module 03



Security Policies

Security Policies


Students name

Course Name_ year_ term quarter Rasmussen College

Professor’s Name

Deliverable 3: Security Policies

Access Control Policy

1.0 Purpose

The purpose is to implement policies and procedures to ensure that physical access controls exist that ensure that all cardholder data can only be accessed by authorized personnel.

2.0 Scope

This policy applies to all <company name> employees, contractors, consultants, and temps who utilize <company name> IT resources described herein their assigned job responsibilities.

3.0 Policy

3.1 Facility Access

1. Facility entry controls will be implemented to limit and monitor physical access to systems that process or transmit cardholder data.

2. Physical access to publicly accessible network jacks, wireless access points, gateways, and handheld devices will be restricted.

3.2 Visitors

1. Procedures will exist to help personnel to easily distinguish between employees and visitors in areas where cardholder data is accessible.

2. All visitors will be authorized before entering areas where cardholder data is processed or maintained.

3. All visitors will be given a token, such as a badge or access device, which identifies them as non-employees, and will be required to surrender the device before leaving the facility or on the data of expiration.

4. All visitors to sensitive area must complete a visitor’s log which will be maintained for a minimum of three months, unless otherwise restricted by law.

3.3 Media Controls

1. All media back-ups will be stored in a secure location, preferably in an offsite facility, such as an alternate or backup site, or a commercial storage facility.

2. All paper and electronic media (including computers, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data will be physically secured.

3. Strict control will be maintained over the internal and external distribution of any kind of media that contains cardholder data, such that the media is identified as confidential, and will only be sent by secured and traceable courier.

4. Management will approve in advance any and all media being moved from a secured area.

5. Strict control will be maintained over the storage and accessibility of media that contains cardholder data such that it is inventoried securely stored, and protected by a password.

6. Media containing cardholder data will be destroyed when it is no longer needed for business or legal reasons. The means of destruction will be cross-cut shred, incineration or pulping of hardcopy materials. Electronic data will be destroyed using a method (purge, degauss, or shred) which ensures that cardholder data cannot be reconstructed.

3.4 Individual Access

1. All systems and applications which store critical information will require a unique user name for all users.

2. All unique user names will require a password, token device, or biometrics to authenticate the user.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Term Definition


6.0 References

7.0 Revision History

Initial effective date:

Acceptable Encryption Policy

1.0 Purpose

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

2.0 Scope

This policy applies to all <Company Name> employees and affiliates.

3.0 Policy

Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associate's Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric crypto-system keys must be of a length that yields equivalent strength. <Company Name>’s key length requirements will be reviewed annually and upgraded as technology allows.

The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by InfoSec. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Term Definition

Proprietary Encryption An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.

Symmetric Cryptosystem A method of encryption in which the same key is used for both encryption and decryption of the data.

Asymmetric Cryptosystem A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).

6.0 Revision History

Audit Vulnerability Scan Policy

1.0 Purpose

The purpose of this agreement is to set forth our agreement regarding network security scanning offered by the <Internal or External Audit Name> to the <Company Name>. <Internal or External Audit Name> shall utilize <Approved Name of Software> to perform electronic scans of Client’s networks and/or firewalls or on any system at <Company Name>.

Audits may be conducted to:

· Ensure integrity, confidentiality and availability of information and resources

· Investigate possible security incidents ensure conformance to <Company Name> security policies

· Monitor user or system activity where appropriate.

2.0 Scope

This policy covers all computer and communication devices owned or operated by <Company Name>. This policy also covers any computer and communications device that are present on <Company Name> premises, but which may not be owned or operated by <Company Name>. The <Internal or External Audit Name> will not perform Denial of Service activities.

3.0 Policy

When requested, and for the purpose of performing an audit, consent to access needed will be provided to members of <Internal or External Audit Name>. <Company Name> hereby provides its consent to allow of <Internal or External Audit Name> to access its networks and/or firewalls to the extent necessary to allow [Audit organization] to perform the scans authorized in this agreement. <Company Name> shall provide protocols, addressing information, and network connections sufficient for <Internal or External Audit Name> to utilize the software to perform network scanning.

