Appendix A. Wireless Policy Essentials

A.1. Wireless position statement

Over the last two years, articles have appeared in the press discussing security problems discovered in the WEP encryption scheme used on many 802.11b wireless networks. Although we are using a form of WEP on our wireless network, the security solution we are implementing uses Cisco technology that mitigates the flaws described in the press to a fairly significant extent.

Normal WEP encryption uses a single encryption key for all wireless transmissions. Current attacks on wireless security involve brute force hacking to obtain that key. Our system provides users with individual encryption keys that change each time they log into the wireless network. This means there is no one single key to hack, and because the keys are not static, the system is much harder to attack.

It is important to remember that WEP is not intended to be the only security used in a wireless network. WEP stands for Wired Equivalent Privacy and was just meant to try to make a wireless connection as hard to “sniff” as that of a wired network. In reality, the Cisco solution that we have deployed at ABC Inc. provides significantly more data privacy than a normal wired network connection.

As with the traditional wire-based network, additional security such as the use of encrypted Web pages using SSL and secure remote logins and file transfers using SSH should still be used for high-valued data transactions. The wireless encryption system only protects your data while it travels over the airwaves. As soon as your data hits the local wireless access point in your building, it flows over the building’s standard wired network and is no longer protected by the wireless encryption system.

Two new wireless security solutions will be available over the next year and a half. The first, called WiFi Protected Access (WPA), is a subset of the still-unfinished IEEE 802.11i security specification and will be usable by both home and enterprise wireless networks. Task Group I is working on 802.11i, which is still on a path to be complete as a fully ratified standard about this time next year.

WPA will work with the majority of 802.11-based products out today once they’ve gone through a firmware/software upgrade. WPA is forward compatible with 802.11i. By the time 11i is ratified around September of next year, WPA version 2.0 is expected with full 802.11i support. Eventually, the Alliance expects to require WiFi products to ship with WPA turned on as a default. The way WPA will work in the enterprise is similar to the setup of any 802.1X authentication system. The clients and access points must have WPA enabled, with authentication handled by an 802.1X authentication server using the Extensible Authentication Protocol (EAP), such as a RADIUS server, with centralized access management. WiFi Protected Access had several design goals:

  • Be a strong security solution
  • Be interoperable
  • Be a security replacement for WEP
  • Be software upgradable on existing WiFi certified products
  • Be applicable for both home and enterprise users and be available immediately

WiFi Protected Access was constructed to provide improved data encryption, which was weak in WEP, and to provide user authentication, which was largely missing in WEP. To improve data encryption, WiFi Protected Access utilizes its Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements including a per-packet key mixing function, a message integrity check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a rekeying mechanism. Through these enhancements, TKIP addresses all WEP’s known vulnerabilities.

Enterprise-level user authentication via 802.1x and EAP addresses the second weakness: WEP has almost no user authentication mechanism. To strengthen user authentication, WiFi Protected Access implements 802.1x and the Extensible Authentication Protocol (EAP). Together, these implementations provide a framework for strong user authentication. This framework utilizes a central authentication server, such as RADIUS, to authenticate each user on the network before they join it, and also employs “mutual authentication” so that the wireless user doesn’t accidentally join a rogue network that might steal its network credentials.
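The Michael MIC and the IV sequencing rule named above are small enough to show in full. The following is an added example, not code from the original appendix or from Cisco or the WiFi Alliance: it implements Michael as specified in IEEE 802.11i (so the standard's published test vectors are reproduced) and shows a receiver applying the TKIP sequence counter (TSC) replay rule before the MIC check. The key, transmitter address and counter values are constructed.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x):
    # Swap the two bytes within each 16-bit half: b3 b2 b1 b0 -> b2 b3 b0 b1.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _michael_block(l, r):
    # The Michael block function b(L, R) from IEEE 802.11i.
    r ^= _rol32(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol32(l, 3)
    l = (l + r) & MASK32
    r ^= _ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """Return the 8-byte Michael MIC of msg under a 64-bit Michael key.

    In TKIP, msg is the MIC input assembled from the MSDU (destination
    address, source address, priority, reserved bytes, then the data);
    the caller supplies it already assembled.
    """
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # Padding per the standard: one 0x5a byte, then 4 to 7 zero bytes so
    # that the total length is a multiple of 4.
    zeros = 4 + (-(len(msg) + 5)) % 4
    padded = msg + b"\x5a" + b"\x00" * zeros
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


class TkipReceiver:
    """Receive-side checks TKIP adds on top of WEP: the TSC replay rule
    carried by the extended IV, then the Michael MIC."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        # Highest TSC accepted per (transmitter address, traffic class).
        self.last_tsc = {}

    def accept(self, ta: str, tid: int, tsc: int, mic_input: bytes, mic: bytes) -> str:
        # Sequencing rule: the 48-bit TSC must strictly increase. A repeated
        # or older counter is a replayed frame and is dropped before the MIC
        # is even computed.
        if tsc <= self.last_tsc.get((ta, tid), -1):
            return "drop: replay"
        if michael(self.mic_key, mic_input) != mic:
            # 802.11i treats MIC failures as evidence of an active attack and
            # invokes countermeasures (rekeying) after repeated failures.
            return "drop: MIC failure"
        self.last_tsc[(ta, tid)] = tsc
        return "accept"


if __name__ == "__main__":
    # First test vector from IEEE 802.11i: all-zero key, empty message.
    print(michael(bytes(8), b"").hex())  # 82925c1ca1d130b8
    rx = TkipReceiver(bytes(8))  # constructed key
    tag = michael(bytes(8), b"")
    print(rx.accept("00:11:22:33:44:55", 0, 1, b"", tag))  # accept
    print(rx.accept("00:11:22:33:44:55", 0, 1, b"", tag))  # drop: replay
```

Michael was designed to run on legacy WEP hardware and provides only about 20 bits of security on its own, which is why the standard pairs it with the replay rule and the countermeasures noted in the comments.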

WiFi Protected Access will be forward-compatible with the IEEE 802.11i security specification currently under development by the IEEE. WiFi Protected Access is a subset of the current 802.11i draft, taking certain pieces of the 802.11i draft that are ready to bring to market today, such as its implementation of 802.1x and TKIP. These features can also be enabled on most existing WiFi certified products as a software upgrade. The main pieces of the 802.11i draft that are not included in WiFi Protected Access are secure IBSS, secure fast handoff, secure deauthentication and disassociation, as well as enhanced encryption protocols such as AES-CCMP. These features are either not yet ready for market or will require hardware upgrades to implement. The IEEE 802.11i specification is expected to be published at the end of 2003.

WiFi Protected Access effectively addresses the WLAN security requirements for the enterprise and provides a strong encryption and authentication solution before the ratification of the IEEE 802.11i standard. In an enterprise with IT resources, WiFi Protected Access should be used in conjunction with an authentication server such as RADIUS to provide centralized access control and management. With this implementation in place, the need for add-on solutions such as VPNs may be eliminated, at least for the express purpose of securing the wireless link in a network.

A.1.1. Typical Wireless Security Architectural Concerns

Normally, wireless networks are outside of the institutional firewall(s). In addition, they use static WEP keys on the WLAN to keep administrative costs low and provide a Network Intrusion Detection (NID) facility to monitor possible attacks emanating from the WLAN to the Internet and other networks. As part of the architecture, it is normally recommended that neither the IP address range nor the domain name of the wireless network be associated with any of the existing internal networks. This will allow for better segregation of wireless traffic and will assist in identifying and filtering traffic to and from this network.

WLANs are normally treated as though they are an untrusted network, like the Internet. Assuming that RF propagation is limited by a thorough site survey and the use of proper antenna and transmitter power settings, the WLAN does not represent any more significant a threat to internal networks than the Internet itself. Because roaming between APs is still in the proprietary domain, it is highly recommended that all APs be purchased from the same vendor. This will ensure that an end station equipped with any 802.11-compatible NIC will be able to roam between APs. In addition, any new vendor-specific security improvements that are introduced may require homogeneous APs.

Concerns over the usage of WEP and its ability to provide adequate security for a network have required additional measures to improve your security. It is useful to think of securing the wireless LAN as you would protect the internal LAN from the public Internet. Using this framework, you could install two firewalls: one at the gateway into your corporate LAN and another between the LAN and the wireless network. The wireless firewall can be configured to pass only VPN traffic. This allows a remote user to connect to the corporate LAN using the VPN. Likewise, a wireless user can authenticate to the wireless infrastructure while still having wireless data encrypted through the VPN tunnel.

By segregating the wireless infrastructure from your wired network, and enabling VPN traffic to pass between them, you create a buffer zone that increases network security. In addition, IPSec, the main IP-layer encryption protocol used in VPN technology, prevents productive traffic sniffing, which will thwart attacks that rely on using WEP for encryption, such as AirSnort. Another advantage of using the VPN approach is that if you’ve already deployed a VPN, your remote users are already familiar with the limitations imposed by it. Getting wireless users to be comfortable with similar limitations should be relatively easy.
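The "pass only VPN traffic" rule for the wireless firewall, as an added example that is not part of the original appendix. It models the rule set for the IPsec VPN described above: only IKE (UDP 500), IKE/ESP over NAT-Traversal (UDP 4500) and ESP (IP protocol 50) between the WLAN segment and the VPN concentrator cross the boundary, so a wireless client reaches the corporate LAN only inside the tunnel. The subnet, addresses and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: the WLAN segment behind the wireless firewall and the
# VPN concentrator on the wired side (192.0.2.0/24 is a documentation range).
WIRELESS_NET = ipaddress.ip_network("10.200.0.0/16")
VPN_GATEWAY = ipaddress.ip_address("192.0.2.10")

# "VPN traffic" for an IPsec VPN: IKE on UDP/500, NAT-Traversal on UDP/4500,
# and ESP itself (IP protocol 50).
VPN_UDP_PORTS = {500, 4500}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "esp", "udp", "tcp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


def wireless_firewall(pkt: Packet) -> str:
    """Decide a packet crossing the wireless/wired boundary: 'allow' or 'deny'."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src in WIRELESS_NET:
        peer = dst        # outbound: a wireless client talking to the wired side
    elif dst in WIRELESS_NET:
        peer = src        # inbound: the wired side answering a wireless client
    else:
        return "deny"     # neither end is on the WLAN; not this firewall's job
    if peer != VPN_GATEWAY:
        return "deny"     # the corporate LAN is reachable only inside the tunnel
    if pkt.proto == "esp":
        return "allow"
    if pkt.proto == "udp" and (pkt.sport in VPN_UDP_PORTS or pkt.dport in VPN_UDP_PORTS):
        return "allow"
    return "deny"         # including plain HTTP, SMB, SSH etc. straight to the LAN


def audit(packets):
    """Apply the rule set to a batch of packets; returns one decision per packet."""
    return [wireless_firewall(p) for p in packets]


if __name__ == "__main__":
    sample = [                                                      # constructed
        Packet("10.200.4.7", "192.0.2.10", "udp", 500, 500),       # IKE to concentrator
        Packet("192.0.2.10", "10.200.4.7", "esp"),                 # tunnelled reply
        Packet("10.200.4.7", "192.0.2.25", "tcp", 51000, 445),     # SMB to a LAN file server
        Packet("10.200.4.7", "198.51.100.9", "tcp", 51001, 80),    # web, bypassing the VPN
    ]
    for pkt, verdict in zip(sample, audit(sample)):
        print(f"{verdict:5}  {pkt.src} -> {pkt.dst} {pkt.proto} {pkt.dport or ''}")
```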

A.2. ABC Inc. InfoSec Risk Assessment Policy

Policy No. 1

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

To empower InfoSec to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.

2.0 Scope

Risk assessments can be conducted on any entity within ABC Inc. or any outside entity that has signed a Third Party Agreement <Insert Link> and the Acceptable Use Policy <Insert Link> with ABC Inc. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.

3.0 Policy

The execution, development, and implementation of remediation programs are the joint responsibility of InfoSec and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the InfoSec Risk Assessment Team in the development of a remediation plan.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Entity: Any business unit, department, group, or third party, internal or external to ABC Inc., responsible for maintaining ABC Inc. assets.

Risk: Those factors that could affect confidentiality, availability, and integrity of ABC Inc.’s key information assets and systems. InfoSec is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form <Insert Link> has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:___________________________________

Summary:__________________________________

A.3. ABC Inc. InfoSec Audit Policy

Policy No. 2

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

To provide the authority for members of ABC Inc.’s InfoSec team to conduct a security audit on any system at ABC Inc. Audits may be conducted to:

  • Ensure integrity, confidentiality, and availability of information and resources
  • Investigate possible security incidents
  • Ensure conformance to ABC Inc. security policies
  • Monitor user or system activity where appropriate
  • Measure and report on risk

2.0 Scope

This policy covers the following:

  • All computer and communication devices that are part of, or associated with, the ABC Inc. Network
  • All information stored on ABC Inc. media (digital and hard copy information)

3.0 Policy

When requested, and for the purpose of performing an audit, any access needed will be provided to members of ABC Inc.’s InfoSec team. This access may include:

  • User level and/or system level access to any computing or communications device
  • Access to information (electronic, hardcopy, etc.) that may be produced, transmitted, or stored on ABC Inc. equipment or premises
  • Access to work areas (labs, offices, cubicles, storage areas, etc.)
  • Access to interactively monitor and log traffic on ABC Inc. networks

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form <Insert Link> has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.4. ABC Inc. InfoSec Acceptable Use Policy

Policy No. 3

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Overview

Information Systems Security’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to ABC Inc.’s established culture of openness, trust, and integrity. Information System Security is committed to protecting ABC Inc.’s employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of ABC Inc. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies at <Insert Link> for further details.

Effective security is a team effort involving the participation and support of every ABC Inc. employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at ABC Inc. These rules are in place to protect the employee and ABC Inc. Inappropriate use exposes ABC Inc. to risks including virus attacks, compromise of network systems and services, and legal issues.

3.0 Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at ABC Inc., including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by ABC Inc.

4.0 Policy

4.1 General Use and Ownership

While ABC Inc.’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of ABC Inc. Because of the need to protect ABC Inc.’s network, management cannot guarantee the confidentiality of information stored on any network device belonging to ABC Inc. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager. Information System Security recommends that any information that users consider sensitive or vulnerable be encrypted. For security and network maintenance purposes, authorized individuals within ABC Inc. may monitor equipment, systems, and network traffic at any time, per Information System Security’s Audit Policy. ABC Inc. reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.2 Security and Proprietary Information

The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines <Insert Link>, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, employee personal data, employee job data, and research data. Employees should take all necessary steps to prevent unauthorized access to this information. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.

All PCs, laptops, and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by locking access to the computer (control-alt-delete for Windows platform users) when the host will be unattended. Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Guidelines” policy.

Postings by employees from an ABC Inc. email address to newsgroups are prohibited unless the posting is in the course of business duties. All hosts used by the employee that are connected to the ABC Inc. Internet/Intranet/Extranet, whether owned by the employee or ABC Inc., shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

4.3. Unacceptable Use

  1. The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
  2. Under no circumstances is an employee of ABC Inc. authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing ABC Inc.-owned resources.
  3. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

  • Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by ABC Inc.
  • Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which ABC Inc. or the end user does not have an active license is strictly prohibited.
  • Exporting software, technical information, encryption software, or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
  • Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  • Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
  • Using ABC Inc. computing assets to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
  • Making fraudulent offers of products, items, or services originating from any ABC Inc. account.
  • Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
  • Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  • Port scanning or security scanning is expressly prohibited unless prior notification to Information System Security is made.
  • Executing any form of network monitoring, which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
  • Circumventing user authentication or security of any host, network, or account.
  • Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
  • Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
  • Providing information about, or lists of, ABC Inc. employees to parties outside ABC Inc.

Email and Communications Activities

  • Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
  • Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
  • Unauthorized use, or forging, of email header information.
  • Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
  • Creating or forwarding “chain letters,” “Ponzi,” or other “pyramid” schemes of any type.
  • Use of unsolicited email originating from within ABC Inc.’s networks or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by ABC Inc. or connected via ABC Inc.’s network.
  • Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
  • Posting of ABC Inc. confidential information by employees is prohibited unless the posting is in the course of business duties.
  • Transmission of ABC Inc.’s confidential information to unauthorized recipients (internal or external) by employees is prohibited unless the posting is in the course of business duties.

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6.0 Definitions

Spam: Unauthorized and/or unsolicited electronic mass mailings.

Junk Mail: Unsolicited email. It is also another term for Spam.

7.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form <Insert Link> has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

8.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.5. ABC Inc. InfoSec Network Policy

Policy No. 4

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

This policy establishes information security requirements for ABC Inc.’s network to ensure that ABC Inc.’s confidential information and technologies are not compromised, and that production services and other ABC Inc. interests are protected.

2.0 Scope

This policy applies to all internal networks, ABC Inc. employees, and third parties who access ABC Inc. networks. All existing and future equipment that falls under the scope of this policy must be configured according to the referenced documents.

3.0 Policy

3.1 Ownership Responsibilities

  1. Network Operations is responsible for the security of the networks and the network’s impact on the corporation. Network managers are responsible for adherence to this policy and associated processes. Where policies and procedures are undefined, network managers must do their best to safeguard ABC Inc. from security vulnerabilities.
  2. Network Operations is responsible for the network’s compliance with all ABC Inc. security policies. The following are particularly important:
    • ABC Inc. Anti-Virus Policy
    • ABC Inc. Dial-in Policy
    • ABC Inc. Extranet Policy
    • ABC Inc. Password Policy
    • ABC Inc. Password Protection Policy
    • ABC Inc. Remote Access Policy
    • ABC Inc. Router Security Policy
    • ABC Inc. Server Security Policy
    • ABC Inc. VPN Security Policy
    • ABC Inc. Wireless Communications Policy
    • ABC Inc. Physical Security Policy
  3. Network Operations is responsible for controlling network access. Access to any given network will only be granted by Network Operations to those individuals with an immediate business need within the network, either short-term or as defined by their ongoing job function. This includes continually monitoring the access list to ensure that those who no longer require access to the network have their access terminated.
  4. Network Operations and/or InfoSec reserve the right to interrupt network connections that impact the corporate production network negatively or pose a security risk.
  5. Network Operations must manage all network IP addresses, which are routed within ABC Inc. networks.
  6. Any network that wants to add an external connection must provide a diagram and documentation to InfoSec with business justification, the equipment, and the IP address space information. InfoSec will review for security concerns and must approve before such connections are implemented. Access to the ABC Inc. network from a third party must use ABC Inc.’s managed firewall.
  7. All user passwords must comply with the Password Policy. In addition, individual user accounts on any network device must be deleted within three days of no longer being authorized. Group account passwords on network computers (Unix, Windows, etc.) must be changed quarterly (once every 3 months). Group accounts must be approved by the IT Network Operations group. For any network device that contains ABC Inc. proprietary information, group account passwords must be changed within three days following a change in group membership.
  8. InfoSec will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified through the completion of the Policy Exception Form.

3.2 General Configuration Requirements

  1. All external network IP traffic must go through a Network Operations maintained firewall.
  2. Original firewall configurations and any changes must be reviewed and approved through the proper IT Operations Change Control process. InfoSec may require security improvements as needed.
  3. Networks are prohibited from engaging in port scanning, network auto-discovery, traffic spamming/flooding, and other similar activities that negatively impact the corporate network and/or non-ABC Inc. networks.
  4. InfoSec reserves the right to audit all network-related data and administration processes at any time, including but not limited to, inbound and outbound packets, firewalls, and network peripherals.
  5. Network gateway devices are required to comply with all ABC Inc. product security advisories and must authenticate against the Corporate Authentication servers.
  6. The password for all network gateway devices must be different from all other equipment passwords in the network. The password must be in accordance with Password Policy. The password will only be provided to those who are authorized to administer the network. There will be no group accounts, and anyone accessing these devices will have an individual account.
  7. In networks where non-ABC Inc. personnel have physical access (e.g., training networks), direct connectivity to the corporate production network is not allowed. Additionally, no ABC Inc. confidential information can reside on any computer equipment in these networks. Connectivity for authorized personnel from these networks can be allowed to the corporate production network only if authenticated against the Corporate Authentication servers, temporary access lists (lock and key), SSH, client VPNs, or similar technology approved by InfoSec.
  8. All network external connection requests must be reviewed and approved by InfoSec. Analog or ISDN lines must be configured to only accept trusted call numbers. Strong passwords must be used for authentication.
  9. All networks with external connections must not be connected to ABC Inc. corporate production network or any other internal network directly or via a wireless connection, or via any other form of computing equipment. A waiver from InfoSec is required where air-gapping is not possible (e.g., Partner Connections to third party networks).

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

DMZ (De-Militarized Zone): This describes networks that exist outside of primary corporate firewalls, but are still under ABC Inc. administrative control.

External Connections: Connections that include (but are not limited to) third-party connections, such as a DMZ, data network-to-network, analog and ISDN data lines, or any other Telco data lines.

Extranet: Connections with third parties that require access to non-public ABC Inc. resources, as defined in InfoSec’s Extranet policy (link).

Firewall: A device that controls access between networks. It can be a PIX, a router with access control lists, or similar security devices approved by InfoSec.

Internal: A network that is within ABC Inc.’s corporate firewall and connected to ABC Inc.’s corporate production network.

Network: A network is any non-production environment, intended specifically for developing, demonstrating, training, and/or testing of a product.

Network Manager: The individual who is responsible for all network activities and personnel.

Network Owned Gateway Device: A network owned gateway device is the network device that connects the network to the rest of ABC Inc.’s network. All traffic between the network and the corporate production network must pass through the network owned gateway device unless approved by InfoSec.

Network Support Organization: Any InfoSec approved ABC Inc. support organization that manages the networking of non-network networks.

Telco: A Telco is the equivalent to a service provider. Telcos offer network connectivity, e.g., T1, T3, OC3, OC12 or DSL. Telcos are sometimes referred to as “baby bells,” although Sprint and AT&T are also considered Telcos. Telco interfaces include BRI, or Basic Rate Interface, a structure commonly used for ISDN service, and PRI, Primary Rate Interface, a structure for voice/dial-up service.

Traffic: Mass volume of unauthorized and/or unsolicited network Spamming/Flooding traffic.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.6. ABC Inc. InfoSec De-Militarized Zone (DMZ) Policy

Policy No. 5

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

This policy establishes information security requirements for all networks and equipment deployed and located in the ABC Inc. “De-Militarized Zone” (DMZ) as well as screened subnets. Adherence to these requirements will minimize the potential risk to ABC Inc. from the damage to public image caused by unauthorized use of ABC Inc. resources, and the loss of sensitive/company confidential data and intellectual property.

2.0 Scope

ABC Inc. networks and devices (including but not limited to routers, switches, hosts, etc.) that are Internet facing and located outside ABC Inc. corporate Internet firewalls are considered part of the DMZ and are subject to this policy. This includes DMZ in primary Internet Service Provider (ISP) locations and remote locations. All existing and future equipment, which falls under the scope of this policy, must be configured according to the referenced documents. This policy does not apply to information systems and components which reside inside ABC Inc.’s corporate Internet firewalls. Standards for these are defined in the Internal Network Security Policy <Link>.

3.0 Policy

3.1. Ownership and Responsibilities

  1. All new DMZs must present a business justification with sign-off at the business unit Vice President level. InfoSec must keep the business justifications on file.
  2. DMZ system owning organizations are responsible for assigning managers, a point of contact (POC), and a backup POC for each system. The DMZ owners must maintain up-to-date POC information with InfoSec and the corporate enterprise management system, if one exists. DMZ system managers or their backup must be available around-the-clock for emergencies.
  3. Changes to the connectivity and/or purpose of existing DMZ system/application and establishment of new DMZ system/applications must be requested through an ABC Inc. Network Support Organization and approved by InfoSec.
  4. All ISP connections must be maintained by an ABC Inc. Network Support Organization.
  5. A Network Support Organization must maintain a firewall device between the DMZ and the Internet.
  6. The Network Support Organization and InfoSec reserve the right to interrupt connections if a security concern exists.
  7. The Network Support Organization will provide and maintain network devices deployed in the DMZ up to the Network Support Organization point of demarcation.
  8. The Network Support Organization must record all DMZ address spaces and current contact information, and this information must be stored in a secure location.
  9. The Network Support Organization is ultimately responsible for their DMZ complying with this policy.
  10. Immediate access to equipment and system logs must be granted to members of InfoSec and the Network Support Organization upon request, in accordance with the Audit Policy.
  11. Individual accounts must be deleted within three days when access is no longer authorized. Group account passwords must comply with the Password Policy and must be changed within three days from a change in the group membership.
  12. InfoSec will address non-compliance waiver requests on a case-by-case basis through the submission of a Policy Exception Form.

3.2. General Configuration Requirements

  1. Internal production resources must not depend upon resources on the DMZ networks.
  2. DMZs must be connected through a firewall to access ABC Inc.’s corporate internal networks. Any form of cross-connection which bypasses the firewall device is strictly prohibited.
  3. DMZs should be in a physically separate room from any internal networks. If this is not possible, the equipment must be in a locked rack or cage with limited access. In addition, the DMZ Manager must maintain a list of who has access to the equipment.
  4. DMZ Managers are responsible for complying with the following related policies:
    1. Password Policy
    2. Wireless Communications Policy
    3. Anti-Virus Policy
  5. The Network Support Organization maintained firewall devices must be configured in accordance with least-access principles and the DMZ business needs. All firewall filters will be maintained by InfoSec.
  6. Original firewall configurations and any changes must be reviewed and approved through proper IT Operations change control processes (including both general configurations and rule sets). InfoSec may require additional security measures as needed.
  7. Traffic from the DMZ to the ABC Inc. internal network, including VPN access, falls under the Remote Access Policy.
  8. All routers and switches not used for testing and/or training must conform to the DMZ Router and Switch standardization documents.
  9. Operating systems of all hosts internal to the DMZ running Internet Services must be configured to the secure host installation and configuration standards. [Add URL link to internal configuration standards].
  10. Current applicable security patches/hot-fixes for any applications that are Internet services must be applied. Administrative owner groups must have processes in place to stay current on appropriate patches/hot-fixes at the first available opportunity.
  11. All applicable security patches/hot-fixes recommended by the vendor must be installed. Administrative owner groups must have processes in place to stay current on appropriate patches/hot-fixes at the first available opportunity.
  12. Services and applications not serving business requirements must be disabled.
  13. ABC Inc. confidential information is prohibited on equipment in DMZs where non-ABC Inc. personnel have physical access.
  14. Remote administration must be performed over secure channels (e.g., encrypted network connections using SSH or IPSEC) or console access independent from the DMZ networks.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment.

5.0 Definitions

Access Control List (ACL): Lists kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).

DMZ (de-militarized zone): Networking that exists outside of ABC Inc. primary corporate firewalls, but is still under ABC Inc. administrative control.

Network Support Organization: Any InfoSec-approved support organization that manages the networking of non-lab networks.

Least Access Principle: Access to services, hosts, and networks is restricted unless otherwise permitted.

Internet Services: Services running on devices that are reachable from other devices across a network. Major Internet services include DNS, FTP, HTTP, etc.

Point of Demarcation: The point at which the networking responsibility transfers from a Network Support Organization to the DMZ. Usually a router or firewall.

Screened Subnet: Screened subnets, or perimeter networks, are networks separated from the internal network by a screening router.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.7. ABC Inc. InfoSec Router Policy

Policy No. 6

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of ABC Inc.

2.0 Scope

All routers and switches connected to ABC Inc. production networks are affected. Routers and switches within the internal networks are not affected. Routers and switches within DMZ areas fall under the DMZ Policy.

3.0 Policy

Every router must meet the following configuration standards:

  1. No local user accounts are configured on the router. Routers must use TACACS+ for all user authentication.
  2. The enable password on the router must be kept in a secure encrypted form. The router must have the enable password set to the current production router password from the router’s support organization.
  3. Disallow the following:
    1. IP directed broadcasts
    2. Incoming packets at the router sourced with invalid addresses, such as RFC 1918 addresses
    3. TCP small services
    4. UDP small services
    5. All source routing
    6. All web services running on router
  4. Use corporate standardized SNMP community strings.
  5. Access rules are to be added as business needs arise.
  6. Router configurations and point of contact(s) must be documented.
  7. Each router must have the following statement posted in clear view:

“UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device.”
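As an added example (not part of the policy and not ABC Inc.’s own tooling), the following Python script audits a saved Cisco IOS running-config against the checklist above, one check per numbered requirement. The IOS command forms it looks for are the standard ones for these settings; the sample configuration, the enable-secret hash and the SNMP community are constructed placeholders.

```python
"""Audit a Cisco IOS running-config text against the Router Policy checklist.

Added example, not part of the policy text. Each check corresponds to one
numbered requirement in section 3.0. SAMPLE_CONFIG is a constructed sample,
not a real ABC Inc. device; its hash values are placeholders.
"""
import re

# RFC 1918 blocks as IOS address/wildcard pairs, for the ingress ACL check.
RFC1918_WILDCARDS = [
    ("10.0.0.0", "0.255.255.255"),
    ("172.16.0.0", "0.15.255.255"),
    ("192.168.0.0", "0.0.255.255"),
]
# Vendor-default community strings; by definition not "corporate standardized".
DEFAULT_COMMUNITIES = {"public", "private"}


def _lines(config):
    """Config lines with trailing whitespace, blanks and '!' separators removed."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.startswith("!")]


def _has(lines, pattern):
    """True if any line matches the regex from its start."""
    rx = re.compile(pattern)
    return any(rx.match(ln) for ln in lines)


def _interfaces(lines):
    """Yield (name, [stripped stanza lines]) for each 'interface' block."""
    name, body = None, []
    for ln in lines:
        if ln.startswith("interface "):
            if name:
                yield name, body
            name, body = ln.split(None, 1)[1], []
        elif name and ln.startswith(" "):
            body.append(ln.strip())
        elif name:  # first non-indented line ends the stanza
            yield name, body
            name, body = None, []
    if name:
        yield name, body


def audit_router_config(config):
    """Return {check name: True if compliant, False if a finding}."""
    lines = _lines(config)
    r = {}
    # 1. No local user accounts; TACACS+ for all user authentication.
    r["no_local_users"] = not _has(lines, r"username \S+")
    r["tacacs_authentication"] = (_has(lines, r"aaa new-model$") and
                                  _has(lines, r"aaa authentication login \S+ group tacacs\+"))
    # 2. Enable password kept as an encrypted 'enable secret', never 'enable password'.
    r["enable_secret"] = _has(lines, r"enable secret ") and not _has(lines, r"enable password ")
    # 3. Disallowed features. Directed broadcast is per interface, so every
    #    interface carrying an IP address must have the explicit 'no' form.
    ip_ifaces = [(n, b) for n, b in _interfaces(lines)
                 if any(x.startswith("ip address") for x in b)]
    r["no_directed_broadcast"] = bool(ip_ifaces) and all(
        "no ip directed-broadcast" in b for _, b in ip_ifaces)
    r["no_tcp_small_servers"] = _has(lines, r"no service tcp-small-servers$")
    r["no_udp_small_servers"] = _has(lines, r"no service udp-small-servers$")
    r["no_source_route"] = _has(lines, r"no ip source-route$")
    r["no_http_server"] = _has(lines, r"no ip http server$")
    # Ingress filtering: an ACL (numbered or named) must deny each RFC 1918 source block.
    r["rfc1918_ingress_filter"] = all(
        _has(lines, rf"\s*(access-list \d+\s+)?deny\s+ip\s+{re.escape(a)}\s+{re.escape(w)}\s+any")
        for a, w in RFC1918_WILDCARDS)
    # 4. SNMP community strings must not be the vendor defaults.
    communities = {m.group(1) for ln in lines
                   for m in [re.match(r"snmp-server community (\S+)", ln)] if m}
    r["snmp_non_default_community"] = not (communities & DEFAULT_COMMUNITIES)
    # 7. The required warning banner must be present.
    r["banner_present"] = "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED" in config
    return r


def findings(config):
    """Names of the failed checks, in checklist order."""
    return [k for k, ok in audit_router_config(config).items() if not ok]


# Constructed sample: compliant except for a leftover local account, one
# interface without 'no ip directed-broadcast', and a default SNMP community.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 5 $1$PLACEHOLDER$hashvalue
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
username admin privilege 15 secret 5 $1$PLACEHOLDER$hashvalue
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 no ip directed-broadcast
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip any any
snmp-server community public RO
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
^C
"""

if __name__ == "__main__":
    for name in findings(SAMPLE_CONFIG):
        print("FINDING:", name)
```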

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Production Network: The “production network” is the network used in the daily business of ABC Inc. Any network connected to the corporate backbone, either directly or indirectly, which lacks an intervening firewall device. Any network whose impairment would result in direct loss of functionality to ABC Inc. employees or impact their ability to do work.

Lab Network: A “lab network” is defined as any network used for the purposes of testing, demonstrations, training, etc. Any network that is stand-alone or firewalled off from the production network(s) and whose impairment will not cause direct loss to ABC Inc. nor affect the production network.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.8. ABC Inc. InfoSec Extranet Policy

Policy No. 7

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

This document describes the policy under which third party organizations connect to ABC Inc. networks for the purpose of transacting business related to ABC Inc.

2.0 Scope

Connections between third parties that require access to non-public ABC Inc. resources fall under this policy, regardless of whether a Telco circuit (such as frame relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for ABC Inc. or to the Public Switched Telephone Network does NOT fall under this policy.

3.0 Policy

3.1 Prerequisites

The following conditions (prerequisites) must be satisfied before extranet usage is granted:

  • Security Review
  • Third Party Connection Agreement
  • Business Case
  • Point of Contact

3.1.1 Security Review

All new extranet connectivity will go through a security review with the InfoSec department. The reviews are to ensure that all access matches the business requirements in the best possible way, and that the principle of least access is followed.

3.1.2 Third Party Connection Agreement

All new connection requests between third parties and ABC Inc. require that the third party and ABC Inc. representatives agree to and sign the Third Party Agreement. This agreement must be signed by the Vice President of the Sponsoring Organization as well as a representative from the third party who is legally empowered to sign on behalf of the third party. The signed document is to be kept on file with the relevant extranet group. Documents pertaining to connections into ABC Inc. DMZs are to be kept on file with the IT Operations Department.

3.1.3 Business Case

All production extranet connections must be accompanied by a valid business justification, in writing, that is approved by a project sponsor. DMZ connections must be approved by the InfoSec Department. Typically this function is handled as part of the Third Party Agreement.

3.1.4 Point Of Contact

The Sponsoring Organization must designate a person to be the Point of Contact (POC) for the extranet connection. The POC acts on behalf of the Sponsoring Organization, and is responsible for those portions of this policy and the Third Party Agreement that pertain to it. In the event that the POC changes, the relevant extranet organization must be informed promptly. A POC must also be identified for the external party to the extranet connection.

3.2 Establishing Connectivity

Sponsoring Organizations within ABC Inc. that wish to establish connectivity to a third party are to file a new site request <Check for correct terminology> with the IT Operations group. The extranet group will engage InfoSec to address security issues inherent in the project. If the proposed connection is to terminate within a DMZ at ABC Inc., the Sponsoring Organization must engage the InfoSec department. The Sponsoring Organization must provide full and complete information as to the nature of the proposed access to the extranet group and InfoSec department, as requested. All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will ABC Inc. rely upon the third party to protect ABC Inc.’s network or resources.

3.3 Modifying or Changing Connectivity and Access

All changes in access must be accompanied by a valid business justification, and are subject to security review. Changes are to be implemented via corporate change management process. The Sponsoring Organization is responsible for notifying the IT Operations group and/or InfoSec when there is a material change in their originally provided information so that security and connectivity evolve accordingly.

3.4 Terminating Access

When access is no longer required, the Sponsoring Organization within ABC Inc. must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean a modification of existing permissions up to terminating the circuit, as appropriate. The IT Operations group must conduct an audit of their respective connections on an annual basis to ensure that all existing connections are still needed, and that the access provided meets the needs of the connection. Connections that are found to be deprecated, and/or are no longer being used to conduct ABC Inc. business, will be terminated immediately. Should a security incident or a finding that a circuit has been deprecated and is no longer being used to conduct ABC Inc. business necessitate a modification of existing permissions, or termination of connectivity, InfoSec and/or the IT Operations group will notify the POC or the Sponsoring Organization of the change prior to taking any action.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Circuit: For the purposes of this policy, circuit refers to the method of network access, whether it’s through traditional ISDN, Frame Relay etc., or via VPN/Encryption technologies.

Sponsoring Organization: The ABC Inc. organization that requested that the third party have access into ABC Inc.

Third Party: A business that is not a formal or subsidiary part of ABC Inc.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.9. ABC Inc. InfoSec Remote Access Policy

Policy No. 8

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

The purpose of this policy is to define standards for connecting to ABC Inc.’s network from any host. These standards are designed to minimize the potential exposure to ABC Inc. from damages which may result from unauthorized use of ABC Inc. resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical ABC Inc. internal systems, etc.

2.0 Scope

This policy applies to all ABC Inc. employees, contractors, vendors, and agents with an ABC Inc.-owned or personally-owned computer or workstation used to connect to the ABC Inc. network. This policy applies to remote access connections used to do work on behalf of ABC Inc., including reading or sending email and viewing intranet web resources. Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems, etc.

3.0 Policy

3.1 General

  1. It is the responsibility of ABC Inc. employees, contractors, vendors, and agents with remote access privileges to ABC Inc.’s corporate network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to ABC Inc.
  2. General access to the Internet for recreational use by immediate household members through the ABC Inc. Network on personal computers is permitted for employees that have flat-rate services. The ABC Inc. employee is responsible to ensure the family member does not violate any ABC Inc. policies, does not perform illegal activities, and does not use the access for outside business interests. The ABC Inc. employee bears responsibility for the consequences should the access be misused.
  3. Please review the following policies for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of ABC Inc.’s network:
    1. Acceptable Use Policy
    2. Virtual Private Network (VPN) Policy
    3. Wireless Communications Policy
  4. For additional information regarding ABC Inc.’s remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., go to the Remote Access Services website.

3.2 Requirements

  1. Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase, see the Password Policy.
  2. At no time should any ABC Inc. employee provide their login or email password to anyone, not even family members.
  3. ABC Inc. employees and contractors with remote access privileges must ensure that their ABC Inc.-owned or personal computer or workstation, which is remotely connected to ABC Inc.’s corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
  4. ABC Inc. employees and contractors with remote access privileges to ABC Inc.’s corporate network must not use non-ABC Inc. email accounts (e.g., Hotmail, Yahoo, AOL), or other external resources to conduct ABC Inc. business, thereby ensuring that official business is never confused with personal business.
  5. Routers for dedicated ISDN lines configured for access to the ABC Inc. network must meet minimum authentication requirements of CHAP.
  6. Reconfiguration of a home user’s equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
  7. Frame Relay must meet minimum authentication requirements of Data Link Connection Identifier (DLCI) standards.
  8. Non-standard hardware configurations must be approved by Remote Access Services, and InfoSec must approve security configurations for access to hardware.
  9. All hosts that are connected to ABC Inc. internal networks via remote access technologies must use the most up-to-date antivirus software (place URL to corporate software site here), this includes personal computers. Third party connections must comply with requirements as stated in the Third Party Agreement.
  10. Personal equipment that is used to connect to ABC Inc.’s networks must meet the requirements of ABC Inc.-owned equipment for remote access.
  11. Organizations or individuals who wish to implement nonstandard Remote Access solutions to the ABC Inc. production network must obtain prior approval from Remote Access Services and InfoSec.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Cable Modem: Cable companies such as AT&T Broadband provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps. Cable is currently available only in certain communities.

CHAP: Challenge Handshake Authentication Protocol (CHAP) is an authentication method that uses a one-way hashing function.

DLCI: The Data Link Connection Identifier (DLCI) is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a frame relay network. DLCI identifies a particular PVC endpoint within a user’s access channel in a frame relay network, and has local significance only to that channel.

Dial-in Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates the digital data of computers into analog signals to send over the telephone lines, then demodulates back into digital signals to be read by the computer on the other end; thus the name “modem” for modulator/ demodulator.

Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:

  • Being logged into the corporate network via a local Ethernet connection, and dialing into AOL or other Internet service provider (ISP).
  • Being on an ABC Inc.-provided Remote Access home network, and connecting to another network, such as a spouse’s remote access.
  • Configuring an ISDN router to dial into ABC Inc. and an ISP, depending on packet destination.

DSL: Digital Subscriber Line (DSL) is a form of high-speed Internet access competing with cable modems. DSL works over standard phone lines and supports data speeds of over 2 Mbps downstream (to the user) and slower speeds upstream (to the Internet).

Frame Relay: A method of communication that incrementally can go from the speed of an ISDN to the speed of a T1 line. Frame Relay has a flat-rate billing charge instead of a per time usage. Frame Relay connects via the telephone company’s network.

ISDN: There are two flavors of Integrated Services Digital Network or ISDN: BRI and PRI. BRI is used for home office/remote access. BRI has two “Bearer” channels at 64 kbit/s (aggregate 128 kbit/s) and 1 D channel for signaling info. PRI is short for Primary-Rate Interface, a type of ISDN service designed for larger organizations. PRI includes 23 B-channels (30 in Europe) and one D-Channel.

One-time password (OTP): A security system that requires a new password every time a user authenticates themselves. OTP generates these passwords using either the MD4 or MD5 hashing algorithms.

Remote Access: Any access to ABC Inc.’s corporate network through a non-ABC Inc.-controlled network, device, or medium.

Split-tunneling: Simultaneous direct access to a non-ABC Inc. network (such as the Internet, or a home network) from a remote device (PC, PDA, WAP phone, etc.) while connected into ABC Inc.’s corporate network via a VPN tunnel.

VPN: Virtual Private Network (VPN) is a method for accessing a remote network via “tunneling” through the Internet.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.10. ABC Inc. InfoSec Dial-In Access Policy

Policy No. 9

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

The purpose of this policy is to protect ABC Inc.’s electronic information from being inadvertently compromised by authorized personnel using a dial-in connection.

2.0 Scope

The scope of this policy is to define appropriate dial-in access and its use by authorized personnel.

3.0 Policy

  1. ABC Inc. employees and authorized third parties (customers, vendors, etc.) can use dial-in connections to gain access to the corporate network through vendor solutions approved and provided by IT Operations. Dial-in access should be strictly controlled, using one-time password authentication. Dial-in access should be requested using the corporate account request process.
  2. It is the responsibility of employees with dial-in access privileges to ensure a dial-in connection to ABC Inc. is not used by non-employees to gain access to company information system resources. An employee who is granted dial-in access privileges must remain constantly aware that dial-in connections between their location and ABC Inc. are literal extensions of ABC Inc.’s corporate network, and that they provide a potential path to the company’s most sensitive information. The employee and/or authorized third party individual must take every reasonable measure to protect ABC Inc.’s assets.
  3. Only IT Operations approved dial-in numbers will be used.
  4. Analog and non-GSM digital cellular phones cannot be used to connect to ABC Inc.’s corporate network, as their signals can be readily scanned and/or hijacked by unauthorized individuals. Only GSM standard digital cellular phones are considered secure enough for connection to ABC Inc.’s network. For additional information on wireless access to the ABC Inc. network, consult the InfoSec Wireless Communications Policy.
  5. For a third party using dial-in or remote access:
    • All connections or accounts must have an expiry date with a duration of 12 months or end of contract, whichever comes first.
    • A new network access request must be submitted to extend the access time period beyond the expiration date.
    • There will be no auto-renewal upon expiration. Connection will be automatically disabled upon expiration date.

Note: Dial-in accounts are considered ‘as needed’ accounts. Account activity is monitored, and if a dial-in account is not used for a period of six months, the account will expire and no longer function. If dial-in access is subsequently required, the individual must request a new account as described above.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.11. ABC Inc. InfoSec VPN Communication Policy

Policy No. 10

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the ABC Inc. corporate network.

2.0 Scope

This policy applies to all ABC Inc. employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the ABC Inc. network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator. Site-to-site VPN connection policies are covered in the Extranet Policy.

3.0 Policy

Approved ABC Inc. employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a “user managed” service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:

  1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to ABC Inc. internal networks.
  2. VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.
  3. When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped.
  4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
  5. VPN gateways will be set up and managed by ABC Inc. network operational groups.
  6. All computers connected to ABC Inc. internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
  7. VPN users will be automatically disconnected from ABC Inc.’s network after 30 minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
  8. The VPN concentrator is limited to an absolute connection time of 24 hours.
  9. Users of computers that are not ABC Inc.-owned equipment must configure the equipment to comply with ABC Inc.’s VPN and Network policies.
  10. Only InfoSec-approved VPN clients may be used.
  11. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of ABC Inc.’s network, and as such are subject to the same rules and regulations that apply to ABC Inc.-owned equipment, i.e., their machines must be configured to comply with InfoSec’s Security Policies.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.12. ABC Inc. InfoSec Wireless Communication Policy

Policy No. 11

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

This policy prohibits access to ABC Inc. networks via unsecured wireless communication mechanisms. Only wireless systems that meet the criteria of this policy or have been granted an exclusive waiver by InfoSec are approved for connectivity to ABC Inc.’s networks.

2.0 Scope

This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, Blackberries, etc.) connected to any of ABC Inc.’s internal networks. This includes any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to ABC Inc.’s networks do not fall under the purview of this policy.

3.0 Policy

3.1 Register Access Points and Cards

All wireless Access Points/Base Stations connected to the corporate network must be registered and approved by InfoSec. These Access Points/Base Stations are subject to periodic penetration tests and audits. All wireless Network Interface Cards (i.e., PC cards) used in corporate laptop or desktop computers must be registered with InfoSec.

3.2 Approved Technology

All wireless LAN access must use corporate-approved vendor products and security configurations.

3.3 VPN Encryption and Authentication

All computers with wireless LAN devices must utilize a corporate-approved Virtual Private Network (VPN) configured to drop all unauthenticated and unencrypted traffic. To comply with this policy, wireless implementations must maintain point-to-point hardware encryption of at least 56 bits. All implementations must support a hardware address that can be registered and tracked, i.e., a MAC address. All implementations must support and employ strong user authentication that checks against an external database such as TACACS+, RADIUS, or something similar.

3.4 Setting the SSID

The SSID shall be configured so that it does not contain any identifying information about the organization, such as the company name, division title, employee name, or product identifier.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

User Authentication: A method by which the user of a wireless system can be verified as a legitimate user independent of the computer or operating system being used.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.13. ABC Inc. InfoSec Server Policy

Policy No. 12

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by ABC Inc. Effective implementation of this policy will minimize unauthorized access to ABC Inc. proprietary information and technology.

2.0 Scope

This policy applies to server equipment owned and/or operated by ABC Inc., and to servers registered under any ABC Inc.-owned internal network domain. This policy is specifically for equipment on the internal ABC Inc. network. For secure configuration of equipment external to ABC Inc. on the DMZ, refer to the DMZ Policy.

3.0 Policy

3.1 Ownership and Responsibilities

All internal servers deployed at ABC Inc. must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by InfoSec. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by InfoSec.

Servers must be registered within the corporate IT Network Operations. At a minimum, the following information is required to positively identify the point of contact:

  • Server contact(s) and location, and a backup contact
  • Hardware and Operating System/Version
  • Main functions and applications, if applicable
  • Information in the corporate enterprise management system must be kept up-to-date.
  • Configuration changes for production servers must follow the appropriate change management procedures.

3.2 General Configuration Guidelines

  • Operating System configuration should be in accordance with approved InfoSec guidelines.
  • Services and applications that will not be used must be disabled where practical.
  • Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.
  • The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
  • Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do.
  • Always use standard security principles of least required access to perform a function.
  • Do not use root when a non-privileged account will do.
  • User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
  • If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
  • Servers should be physically located in an access-controlled environment.
  • Servers are specifically prohibited from operating from uncontrolled cubicle areas.
  • Current applicable security patches/hot-fixes for any applications that are Internet services must be applied. Administrative owner groups must have processes in place to stay current on appropriate patches/hot-fixes at the first available opportunity.

3.3 Monitoring

All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

  • All security-related logs will be kept online for a minimum of 1 week.
  • Daily incremental tape backups will be retained for at least 1 month.
  • Weekly full tape backups of logs will be retained for at least 1 month.
  • Monthly full backups will be retained for a minimum of 2 years.

Security-related events will be reported to InfoSec, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

  • Port-scan attacks
  • Evidence of unauthorized access to privileged accounts
  • Anomalous occurrences that are not related to specific applications on the host

3.4 Compliance

Audits will be performed on a regular basis by authorized organizations within ABC Inc. Audits will be managed by the internal audit group or InfoSec, in accordance with the Audit Policy. InfoSec will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification. Every effort will be made to prevent audits from causing operational failures or disruptions.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

DMZ: De-militarized Zone. A network segment external to the corporate production network.

Server: For purposes of this policy, a Server is defined as an internal ABC Inc. Server. Desktop machines and Lab equipment are not relevant to the scope of this policy.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.14. ABC Inc. InfoSec Password Policy

Policy No. 13

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of ABC Inc.’s entire corporate network. As such, all ABC Inc. employees (including contractors and vendors with access to ABC Inc. systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any ABC Inc. facility, has access to the ABC Inc. network, or stores any non-public ABC Inc. information.

4.0 Policy

4.1 General

  • All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.
  • All production system-level passwords must comply with IT Operations and/or Application Support procedures.
  • All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.
  • User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
  • Passwords should not be inserted into email messages or other forms of electronic communication in cleartext. When passwords must be sent through email, they must be temporary in nature (e.g., forced password change within a 24-hour period).
  • Default passwords must not be used.
  • All user-level and system-level passwords must conform to the guidelines described below.

4.2 Guidelines

A. General Password Construction Guidelines

Passwords are used for various purposes at ABC Inc. Some of the more common uses include: user-level accounts, web accounts, email accounts, screensaver protection, voicemail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:

  • The password contains less than eight characters.
  • The password is a word found in a dictionary (English or foreign).
  • The password is a common usage word such as:
      • Names of family, pets, friends, co-workers, fantasy characters, etc.
      • Computer terms and names, commands, sites, companies, hardware, software.
      • The words “ABC Inc.”, “sanjose”, “sanfran” or any derivation.
      • Birthdays and other personal information such as addresses and phone numbers.
      • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards.
  • Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong passwords have the following characteristics:

  • Contain both upper and lower case characters (e.g., a-z, A-Z).
  • Have digits and punctuation characters as well as letters (0-9, !@#$%^&*()_+/~-=`{}[]:";'<>?,./).
  • Are at least eight alphanumeric characters long.
  • Are not a word in any language, slang, dialect, jargon, etc.
  • Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: “This May Be One Way To Remember” and the password could be: “TmB1w2R!” or “Tmb1W>r~” or some other variation. NOTE: Do not use these examples as passwords!
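As an added illustration (not part of the policy or of any ABC Inc. tooling), the Python check below applies the weak- and strong-password characteristics listed above to a candidate password. The word list is a constructed stand-in for a real dictionary plus the policy's blocked words, and any personal terms (names, birthdays) are supplied by the caller.

```python
import re
import string

# Constructed sample list standing in for a real dictionary and for the
# policy's blocked words ("ABC Inc.", "sanjose", "sanfran"); a production
# checker would load a full wordlist file instead.
DICTIONARY_WORDS = {
    "secret", "password", "welcome", "dragon", "letmein", "summer",
    "abcinc", "sanjose", "sanfran", "cisco", "router", "oracle", "admin",
}
# Keyboard rows and the alphabet, used to spot runs like qwerty or zyxwvuts.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             string.ascii_lowercase)


def _core(text):
    """Lower-case the text and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _variants(core):
    """The word itself, spelled backwards, and with one leading or trailing digit removed
    (covers "any of the above spelled backwards / preceded or followed by a digit")."""
    forms = {core}
    if core[:1].isdigit():
        forms.add(core[1:])
    if core[-1:].isdigit():
        forms.add(core[:-1])
    return {f for form in forms for f in (form, form[::-1]) if f}


def _looks_like_pattern(word):
    """aaabbb-style repeats, palindromes like 123321, or four keys in keyboard/alphabet order."""
    if re.search(r"(.)\1\1", word):
        return True
    if len(word) >= 6 and word == word[::-1]:
        return True
    for seq in SEQUENCES:
        for i in range(len(word) - 3):
            chunk = word[i:i + 4]
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def check_password(password, personal_terms=()):
    """Return the policy findings for `password`; an empty list means it passes."""
    findings = []
    if len(password) < 8:
        findings.append("too_short")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        findings.append("needs_mixed_case")
    if not any(c.isdigit() for c in password):
        findings.append("needs_digit")
    if not any(c in string.punctuation for c in password):
        findings.append("needs_punctuation")
    variants = _variants(_core(password))
    if variants & DICTIONARY_WORDS:
        findings.append("dictionary_word")
    if any(_looks_like_pattern(v) for v in variants):
        findings.append("keyboard_or_repeat_pattern")
    personal = {_core(t) for t in personal_terms if len(_core(t)) >= 3}
    if any(p in v for p in personal for v in variants):
        findings.append("personal_information")
    return findings


if __name__ == "__main__":
    for candidate in ("TmB1w2R!", "secret1", "Qwerty1!", "123321"):
        print(candidate, "->", check_password(candidate) or "OK")
```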

B. Password Protection Standards

  • Do not use the same password for ABC Inc. accounts as for other non-ABC Inc. access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don’t use the same password for various ABC Inc. access needs. For example, select one password for the Engineering systems and a separate password for IT systems. Also, select a separate password to be used for an NT account and a UNIX account.
  • Do not share ABC Inc. passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential ABC Inc. information. Here is a list of “don’ts”:
      • Don’t reveal a password over the phone to ANYONE.
      • Don’t reveal a password in an email message.
      • Don’t reveal a password to the boss.
      • Don’t talk about a password in front of others.
      • Don’t hint at the format of a password (e.g., “my family name”).
      • Don’t reveal a password on questionnaires or security forms.
      • Don’t share a password with family members.
      • Don’t reveal a password to co-workers while on vacation.
      • If someone demands a password, refer them to this document or have them call someone in the InfoSec Department.
  • Do not use the “Remember Password” feature of applications (e.g., Eudora, OutLook, Netscape Messenger). Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
  • Change passwords at least once every six months (except system-level passwords, which must be changed quarterly). The recommended change interval is every four months.
  • If an account or password is suspected to have been compromised, report the incident to InfoSec and change all passwords.
  • Password cracking or guessing may be performed on a periodic or random basis by InfoSec or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

C. Application Development Standards

Application developers must ensure their programs contain the following security precautions. Applications:

  • should support authentication of individual users, not groups.
  • should not store passwords in cleartext or in any easily reversible form.
  • should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
  • should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
  • must support dynamic passwords.

Note: See the Application Password Policy.

D. Use of Passwords and Passphrases for Remote Access Users

Access to the ABC Inc. Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

E. Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against “dictionary attacks.” A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:

“The*?#>*@TrafficOnThe101Was*&#!#ThisMorning”.

All of the rules above that apply to passwords apply to passphrases.

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6.0 Definitions

Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).

7.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

8.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.15. ABC Inc. InfoSec Application Password Policy

Policy No. 14

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

This policy states the requirements for securely storing and retrieving application usernames and passwords (i.e., application credentials) for use by a program that will access an application running on one of ABC Inc.’s networks.

Computer programs running on ABC Inc.’s networks often require the use of one of the many internal application servers. In order to access one of these applications, a program must authenticate to the application by presenting acceptable credentials. The application privileges that the credentials are meant to restrict can be compromised when the credentials are improperly stored.

2.0 Scope

This policy applies to all software that will access an ABC Inc. multi-user production application.

3.0 Policy

3.1 General

In order to maintain the security of ABC Inc.’s internal applications, access by software programs must be granted only after authentication with credentials. The credentials used for this authentication must not reside in the main, executing body of the program’s source code in cleartext. Application credentials must not be stored in a location that can be accessed through a web server.

3.2 Specific Requirements

3.2.1. Storage of Database User Names and Passwords

  • Application user names and passwords may be stored in a file separate from the executing body of the program’s code. This file must not be world readable.
  • Application credentials may reside on the application server. In this case, a hash number identifying the credentials may be stored in the executing body of the program’s code.
  • Application credentials may be stored as part of an authentication server (i.e., an entitlement directory), such as an LDAP server used for user authentication. Application authentication may occur on behalf of a program as part of the user authentication process at the authentication server. In this case, there is no need for programmatic use of application credentials.
  • Application credentials may not reside in the documents tree of a web server.
  • Pass-through authentication (e.g., Oracle OPS$ authentication) must not allow access to the application based solely upon a remote user’s authentication on the remote host.
  • Passwords or passphrases used to access an application must adhere to the Password Policy.

3.2.2. Retrieval of Application User Names and Passwords

If stored in a file that is not source code, then application user names and passwords must be read from the file immediately prior to use. Immediately following application authentication, the memory containing the user name and password must be released or cleared.

The scope into which you may store application credentials must be physically separated from the other areas of your code, e.g., the credentials must be in a separate source file. The file that contains the credentials must contain no other code but the credentials (i.e., the user name and password) and any functions, routines, or methods that will be used to access the credentials.

For languages that execute from source code, the credentials’ source file must not reside in the same browseable or executable file directory tree in which the executing body of code resides.
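As an added example (not part of the policy or of any ABC Inc. code) of the storage and retrieval rules in 3.2.1 and 3.2.2, the Python module below keeps the credentials in a separate owner-only file, refuses files that are world-readable or that sit inside a web document tree, reads them immediately before use, and overwrites the buffer as soon as the authentication block ends. The two-line file format (user name, then password) and POSIX permission bits are assumptions of this example.

```python
import os
import stat
from contextlib import contextmanager
from pathlib import Path


class CredentialPolicyError(Exception):
    """Raised when a credential file breaks one of the storage rules."""


def write_credential_file(cred_path, username, password):
    """Create the separate credential file with owner-only permissions from the start."""
    fd = os.open(cred_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(username.encode() + b"\n" + password.encode() + b"\n")
    os.chmod(cred_path, 0o600)  # in case the file already existed with looser bits


def _check_location(cred_path, web_roots):
    """The credentials must not sit anywhere inside a web server's document tree."""
    resolved = Path(cred_path).resolve()
    for root in web_roots:
        root = Path(root).resolve()
        if resolved == root or root in resolved.parents:
            raise CredentialPolicyError(f"{cred_path} lies inside web document tree {root}")


def _check_permissions(cred_path):
    """The file must not be world-readable (POSIX mode bits are assumed here)."""
    mode = os.stat(cred_path).st_mode
    if mode & stat.S_IROTH:
        raise CredentialPolicyError(f"{cred_path} is world-readable ({stat.filemode(mode)})")


def policy_violation(cred_path, web_roots=()):
    """Return why a file may not be used as a credential store, or None if it passes."""
    try:
        _check_location(cred_path, web_roots)
        _check_permissions(cred_path)
    except CredentialPolicyError as exc:
        return str(exc)
    return None


def _split(buf):
    """Locate user name and password inside the buffer without copying the password."""
    nl = buf.find(b"\n")
    if nl <= 0:
        raise CredentialPolicyError("credential file must start with a user name line")
    end = buf.find(b"\n", nl + 1)
    if end == -1:
        end = len(buf)
    if end == nl + 1:
        raise CredentialPolicyError("credential file has an empty password line")
    username = buf[:nl].decode()            # the user name is not secret; a copy is fine
    password = memoryview(buf)[nl + 1:end]  # a view into buf, so scrubbing buf scrubs it too
    return username, password


@contextmanager
def application_credentials(cred_path, web_roots=()):
    """Read the credentials immediately before use and scrub them once the block ends."""
    _check_location(cred_path, web_roots)
    _check_permissions(cred_path)
    buf = bytearray(os.path.getsize(cred_path))  # mutable so it can be overwritten later
    with open(cred_path, "rb") as fh:
        fh.readinto(buf)
    try:
        yield _split(buf)
    finally:
        # Overwrite the whole file image in place. Python cannot guarantee that no other
        # copy exists, so pass the memoryview straight to the client library rather than
        # converting it to str.
        for i in range(len(buf)):
            buf[i] = 0


if __name__ == "__main__":
    import tempfile
    workdir = tempfile.mkdtemp()
    cred = os.path.join(workdir, "app.cred")
    write_credential_file(cred, "appuser", "S3cr3t!pw")  # constructed sample credentials
    with application_credentials(cred, web_roots=[os.path.join(workdir, "htdocs")]) as (user, pw):
        print("authenticating as", user, "with a", len(pw), "byte password")
    print("password scrubbed after use:", bytes(pw) == bytes(len(pw)))
```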

3.2.3. Access to Application User Names and Passwords

Every program or every collection of programs implementing a single business function must have unique application credentials.

Application passwords used by programs are system-level passwords as defined by the Password Policy. Developer groups must have a process in place to ensure that application passwords are controlled and changed in accordance with the InfoSec Password Policy. This process must include a method for restricting knowledge of application passwords to a need-to-know basis.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Application: Any program or database that provides access to information (e.g., SAP, Siebel, Oracle, SQL Server…).

Computer language: A language used to generate programs.

Credentials: Something you know (e.g., a password or passphrase) and/or something that identifies you (e.g., a user name, a fingerprint, voiceprint, retina print), presented for authentication.

Entitlement: The level of privilege that has been authenticated and authorized; the privilege level at which resources are accessed.

Executing body: The series of computer instructions that the computer executes to run a program.

Hash: An algorithmically generated number that identifies a datum or its location.

LDAP: Lightweight Directory Access Protocol, a set of protocols for accessing information directories.

Module: A collection of computer language instructions grouped together either logically or physically. A module may also be called a package or a class, depending upon which computer language is used.

Name space: A logical area of code in which the declared symbolic names are known and outside of which these names are not visible.

Production: Software that is in use for a purpose other than its own implementation or testing.

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.16. ABC Inc. InfoSec Anti-Virus Policy

Policy No. 15

Effective date Month/Day/Year

Implement by Month/Day/Year

1.0 Purpose

To establish requirements which must be met by all computers connected to ABC Inc. lab networks to ensure effective virus detection and prevention.

2.0 Scope

This policy applies to all ABC Inc. computers that are Windows-based or utilize Windows-based file directory sharing. This includes, but is not limited to, desktop computers, laptop computers, file/ftp/tftp/proxy servers, and any Windows-based lab equipment such as traffic generators.

3.0 Policy

  • All ABC Inc. PC-based lab computers must have ABC Inc.’s standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date.
  • Virus-infected computers must be removed from the network until they are verified as virus-free.
  • Information System Admins and Managers are responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free.
  • Any activities with the intention to create and/or distribute malicious programs into ABC Inc.’s networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Policy.
  • Refer to ABC Inc.’s IT Anti-Virus Web page to help prevent virus problems.

Noted exceptions: Machines with operating systems other than those based on Microsoft products are exempted at the current time.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

6.0 Exceptions

Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).

7.0 Revision History

Date ___/____/_____

Version:_______________________

Author:____________________________________

Summary:__________________________________

A.17. ABC Inc. InfoSec Policy Exception Form

Requestor’s Name:

Requestor’s Phone Number:

Date:

Policy for which Exception is being requested:

A brief description of the justification for the request, including the organizations that would benefit from the exception:

Compensating procedures to be implemented to mitigate risk:

A technical description of the situation that is to exist after grant of the exception:

A risk analysis, including the organizations that might be put at risk by the exception:

The organizations responsible for implementing the exception

Requestor____________________________

Signature____________________________

Date_______________________________

CIO________________________________

Signature____________________________

Date________________________________

CIO________________________________

Signature____________________________

Date________________________________
