Acceptable Use Policy

SANS (www.sans.org) provides a wide range of security policies freely available on its website. The policies in this chapter are based on those publicly available policies, so visiting SANS can complement what you learn from and implement based on this chapter. We will use a fictitious company called Granite Systems and show how it based its policies on those recommended by SANS.

In this policy, the company’s IT security department is known simply as the Corporate Security Team for Granite Systems. Granite Systems and other Granite Systems–specific departments appear in italics throughout the policy; if you want to reuse this policy, you can replace these designations with your own.

Policy Overview

The Corporate Security Team’s intentions for publishing an Acceptable Use Policy are not to impose restrictions contrary to Granite Systems’ established culture of openness, trust, and integrity. Corporate Security is committed to protecting Granite Systems’ employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/intranet/extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of Granite Systems. These systems are to be used for business purposes that serve the interests of the company, its clients, and its customers.

Effective security is a corporatewide team effort involving the participation and support of every Granite Systems employee, contractor, business partner, or any affiliates who deal with information and information systems. It is the responsibility of every computer user to know the guidelines contained within this security policy and to conduct their activities accordingly.

Purpose

The purpose of this security policy is to outline the acceptable use of computer equipment at Granite Systems. These rules are in place to protect the employee and Granite Systems. Inappropriate use exposes Granite Systems to risks, including but not limited to virus attacks, compromise of network systems and services, and legal issues.

Scope

This security policy applies to employees, contractors, consultants, temporaries, and other workers at Granite Systems, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Granite Systems, to include personal equipment that might come in contact with the corporate IT infrastructure.

General Use and Ownership

1. Although Granite Systems’ Corporate Security Team wants to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of Granite Systems. Because of the need to protect Granite Systems’ network, management cannot guarantee the confidentiality of information stored on any network device belonging to Granite Systems.

2. Employees are responsible for exercising good judgment about the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/intranet/extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use and, if there is any uncertainty, employees should consult their supervisor or manager.

3. The Corporate Security Team recommends that any information that users consider sensitive or vulnerable be encrypted. For guidelines on information classification, see the Corporate Security Team’s Information Sensitivity Policy. For guidelines on encrypting email and documents, see the Corporate Security Team’s Awareness Initiative.


Note

In many cases, you will see a security policy that references other policies within an organization. This is reasonable and considered a best practice because it keeps each policy specific to the topic at hand. Consider the preceding points, which reference encryption of data. Realistically, everyone within an organization must read and sign an acceptable use security policy; compare that to the people who would be expected to encrypt data, a vastly different list and type of person. Thus, these policies are kept separate, thereby preventing confusion on the part of the user.


4. For security and network maintenance purposes, authorized individuals within Granite Systems may monitor equipment, systems, and network traffic at any time, per the Corporate Security Team’s Audit Policy.

5. Granite Systems reserves the right to audit any and all networks and related systems on a periodic or ad hoc basis to ensure compliance with this policy.


Note

Items 4 and 5 are key. They notify all personnel that your organization can and will monitor and audit the network in all ways, both regularly and as needed. It is crucial for these statements to be present because they let employees know that they will be watched in some fashion.


Security and Proprietary Information

1. The user interface for information contained on Internet/intranet/extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, the details of which can be found in the Granite Systems Human Resources policies. Examples of confidential information include but are not limited to the following:

• Company private or confidential

• Corporate strategies or projections

• Competitor-sensitive or competitive analyses

• Trade secrets, patents, test results

• Specifications, operating parameters

• Customer lists and data

• Research data

Employees should take all necessary steps to prevent unauthorized access to this information. If an employee suspects that such information has been released outside the company, he should notify Corporate Security immediately.

2. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their own passwords and accounts. System-level passwords should be changed quarterly; user-level passwords should be changed every six months, but this might vary by organization requirements.

3. All PCs, laptops, and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Ctrl-Alt-Delete for WinXP users) when the host will be unattended.


Note

The items discussed in 2 and 3 presuppose that best practices are being used. This means there is a dependency that servers require users to change passwords and that these passwords follow specific guidelines, as you will see later in the section, “Password Policy.”


4. Use strong encryption of information in compliance with the Corporate Security Acceptable Encryption Use policy.

5. Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Tips.”

6. Postings by employees from a Granite Systems email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of Granite Systems, unless the posting is in the course of business duties.

7. All hosts used by the employee that are connected to the Granite Systems Internet/intranet/extranet, whether owned by the employee or Granite Systems, shall be continually executing approved virus-scanning software with a current virus database.


Note

This portion of the policy reflects the strong trend of people checking email from multiple PCs and different physical locations. Consider an employee who might check her free web mail service at work and download a file that contains a virus without realizing it. The goal here is to ensure that, when at work, an approved virus checker catches this virus. However, if the employee accesses the same email from a home PC that she also uses to connect to the corporate network, the vulnerability and its ramifications should be closely considered.