This access may include:

· User level and/or system level access to any computing or communications device

· Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on <Company Name> equipment or premises

· Access to work areas (labs, offices, cubicles, storage areas, etc.)

· Access to interactively monitor and log traffic on <Company Name> networks.

3.1 Network Control.

If Client does not control their network and/or Internet service is provided via a

second or third party, these parties are required to approve scanning in writing if scanning is to occur outside of the <Company Name’s> LAN. By signing this agreement, all involved parties acknowledge that they authorize of <Internal or External Audit Name> to use their service networks as a gateway for the conduct of these tests during the dates and times specified.

3.2 Service Degradation and/or Interruption. Network performance and/or availability may be affected by the network scanning. <Company Name> releases <Internal or External Audit Name> of any and all liability for damages that may arise from network availability restrictions caused by the network scanning,

unless such damages are the result <Internal or External Audit Name>’s gross negligence or intentional


3.3 Client Point of Contact During the Scanning Period. <Company Name> shall identify in writing a person to be available if the result <Internal or External Audit Name> Scanning Team has questions regarding data discovered or requires assistance.

3.4 Scanning period. <Company Name> and <Internal or External Audit Name> Scanning Team shall identify in writing the allowable dates for the scan to take place.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Revision History

<COMPANY NAME> Email Use Policy

1.0 Purpose

To prevent tarnishing the public image of <COMPANY NAME> When email goes out from <COMPANY NAME> the general public will tend to view that message as an official policy statement from the <COMPANY NAME>.

2.0 Scope

This policy covers appropriate use of any email sent from a <COMPANY NAME> email address and applies to all employees, vendors, and agents operating on behalf of <COMPANY NAME>.

3.0 Policy

3.1 Prohibited Use. The <COMPANY NAME> email system shall not to be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any <COMPANY NAME> employee should report the matter to their supervisor immediately.

3.2 Personal Use.

Using a reasonable amount of <COMPANY NAME> resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a <COMPANY NAME> email account is prohibited. Virus or other malware warnings and mass mailings from <COMPANY NAME> shall be approved by <COMPANY NAME> VP Operations before sending. These restrictions also apply to the forwarding of mail received by a <COMPANY NAME> employee.

3.3 Monitoring

<COMPANY NAME> employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system. <COMPANY NAME> may monitor messages without prior notice. <COMPANY NAME> is not obliged to monitor email messages.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Term Definition

Email The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.

Forwarded email Email resent from an internal network to an outside point.

Chain email or letter Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.

Sensitive information Information is considered sensitive if it can be damaging to <COMPANY NAME> or its customers' reputation or market standing.

Virus warning. Email containing warnings about virus or malware. The overwhelming majority of these emails turn out to be a hoax and contain bogus information usually intent only on frightening or misleading users.

Unauthorized Disclosure The intentional or unintentional revealing of restricted information to people, both inside and outside <COMPANY NAME>, who do not have a need to know that information.

6.0 Revision History

Remote Access


The purpose of this policy is to establish an authorized method for controlling mobile computing and storage devices that contain or access information resources at the <Company Name>.


With advances in computer technology, mobile computing and storage devices have become useful tools to meet the business needs at the <COMPANY NAME>. These devices are especially susceptible to loss, theft, hacking, and the distribution of malicious software because they are easily portable and can be used anywhere. As mobile computing becomes more widely used, it is necessary to address security to protect information resources at the <COMPANY NAME>.

Persons Affected:

<COMPANY NAME> employees, consultants, vendors, contractors, students, and others who use mobile computing and storage devices on the network at the <COMPANY NAME>.


