Policies Summary

Each entry gives the policy, the groups it applies to (in parentheses), and any additional requirements as bullets beneath it.

High Level Policy Creation Policy (applies to: Upper Management, Computer Security Officer)

High Level Information System Security Policy (applies to: Upper Management, Computer Security Officer, Users and managers)

Password Policy (applies to: All Users)

Remote Access Policy (applies to: All Users)
  • Define secure remote access methods
  • Define security standards for computers connecting remotely

Computer Training Policy (applies to: All Users)
  • Training and employee testing materials
  • Develop a process to define basic minimum computer and security skills
  • Definitions of job roles requiring additional training and the extent of training required
  • Additional definitions about how violations of this policy shall be handled
  • Additional information about the material to post on posters, login screens, emails and newsletters
  • Develop a process to be sure the training needed to fulfill the organization's objectives is a useful part of the employee's performance plan and career path. The process should ensure the employee gets the training in a timely fashion based on their performance plan needs.
  • Develop a process to identify any gaps in training. For example, examine help desk calls to determine any training gaps.
  • Develop a process to be sure training is in place to support long-term IT plans.
  • Create and maintain a skills database to show training needs, gaps, and achievements. Track employees that have attended training and what training they attended. Determine skills required for the business needs and be sure the training addresses any gaps.
  • A process shall be put into place to ensure that the training team has sufficient knowledge to train users in the appropriate areas. Third parties shall evaluate the training staff annually.
  • A process shall be developed to evaluate the number and type of help desk calls to determine and address:
    • Specific users that need additional training.
    • General areas where additional training is necessary.
  • An annual review of the training program shall be performed to be sure the training program is current with technology trends and the latest security concerns.
  • Alternative training and the most cost-effective strategies are reviewed annually and appropriate changes are made. The effectiveness of intranet-based training combined with testing to certify learning competencies versus traditional classroom training should be evaluated.

Acceptable Use Policy (applies to: All Users)
  • An organizational formal disciplinary process for staff who are found to have violated organizational security policies and procedures must be developed. Organizational members and associates must be made aware of this process.

User Privilege Policy (applies to: Domain Administrators)
  • Domain policies must be created to enforce the User Privilege Policy.

Account Management Policy (applies to: Administrators)
  • An organizational formal disciplinary process for staff who are found to have violated organizational security policies and procedures must be developed.
  • A detailed Account Creation Procedure must be developed.
  • A detailed Account Modification Procedure must be developed.
  • A detailed Account Removal Procedure must be developed.
  • A detailed Password Reset Procedure must be developed.

Browser Configuration Policy (applies to: All Users, Help Desk staff)

Approved Application Policy (applies to: All Users, Help Desk staff, Security?)
  • An Application Approval Procedure defining the process and appropriate officials to approve applications must exist or this policy is not effective.
  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • A Change Management Policy must exist.
  • A Configuration Management Procedure must exist.

Wireless Communication Policy (applies to: All Users, Telecommunications)
  • A Wireless Device Approval Procedure defining the process and appropriate officials to approve wireless makes and models must exist or this policy is not effective.
  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • The offered wireless services must be published.

Network Documentation Policy (applies to: Telecommunications)
  • Management must ensure that this policy is published and appropriate staff agree to abide by the policy.

Network and Server Scanning Policy (applies to: Security, Telecommunications)
  • Keep a list of servers, scan times, and administrator contacts for each server.
  • Monthly scanning, notification, and remediation process - A scanning procedure shall be created for all computer systems to be scanned. For each server to be scanned, a list of people to be notified shall be maintained. For workstations to be scanned, users may be notified using a group email. The process for performing monthly scans, notifying administrators of the results, and the expected remediation steps must be defined in detail, including how to document false positives.
  • Server hardening process - A step-by-step process for building a server, installing applications and services, shutting off unneeded services, patching the server with the latest patches for both the operating system and all applications, and performing a vulnerability scan to determine any additional vulnerabilities must be defined.
  • Firewall rule process - The process for getting firewall rules changed, who performs scans, how soon scans are expected to be done, and who provides approvals under what conditions must be defined.
  • False positive process - A process for reporting false positives from scans must be defined, outlining what is required to show a vulnerability to be a false positive. For example, screenshots or outputs from programs along with additional documentation may be required to show which specific services are running.

Perimeter Security Policy (applies to: Security, Telecommunications)
  • Security perimeter device configurations.
  • Firewall rule change process and security perimeter device change process.
  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed.
  • Devices used to secure the network perimeter must be covered by the disaster recovery and business continuity plans.

Internet DMZ Equipment Policy (applies to: Security, Telecommunications)
  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed.
  • Devices in the DMZ must be covered by disaster recovery and business continuity plans.

Router Security Policy (applies to: Security, Telecommunications)
  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed.
  • Routers must be covered by disaster recovery and business continuity plans.

Telecommunications Communication Policy (applies to: Security, Telecommunications)
  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed.

Surf Control Policy (applies to: Security, All Users, Administrators - Proxy server/web filtering)
  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed.

Internet Connection Policy (applies to: Security, All Users, Administrators - Proxy server/web filtering)

Asset Control Policy (applies to: All Users, Help Desk, Purchasing)
  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed and the asset transfer procedure is effective.
  • Auditors will check the accuracy of the inventory database every six months.
  • Auditors shall check the number of software licenses recorded in the asset database against the number of licenses being used to be sure the organization is in compliance with software licensing requirements.
  • The asset transfer procedure must be kept up to date to reflect current business practices and needs.
  • A software storage procedure related to the change management policy must be developed. This will ensure that new software is inventoried as part of the purchase and implementation process and that changes to software ownership are legal and recorded.
  • A process for acquiring and establishing the owner and custodian of assets in compliance with the change management policy must be created. This process must be communicated to potential custodians and owners of assets. The process must provide for appointing owners based on their knowledge and experience in relation to systems, data and controls along with their business responsibility for the information on the asset. Owners and custodians of assets must agree with the IT development, change management, security, and operations functional areas and processes.
  • An asset tracking database custodian must be assigned by management. The database custodian will not be responsible for the physical security of the assets that are tracked in the database.