8. Employees must use extreme caution when opening email attachments received from unknown senders that might contain viruses, email bombs, or Trojan horse code (malicious code). When in doubt, employees are advised to manually scan the attachment, view the original message headers, and contact Corporate Security before opening it.

Unacceptable Use

The following activities are, in general, prohibited. Employees can be exempted from these restrictions during the course of their legitimate job responsibilities. (For example, systems administration staff might have a need to disable the network access of a host if that host is disrupting production services.)

Under no circumstances is an employee of Granite Systems authorized to engage in any activity that is illegal under local, state, federal, or international law while using Granite Systems-owned resources.

The lists that follow are by no means exhaustive, but they attempt to provide a framework for activities that fall into the category of unacceptable use. If an employee has any questions about the appropriateness of an action, he should contact Corporate Security for clarification.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

1. Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property or similar laws or regulations, including, but not limited to the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Granite Systems.

2. Unauthorized copying of copyrighted material including, but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Granite Systems or the end user does not have an active license is strictly prohibited.

3. Exporting software, technical information, encryption software, or technology in violation of international or regional export control laws is illegal. The appropriate employee manager should be consulted prior to export of any material that is in question.


Note

These first several items are imperative for a security policy and an organization on many different levels. Consider what are probably the most vocal and legally active organizations on the Internet:

Recording Industry Association of America (www.riaa.org)

Report Cable Theft (www.cabletheft.com/)

Business Software Alliance (www.bsa.org/)

These organizations monitor theft, pirating, copyright violations, and so on, and prosecute those who engage in these activities. Individuals and businesses have been their primary legal targets; they have been successful and are set to tackle educational institutions and the pirating that goes on from their campuses.


4. Introduction of malicious programs into the network or server (for example, malicious code including viruses, worms, Trojan horses, email bombs, and so on).

5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is done at home.


Note

No one in the company will ever ask for your password. If a technical difficulty occurs, they will reset the password. Never reveal your password to anyone and, if asked, report the request to corporate security immediately.


6. Using a Granite Systems computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.

7. Making fraudulent offers of products, items, or services originating from any Granite Systems account.

8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.

9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging in to a server or account that the employee is not expressly authorized to access, unless such access is within the scope of the employee’s regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, any denial of service, and forged routing information for malicious purposes.

10. Port scanning or security scanning (vulnerability assessment or penetration testing in wired or wireless networks) is expressly prohibited unless prior notification has been made to the Corporate Security Team or an authorized company executive.

11. Executing any form of network monitoring that will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job duties.

12. Circumventing user authentication or security controls of any host, network, or account.

13. Interfering with or denying service to any user other than the employee’s host (for example, any denial of service attack).

14. Using any program/script/command, or sending messages of any kind with the intent to interfere with or disable a user’s terminal session via any means, locally or via the Internet/intranet/extranet.

15. Providing information about or lists of Granite Systems employees to parties outside Granite Systems.

Email and Communications Activities

1. Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).

2. Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.

3. Unauthorized use or forging of email header information, or, in some cases, the use of email encryption to obscure data.

4. Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.

5. Creating or forwarding “chain letters,” “Ponzi,” or other “pyramid” schemes of any type.

6. Use of unsolicited email originating from within Granite Systems’ networks of other Internet/intranet/extranet service providers on behalf of, or to advertise, any service hosted by Granite Systems or connected via Granite Systems’ network.

7. Posting the same or similar nonbusiness-related messages to large numbers of Usenet newsgroups (newsgroup spam) or to social networking sites.

Enforcement

Any employee found to have violated this policy might be subject to disciplinary action, up to and including termination of employment and involvement of law enforcement if necessary.

Conclusion

Every security policy should end with a few common elements to clear up any potential miscommunication and confusion on the part of the users now that they understand what is permitted and what is not:

1. Enforcement: The main element is the enforcement and the ramifications to an employee if these policies are violated.

2. Definitions: Not every employee or user will understand some of the terminology used in a policy; therefore, it is a good idea to provide yet another level of clarification by defining industry-specific terms.

3. Revisions: Changes are always applied to policies such as these, and their sources vary with time: a change in management, new laws or a clarification of older laws, new threats against your network’s security, a decision by your company to become certified (for example, ISO), or perhaps new technology that needs to be covered. All these factors might require a policy change, and it is wise to document the changes.

Although these kinds of policies have a tendency to upset people who think they are entitled to something from their employer, the policies are not about entitlement; they are there to contribute to the company’s business goals. This fundamental truth enables the policy to protect the company, its employees, and everyone associated with it. Quoting from Star Trek II: The Wrath of Khan, “The needs of the many outweigh the needs of the few.” Being one of a few power users in my organization, I do not look forward to approving policies; however, it is the right thing to do for the company.
