IT Security Policy
Management of Security
The first stage in the implementation of the 3 stage model is the appointment of a 'trustworthy' employee to the position of system administrator (SA). The position is dependent upon the security level required and the size of the company, along with the budget allocated for the position.
Policy is the first and most important tool that must be agreed upon by the management team prior to any IT infrastructure being put in place. It shows a commitment to the further development of IT within the company and initialises the future developments due to new technology or changing markets.
A senior manager would normally take full responsibility for IT security within the organisation. The security policy document should be one that is workable and dynamic within the organisation's functions. The security policy should state the broad general aims of security.
The policy should also take into consideration the various Acts in legislation so as not to impinge on any person's rights to data protection or copyright etc. Staff should also be kept aware of all developments of the policy as it goes along, and they should be asked to report any breaches of security or threats that they are aware of. An example of this could be a virus downloaded onto a staff member's computer from an external floppy disk. The policy is the framework for an overall IT policy within the organisation. Lastly, the policy must be monitored at some level to ensure that staff are adhering to it, and to see if the policy is working as it should and not unduly hindering staff members in their working roles.
Awareness can be instilled in the organisation by training new employees in the methods of operating securely such as how documentation of security procedures occurs and reminders of the various levels of security throughout the business.
Again this starts from an employee dealing with individual customer queries by email, to an employee that may be brokering deals with major new customers within the area of business. Security awareness will undoubtedly be higher for the latter employee.
In general, employees should see the value of the IT security policy and be aware of its benefit to the company. Should they feel that the security is lacking, their comments and suggestions must be given attention, which in turn helps promote a higher awareness and the protection of the organisation's information assets.
Personnel Management
IT security depends wholly on the employees that carry it out from day to day. If staff are aware of the security issues and the confidential nature of the individual's work in relation to outside competitors, then the security battle is half won. Awareness and co-operation have been dealt with, but should new staff members be employed then the IT security policy should be pressed home with the personnel. And as mentioned, training and promotion of awareness should be made at an early stage.
New staff should be given enough security clearance within the systems to allow them to perform their tasks without hindrance; they should not be given free access to any systems that are irrelevant to the daily performance of their job. A good example of these restrictions on staff would be the ability to delete, update or reorganise systems and applications that have been set up by the SA, although within each of these employees' roles that function may be necessary for the daily performance of their particular tasks. 'Job functions should be organised so that there is little and preferably no interaction between people undertaking different duties. Social contact should not be discouraged but detailed involvement in each other's work can lead to distraction, interference or, at worst, collusion in fraud.' (Elbra, nd, Pg.18)
This entirely depends on the type of company and again the level of internal security required.
Split authority is necessary where a sensitive function should and must be carried out by more than one person. An example of this would be where it may be necessary for two different key holders to open a server room that hosts the organisation's entire information source. Important functions should not be restricted to the capability of one person, which makes sense within a small to medium enterprise as mentioned earlier. People who leave the organisation or have been dismissed should have their access rights and passwords revoked at the appropriate time, dependent on the circumstances.
Logs and monitoring of IT activity must be kept by a senior IT security person for a period of 90 days; a policy on this must be signed by all employees.
IT Security Policy [PC, Intranet & Internet]
KPMG's global survey on E-fraud found that companies underestimated the internal threat to IT security. 'Although most of the respondents thought hackers, poor implementation of security policies and lack of employee awareness were the greatest threats to their systems. In reality, disgruntled or former employees, or external service providers who have a long-term relationship with the company, are most likely to commit an attack, or cause a security breach...'
PC and Security Guidelines for Users
This is a sample security document that informs each PC user of their responsibility when using equipment owned by their organisation. It covers the following:
PC Ownership
Informs the user of the company's Fixed Asset Register [if applicable]. This register identifies the user the PC is assigned to and the location of that PC. If the location is changed or the PC is reassigned, the administrator must be informed by the user or their manager.
Copyright/Licensing Law
The policy is used to inform the PC user that software and documentation purchased by their organisation is controlled by the appropriate copyright and licensing laws. Software may only be installed on the hardware it was intended for. Every installation of software must have a licence which matches the unique serial number of that software. The combination of these two items is proof of ownership. Unauthorised copies of software must not be made or used. The same serial number appearing on more than one PC is only allowed if the extra licences needed have been purchased. If unlicensed software is installed, the organisation is open to prosecution by the Federation Against Software Theft (FAST). FAST has considerable statutory powers to investigate and regulate all software licensing.
Any software or documentation developed by their organisation is protected by copyright and licensing laws and is restricted in use to authorised employees, agents or subcontractors of the organisation.
Any infringement of the copyright laws could leave the organisation and its employees [under software piracy laws] open to prosecution.
Security
It is the responsibility of the user to ensure that if confidential information is stored on their PC, it should be moved to secure office accommodation to prevent its use by unauthorised persons. If the PC, its hard disk, disks or tape storage device have to be moved, particular care should be taken to ensure they are not lost, stolen or damaged. Users who use portable/laptop computers are responsible for the security of their computer equipment, software and data.
Passwords
Users' passwords are confidential and it is the user's responsibility to ensure that their password is not disclosed to any other person, including IT employees. If it is necessary for a user to write down their password, it should be placed in a sealed envelope and kept by their manager/supervisor. A screen saver password will protect your data if you have to leave your desk temporarily. This feature should not be disabled. All passwords expire after 90 days and must be changed at the first logon attempt after this time. Passwords must be at least 8 characters and must not be dictionary words. Ideally they should be made up of letters, digits and special characters.
If a user suspects:
- that their password is known, they should have it changed by contacting their IT helpdesk immediately
- that there has been an unauthorised attempt to log onto their PC, they should contact the IT helpdesk manager immediately.
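The password rules above (minimum 8 characters, no dictionary words, letters/digits/specials, 90-day expiry) as a small checker a helpdesk or provisioning script could run. This is an added example, not part of the sample policy: the word list is a constructed stand-in for a real dictionary, and treating the "ideally" character classes as hard requirements is an assumption.

```python
import re
from datetime import date, timedelta

# Policy parameters stated in the guidelines.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
# Constructed, deliberately tiny word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "letmein", "summer", "company"}


def policy_violations(password: str) -> list[str]:
    """Return the rules the candidate password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Reject a bare dictionary word and the common "word plus trailing digits" variant.
    stripped = re.sub(r"\d+$", "", lowered)
    if lowered in DICTIONARY or stripped in DICTIONARY:
        problems.append("based on a dictionary word")
    # Assumption: the "ideally" mix of letters, digits and specials is enforced as a requirement.
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once 90 days have elapsed, so the user must change it at the next logon.

    Assumption: day 90 itself counts as expired.
    """
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "welcome123", "Ab1!xyz"):
        print(candidate, "->", policy_violations(candidate) or "OK")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 3, 31)))
```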
Viruses
Anti-virus software is installed on every organisation PC; it is there to protect all data on these PCs. Viruses are computer programs that are designed to be disruptive, harmful and to corrupt data. Viruses can enter the PC in two ways:
- Over the network link to the PC; it may be contained within an e-mail or downloaded from a website
- Installed onto the PC from a floppy disk or a CD. Many computer games contain viruses, and their use is prohibited on all organisation PCs. Run a virus check on all software before loading it onto your PC.
Disks
Advice on how to handle disks and a warning that their mishandling will result in the loss of data. The disks should be kept in secure disk storage boxes and kept away from any equipment which may contain magnetic fields, such as monitors, telephones etc. Use the write-protect tabs on each disk to prevent accidentally writing over important data on that disk.
If a disk is being used regularly, it is important to examine and replace any suspect disks by copying the data to a new disk.
Back-up
Advise the user on how best to back up their data and the security advantages of carrying out regular back-ups. Tell them which files to back up daily (only the files they have worked on that day), weekly (all the critical files) and monthly (all the data files). By following this procedure, in the event of a crash or virus attack the most data that will be lost will be one day's worth.
Additional Software/Hardware
The procedures to be followed if any non-supported hardware/software is required.
Training
A contact phone number, e-mail address or Intranet address for details of available IT courses.
Support/Help
A contact phone number, including times of operation should the user need any support/help in using hardware/applications.
Email and Internet Usage
'We advise clients on establishing appropriate and practical policies with respect to employees' use of the Internet and e-mail. This area also covers matters such as the ownership of intellectual property rights in works created by employees during the period of employment. Given the importance to our clients of ensuring that they maintain these intellectual property rights, we regularly draft employee agreements to ensure that our clients' rights in these matters are respected.' (William Fry, nd)
Code of Conduct
This is a sample Code of Conduct document that specifies the basic principles for Internet and Email use.
Business Use only
The Internet or email service is to be used for legitimate business reasons only. The simple guideline is to treat the use of the Internet/email as you would any other form of communication, such as the telephone.
Email communications with clients should be treated the same as letters or faxes and are subject to the same organisational standards.
Retrieval of Information
It is forbidden to download any software or images without reference to IT support. Such actions can leave the organisation's network exposed to malicious code or a virus attack. Illegal or unlicensed programs/images that are downloaded can leave the organisation in violation of copyright law.
No employee may send on behalf of the organisation any e-mail, or posting to a bulletin board, which:
- May damage the reputation of the organisation or one of its clients
- Is illegal, defamatory, libellous, obscene or offensive
- May be considered by a reasonable person to cause distress, or sexual, racial or other harassment
- May cause discrimination
- Infringes copyright law
- Constitutes spamming