It is the policy of the <COMPANY NAME> that mobile computing and storage devices containing or accessing the information resources at the <COMPANY NAME> must be approved prior to connecting to the information systems at the <COMPANY NAME>. This pertains to all devices connecting to the network at the <COMPANY NAME>, regardless of ownership.

Mobile computing and storage devices include, but are not limited to: laptop computers, personal digital assistants (PDAs), plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, modems, handheld wireless devices, wireless networking cards, and any other existing or future mobile computing or storage device, either personally owned or <Organization Name> owned, that may connect to or access the information systems at the <COMPANY NAME>. A risk analysis for each new media type shall be conducted and documented prior to its use or connection to the network at the <COMPANY NAME> unless the media type has already been approved by the Desktop Standards Committee. The Desktop Standards Committee will maintain a list of approved mobile computing and storage devices.

Mobile computing and storage devices are easily lost or stolen, presenting a high risk for unauthorized access and introduction of malicious software to the network at the <COMPANY NAME>. These risks must be mitigated to acceptable levels.

Portable computing devices and portable electronic storage media that contain confidential, personal, or sensitive <COMPANY NAME> information must use encryption or equally strong measures to protect the data while it is being stored.

Unless written approval has been obtained from the Data Resource Manager and Chief Information Security Officer, databases or portions thereof, which reside on the network at the <COMPANY NAME>, shall not be downloaded to mobile computing or storage devices.

Technical personnel and users, which include employees, consultants, vendors, contractors, and students, shall have knowledge of, sign, and adhere to the Computer Use and Information Security Policy Agreement (<COMPANY NAME> 350). Compliance with the Remote Access Standards, the Mobile Media Standards, and other applicable policies, procedures, and standards is mandatory.


Minimum Requirements:

· To report lost or stolen mobile computing and storage devices, call the Enterprise Help Desk at xxx-xxx-xxxx. For further procedures on lost or stolen handheld wireless devices, please see the PDA Information and Procedures section.

· The <COMPANY NAME> Desktop Standards Committee shall approve all new mobile computing and storage devices that may connect to information systems at the <COMPANY NAME>.

· Any non-departmental owned device that may connect to the <COMPANY NAME> network must first be approved by technical personnel such as those from the <COMPANY NAME> Desktop Support. Refer to the Mobile Media Standards for detailed information.

· Submit requests for an exception to this policy to the Information Protection Services Office via the Policy Exception Request form (EXEC 205).

Roles and Responsibilities:

Users of mobile computing and storage devices must diligently protect such devices from loss of equipment and disclosure of private information belonging to or maintained by the <COMPANY NAME> and they must annually complete the <COMPANY NAME> 350. Before connecting a mobile computing or storage device to the network at <COMPANY NAME>, users must ensure it is on the list of approved devices issued by the ISD.

The Enterprise Help Desk must be notified immediately upon detection of a security incident, especially when a mobile device may have been lost or stolen.

The Information Protection Services Office is responsible for the mobile device policy at the <COMPANY NAME> and shall conduct a risk analysis to document safeguards for each media type to be used on the network or on equipment owned by the <COMPANY NAME>.

The Information Systems Division is responsible for developing procedures for implementing this policy. The Desktop Standards Committee will maintain a list of approved mobile computing and storage devices and will make the list available on the intranet.


CD: A compact disc (sometimes spelled disk) is a small, portable, round medium made of molded polymer (close in size to the floppy disc) for electronically recording, storing, and playing back audio, video, text, and other information in digital form.

DVD: The digital versatile disc stores much more than a CD and is used for playing back or recording movies. The audio quality on a DVD is comparable to that of current audio compact discs. A DVD can also be used as a backup media because of its large storage capacity.

Flash Drive: A plug-and-play portable storage device that uses flash memory and is lightweight enough to attach to a key chain. The computer automatically recognizes the removable drive when the device is plugged into its USB port. A flash drive is also known as a keychain drive, USB drive, or disk-on-key. A keychain drive, which looks very much like an ordinary highlighter marker pen, can be used in place of a floppy disk, Zip drive disk, or CD.

