be found on the ISO's web site. You may add localized information to the banner as long as the university banner is included.

    14

    The use of Microsoft accounts can be blocked by configuring the group policy object at:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts

    This setting can be verified by auditing the registry value (REG_DWORD):

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser

    A value of 3 ("Users can't add or log on with Microsoft accounts") is the one that satisfies this step; a value of 1 only prevents new Microsoft accounts from being added.

    42

    Logon information for domain accounts can be cached locally so that users who have previously authenticated can log on again even if a domain controller cannot be contacted. By default 10 accounts are cached. The cache holds password-derived verifiers (salted, iterated MS-Cache v2 hashes), not plaintext, but an attacker with SYSTEM access to a compromised host can extract them and run an offline brute-force attack against them. Reducing the value places fewer credentials at risk and, on devices that many users log on to, causes each cached entry to be evicted sooner.

    The group policy object below should be set to 4 or fewer logons:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)

    The effective value can be verified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (REG_SZ).
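Notes 14 and 42 both verify a Group Policy setting by reading the registry value the policy writes. The following PowerShell is an added example, not part of the UT notes, that extends the same approach into a compliance check for those two steps and for the other Security Options in the checklist that are registry-backed (steps 16, 17, 18, 20, 21, 24 to 26, 34, 35, 66, 67, the UAC items 3.2.15.x and the AutoAdminLogon value from section 3.17). The 900-second ceiling for the inactivity limit is an assumption, since the checklist sets no number; the script name and function names are the example's own.

```powershell
# Added example (not from the checklist): audit registry-backed Security Options by comparing
# each value with what the corresponding group policy writes. Run as an administrator.
# The 900 s inactivity ceiling is an assumption; every other expected value is the setting
# named in the checklist step quoted in the comment.
$Policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WksParam = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$SrvParam = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Each check: Item (checklist step), Path, Name, and either Want (exact value) or Min/Max (range).
$Checks = @(
    @{ Item = '14';       Path = $Policies; Name = 'NoConnectedUser';       Want = 3 },           # note 14: block adding AND logging on
    @{ Item = '16';       Path = $Policies; Name = 'DisableCAD';            Want = 0 },           # 0 = Ctrl+Alt+Del required
    @{ Item = '17';       Path = $Policies; Name = 'InactivityTimeoutSecs'; Min = 1; Max = 900 }, # assumed ceiling: 15 minutes
    @{ Item = '67';       Path = $Policies; Name = 'ShutdownWithoutLogon';  Want = 0 },
    @{ Item = '3.2.15';   Path = $Policies; Name = 'EnableLUA';             Want = 1 },           # Admin Approval Mode
    @{ Item = '3.2.15.8'; Path = $Policies; Name = 'PromptOnSecureDesktop'; Want = 1 },
    @{ Item = '3.2.15.9'; Path = $Policies; Name = 'EnableVirtualization';  Want = 1 },
    @{ Item = '18';       Path = $WksParam; Name = 'RequireSecuritySignature'; Want = 1 },        # client: always sign SMB
    @{ Item = '20';       Path = $WksParam; Name = 'EnablePlainTextPassword';  Want = 0 },
    @{ Item = '21';       Path = $SrvParam; Name = 'RequireSecuritySignature'; Want = 1 },        # server: always sign SMB
    @{ Item = '24';       Path = $Lsa;      Name = 'RestrictAnonymousSAM';      Want = 1 },
    @{ Item = '25';       Path = $Lsa;      Name = 'RestrictAnonymous';         Want = 1 },
    @{ Item = '26';       Path = $Lsa;      Name = 'EveryoneIncludesAnonymous'; Want = 0 },
    @{ Item = '34';       Path = $Lsa;      Name = 'NoLMHash';                  Want = 1 },
    @{ Item = '35';       Path = $Lsa;      Name = 'LmCompatibilityLevel';      Want = 5 },       # NTLMv2 only, refuse LM and NTLM
    @{ Item = '42';       Path = $Winlogon; Name = 'CachedLogonsCount'; Min = 0; Max = 4 },       # REG_SZ; note 42: 4 or fewer
    @{ Item = '3.17';     Path = $Winlogon; Name = 'AutoAdminLogon';    Want = 0 },               # REG_SZ "0"
    @{ Item = '66';       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'; Name = 'SecurityLevel'; Want = 0 }
)

function Test-SecurityOption([hashtable]$Check) {
    $current = $null
    try {
        $raw = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name)
        $current = [int]$raw          # REG_SZ numerals such as "10" convert cleanly
    } catch { }                       # value absent (policy never applied) or non-numeric: fails conservatively
    if ($Check.ContainsKey('Max')) {
        $expected = "$($Check.Min)..$($Check.Max)"
        $pass = ($null -ne $current) -and ($current -ge $Check.Min) -and ($current -le $Check.Max)
    } else {
        $expected = "$($Check.Want)"
        $pass = ($null -ne $current) -and ($current -eq $Check.Want)
    }
    [pscustomobject]@{
        Item     = $Check.Item
        Value    = ($Check.Path -replace '^HKLM:\\', '') + '\' + $Check.Name
        Current  = $current
        Expected = $expected
        Pass     = $pass
    }
}

$results = foreach ($c in $Checks) { Test-SecurityOption $c }
$results | Format-Table Item, Value, Current, Expected, Pass -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
Write-Output ("{0} of {1} checks failed" -f $failed.Count, $results.Count)
if ($failed.Count -gt 0) { exit 1 }
```

A missing value is reported as a failure on purpose: several of these steps are marked (Default) in the checklist, but the registry value only exists once the policy has actually been applied, and "absent" cannot be distinguished from "reset by someone" without it. Step 23 (anonymous SID/Name translation) is stored in the LSA policy database rather than the registry and is not covered here.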

     

    43

    The Account Logon audit policy logs the results of validation tests of credentials submitted for user account logon requests. The server that is authoritative for the credentials must have this audit policy enabled: for domain accounts that is the domain controller, so on a domain member this policy only logs events for local user accounts.

    Configure the group policy object below to match the listed audit settings:

    Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\

    • Credential Validation — Success and Failure

    44

    Configure the group policy object below to match the listed audit settings:

    Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\

    • Computer Account Management — Success and Failure
    • Other Account Management Events — Success and Failure
    • Security Group Management — Success and Failure
    • User Account Management — Success and Failure

    45

    Configure the group policy object below to match the listed audit settings:

    Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\

    • Account Lockout — Success
    • Logoff — Success
    • Logon — Success and Failure
    • Other Logon/Logoff Events — Success and Failure
    • Special Logon — Success

    46

    Configure the group policy object below to match the listed audit settings:

    Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\

    • Audit Policy Change — Success and Failure
    • Authentication Policy Change — Success

    47

    Configure the group policy object below to match the listed audit settings:

    Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use\

    • Sensitive Privilege Use — Success and Failure
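Notes 43 to 47 together define the required advanced audit policy. The following PowerShell is an added example, not part of the UT notes, that checks a server's effective policy against those thirteen subcategory settings by parsing auditpol's CSV output, and can apply them locally. The -Fix switch and function names are the example's own; the subcategory names are the English ones auditpol prints.

```powershell
# Added example (not from the checklist): compare the effective advanced audit policy with the
# settings required by notes 43-47 and optionally apply them. Subcategory names are the English
# strings auditpol prints; a localized system prints different names.
param([switch]$Fix)

$Required = @{
    'Credential Validation'           = 'Success and Failure'   # note 43
    'Computer Account Management'     = 'Success and Failure'   # note 44
    'Other Account Management Events' = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Account Lockout'                 = 'Success'               # note 45
    'Logoff'                          = 'Success'
    'Logon'                           = 'Success and Failure'
    'Other Logon/Logoff Events'       = 'Success and Failure'
    'Special Logon'                   = 'Success'
    'Audit Policy Change'             = 'Success and Failure'   # note 46
    'Authentication Policy Change'    = 'Success'
    'Sensitive Privilege Use'         = 'Success and Failure'   # note 47
}

function Get-AuditPolicy {
    # /r prints CSV with the columns Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting; Inclusion Setting is one of "No Auditing", "Success",
    # "Failure", "Success and Failure".
    auditpol /get /category:* /r | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
}

function Test-AuditPolicy {
    $current = @{}
    foreach ($row in Get-AuditPolicy) { $current[$row.Subcategory] = $row.'Inclusion Setting' }
    foreach ($sub in ($Required.Keys | Sort-Object)) {
        $want   = $Required[$sub]
        $actual = if ($current.ContainsKey($sub)) { $current[$sub] } else { '(not reported)' }
        # auditing more than required (Success and Failure where Success is asked for) is not a finding
        $pass = ($actual -eq $want) -or ($want -eq 'Success' -and $actual -eq 'Success and Failure')
        [pscustomobject]@{ Subcategory = $sub; Required = $want; Actual = $actual; Pass = $pass }
    }
}

function Set-AuditPolicy {
    # Sets the local effective policy. Domain members should receive these values through the GPO
    # paths in notes 43-47, with "Audit: Force audit policy subcategory settings" enabled so the
    # legacy nine-category policy cannot override them; a local change is a stop-gap that the next
    # policy refresh may undo.
    foreach ($sub in $Required.Keys) {
        $success = if ($Required[$sub] -like 'Success*') { 'enable' } else { 'disable' }
        $failure = if ($Required[$sub] -like '*Failure') { 'enable' } else { 'disable' }
        auditpol /set /subcategory:"$sub" /success:$success /failure:$failure | Out-Null
    }
}

if ($Fix) { Set-AuditPolicy }
$results = Test-AuditPolicy
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it elevated; without -Fix it only reads. The table it prints is a direct record of which note 43 to 47 entries the host meets, which is what the checklist's UT Note column asks you to verify.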

    48

    The university requires the following event log settings instead of those recommended by the CIS Benchmark:

    • Application: Maximum log size — 32,768 KB
    • Security: Maximum log size — 196,608 KB
    • Setup: Maximum log size — 32,768 KB
    • System: Maximum log size — 32,768 KB

    The retention goal for all logs is that at least 14 days of events are always available. The event log service in Windows Server 2012 supports only three retention modes (overwrite events as needed, archive the log when full, do not overwrite events), so a per-day limit cannot be set directly; in practice the goal is met by choosing "Overwrite events as needed" (the "As needed" value in the policy checklist above) and sizing each log so that 14 days of events fit.

    These are minimum requirements. The most important log is the Security log: 100 MB is an absolute floor, but on a high-volume service make the file as large as necessary to keep at least 14 days of security events. You may keep more days, or set the log files to not overwrite events.

    Note that if a log is set not to overwrite events and reaches its maximum size, no new events are logged. An attacker may fill the log deliberately to cover their tracks. For critical services working with Category I or other sensitive data, use Syslog, Splunk, InTrust, or a similar service to ship logs to another device.

    Another option is to configure Windows to archive the current file and start a fresh one automatically when a log reaches its maximum size, as described in http://support.microsoft.com/kb/312571 using the AutoBackupLogFiles registry entry (the "Archive the log when full" retention mode on Windows Server 2012). The archived .evtx files accumulate under %SystemRoot%\System32\winevt\Logs, so disk space must be monitored and the archives should also be shipped off the host.
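The following PowerShell is an added example, not part of the UT notes, that checks the four logs against the sizes listed above, reports any log that has stopped logging because it is full, and with -Fix enlarges the logs and puts the Security log into the archive-when-full mode described for AutoBackupLogFiles. The log names and sizes are those in note 48; the -Fix switch and function name are the example's own.

```powershell
# Added example (not from the checklist): check the Application, Security, Setup and System logs
# against the note 48 sizes, flag logs that are full, and with -Fix set the sizes and put the
# Security log into "archive the log when full" mode (the KB 312571 AutoBackupLogFiles behaviour).
param([switch]$Fix)

$RequiredKB = @{ Application = 32768; Security = 196608; Setup = 32768; System = 32768 }

function Test-EventLogConfig {
    foreach ($name in ($RequiredKB.Keys | Sort-Object)) {
        $log = Get-WinEvent -ListLog $name
        $kb  = [int]($log.MaximumSizeInBytes / 1KB)
        [pscustomobject]@{
            Log        = $name
            CurrentKB  = $kb
            RequiredKB = $RequiredKB[$name]
            # Circular = overwrite as needed, AutoBackup = archive when full, Retain = do not overwrite
            Mode       = $log.LogMode
            # a full log in Retain mode has silently stopped recording; that is itself a finding
            Full       = $log.IsLogFull
            Pass       = ($kb -ge $RequiredKB[$name]) -and (-not $log.IsLogFull)
        }
    }
}

if ($Fix) {
    foreach ($name in $RequiredKB.Keys) {
        # wevtutil sl: /ms = maximum size in bytes; /rt:true with /ab:true = archive when full
        $opts = @("/ms:$($RequiredKB[$name] * 1KB)")
        if ($name -eq 'Security') { $opts += '/rt:true', '/ab:true' }
        & wevtutil.exe sl $name @opts
    }
}

$results = Test-EventLogConfig
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Archive mode trades the risk of wrap-around for the risk of filling the disk: once -Fix has been applied, the archived Archive-Security-*.evtx files under %SystemRoot%\System32\winevt\Logs need to be shipped to the central log service (note 49) and pruned on a schedule.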

    49

    It is highly recommended that logs are shipped from any Category I devices to a service like Splunk, which provides log aggregation, processing, and real-time monitoring of events among many other things. This helps to ensure that logs are preserved and unaltered in the event of a compromise, in addition to allowing proactive log analysis of multiple devices.

    The ISO maintains a centrally-managed Splunk service that may be leveraged.  Please see the on-boarding form for more details.  

    52

    Configure user rights to be as secure as possible, following the recommendations in section 2.2 of the CIS benchmark. Every attempt should be made to remove Guest, Everyone, and ANONYMOUS LOGON from the user rights lists.

    53

    Volumes formatted as FAT or FAT32 can be converted to NTFS, by using the convert.exe utility provided by Microsoft. Microsoft has provided instructions on how to perform the conversion. Windows servers used with Category I data must use the NTFS file system for all partitions where Category I data is to be stored.

    54

    Be extremely careful, as setting incorrect permissions on system files and folders can render a system unusable.

    55

    Be extremely careful, as setting incorrect permissions on registry entries can render a system unusable.

    56

    Some remote administration tools, such as Microsoft Systems Management Server, require remote registry access to managed devices. Disabling remote registry access may cause such services to fail. If remote registry access is not required, it is recommended that the remote registry service be stopped and disabled.

    If remote registry access is required, the remotely accessible registry paths should still be configured to be as restrictive as possible. The group policy object below controls which registry paths are available remotely:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\

    Security Options\Network access: Remotely accessible registry paths

    This object should be set to allow access only to:

    • System\CurrentControlSet\Control\ProductOptions
    • System\CurrentControlSet\Control\Server Applications
    • Software\Microsoft\Windows NT\CurrentVersion

    Further restrictions on the registry paths and subpaths that are remotely accessible can be configured with the group policy object:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\

    Security Options\Network access: Remotely accessible registry paths and sub-paths
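The following PowerShell is an added example, not part of the UT notes, that checks step 56 on a host: whether the Remote Registry service is stopped and disabled and, if it must stay on, whether the remotely accessible paths are limited to the three paths note 56 allows. The allowed-path list is taken from the note; the -Disable switch and function names are the example's own.

```powershell
# Added example (not from the checklist): check step 56 / note 56. Reports the Remote Registry
# service state and the remotely accessible registry paths; -Disable stops and disables the service.
param([switch]$Disable)

$WinReg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$AllowedExactPaths = @(                                  # the three paths note 56 permits
    'System\CurrentControlSet\Control\ProductOptions',
    'System\CurrentControlSet\Control\Server Applications',
    'Software\Microsoft\Windows NT\CurrentVersion'
)

function Get-MultiString([string]$Key) {
    # AllowedExactPaths\Machine and AllowedPaths\Machine are REG_MULTI_SZ; a missing key means none
    $p = Get-ItemProperty -Path $Key -Name Machine -ErrorAction SilentlyContinue
    if ($p) { @($p.Machine | Where-Object { $_ }) } else { @() }
}

function Test-RemoteRegistry {
    # Win32_Service is used because Get-Service on PowerShell 3.0 (Server 2012) has no StartType
    $svc   = Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'"
    $exact = Get-MultiString "$WinReg\AllowedExactPaths"
    $sub   = Get-MultiString "$WinReg\AllowedPaths"
    $extra = @($exact | Where-Object { $AllowedExactPaths -notcontains $_ })
    $disabled = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    [pscustomobject]@{
        ServiceState     = $svc.State
        StartMode        = $svc.StartMode
        ServiceDisabled  = $disabled
        ExtraExactPaths  = $extra            # exact paths beyond the three allowed by note 56
        RemoteSubPaths   = $sub              # each exposes a whole subtree remotely; review per note 56
        # disabled service satisfies the step outright; otherwise the exact-path list must match
        Pass             = $disabled -or ($extra.Count -eq 0)
    }
}

if ($Disable) {
    Stop-Service RemoteRegistry -Force -ErrorAction SilentlyContinue
    Set-Service RemoteRegistry -StartupType Disabled
}
$result = Test-RemoteRegistry
$result | Format-List
if (-not $result.Pass) { exit 1 }
```

Before using -Disable, confirm that no management tool depends on remote registry access (note 56 names Systems Management Server as one that does); the RemoteSubPaths output is the list to trim with the "paths and sub-paths" policy when the service has to remain enabled.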

    57

    By default, domain members synchronize their time with domain controllers using Microsoft’s Windows Time Service. The domain controller should be configured to synchronize its time with an external time source, such as the university’s network time servers.

    ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators.

    58

    ISO provides Cisco AMP, a managed, cloud-based malware protection service, free of charge for all university-owned devices. More information about obtaining and using AMP is at https://security.utexas.edu/education-outreach/anti-virus.

    59

    Anti-spyware software is only required to be installed if the server is used to browse Web sites not specifically related to the administration of the server, which is not recommended. At a minimum, SpyBot Search and Destroy should be installed. Consider installing a secondary anti-spyware application, such as SpyWare Blaster, EMS Free Surfer, or AdAware.

    An additional measure that can be taken is to install Firefox with the NoScript and uBlock add-ons.

    60

    Cisco AMP is the recommended anti-virus solution. Microsoft Forefront may also be used, and can be configured directly or through the use of GPOs, which can simplify the management of multiple servers.

    61

    Spyware Blaster – Enabling auto-update functionality requires the purchase of an additional subscription.

    SpyBot Search and Destroy – Automatic update tasks can be created inside the program itself and are scheduled using the Windows Task Scheduler.

    1. In the Spybot application, click Mode –> Advanced View.
    2. Click Settings on the left-hand side of the window.
    3. You should now see an option labeled "Scheduler." Select that option.
    4. Adding the task to update automatically is relatively straightforward:
       • Click Add to create a task.
       • Click Edit to edit the task schedule.
       • In the Scheduled Task window that pops up, enter the following in the Run field:
         "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /AUTOUPDATE /TASKBARHIDE /AUTOCLOSE
       • Click the Schedule tab and choose a time for it to update. The update is brief but processor intensive, so consider scheduling it during periods of low usage. The task should be scheduled daily.

    62

    Windows provides the Encrypting File System as a built-in mechanism to allow the encryption of individual users’ files and folders. Be aware of the caveats involved in the use of EFS before implementing it for general use, though. Other options such as PGP and GNUPG also exist.

    Another encryption option to consider is whole-disk encryption, which encrypts the entire contents of the drive instead of just specific files and folders. Windows comes with BitLocker for this.

    If encryption is being used in conjunction with Category I data, one of the solutions listed in the Approved Encryption Methods (EID required) must be implemented.

    63

    Windows has a feature called Windows Resource Protection which automatically checks certain key files and replaces them if they become corrupted. It is enabled by default.

    You can audit in much more depth using Tripwire. Modern versions of Tripwire require the purchase of licenses in order to use it. The Tripwire management console can be very helpful for managing more complex installations.

    64

    This setting is configured by group policy object at:

    \Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security

    This policy object should be configured as below:

    ·         Set client connection encryption level — High

    ·         Require use of specific security layer for remote (RDP) connections — SSL (TLS 1.0)

    ·         Require user authentication for remote connections by using Network Level Authentication — Enabled

    69

    1.    Open the Display Properties control panel.

    2.    Select the Screen Saver tab.

    3.    Select a screen saver from the list. Although there are several available, consider using a simple one such as “Blank.”

    4.    The value for Wait should be no more than 15 minutes.

    5.    Select the On resume, password protect option.

     

    Data Security Policy

    Introduction

     

    With each new piece of technology comes new potential for a data security breach. The dangers inherent in using a smartphone or tablet are quite different from those associated with a laptop. Even the convenience of wireless internet offers more opportunities for attack than traditional hard-wired systems. While most security measures focus on external threats from hackers and malicious downloads, internal threats account for twice as much monetary loss as external threats. An internal threat could be the deletion or dissemination of computer files related to a client’s case. One employee could also share their password with another, granting someone access beyond the scope of their position.

    To prevent the intentional or unintentional problems created by employee use of software and equipment, developing a thorough data security policy is more important than ever. This policy should provide employees with information regarding the acceptable use of mobile technology as well as password security and wireless access policies to protect confidential data.


     

     

    Elements of a data security policy

     

    A law firm depends  on protecting confidential client information. Most of this information is available in electronic format for accessibility in and out of the office. Preventing client information from mysteriously growing legs or disappearing is crucial to a law firm’s well-being.

     

    Office Computers and Server

     There are some truths that should be self-evident but need to be spelled out in a written policy, because  inevitably an employee will otherwise do the unthinkable. Some may ignore the Not Safe for Work (NSFW) tag and view pornography if they are ‘off the clock’ during a break or lunch hour, while others may decide to run a personal business or game server using the firm’s servers. Both of these activities expose the office to security risks.

     Some less obvious but equally risky behavior is the desire to download software from the internet onto company computers and/or servers. An employee could simply be looking for a tool to make them more efficient in their job. However, looking in the wrong place and downloading the wrong file could install malicious software onto your system.

     Perhaps the scariest danger  is the easiest one to complete: deleting files. Deleting a file can sometimes be as simple as hitting the wrong key combination, resulting in a mad dash to the IT specialist with the order to “retrieve!” said file from the trash bin. On those occasions that the deletion wasn’t noticed right away, IT can spend a significant amount of time with the backup locating the document to hopefully restore it.

     To prevent these and other related computer and server nightmares, create an acceptable use policy as part of your data security package. Restrict who has the right to download executable files (programs) and who can modify items in certain folders. Firewalls, virus scan and anti-spam software should be installed and updated, and the system regularly scanned.

     

    DATA-SECURITY TIPS

    Create an acceptable use policy as part of your data security package. Restrict who can download files. Make sure you have virus scan and anti-spam software installed.

     

    Secure Backups

     Is losing a day’s worth of work acceptable, let alone a week? Backing up the office servers every night and storing that data off-site can save a law firm. Disasters don’t wait for you to be prepared  before they strike. Servers, like other computers, can die without warning. Having a full backup available allows you to upload  your data onto a  new server (after a new server is acquired and built) and continue working without having to reinvent lost work. It’s even better when you have a redundant system, and you can simply switch to your backup server and continue on as if nothing has happened.

    There are different varieties of backup systems available. Cloud backups remove the need for equipment but require extra vigilance regarding security when selecting a company. USB backups give the convenience of a portable backup, but proper security must be maintained  since they are small and easily lost. Older tape backups require special equipment, someone  diligently managing  the process, and secure storage.

     

     DATA SECURITY TOOLKIT

     

    When planning your backup system, budget may be a factor in deciding which route you take. However, you have to pick a system you will use. Saving money isn’t a value if it’s tedious work that never actually gets done and you don’t have a current backup when you need it.

     Your backup policy should include determination for how long backup copies will be kept. Additional USB drives can be purchased  to maintain offsite backups. If using the tape system, have a series of tapes that you rotate. Because tapes deteriorate,  replace them on a regular basis to prevent problems. Keeping end of month or end of year backups offsite may be helpful as well.

    Password Security

     Recent headlines highlight the continued problem of creating simple passwords that are quickly hacked because  they are easier to remember. If a site requires a complicated password, some people will write it down and attach the post-it note to their computer so they have easy access to it when they need it. Others save a document in the system with their list of  passwords to various sites. Any of these methods are hazards that can provide unauthorized access to your system.

     To combat the dangers  of password accessibility, provide minimum requirements of at least eight characters and combinations of the following: lowercase letters, uppercase  letters, numbers, and special characters.  Simple common words or the individual’s name and date of birth should be prohibited. Provide some examples of possible strong passwords that would be easy to remember, such as word combinations (previous addresses: Main#202ParkDrive).  Passwords should be scheduled to be changed  on a regular basis, and passwords should not be able to be used over and over again in succession.

    In addition to making sure individual passwords are truly secure, be sure that the system passwords for wireless access and other equipment are also changed. These hidden passwords can open up the entire system to hackers even if  you think you’ve created a secure system with layers of access.

    Internet Use

     Preventing employees from ever surfing to a non-work-related website can be cost prohibitive for small and medium sized firms. However, having a clear internet use policy can help limit the types of sites they visit. Streaming music and video use a lot of bandwidth, and files downloaded from file sharing sites can contain malware or expose the firm to liability if the material was copyrighted. Some employees may be tempted to spend too much time on activities such as online shopping, social media or travel planning.

     Again, use the theory that if it isn’t forbidden, they will do it. Specifically list any types of sites that you do not want your employees visiting on your office computer. Security settings can be set to block porn sites, gambling sites, social media and even web-based email sites.

     DATA-SECURITY TIPS. Make sure you have a clear internet use policy which can limit the types of sites your employees visit. Streaming music and video uses a lot of bandwidth and downloading files can expose you to malware or copyright issues.

     

    Risk Management Practice Guide of Lawyers

    The logic behind blocking personal,  web-based email is prevention of employees from opening emails and visiting a nefarious site or opening an infected  attachment,  thereby compromising your system because  their personal email was not as secure. Employees may inadvertently or maliciously transmit client confidential or law firm proprietary information using their personal webmail, circumventing other safeguards the firm has established concerning such information. Remind employees that, like email, browsing history is subject to being reviewed.

    E-mail

    Misuse of company email is one of the most common problems faced, and covers a large variety of actions. Sending a free “Happy Birthday!” card from a free website can introduce massive spamming into your system and bog down your server. Employees may use company e-mail for running a personal business with less thought than storing hard files on the computers or servers. A good Samaritan employee may send out emails to everyone in the firm regarding a fundraising event for a local charity, and follow up with four or five reminders. Personal use of the firm email system should be addressed  to reduce the amount of server space such items consume.

    E-mail policies should also include limits on the size of attachments as appropriate. Consider this: an e-mail with a 10MB attachment  is received and then forwarded to ten other employees. This attachment now consumes 120MB of server space as each individual copy of the e-mail is stored on the server, plus the copy in the sent folder. Depending on your e-mail client, a copy of the e-mail may also be stored on each and every computer.

    The above space consumption issue illustrates the reasoning behind another policy: e-mail retention policy. Case-related e-mails and attachments should be uploaded  into a practice management system or database, protecting them from accidental deletion and making them accessible to all employees who may need the information. Storing emails that need to be saved outside of the e-mail system also prevents the dreaded  moment when the recipient is out of the office and IT has to search their e-mail so another employee can access the information.

    An essential element of an e-mail policy is reminding employees that the office email system is firm property and not their personal account.  As such, any office email account is subject to review. Remind employees that office e-mail is representative of the firm and should present a professional image.

     

     

    Metadata

    Perhaps the most overlooked data security danger is metadata contained in document editing programs. Both Microsoft Word and WordPerfect contain information regarding previous edits made to a document. This means that deleting confidential information from one client document to reuse for another could expose the former client’s information to the latter if the recipient knows where to look. These features can be turned off, preventing data from being stored in the first place.

    Files sent electronically should be scrubbed for metadata. Special programs can be purchased  to ensure that this information is not forwarded along with your document and can be integrated into your email system. If you do not want the recipient to make changes to your document, send the document as a PDF. Sending as a PDF strips most of the metadata from a file, but a PDF contains some of its own. Be sure to adjust the security options as appropriate.

    Remote Access

    Employees may need to access the firm’s system when they are out of the office occasionally. Prohibiting employees from using public computers or using wireless access in public places removes the exposure of client data from hackers because security settings in these circumstances are often lower than those created for the office.

    To make connecting to the office more secure, consider establishing a virtual private network (VPN). A VPN connects you to your office computer over the internet, alleviating the need to actually access files through a questionable  internet connection. Communications sent through the VPN are encrypted, so any data intercepted would not be usable.

      

    Smartphones, Tablets and Remote Storage Devices

     The trickiest part of data security is protecting the mobile data that leaves the building. Smartphones and tablets all contain internet connections but often do not have all of their security measures activated as a firm laptop would provide. A USB drive often contains pure, unencrypted files available for anyone who plugs the drive into their computer; worse yet, it is small enough to easily lose.

     Any device used to access client data should have password protection requirements. Even a USB device can be purchased that requires password access. For smartphones and tablets, require passwords at start up and after a period of idle time. Also, develop a remote wipe program protocol should any device ever be lost or stolen. Any document downloaded and stored should be encrypted. When travelling, be careful not to leave your device in ‘airplane mode’, as this often disables the ability to enact a remote wipe program because it disconnects the device from the data systems used to locate it.

     Upon return to the office, require that remote storage devices such as USB and flash drives be scanned by virus and malware scanners to prevent infection from any outside sources. Have protocols in place regarding the use of personal USB devices with office computers to avoid inadvertently infecting office computers with unprotected devices. Consider restricting access to USB ports to certain employees, or even disable ports to prevent misuse.


     

    When an Employee Leaves

     

    Often the biggest threat to your data is within your own company. A disgruntled or exiting employee can easily delete files from your system or take files out of the office without notice. Locking down data from employees can be the hardest part of data security.

     

    When an employee leaves, immediately lock their computer, e-mail, remote access and any other access privilege to prevent them from accessing information. Create protocols within the firm for who may need to access an employee’s files. If the employee has any equipment, such as a laptop or USB drive, at home, verify that it is returned before they exit the premises on their final day.

     

     Visitors and Contractors

     

    From time to time, office visitors may need to use office computers or email. Any temporary account established should have a notice regarding expectation of privacy. Passcodes for these accounts should also expire immediately after use. This ensures someone  temporarily allowed into your system won’t be able to access your confidential data later, when you’re not looking.

     

    System contractors obviously need access to keep everything up-to-date and running smoothly. However, they may not understand the importance of the confidentiality of the information they may access in the process of completing their work. A Vendor/Contractor Confidentiality Agreement should be completed by all of those who will be accessing your system to ensure that confidentiality is maintained.

    Security Audit

    To ensure all facets of your system are properly secure, consider a third party security audit. A trained professional will see any holes in your protection that could leak confidential information.

    The auditor will be able to provide you with suggestions to improve your security to prevent data security breaches  in the future. This may include the purchase of additional security software, or simply changing internet usage habits. The end result will be a safer practice.

     

     

    Sample Policy Table of Contents

    Overview

    Purpose

    Scope

    Network/Server Security

    Server Configuration Guidelines

    Security-related Events

    Router Security

    Server Malware Protection

    Backup Procedures

    Workstation Security

    Authorized Users

    Safeguards

    Software Installation

    Malware Protection

    Password Security

    Requirements

    Standards

    Protective Measures

    Passphrases

    Acceptable Use

    General Use and Ownership

    Security and Proprietary Information

    Unacceptable Use

    Wireless

    Encryption

    Standards

    Mobile Device Encryption

    E-mail

    Prohibited Use

    Personal Use

    E-mail Retention

    Monitoring

    Metadata

    Definition

    Removing Metadata

    Remote access

    Persons Affected

    General

    Standards

    Requirements

    Mobile Computing and Storage Devices

    Virtual Private Network (VPN)

    Employee Termination

    Removing Access

    Returning Mobile Devices

    Visitor and Contractor Access

    Permission

    Contractors

    Remote Access

    Enforcement

     

    I. OVERVIEW

    A. Purpose – <Firm Name> is entrusted with the responsibility to provide professional legal advice to clients who provide us with confidential information. Inherent in this responsibility is an obligation to provide appropriate protection against theft of data and malware threats, such as viruses and spyware applications. The purpose of this policy is to establish standards for the base configuration of equipment that is owned and/or operated by <Firm Name> or equipment that accesses <Firm Name>’s internal systems. Effective implementation of this policy will minimize unauthorized access to <Firm Name> proprietary information and technology and protect confidential client information.

    B. Scope – This policy applies to equipment owned and/or operated by <Firm Name>, and to employees connecting to any <Firm Name>-owned network domain.

    II. NETWORK/SERVER SECURITY

    A. Server Configuration Guidelines
    i. The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
    ii. Servers should be physically located in an access-controlled environment.
    iii. Servers are specifically prohibited from being operated from uncontrolled cubicle areas.

    B. Security-related Events – Security-related events will be reported to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
    i. Port-scan attacks
    ii. Evidence of unauthorized access to privileged accounts
    iii. Anomalous occurrences that are not related to specific applications on the host.

    C. Router Security
    i. The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router’s support organization.
    ii. Disallow the following:
       a. IP directed broadcasts
       b. Incoming packets at the router sourced with invalid addresses such as RFC1918 addresses
       c. TCP small services
       d. UDP small services
       e. All source routing
       f. Web services running on the router
    iii. Access rules are to be added as business needs arise.
    iv. Each router must have the following statement posted in clear view: “Unauthorized access to this network device is prohibited. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device.”

    D. Server Malware Protection
    i. Anti-Virus – All servers MUST have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions:
       a. Non-administrative users have remote access capability
       b. The system is a file server
       c. Share access is open to this server from systems used by non-administrative users
       d. HTTP/FTP access is open from the Internet
       e. Other “risky” protocols/applications are available to this system from the Internet at the discretion of the <Firm Name> IT department.
    ii. Mail Server Anti-Virus – If the target system is a mail server it MUST have either an external or internal anti-virus scanning application that scans all mail destined to and from the mail server. Local anti-virus scanning applications MAY be disabled during backups if an external anti-virus application still scans inbound e-mails while the backup is being performed.
    iii. Anti-Spyware – All servers MUST have an anti-spyware application installed that offers real-time protection to the target system if they meet one or more of the following conditions:
       a. Any system where non-technical or non-administrative users have remote access to the system and ANY outbound access is permitted to the Internet
       b. Any system where non-technical or non-administrative users have the ability to install software on their own
    iv. Notable Exceptions – Exceptions to the above requirements may be deemed acceptable with proper documentation if one of the following notable conditions applies to the system:
       a. The system is a SQL server
       b. The system is used as a dedicated mail server
       c. The system is not a Windows based platform

    E. Backup Procedures
    i. Daily backups – Backup software shall be scheduled to run nightly to capture all data from the previous day.
       a. Backup logs are to be reviewed to verify that the backup was successfully completed.
       b. One responsible party should be available to supervise backups each day. If the designated backup specialist is not available, an alternative should be named to oversee the process.
    ii. Backup data storage shall not be on <Firm Name>’s premises. In case of a disaster, backup tapes should be available for retrieval and not subject to destruction.
    iii. Data on hard drives will be backed up daily, and mobile devices shall be brought in to be backed up on a weekly basis or as soon as practical if on an extended travel arrangement.
    iv. Test the restoration process regularly and create written instructions in the event IT personnel are not available to restore data when needed.

     

    III. WORKSTATION SECURITY

    A. Authorized Users – Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information is restricted to authorized users.

    B. Safeguards – <Firm Name> will implement physical and technical safeguards for all workstations that access electronic confidential information to restrict access to authorized users. Appropriate measures include:
    i. Restricting physical access to workstations to only authorized personnel.
    ii. Securing workstations (screen lock or logout) prior to leaving the area to prevent unauthorized access.
    iii. Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected.
    iv. Complying with all applicable password policies and procedures.
    v. Ensuring workstations are used for authorized business purposes only.
    vi. Never installing unauthorized software on workstations.
    vii. Storing all confidential information on network servers.
    viii. Keeping food and drink away from workstations in order to avoid accidental spills.
    ix. Securing laptops that contain sensitive information by using cable locks or locking laptops up in drawers or cabinets.
    x. Complying with the Portable Workstation Encryption policy.
    xi. Complying with the Anti-Virus policy.
    xii. Ensuring that monitors are positioned away from public view. If necessary, install privacy screen filters or other physical barriers to public viewing.
    xiii. Ensuring workstations are left on but logged off in order to facilitate after-hours updates. Exit running applications and close open documents.
    xiv. Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).
    xv. If wireless network access is used, ensure access is secure by following the Wireless Access policy.

    C. Software Installation
    i. Employees may not install software on <Firm Name>’s computing devices operated within the <Firm Name> network. Software requests must first be approved by the requester’s manager and then be made to the IT department in writing or via e-mail. Software must be selected from an approved software list, maintained by the IT department, unless no selection on the list meets the requester’s need. The IT department will obtain and track the licenses, test new software for conflict and compatibility, and perform the installation.
    ii. This policy covers all computers, servers, and other computing devices operating within <Firm Name>’s network.

    D. Malware Protection
    i. Anti-Virus – All <Firm Name> computers must have <Firm Name>’s standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into <Firm Name>’s networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use policy.

     

    IV. PASSWORD SECURITY

    A. Requirements
    i. All system-level passwords (Administrator, etc.) must be changed on a quarterly basis, at a minimum.
    ii. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months.
    iii. All user-level and system-level passwords must conform to the standards described below.

    B. Standards – All users at <Firm Name> should be aware of how to select strong passwords. Strong passwords have the following characteristics:
    i. Contain at least three of the five following character classes:
       a. Lower case characters
       b. Upper case characters
       c. Numbers
       d. Punctuation
       e. “Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc.)
    ii. Contain at least eight to fifteen alphanumeric characters.
    iii. The password is NOT a word found in a dictionary (English or foreign).
    iv. The password is NOT a common usage word such as:
       a. Computer terms and names, commands, sites, companies, hardware, software. Passwords should NEVER be “Password1” or any derivation.
       b. The words “<Firm Name>”, “<City>”, or any derivation.
       c. Names of family, pets, friends, co-workers, etc.
       d. Birthdays and other personal information such as addresses and phone numbers.
       e. Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
       f. Any of the above spelled backwards.
       g. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
    v. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase.
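The Standards above, turned into an automated check that a help desk or onboarding script could run before accepting a new password. This is an added example, not the firm's own tooling or anything from the policy template: FIRM_NAME, CITY and COMMON_WORDS are constructed placeholders for <Firm Name>, <City> and a real dictionary file, and "eight to fifteen" is read as an inclusive length range. The sample passphrase “Joe&Me1Rbudz” from the Passphrases section below passes; “Password1” does not.

```python
"""Checker for the Password Security Standards (added example).

FIRM_NAME, CITY and COMMON_WORDS are constructed placeholders; a real
deployment would load a full dictionary in place of COMMON_WORDS.
"""
import re
import string

FIRM_NAME = "ExampleFirm"   # constructed stand-in for <Firm Name>
CITY = "Springfield"        # constructed stand-in for <City>

# Stand-in for the dictionary and "common usage word" lists (rules iii, iv).
COMMON_WORDS = {
    "password", "secret", "computer", "admin", "windows", "server",
    "login", "welcome", FIRM_NAME.lower(), CITY.lower(),
}

# The five character classes of rule (i). Punctuation is kept apart from the
# "special" set so both classes are counted the way the policy lists them.
PUNCTUATION = ".,!?"
SPECIAL = "@#$%^&*()_+|~-=\\`{}[]:\";'<>/"
CLASS_TESTS = {
    "lower": str.islower,
    "upper": str.isupper,
    "digit": str.isdigit,
    "punctuation": lambda c: c in PUNCTUATION,
    "special": lambda c: c in SPECIAL,
}

# Runs behind the "word or number patterns" rule (qwerty, zyxwvuts, 123...).
RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits]


def _has_run(s: str, n: int = 3) -> bool:
    """True if any n consecutive chars follow a keyboard row, the alphabet or
    the digits in either direction (e.g. qwe, wvu, 321)."""
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if any(chunk in run or chunk[::-1] in run for run in RUNS):
            return True
    return False


def _has_mirror(s: str, n: int = 3) -> bool:
    """True for mirrored halves of n or more chars, e.g. 123321 or abccba."""
    for size in range(n, len(s) // 2 + 1):
        for i in range(len(s) - 2 * size + 1):
            if s[i:i + size] == s[i + size:i + 2 * size][::-1]:
                return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the Standards rules the candidate violates (empty list = acceptable)."""
    problems = []
    # (ii) length: "eight to fifteen" read as an inclusive range.
    if not 8 <= len(pw) <= 15:
        problems.append("length must be 8 to 15 characters")
    # (i) at least three of the five character classes.
    classes = {name for name, test in CLASS_TESTS.items() if any(test(c) for c in pw)}
    if len(classes) < 3:
        problems.append(f"uses only {len(classes)} character class(es), need 3")
    low = pw.lower()
    # (iv.g) strip one leading/trailing digit so "secret1" and "1secret" still match.
    core = re.sub(r"^\d|\d$", "", low)
    # (iii, iv, iv.f) dictionary/common words, firm name and city, including
    # any of them spelled backwards, anywhere inside the candidate.
    for word in COMMON_WORDS:
        if word in core or word in core[::-1]:
            problems.append(f"contains common or firm-related word: {word}")
            break
    # (iv.e) aaabbb, qwerty, zyxwvuts, 123321 style patterns.
    if re.search(r"(.)\1\1", low) or _has_run(low) or _has_mirror(low):
        problems.append("contains a repeated, keyboard, alphabet or mirror pattern")
    return problems


def is_strong(pw: str) -> bool:
    """Convenience wrapper: True when no Standards rule is violated."""
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["Joe&Me1Rbudz", "Password1", "Springfield7", "Ab123321!"]:
        print(candidate, "->", check_password(candidate) or "ok")
```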

    C. Protective Measures
    i. Do not share <Firm Name> passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential <Firm Name> information.
    ii. Passwords should never be written down or stored on-line without encryption.
    iii. Do not reveal a password in email, chat, or other electronic communication.
    iv. Do not speak about a password in front of others.
    v. Do not hint at the format of a password (e.g., “my family name”).
    vi. Do not reveal a password on questionnaires or security forms.
    vii. If someone demands a password, refer them to this document and direct them to the IT Department.
    viii. Always decline the use of the “Remember Password” feature of applications.

    D. Passphrases – Access to the <Firm Name> networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.
    i. A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: “Joe&Me1Rbudz”
    ii. All of the rules above that apply to passwords apply to passphrases.

    ACCEPTABLE USE

    a. General Use and Ownership
        i.   While <Firm Name>’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of <Firm Name>.
        ii.  Any information that users consider sensitive or vulnerable should be encrypted.
        iii. For security and network maintenance purposes, authorized individuals within <Firm Name> may monitor equipment, systems and network traffic at any time.
    b. Security and Proprietary Information
        i.   The user interface for information contained on <Firm Name>’s systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines. Employees should take all necessary steps to prevent unauthorized access to this information.
        ii.  Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should be changed every six months.
        iii. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off when unattended.
        iv.  All PCs, laptops and workstations used by the employee that are connected to the <Firm Name> network, whether owned by the employee or <Firm Name>, shall be continually executing approved virus-scanning software with a current virus database unless overridden by departmental or group policy.
        v.   Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or trojan horse code.

    c. Unacceptable Use
        i. The following activities are, in general, prohibited. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
            1.  Under no circumstances is an employee of <Firm Name> authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing <Firm Name>-owned resources.
            2.  Violations of the rights of any person or Firm protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by <Firm Name>.
            3.  Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which <Firm Name> or the end user does not have an active license is strictly prohibited.
            4.  Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
            5.  Introduction of malicious programs into the network or server (e.g., viruses, worms, trojan horses, e-mail bombs, etc.).
            6.  Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
            7.  Using a <Firm Name> computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
            8.  Making fraudulent offers of products, items, or services originating from any <Firm Name> account.
            9.  Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
            10. Port scanning or security scanning is expressly prohibited unless prior notification to the IT department is made.
            11. Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
            12. Circumventing user authentication or security of any host, network or account.
            13. Interfering with or denying service to any user other than the employee’s host (for example, a denial of service attack).
            14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet.
            15. Providing information about, or lists of, <Firm Name> employees to parties outside <Firm Name>.
    d. Wireless Access
        i.  <Firm Name> Device Requirements – All wireless devices that reside at a <Firm Name> site and connect to a <Firm Name> network must:
            1. Be installed, supported, and maintained by the IT department.
            2. Use <Firm Name> approved authentication protocols and infrastructure.
            3. Use <Firm Name> approved encryption protocols.
            4. Maintain a hardware address (MAC address) that can be registered and tracked.
        ii. Home Wireless Device Requirements
            1. Wireless devices that provide direct access to the <Firm Name> corporate network must conform to the security protocols as detailed for <Firm Name> wireless devices.
            2. Wireless devices that fail to conform to security protocols must be installed in a manner that prohibits direct access to the <Firm Name> corporate network. Access to the <Firm Name> corporate network through such a device must use standard remote access authentication.

    VI. ENCRYPTION
    a. Standards – Proven, standard algorithms should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. Key lengths must be at least 128 bits. <Firm Name>’s key length requirements will be reviewed annually and upgraded as technology allows.
    b. Mobile Device Encryption
        i.   Scope – All mobile devices containing stored data owned by <Firm Name> must use an approved method of encryption to protect data at rest. Mobile devices are defined to include laptops, tablets, and smartphones.
        ii.  Laptops – Laptops must employ full disk encryption with an approved software encryption package. No <Firm Name> data may exist on a laptop in clear text.
        iii. Tablets and smartphones – Any <Firm Name> data stored on a smartphone or tablet must be saved to an encrypted file system using <Firm Name>-approved software. <Firm Name> shall also employ remote wipe technology to remotely disable and delete any data stored on a <Firm Name> tablet or smartphone which is reported lost or stolen.
        iv.  Keys – All keys used for encryption and decryption must meet the complexity requirements described in <Firm Name>’s Password Security policy.

    VII. E-MAIL
    a. Prohibited Use – The <FIRM NAME> e-mail system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any e-mails with this content from any <FIRM NAME> employee should report the matter to their supervisor immediately. The following activities are strictly prohibited, with no exceptions:
        i.   Sending unsolicited e-mail messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (e-mail spam).
        ii.  Any form of harassment via e-mail, telephone or paging, whether through language, frequency, or size of messages.
        iii. Unauthorized use, or forging, of e-mail header information.
        iv.  Solicitation of e-mail for any other e-mail address, other than that of the poster’s account, with the intent to harass or to collect replies.
        v.   Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
        vi.  Use of unsolicited e-mail originating from within <Firm Name>’s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by <Firm Name> or connected via <Firm Name>’s network.
        vii. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
    b. Personal Use – Using a reasonable amount of <FIRM NAME> resources for personal e-mails is acceptable, but non-work-related e-mail shall be saved in a separate folder from work-related e-mail. Sending chain letters or joke e-mails from a <FIRM NAME> e-mail account is prohibited. Virus or other malware warnings and mass mailings from <FIRM NAME> shall be approved by the <FIRM NAME> IT department before sending. These restrictions also apply to the forwarding of mail received by a <FIRM NAME> employee.
    c. E-mail Retention
        i.   Administrative Correspondence – <Firm Name> Administrative Correspondence includes, though is not limited to, clarification of established Firm policy, including holidays, time card information, dress code, work place behavior and any legal issues such as intellectual property violations. All e-mail with the information sensitivity label Management Only shall be treated as Administrative Correspondence. <Firm Name> Administration is responsible for e-mail retention of Administrative Correspondence.
        ii.  Fiscal Correspondence – <Firm Name> Fiscal Correspondence is all information related to revenue and expense for the Firm. The <Firm Name> bookkeeper is responsible for all fiscal correspondence.
        iii. General Correspondence – <Firm Name> General Correspondence covers information that relates to customer interaction and the operational decisions of the business. <Firm Name> is responsible for e-mail retention of General Correspondence.
        iv.  Ephemeral Correspondence – <Firm Name> Ephemeral Correspondence is by far the largest category and includes personal e-mail, requests for recommendations or review, e-mail related to product development, updates and status reports.
        v.   Encrypted Communications – <Firm Name> encrypted communications should be stored in a manner that protects the confidentiality of the information, but in general, information should be stored in a decrypted format.
        vi.  Recovering Deleted E-mail via Backup Media – <Firm Name> maintains backups from the e-mail server and once a quarter a set of backups is taken out of the rotation and moved offsite. No effort will be made to remove e-mail from the offsite backups.
    d. Monitoring – <FIRM NAME> employees shall have no expectation of privacy in anything they store, send or receive on the Firm’s e-mail system. <FIRM NAME> may monitor messages without prior notice. <FIRM NAME> is not obliged to monitor e-mail messages.

    VIII. METADATA
    a. Definition – When you create and edit your documents, information about you and the edits you make is automatically created and hidden within the document file. Metadata can often be sensitive or confidential information, and can be potentially damaging or embarrassing. On its Web site, Microsoft indicates that the following metadata may be stored in documents created in all versions of Word, Excel and PowerPoint:
        i.    your name and initials (or those of the person who created the file)
        ii.   the name of your computer
        iii.  your firm or organization name
        iv.   the name and type of the printer you printed the document on
        v.    document revisions, including deleted text that is no longer visible on the screen
        vi.   document versions
        vii.  information about any template used to create the file
        viii. hidden text
        ix.   comments
    b. Removing Metadata
        i.   Microsoft
            1. Disable the “allow fast saves” feature.
            2. Run “Inspect Document” and remove flagged items. The location of “Inspect Document” will vary depending on your software version. In 2010, it is located under File->Info->Check For Issues.
            3. Third party software will help identify and clean metadata from your documents if it is necessary to send documents in native format. Verify appropriate software with the IT department.
        ii.  WordPerfect
            1. Uncheck Save Undo/Redo items with document. That setting can allow a reader to view hundreds of past changes in terms of what text was cut, copied and even deleted from the document.
            2. There is no software program that easily and automatically removes metadata from WordPerfect documents.
        iii. Converting to PDF
            1. Converting files to PDF format with Adobe Acrobat or other PDF creators will usually strip out most metadata.
            2. In Acrobat, select File, then Document Properties to view the summary metadata information within a PDF file. Add further restrictions on how the document can be accessed, used, copied and printed in the Security Options settings as needed.
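    The metadata items listed in the Definition above can be checked before a document leaves the firm. The following is an added example in Python, standard library only; it is not part of the policy template and not Microsoft’s tooling. It relies on the fact that a Word, Excel or PowerPoint file is a zip archive in which the author, last editor, revision count, company and template names are stored in the docProps/core.xml and docProps/app.xml parts. The sample document it builds is constructed for the example and every name in it is made up.

```python
"""Inspect and blank the package metadata in an Office (OOXML) document.

Added example, not part of the policy template. The sample .docx built
below is constructed inline; all names in it are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Keep the conventional prefixes when ElementTree re-serialises the parts;
# app.xml uses the extended-properties namespace as its default namespace.
for _prefix, _uri in NS.items():
    ET.register_namespace("" if _prefix == "ep" else _prefix, _uri)

# Policy items (author name, company, template, edit history) and where OOXML keeps them.
CORE_FIELDS = {                        # docProps/core.xml
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "revision": "cp:revision",
}
APP_FIELDS = {                         # docProps/app.xml
    "company": "ep:Company",
    "template": "ep:Template",
    "total_edit_minutes": "ep:TotalTime",
}

# Constructed sample parts: the minimum a .docx needs, plus the metadata above.
CONTENT_TYPES_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="xml" ContentType="application/xml"/></Types>')
CORE_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<cp:coreProperties'
    b' xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
    b' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"'
    b' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    b'<dc:creator>Alice Example</dc:creator><cp:lastModifiedBy>Bob Example</cp:lastModifiedBy>'
    b'<cp:revision>7</cp:revision>'
    b'<dcterms:created xsi:type="dcterms:W3CDTF">2024-01-01T00:00:00Z</dcterms:created>'
    b'</cp:coreProperties>')
APP_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
    b'<Template>Normal.dotm</Template><TotalTime>95</TotalTime><Company>Example Firm LLP</Company>'
    b'</Properties>')
DOCUMENT_XML = (
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body><w:p><w:r><w:t>Draft engagement letter</w:t></w:r></w:p></w:body></w:document>')


def build_sample_docx():
    """Return the bytes of a constructed sample .docx carrying the metadata above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def _collect(zf, member, fields):
    """Read one XML part and return {label: text} for the fields that are set."""
    if member not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(member))
    found = {}
    for label, tag in fields.items():
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[label] = el.text
    return found


def list_office_metadata(docx_bytes):
    """Report the identifying package metadata present in an OOXML document."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        meta = _collect(zf, "docProps/core.xml", CORE_FIELDS)
        meta.update(_collect(zf, "docProps/app.xml", APP_FIELDS))
    return meta


def strip_office_metadata(docx_bytes):
    """Return a copy of the document with the fields above blanked.

    Only the package properties are cleared. Tracked revisions, comments and
    hidden text live in word/document.xml and are not touched here; that is
    what the application's own "Inspect Document" step covers.
    """
    parts = {"docProps/core.xml": CORE_FIELDS, "docProps/app.xml": APP_FIELDS}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            fields = parts.get(info.filename)
            if fields:
                root = ET.fromstring(data)
                for tag in fields.values():
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = ""   # blank the value but keep the element so the part stays valid
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)   # every other part is copied unchanged
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", list_office_metadata(sample))
    print("after: ", list_office_metadata(strip_office_metadata(sample)))
```

    To run it against a real file, pass the bytes of a .docx (or .xlsx/.pptx, which use the same docProps layout) to list_office_metadata before sending and to strip_office_metadata if the native format must go out. The caveat in the docstring matters for the policy: revisions and comments are document content, not package properties, so this check does not replace the “Inspect Document” step or conversion to PDF.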

    IX. REMOTE ACCESS
    a. Persons Affected – <FIRM NAME> employees, consultants, vendors, contractors, students, and others who use mobile computing and storage devices on the network at the <FIRM NAME>.
    b. General Standards – It is the responsibility of <Firm Name> employees, contractors, vendors and agents with remote access privileges to <Firm Name>’s corporate network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to <Firm Name>.
    c. Requirements
        i.    Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase see the Password policy.
        ii.   At no time should any <Firm Name> employee provide their login or e-mail password to anyone, not even family members.
        iii.  <Firm Name> employees and contractors with remote access privileges must ensure that their <Firm Name>-owned or personal computer or workstation, which is remotely connected to <Firm Name>’s corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
        iv.   <Firm Name> employees and contractors with remote access privileges to <Firm Name>’s corporate network must not use non-<Firm Name> e-mail accounts (e.g., Hotmail, Yahoo, AOL), or other external resources to conduct <Firm Name> business, thereby ensuring that official business is never confused with personal business.
        v.    Routers configured for access to the <Firm Name> network must meet minimum authentication requirements.
        vi.   Reconfiguration of a home user’s equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
        vii.  Non-standard hardware configurations must be approved by the IT department, and <Firm Name> must approve security configurations for access to hardware.
        viii. All PCs, laptops and workstations that are connected to <Firm Name> internal networks via remote access technologies must use the most up-to-date anti-virus software (place URL to corporate software site here); this includes personal computers.
        ix.   Personal equipment that is used to connect to <Firm Name>’s networks must meet the requirements of <Firm Name>-owned equipment for remote access.
        x.    Individuals who wish to implement non-standard Remote Access solutions to the <Firm Name> production network must obtain prior approval from the IT department.
    d. Mobile Computing and Storage Devices
        i.   Items covered – Mobile computing and storage devices include, but are not limited to: laptop computers, plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, smartphones, tablets, wireless networking cards, and any other existing or future mobile computing or storage device, either personally owned or <Firm Name> owned, that may connect to or access the information systems at the <FIRM NAME>.
        ii.  Risks – Mobile computing and storage devices are easily lost or stolen, presenting a high risk for unauthorized access and introduction of malicious software to the network at the <FIRM NAME>. These risks must be mitigated to acceptable levels.
        iii. Encryption – Portable computing devices and portable electronic storage media that contain confidential, personal, or sensitive <FIRM NAME> information must use encryption or equally strong measures to protect the data while it is being stored.
        iv.  Database – Databases or portions thereof, which reside on the network at the <FIRM NAME>, shall not be downloaded to mobile computing or storage devices.
        v.   Minimum Requirements:
            1. Report lost or stolen mobile computing and storage devices to the IT department.
            2. Non-departmentally owned devices that may connect to the <FIRM NAME> network must first be approved by the IT department.
            3. Compliance with the Remote Access policy is mandatory.
    e. Virtual Private Network (VPN)
        i.   Persons affected – This policy applies to all <Firm Name> employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the <Firm Name> network.
        ii.  Connectivity – Approved <Firm Name> employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a “user managed” service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.
        iii. Requirements
            1.  It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to <Firm Name> internal networks.
            2.  VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.
            3.  When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped.
            4.  Dual (split) tunneling is NOT permitted; only one network connection is allowed.
            5.  VPN gateways will be set up and managed by <Firm Name>’s IT department.
            6.  All computers connected to <Firm Name> internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
            7.  VPN users will be automatically disconnected from <Firm Name>’s network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
            8.  The VPN concentrator is limited to an absolute connection time of 24 hours.
            9.  Users of computers that are not <Firm Name>-owned equipment must configure the equipment to comply with <Firm Name>’s VPN and Network policies.
            10. Only <Firm Name>-approved VPN clients may be used.
            11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of <Firm Name>’s network, and as such are subject to the same rules and regulations that apply to <Firm Name>-owned equipment, i.e., their machines must be configured to comply with <Firm Name>’s Security Policies.

    X. EMPLOYEE TERMINATION
    a. Removing access – An employee’s credentials shall be inactivated immediately upon termination of employment. This includes, but is not limited to, the following:
        i.   <Firm Name>’s database
        ii.  Workstation access
        iii. E-mail access
        iv.  Remote access to <Firm Name>’s network
        v.   VPN client access
        vi.  Any other access to <Firm Name>’s network or programs
    b. Returning mobile devices – Any employee in possession of firm portable devices shall return such devices before exiting the premises on their final day of employment. Mobile devices include, but are not limited to, the following:
        i.   <Firm Name>-owned smartphone
        ii.  <Firm Name>-owned tablet
        iii. Laptop
        iv.  USB drive
        v.   CD or DVD containing <Firm Name> client information

    XI. VISITOR AND CONTRACTOR ACCESS
    a. Permission – Visitors who require internet network access will need permission from the IT department. After credentials are arranged, activities on the network will be subject to the Acceptable Use policy. Visitor use of employee credentials is not permitted under any circumstances.
    b. Contractors – Contractors making changes to the network should notify the IT department if any interruption of services is anticipated. Prior arrangement should be made to notify all staff of the interruption if possible.
    c. Remote Access – Remote access to <Firm Name> networks is governed by the <Firm Name> Remote Access policy.

    XII. ENFORCEMENT
    a. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.