Equipment and Media Disposal Policy (applies to: All Users, Help Desk, Telecommunications, Security, Server team)
  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed and the asset disposal procedure is effective.
  • Auditors will check the accuracy of the inventory database every six months.
  • The asset transfer procedure must be kept up to date to reflect current business practices and needs.
  • A data removal procedure covering the removal of data of various sensitivity levels must be created. The process must consider the technologies used to erase the data securely on various media.

Mobile Computer Policy and Mobile Device Policy (applies to: All Users, Help Desk, Security)
  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed.
  • Procedure for scanning mobile computers for malware.
  • Procedure used to secure mobile computers, including patching, hardening, installing anti-virus software with updates, and installing a software firewall.
  • Procedure for configuring computers to encrypt cache information.
  • Procedure for configuring computers to delete temporary information when the session ends.
  • Procedure for encrypting and decrypting sensitive data, which is associated with the Encryption Policy.
  • Memory Device agreement form indicating users agree to abide by the policy to use these devices.
  • If the device has wireless capability it must comply with the Wireless Communication Policy.

IT Equipment Purchase and Failure Prevention Policy (applies to: Server Teams, Security)

Software Tracking Policy (applies to: Help Desk, Purchasing, All Users, Program Development, System Engineering, Project Management)
  • A software tracking database must be created. It is up to the head of the IT department to delegate that responsibility.
  • A software checkout procedure must be developed by the software librarian.
  • A procedure for promoting code from a test environment to a QA environment, then to a production environment must be created.

Software Licensing Policy (applies to: Help Desk, Purchasing, All Users, Program Development, System Engineering, Project Management)
  • Contractors must agree, as part of the terms of their contract, to abide by licensing and copyright laws.
  • Auditors must audit systems for compliance on an annual basis.
  • Auditors must annually audit systems to determine the software being used and determine whether the inventory system accurately reflects the number of users and the number of licenses for the software applications in use.

Intellectual Property Rights Policy (applies to: All Users, Program Development, System Engineering, Project Management)
  • A software tracking database must be created. It is up to the head of the IT department to delegate that responsibility.
  • A software checkout procedure must be developed by the software librarian.
  • A procedure for promoting code from a test environment to a QA environment, then to a production environment must be created.

Virus Protection Policy (applies to: Help Desk, Server team, Security, Auditing, All Users)
  • A list of tested and approved anti-virus products must be created.
  • A list of prohibited file attachments must be created and maintained. Users must be informed about the types of file attachments that are blocked and what happens to email with those types of attachments. A workaround for sending some types of files must be provided to users.
  • Additional instructions/procedures about installing and maintaining specific anti-virus products on workstations and servers must be provided.
  • Auditors should periodically audit servers to be sure anti-virus software is installed and is properly maintained according to this policy.
  • A central log shall be created and virus and security incidents shall be tracked in it. The number and severity of incidents are reported to management.

Patch Management Policy (applies to: Help Desk, Server team, Security, Auditing, Program Development, Telecommunications, All Users)
  • Procedures for updating servers should be written in compliance with the Change Management Policy.
  • Auditors should periodically audit servers to be sure updates are being applied according to policy.
  • Auditors should audit workstations to be sure they are being updated within the designated timeframe.

System Lockdown Policy (applies to: Help Desk, Server team, Security, Auditing, Telecommunications)

Server Monitoring Policy (applies to: Server team, Security, Auditing, Telecommunications)
  • A list of processes that should be running on each server must be created.
  • Files that are required to be backed up should be recorded for each server.
  • Procedures for checking servers should be written and a form should be created, either on paper or in electronic format.
  • Performance of servers should be monitored at least monthly and a baseline performance indicator for all servers should be kept. Server performance reports should be sent to management.
  • Auditors should audit every six months to be sure all servers are being monitored regularly. Auditors must report results to senior management.

Backup and Recovery Policy (applies to: Server team, Security, Auditing, Telecommunications)
  • Files that are required to be backed up should be recorded for each server.
  • Auditors should audit every six months to be sure all servers are being backed up regularly. Auditors must report results to senior management.

Server Documentation Policy (applies to: Server team, Security, Auditing, Telecommunications)

Printer and Computer Naming Policy (applies to: Server team, Auditing, Telecommunications)

IP Address Assignment Policy (applies to: Server team, Auditing, Telecommunications)
  • Determine how to prevent manual setting of IP addresses, which could cause network conflicts. Possibly establish penalties for violation of the policy, such as voiding a contractor's contract.

Audit Trail Policy (applies to: Server team, Auditing, Telecommunications)
  • Procedures for ensuring that automated tools comply with security requirements and auditing requirements must be developed.
  • More detail about what is audited for each system type must be provided. This includes what system, security, and application events are logged on each type of server, such as mail server, print server, file server, web server, and others.
  • Additional detail about the level of access required for the business need, based on system type and interoperability, must be created.

Authentication Mechanism Policy (applies to: Server team, Auditing, Telecommunications, Help Desk, Security, System Engineering)

Computer Center Operations Policy (applies to: Server team, Auditing, Telecommunications, System Engineering, Facilities)