Handheld wireless device: A communication device small enough to be carried in the hand or pocket and is also known as a Personal Digital Assistant (PDA). Various brands are available, and each performs some similar or some distinct functions. It can provide access to other internet services, can be centrally managed via a server, and can be configured for use as a phone or pager. In addition, it can include software for transferring files and for maintaining a built-in address book and personal schedule.

Media Type: For the purpose of this policy, the term “media type” is interchangeable with “mobile device.” Not to be confused with media makes, models, or brands.

Media Type Model: Refers to the brand of media device such as Sony, Treo, or IBM.

Mobile Devices: Mobile media devices include, but are not limited to: PDAs, plug-ins, USB port devices, CDs, DVDs, flash drives, modems, handheld wireless devices, and any other existing or future media device.

Modems: A device that modulates and demodulates information so that two computers can communicate over a phone line, cable line, or wireless connection. The connection talks to the modem, which connects to another modem that in turn talks to the computer on its side of the connection. The two modems talk back and forth until the two computers have no further need of either modem’s translation services.

PDA: The Personal Digital Assistant is also known as a handheld. It is any small mobile hand-held device that provides computing and information storage and retrieval capabilities for personal or business use, often for keeping schedule calendars and address book information handy. Many people use the name of one of the popular PDA products as a generic term, such as Hewlett-Packard's Palmtop and 3Com's PalmPilot.

Plug-In: Programs that can easily be installed and used as part of your Web browser. A plug-in application is recognized automatically by the browser, and its function is integrated into the main HTML file that is being presented. Among popular plug-ins is Adobe's Acrobat, a document presentation and navigation program that provides a view of documents just as they look in the print medium. There are hundreds of plug-in devices.

Wireless Networking Cards: Mobile device for wireless internet connectivity from a laptop. This card allows mobile users the ability to access a secured connection to the internet via a specified vendor.

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

© SANS Institute 2006 All Ri

Removable Media

1.0 Overview

Removable media is a well-known source of malware infections and has

been directly tied to the loss of sensitive information in many


2.0 Purpose

To minimize the risk of loss or exposure of sensitive information

maintained by <Company Name> and to reduce the risk of acquiring malware

infections on computers operated by <Company Name>.

3.0 Scope

This policy covers all computers and servers operating in <company


4.0 Policy

<Company Name> staff may only use <Company Name> removable media in

their work computers. <Company Name>removable media may not be

connected to or used in computers that are not owned or leased by the

<Company Name> without explicit permission of the <Company Name> info

sec staff. Sensitive information should be stored on removable media

only when required in the performance of your assigned duties or when

providing information required by other state or federal agencies. When

sensitive information is stored on removable media, it must be

encrypted in accordance with the <Company Name> Acceptable Encryption


Exceptions to this policy may be requested on a case-by-case basis by

<Company Name>-exception procedures.

5.0 Enforcement

Any employee found to have violated this policy may be subject to

disciplinary action, up to and including

termination of employment.

6.0 Definitions

Removable Media: Device or media that is readable and/or writeable by

the end user and is able to be moved from computer to computer without

modification to the computer. This includes flash memory devices such

as thumb drives, cameras, MP3 players and PDAs; removable hard drives

(including hard drive-based MP3 players); optical disks such as CD and

DVD disks; floppy disks and any commercial music and software disks not

provided by <Company Name>.

Encryption: A procedure used to convert data from its original form to

a format that is unreadable and/or unusable to anyone without the

tools/information needed to reverse the encryption process.

Sensitive Information: Information which, if made available to

unauthorized persons, may adversely affect <Company Name>, its programs,

or participants served by its programs. Examples include, but are not

limited to, personal identifiers and , financial information,

Malware: Software of malicious intent/impact such as viruses, worms,

and Spyware.

7.0 Revision History

Original Issue Date:

***Add in Three additional polices***

Rasmussen College