Over the last two years, articles have appeared in the press discussing security problems discovered in the WEP encryption scheme used on many 802.11b wireless networks. Although we are using a form of WEP on our wireless network, the security solution we are implementing uses Cisco technology that mitigates the flaws described in the press to a fairly significant extent.
Normal WEP encryption uses a single encryption key for all wireless transmissions. Current attacks on wireless security involve brute force hacking to obtain that key. Our system provides users with individual encryption keys that change each time they log into the wireless network. This means there is no one single key to hack, and because the keys are not static, the system is much harder to attack.
It is important to remember that WEP is not intended to be the only security used in a wireless network. WEP stands for Wired Equivalent Privacy and was just meant to try to make a wireless connection as hard to “sniff” as that of a wired network. In reality, the Cisco solution that we have deployed at ABC Inc. provides significantly more data privacy than a normal wired network connection.
As with the traditional wire-based network, additional security such as the use of encrypted Web pages using SSL and secure remote logins and file transfers using SSH should still be used for high-valued data transactions. The wireless encryption system only protects your data while it travels over the airwaves. As soon as your data hits the local wireless access point in your building, it flows over the building’s standard wired network and is no longer protected by the wireless encryption system.
Two new wireless security solutions will be available over the next year and a half. The new solution, called WiFi Protected Access (WPA), is a subset of the still unfinished IEEE 802.11i security specification and will be usable by both home and enterprise wireless networks. Task Group I is working on 802.11i, and it is still on a path to be complete about this time next year with a fully ratified standard.
WPA will work with the majority of 802.11-based products out today once they’ve gone through a firmware/software upgrade. WPA is forward compatible with 802.11i. By the time 11i is ratified around September of next year, WPA version 2.0 is expected with full 802.11i support. Eventually, the Alliance expects to require WiFi products to ship with WPA turned on as a default. The way WPA will work in the enterprise is similar to the setup of any 802.1X authentication system. The clients and access points must have WPA enabled; the clients are authenticated, and the traffic to and from each of them encrypted, against an 802.1X authentication server of some sort that speaks the Extensible Authentication Protocol (EAP), such as a RADIUS server, with centralized access management. WiFi Protected Access had several design goals:
WiFi Protected Access was constructed to provide improved data encryption, which was weak in WEP, and to provide user authentication, which was largely missing in WEP. To improve data encryption, WiFi Protected Access utilizes its Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements including a per-packet key mixing function, a message integrity check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a rekeying mechanism. Through these enhancements, TKIP addresses all of WEP’s known vulnerabilities.
Enterprise-level User Authentication via 802.1x and EAP
WEP has almost no user authentication mechanism. To strengthen user authentication, WiFi Protected Access implements 802.1x and the Extensible Authentication Protocol (EAP). Together, these implementations provide a framework for strong user authentication. This framework utilizes a central authentication server, such as RADIUS, to authenticate each user on the network before they join it, and also employs “mutual authentication” so that the wireless user doesn’t accidentally join a rogue network that might steal its network credentials.
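To make the four TKIP enhancements concrete, the following is an added illustration (not code from the original document or from any vendor) of how they fit together on the sending and receiving side: a key derived per packet from the temporal key and a sequence counter, an integrity tag, a receive-side rule that the counter must strictly increase, and a rekey that restarts the counter. HMAC-SHA256 stands in for TKIP’s real key-mixing function and for Michael, and a SHA-256 counter-mode keystream stands in for RC4; the keys and the MAC address are constructed.

```python
"""TKIP-style per-packet keying, integrity check, sequencing and rekeying.

Added illustration, not code from the original document or any vendor.
HMAC-SHA256 stands in for TKIP's key-mixing function and for the Michael
MIC, and a SHA-256 counter-mode keystream stands in for RC4. Constructed
keys and addresses only; not for protecting real traffic.
"""
import hashlib
import hmac
import os

MIC_LEN = 8  # Michael also produces a 64-bit MIC


def per_packet_key(temporal_key, transmitter_addr, tsc):
    # Stand-in for TKIP key mixing: the key for one packet depends on the
    # temporal key, the transmitter MAC and the 48-bit sequence counter, so
    # no two packets sent under one temporal key share a keystream.
    return hmac.new(temporal_key, transmitter_addr + tsc.to_bytes(6, "big"),
                    hashlib.sha256).digest()


def keystream(key, length):
    # Toy keystream (stand-in for RC4): SHA-256 over key || block counter.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mic(mic_key, tsc, plaintext):
    # Stand-in for Michael: integrity tag bound to the sequence counter.
    return hmac.new(mic_key, tsc.to_bytes(6, "big") + plaintext,
                    hashlib.sha256).digest()[:MIC_LEN]


class Sender:
    def __init__(self, temporal_key, mic_key, addr):
        self.addr = addr
        self.rekey(temporal_key, mic_key)

    def rekey(self, temporal_key, mic_key):
        # A new temporal key restarts the sequence counter from zero.
        self.temporal_key, self.mic_key, self.tsc = temporal_key, mic_key, 0

    def protect(self, plaintext):
        self.tsc += 1
        body = plaintext + mic(self.mic_key, self.tsc, plaintext)
        key = per_packet_key(self.temporal_key, self.addr, self.tsc)
        return self.tsc, self.addr, xor(body, keystream(key, len(body)))


class Receiver:
    def __init__(self, temporal_key, mic_key):
        self.dropped = []
        self.rekey(temporal_key, mic_key)

    def rekey(self, temporal_key, mic_key):
        self.temporal_key, self.mic_key, self.last_tsc = temporal_key, mic_key, 0

    def unprotect(self, tsc, addr, ciphertext):
        # Sequencing rule: the counter must strictly increase; a repeated or
        # older counter is treated as a replay and dropped.
        if tsc <= self.last_tsc:
            self.dropped.append(("replay", tsc))
            return None
        key = per_packet_key(self.temporal_key, addr, tsc)
        body = xor(ciphertext, keystream(key, len(ciphertext)))
        plaintext, tag = body[:-MIC_LEN], body[-MIC_LEN:]
        if not hmac.compare_digest(tag, mic(self.mic_key, tsc, plaintext)):
            self.dropped.append(("bad_mic", tsc))
            return None
        self.last_tsc = tsc
        return plaintext


def demo():
    tk, mk, addr = os.urandom(16), os.urandom(8), bytes.fromhex("001122334455")
    s, r = Sender(tk, mk, addr), Receiver(tk, mk)
    p1, p2 = s.protect(b"hello"), s.protect(b"hello")
    accepted = [r.unprotect(*p1), r.unprotect(*p2)]
    same_plaintext_differs = p1[2] != p2[2]   # per-packet keys: no keystream reuse
    replayed = r.unprotect(*p1)               # counter 1 again: dropped as replay
    tsc, a, ct = p2
    forged = r.unprotect(tsc + 1, a, bytes([ct[0] ^ 1]) + ct[1:])  # MIC fails
    new_tk, new_mk = os.urandom(16), os.urandom(8)
    s.rekey(new_tk, new_mk)
    r.rekey(new_tk, new_mk)
    after_rekey = r.unprotect(*s.protect(b"world"))  # counter restarted, accepted
    return {"accepted": accepted, "same_plaintext_differs": same_plaintext_differs,
            "replayed": replayed, "forged": forged, "after_rekey": after_rekey,
            "dropped": r.dropped}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The receiver keeps only the last accepted counter per sender, which is exactly what makes the replayed packet detectable; with a single static WEP key and no such rule, the same frame could be re-injected indefinitely.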
WiFi Protected Access will be forward-compatible with the IEEE 802.11i security specification currently under development by the IEEE. WiFi Protected Access is a subset of the current 802.11i draft, taking certain pieces of the 802.11i draft that are ready to bring to market today, such as its implementation of 802.1x and TKIP. These features can also be enabled on most existing WiFi certified products as a software upgrade. The main pieces of the 802.11i draft that are not included in WiFi Protected Access are secure IBSS, secure fast handoff, secure deauthentication and disassociation, as well as enhanced encryption protocols such as AES-CCMP. These features are either not yet ready for market or will require hardware upgrades to implement. The IEEE 802.11i specification is expected to be published at the end of 2003.
WiFi Protected Access effectively addresses the WLAN security requirements for the enterprise and provides a strong encryption and authentication solution before the ratification of the IEEE 802.11i standard. In an enterprise with IT resources, WiFi Protected Access should be used in conjunction with an authentication server such as RADIUS to provide centralized access control and management. With this implementation in place, the need for add-on solutions such as VPNs may be eliminated, at least for the express purpose of securing the wireless link in a network.
Normally, wireless networks are outside of the institutional firewall(s). In addition, they use static WEP keys on the WLAN to keep administrative costs low and provide a Network Intrusion Detection (NID) facility to monitor possible attacks emanating from the WLAN to the Internet and other networks. As part of the architecture, it is normally recommended that neither the IP address range nor the domain name of the wireless network be associated with any of the existing internal networks. This will allow for better segregation of wireless traffic and will assist in identifying and filtering traffic to and from this network.
WLANs are normally treated as though they are an untrusted network, like the Internet. Assuming that RF propagation is limited by a thorough site survey and the use of proper antenna and transmitter power settings, the WLAN does not represent any more significant a threat to internal networks than the Internet itself. Because roaming between APs is still in the proprietary domain, it is highly recommended that all APs be purchased from the same vendor. This will ensure that an end station equipped with any 802.11-compatible NIC will be able to roam between APs. In addition, any new vendor-specific security improvements that are introduced may require homogeneous APs.
Concerns over the usage of WEP and its ability to provide adequate security for a network have required additional measures to improve your security. It is useful to think of securing the wireless LAN as you would protect the internal LAN from the public Internet. Using this framework, you could install two firewalls: one at the gateway into your corporate LAN and another between the LAN and the wireless network. The wireless firewall can be configured to pass only VPN traffic. This allows a remote user to connect to the corporate LAN using the VPN. Likewise, a wireless user can authenticate to the wireless infrastructure while still having wireless data encrypted through the VPN tunnel.
By segregating the wireless infrastructure from your wired network, and enabling VPN traffic to pass between them, you create a buffer zone that increases network security. In addition, IPSec, the main IP-layer encryption protocol used in VPN technology, makes traffic sniffing unproductive, which will thwart attacks that rely on WEP being the only encryption in use, such as AirSnort. Another advantage of using the VPN approach is that if you’ve already deployed a VPN, your remote users are already familiar with the limitations imposed by it. Getting wireless users to be comfortable with similar limitations should be relatively easy.
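The wireless-side firewall described above, together with the recommendation that the wireless address range not be associated with any internal network, can be expressed as a small policy model. This is an added example, not part of the original document or any vendor’s product: the address ranges, the VPN gateway address and the interface names are constructed, and the iptables commands it renders are only returned as strings, not applied.

```python
"""Wireless-side firewall that passes only VPN (IPsec) traffic, plus the
address-range segregation check.

Added example, not from the original document. Addresses, interface names
and the VPN gateway are constructed; the iptables lines are rendered as
strings for review and are not executed here.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

WLAN_NET = "192.0.2.0/24"         # constructed wireless range
INTERNAL_NETS = ["10.0.0.0/8"]    # constructed corporate ranges
VPN_GATEWAY = "10.0.0.1"          # constructed VPN concentrator address
WLAN_IF, LAN_IF = "wlan0", "eth0" # assumed interface names

# IPsec needs exactly these to reach the gateway: IKE on UDP/500,
# IKE NAT traversal on UDP/4500, and ESP (IP protocol 50).
VPN_SERVICES = [("udp", 500), ("udp", 4500), ("esp", None)]


def wlan_is_segregated(wlan=WLAN_NET, internal=INTERNAL_NETS):
    """True when the wireless range overlaps none of the internal ranges."""
    wlan_net = ipaddress.ip_network(wlan)
    return not any(wlan_net.overlaps(ipaddress.ip_network(n)) for n in internal)


def wireless_firewall(flow, gateway=VPN_GATEWAY, wlan=WLAN_NET):
    """Decide one flow arriving on the wireless interface."""
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(wlan):
        return "drop"  # spoofed or foreign source on the wireless side
    if ipaddress.ip_address(flow.dst) != ipaddress.ip_address(gateway):
        return "drop"  # nothing but the VPN gateway is reachable directly
    dport = flow.dport if flow.proto == "udp" else None
    return "accept" if (flow.proto, dport) in VPN_SERVICES else "drop"


def iptables_rules(gateway=VPN_GATEWAY, wlan=WLAN_NET):
    """Render the same policy as iptables FORWARD-chain commands."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port in VPN_SERVICES:
        match = f"-p {proto} --dport {port}" if port else f"-p {proto}"
        rules.append(f"iptables -A FORWARD -i {WLAN_IF} -o {LAN_IF} "
                     f"-s {wlan} -d {gateway} {match} -j ACCEPT")
    return rules


SAMPLE_FLOWS = [  # constructed
    Flow("192.0.2.10", "10.0.0.1", "udp", 500),
    Flow("192.0.2.10", "10.0.0.1", "udp", 4500),
    Flow("192.0.2.10", "10.0.0.1", "esp", None),
    Flow("192.0.2.10", "10.0.0.25", "tcp", 445),   # straight to a file server
    Flow("192.0.2.10", "10.0.0.1", "tcp", 22),     # SSH to the gateway box itself
    Flow("198.51.100.7", "10.0.0.1", "udp", 500),  # source outside the WLAN range
]


def evaluate(flows=SAMPLE_FLOWS):
    return [wireless_firewall(f) for f in flows]


if __name__ == "__main__":
    print("segregated:", wlan_is_segregated())
    for f, verdict in zip(SAMPLE_FLOWS, evaluate()):
        print(verdict, f)
    print("\n".join(iptables_rules()))
```

Only the three IPsec components are listed explicitly; everything else from the wireless side, including management protocols aimed at the gateway host, falls through to the default DROP. The corporate-side firewall in the two-firewall design is a separate rule set and is not modelled here.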
To empower InfoSec to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.
Risk assessments can be conducted on any entity within ABC Inc. or any outside entity that has signed a Third Party Agreement <Insert Link> and the Acceptable Use Policy <Insert Link> with ABC Inc. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.
The execution, development, and implementation of remediation programs are the joint responsibility of InfoSec and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the InfoSec Risk Assessment Team in the development of a remediation plan.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Entity: Any business unit, department, group, or third party, internal or external to ABC Inc., responsible for maintaining ABC Inc. assets.
Risk: Those factors that could affect confidentiality, availability, and integrity of ABC Inc.’s key information assets and systems. InfoSec is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form <Insert Link> has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:___________________________________
Summary:__________________________________
To provide the authority for members of ABC Inc.’s InfoSec team to conduct a security audit on any system at ABC Inc. Audits may be conducted to:
This policy covers the following:
When requested, and for the purpose of performing an audit, any access needed will be provided to members of ABC Inc.’s InfoSec team. This access may include:
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form <Insert Link> has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
Information Systems Security’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to ABC Inc.’s established culture of openness, trust, and integrity. Information System Security is committed to protecting ABC Inc.’s employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of ABC Inc. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies at <Insert Link> for further details.
Effective security is a team effort involving the participation and support of every ABC Inc. employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.
The purpose of this policy is to outline the acceptable use of computer equipment at ABC Inc. These rules are in place to protect the employee and ABC Inc. Inappropriate use exposes ABC Inc. to risks including virus attacks, compromise of network systems and services, and legal issues.
This policy applies to employees, contractors, consultants, temporaries, and other workers at ABC Inc., including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by ABC Inc.
While ABC Inc.’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of ABC Inc. Because of the need to protect ABC Inc.’s network, management cannot guarantee the confidentiality of information stored on any network device belonging to ABC Inc. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager. Information System Security recommends that any information that users consider sensitive or vulnerable be encrypted. For security and network maintenance purposes, authorized individuals within ABC Inc. may monitor equipment, systems, and network traffic at any time, per Information System Security’s Audit Policy. ABC Inc. reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
4.2 Security and Proprietary Information
The user interface for information contained on Internet/Intranet/Extranet- related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines <Insert Link>, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, employee personal data, employee job data, and research data. Employees should take all necessary steps to prevent unauthorized access to this information. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.
All PCs, laptops, and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by locking access to the computer (control-alt-delete for Windows platform users) when the host will be unattended. Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Guidelines” policy.
Postings by employees from an ABC Inc. email address to newsgroups are prohibited unless the posting is in the course of business duties. All hosts used by the employee that are connected to the ABC Inc. Internet/Intranet/Extranet, whether owned by the employee or ABC Inc., shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
The following activities are strictly prohibited, with no exceptions:
Email and Communications Activities
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Junk Mail: Unsolicited email. It is also another term for Spam.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form <Insert Link> has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
This policy establishes information security requirements for ABC Inc.’s network to ensure that ABC Inc.’s confidential information and technologies are not compromised, and that production services and other ABC Inc. interests are protected.
This policy applies to all internal networks, ABC Inc. employees, and third parties who access ABC Inc. networks. All existing and future equipment, which fall under the scope of this policy, must be configured according to the referenced documents.
3.1 Ownership Responsibilities
3.2 General Configuration Requirements
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
DMZ (De-Militarized Zone): This describes networks that exist outside of primary corporate firewalls, but are still under ABC Inc. administrative control.
External Connections: Connections that include (but are not limited to) third-party connections, such as a DMZ, data network-to-network, analog and ISDN data lines, or any other Telco data lines.
Extranet: Connections with third parties that require access to non-public ABC Inc. resources, as defined in InfoSec’s Extranet policy (link).
Firewall: A device that controls access between networks. It can be a PIX, a router with access control lists, or similar security devices approved by InfoSec.
Internal: A network that is within ABC Inc.’s corporate firewall and connected to ABC Inc.’s corporate production network.
Network: A network is any non-production environment, intended specifically for developing, demonstrating, training, and/or testing of a product.
Network Manager: The individual who is responsible for all network activities and personnel.
Network Owned Gateway Device: A network owned gateway device is the network device that connects the network to the rest of ABC Inc.’s network. All traffic between the network and the corporate production network must pass through the network owned gateway device unless approved by InfoSec.
Network Support Organization: Any InfoSec approved ABC Inc. support organization that manages the networking of non-lab networks.
Telco: A Telco is the equivalent to a service provider. Telcos offer network connectivity, e.g., T1, T3, OC3, OC12 or DSL. Telcos are sometimes referred to as “baby bells,” although Sprint and AT&T are also considered Telcos. Telco interfaces include BRI, or Basic Rate Interface, a structure commonly used for ISDN service, and PRI, Primary Rate Interface, a structure for voice/dial-up service.
Traffic: Mass volume of unauthorized and/or unsolicited network Spamming/Flooding traffic.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
This policy establishes information security requirements for all networks and equipment deployed and located in the ABC Inc. “De-Militarized Zone” (DMZ) as well as screened subnets. Adherence to these requirements will minimize the potential risk to ABC Inc. from the damage to public image caused by unauthorized use of ABC Inc. resources, and the loss of sensitive/company confidential data and intellectual property.
ABC Inc. networks and devices (including but not limited to routers, switches, hosts, etc.) that are Internet facing and located outside ABC Inc. corporate Internet firewalls are considered part of the DMZ and are subject to this policy. This includes DMZ in primary Internet Service Provider (ISP) locations and remote locations. All existing and future equipment, which falls under the scope of this policy, must be configured according to the referenced documents. This policy does not apply to information systems and components which reside inside ABC Inc.’s corporate Internet firewalls. Standards for these are defined in the Internal Network Security Policy <Link>.
3.1. Ownership and Responsibilities
3.2. General Configuration Requirements
Any employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment.
Access Control List (ACL): Lists kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).
DMZ (de-militarized zone): Networking that exists outside of ABC Inc. primary corporate firewalls, but is still under ABC Inc. administrative control.
Network Support Organization: Any InfoSec-approved support organization that manages the networking of non-lab networks.
Least Access Principle: Access to services, hosts, and networks is restricted unless otherwise permitted.
Internet Services: Services running on devices that are reachable from other devices across a network. Major Internet services include DNS, FTP, HTTP, etc.
Point of Demarcation: The point at which the networking responsibility transfers from a Network Support Organization to the DMZ. Usually a router or firewall.
Screened Subnet: Screened subnets, or perimeter networks, are networks separated from the internal network by a screening router.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of ABC Inc.
All routers and switches connected to ABC Inc. production networks are affected. Routers and switches within the internal networks are not affected. Routers and switches within DMZ areas fall under the DMZ Policy.
Every router must meet the following configuration standards:
“UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device.”
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Production Network: The “production network” is the network used in the daily business of ABC Inc. Any network connected to the corporate backbone, either directly or indirectly, which lacks an intervening firewall device. Any network whose impairment would result in direct loss of functionality to ABC Inc. employees or impact their ability to do work.
Lab Network: A “lab network” is defined as any network used for the purposes of testing, demonstrations, training, etc. Any network that is stand-alone or firewalled off from the production network(s) and whose impairment will not cause direct loss to ABC Inc. nor affect the production network.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
This document describes the policy under which third party organizations connect to ABC Inc. networks for the purpose of transacting business related to ABC Inc.
Connections between third parties that require access to non-public ABC Inc. resources fall under this policy, regardless of whether a Telco circuit (such as frame relay or ISDN) or VPN technology is used for the connection. Connectivity to third parties such as the Internet Service Providers (ISPs) that provide Internet access for ABC Inc. or to the Public Switched Telephone Network does NOT fall under this policy.
The following conditions (prerequisites) must be satisfied before extranet usage is granted:
All new extranet connectivity will go through a security review with the InfoSec department. The reviews are to ensure that all access matches the business requirements in the best possible way, and that the principle of least access is followed.
3.1.2 Third Party Connection Agreement
All new connection requests between third parties and ABC Inc. require that the third party and ABC Inc. representatives agree to and sign the Third Party Agreement. This agreement must be signed by the Vice President of the Sponsoring Organization as well as a representative from the third party who is legally empowered to sign on behalf of the third party. The signed document is to be kept on file with the relevant extranet group. Documents pertaining to connections into ABC Inc. DMZs are to be kept on file with the IT Operations Department.
All production extranet connections must be accompanied by a valid business justification, in writing, that is approved by a project sponsor. DMZ connections must be approved by the InfoSec Department. Typically this function is handled as part of the Third Party Agreement.
The Sponsoring Organization must designate a person to be the Point of Contact (POC) for the extranet connection. The POC acts on behalf of the Sponsoring Organization, and is responsible for those portions of this policy and the Third Party Agreement that pertain to it. In the event that the POC changes, the relevant extranet organization must be informed promptly. A POC must also be identified for the external party to the extranet connection.
Sponsoring Organizations within ABC Inc. that wish to establish connectivity to a third party are to file a new site request <Check for correct terminology> with the IT Operation group. The extranet group will engage InfoSec to address security issues inherent in the project. If the proposed connection is to terminate within a DMZ at ABC Inc., the Sponsoring Organization must engage the InfoSec department. The Sponsoring Organization must provide full and complete information as to the nature of the proposed access to the extranet group and InfoSec department, as requested. All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will ABC Inc. rely upon the third party to protect ABC Inc.’s network or resources.
3.3 Modifying or Changing Connectivity and Access
All changes in access must be accompanied by a valid business justification, and are subject to security review. Changes are to be implemented via corporate change management process. The Sponsoring Organization is responsible for notifying the IT Operations group and/or InfoSec when there is a material change in their originally provided information so that security and connectivity evolve accordingly.
When access is no longer required, the Sponsoring Organization within ABC Inc. must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean a modification of existing permissions up to terminating the circuit, as appropriate. The IT Operations group must conduct an audit of their respective connections on an annual basis to ensure that all existing connections are still needed, and that the access provided meets the needs of the connection. Connections that are found to be deprecated, and/or are no longer being used to conduct ABC Inc. business, will be terminated immediately. Should a security incident or a finding that a circuit has been deprecated and is no longer being used to conduct ABC Inc. business necessitate a modification of existing permissions, or termination of connectivity, InfoSec and/or the IT Operations group will notify the POC or the Sponsoring Organization of the change prior to taking any action.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Circuit: For the purposes of this policy, circuit refers to the method of network access, whether it’s through traditional ISDN, Frame Relay etc., or via VPN/Encryption technologies.
Sponsoring Organization: The ABC Inc. organization who requested that the third party have access into ABC Inc.
Third Party: A business that is not a formal or subsidiary part of ABC Inc.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
The purpose of this policy is to define standards for connecting to ABC Inc.’s network from any host. These standards are designed to minimize the potential exposure to ABC Inc. from damages which may result from unauthorized use of ABC Inc. resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical ABC Inc. internal systems, etc.
This policy applies to all ABC Inc. employees, contractors, vendors, and agents with an ABC Inc.-owned or personally-owned computer or workstation used to connect to the ABC Inc. network. This policy applies to remote access connections used to do work on behalf of ABC Inc., including reading or sending email and viewing intranet web resources. Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, and cable modems, etc.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Cable Modem: Cable companies such as AT&T Broadband provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps. Cable is currently available only in certain communities.
CHAP: Challenge Handshake Authentication Protocol (CHAP) is an authentication method that uses a one-way hashing function.
DLCI: The Data Link Connection Identifier (DLCI) is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a frame relay network. DLCI identifies a particular PVC endpoint within a user’s access channel in a frame relay network, and has local significance only to that channel.
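The one-way hash in the CHAP definition above is used as follows: the authenticator sends a random challenge, and the peer answers with MD5 over the packet identifier, the shared secret and the challenge (RFC 1994), so the secret itself never crosses the link and a captured answer is useless against a later challenge. The following is an added example, not code from the original document; the username and secret are constructed.

```python
"""CHAP challenge/response as specified in RFC 1994.

Added example, not from the original document. Username, secret and the
random challenge are constructed.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Response field of a CHAP Response packet (RFC 1994, section 4)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges and checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets      # username -> shared secret (constructed)
        self.pending = {}           # identifier -> outstanding challenge
        self.identifier = 0

    def issue_challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        challenge = os.urandom(16)  # fresh randomness is what defeats replay
        self.pending[self.identifier] = challenge
        return self.identifier, challenge

    def verify(self, identifier, username, response):
        challenge = self.pending.pop(identifier, None)  # each challenge is used once
        secret = self.secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(response, expected)


def peer_answer(identifier, challenge, username, secret):
    """Client side: the Name and Response fields the peer sends back."""
    return username, chap_response(identifier, secret, challenge)


def demo():
    auth = ChapAuthenticator({"alice": b"correct horse battery"})  # constructed
    ident, chal = auth.issue_challenge()
    name, resp = peer_answer(ident, chal, "alice", b"correct horse battery")
    ok = auth.verify(ident, name, resp)
    replay = auth.verify(ident, name, resp)            # same answer again: rejected
    ident2, chal2 = auth.issue_challenge()
    _, bad = peer_answer(ident2, chal2, "alice", b"wrong secret")
    wrong_secret = auth.verify(ident2, "alice", bad)
    return ok, replay, wrong_secret


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Note that the authenticator must hold the secret in a form it can hash with the challenge, so the secret store itself needs protecting; that is the usual trade-off of CHAP against password-hash-only schemes.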
Dial-in Modem: A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates the digital data of computers into analog signals to send over the telephone lines, then demodulates them back into digital signals to be read by the computer on the other end; thus the name “modem” for modulator/demodulator.
Dual Homing: Having concurrent connectivity to more than one network from a computer or network device. Examples include:
Being logged into the corporate network via a local Ethernet connection, and dialing into AOL or another Internet service provider (ISP).
Being on an ABC Inc.-provided Remote Access home network, and connecting to another network, such as a spouse’s remote access.
Configuring an ISDN router to dial into ABC Inc. and an ISP, depending on packet destination.
DSL: Digital Subscriber Line (DSL) is a form of high-speed Internet access competing with cable modems. DSL works over standard phone lines and supports data speeds of over 2 Mbps downstream (to the user) and slower speeds upstream (to the Internet).
Frame Relay: A method of communication whose speed can be provisioned incrementally from ISDN speeds up to the speed of a T1 line. Frame Relay is billed at a flat rate rather than per unit of connection time. Frame Relay connects via the telephone company’s network.
ISDN: There are two flavors of Integrated Services Digital Network (ISDN): BRI and PRI. BRI is used for home office/remote access. BRI has two “Bearer” (B) channels at 64 kbit/s each (128 kbit/s aggregate) and one D channel for signaling information. PRI is short for Primary-Rate Interface, a type of ISDN service designed for larger organizations. PRI includes 23 B-channels (30 in Europe) and one D-channel.
One-time password (OTP): A security system that requires a new password every time a user authenticates themselves. OTP generates these passwords using either the MD4 or MD5 hashing algorithms.
Remote Access: Any access to ABC Inc.’s corporate network through a non-ABC Inc.-controlled network, device, or medium.
Split-tunneling: Simultaneous direct access to a non-ABC Inc. network (such as the Internet, or a home network) from a remote device (PC, PDA, WAP phone, etc.) while connected into ABC Inc.’s corporate network via a VPN tunnel.
VPN: Virtual Private Network (VPN) is a method for accessing a remote network via “tunneling” through the Internet.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
The purpose of this policy is to protect ABC Inc.’s electronic information from being inadvertently compromised by authorized personnel using a dial-in connection.
The scope of this policy is to define appropriate dial-in access and its use by authorized personnel.
Note: Dial-in accounts are considered ‘as needed’ accounts. Account activity is monitored, and if a dial-in account is not used for a period of six months, the account will expire and no longer function. If dial-in access is subsequently required, the individual must request a new account as described above.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
The purpose of this policy is to provide guidelines for Remote Access IPSec or L2TP Virtual Private Network (VPN) connections to the ABC Inc. corporate network.
This policy applies to all ABC Inc. employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the ABC Inc. network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator. Site-to-site VPN connection policies are covered in the Extranet Policy.
Approved ABC Inc. employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a “user managed” service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy. Additionally:
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
This policy prohibits access to ABC Inc. networks via unsecured wireless communication mechanisms. Only wireless systems that meet the criteria of this policy or have been granted an exclusive waiver by InfoSec are approved for connectivity to ABC Inc.’s networks.
This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, Blackberries, etc.) connected to any of ABC Inc.’s internal networks. This includes any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to ABC Inc.’s networks do not fall under the purview of this policy.
3.1 Register Access Points and Cards
All wireless Access Points/Base Stations connected to the corporate network must be registered and approved by InfoSec. These Access Points/Base Stations are subject to periodic penetration tests and audits. All wireless Network Interface Cards (i.e., PC cards) used in corporate laptop or desktop computers must be registered with InfoSec.
All wireless LAN access must use corporate-approved vendor products and security configurations.
3.3 VPN Encryption and Authentication
All computers with wireless LAN devices must utilize a corporate-approved Virtual Private Network (VPN) configured to drop all unauthenticated and unencrypted traffic. To comply with this policy, wireless implementations must maintain point-to-point hardware encryption of at least 56 bits. All implementations must support a hardware address that can be registered and tracked, i.e., a MAC address. All implementations must support and employ strong user authentication which checks against an external database such as TACACS+, RADIUS, or something similar.
The SSID shall be configured so that it does not contain any identifying information about the organization, such as the company name, division title, employee name, or product identifier.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
User Authentication: A method by which the user of a wireless system can be verified as a legitimate user independent of the computer or operating system being used.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by ABC Inc. Effective implementation of this policy will minimize unauthorized access to ABC Inc. proprietary information and technology.
This policy applies to server equipment owned and/or operated by ABC Inc., and to servers registered under any ABC Inc.-owned internal network domain. This policy is specifically for equipment on the internal ABC Inc. network. For secure configuration of equipment external to ABC Inc. on the DMZ, refer to the DMZ Policy.
3.1 Ownership and Responsibilities
All internal servers deployed at ABC Inc. must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by InfoSec. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by InfoSec.
Servers must be registered within the corporate IT Network Operations. At a minimum, the following information is required to positively identify the point of contact:
3.2 General Configuration Guidelines
All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
Security-related events will be reported to InfoSec, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
Audits will be performed on a regular basis by authorized organizations within ABC Inc. Audits will be managed by the internal audit group or InfoSec, in accordance with the Audit Policy. InfoSec will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification. Every effort will be made to prevent audits from causing operational failures or disruptions.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
DMZ: De-militarized Zone. A network segment external to the corporate production network.
Server: For purposes of this policy, a Server is defined as an internal ABC Inc. Server. Desktop machines and Lab equipment are not relevant to the scope of this policy.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of ABC Inc.’s entire corporate network. As such, all ABC Inc. employees (including contractors and vendors with access to ABC Inc. systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any ABC Inc. facility, has access to the ABC Inc. network, or stores any non-public ABC Inc. information.
A. General Password Construction Guidelines
Passwords are used for various purposes at ABC Inc. Some of the more common uses include: user-level accounts, web accounts, email accounts, screensaver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
Strong passwords have the following characteristics:
Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: “This May Be One Way To Remember” and the password could be: “TmB1w2R!” or “Tmb1W>r~” or some other variation. NOTE: Do not use these examples as passwords!
B. Password Protection Standards
C. Application Development Standards
Application developers must ensure their programs contain the following security precautions. Applications:
Note: See the Application Password Policy
D. Use of Passwords and Passphrases for Remote Access Users
Access to the ABC Inc. Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.
Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access.
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against “dictionary attacks.” A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:
“The*?#>*@TrafficOnThe101Was*&#!#ThisMorning”.
All of the rules above that apply to passwords apply to passphrases.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Systems Security Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
This policy states the requirements for securely storing and retrieving application usernames and passwords (i.e., application credentials) for use by a program that will access an application running on one of ABC Inc.’s networks.
Computer programs running on ABC Inc.’s networks often require the use of one of the many internal application servers. In order to access one of these applications, a program must authenticate to the application by presenting acceptable credentials. The application privileges that the credentials are meant to restrict can be compromised when the credentials are improperly stored.
This policy applies to all software that will access an ABC Inc., multi-user production application.
In order to maintain the security of ABC Inc.’s internal applications, access by software programs must be granted only after authentication with credentials. The credentials used for this authentication must not reside in the main, executing body of the program’s source code in cleartext. Application credentials must not be stored in a location that can be accessed through a web server.
3.2.1. Storage of Database User Names and Passwords
3.2.2. Retrieval of Application User Names and Passwords
If stored in a file that is not source code, then application user names and passwords must be read from the file immediately prior to use. Immediately following application authentication, the memory containing the user name and password must be released or cleared.
The scope into which you may store application credentials must be physically separated from the other areas of your code, e.g., the credentials must be in a separate source file. The file that contains the credentials must contain no other code but the credentials (i.e., the user name and password) and any functions, routines, or methods that will be used to access the credentials.
For languages that execute from source code, the credentials’ source file must not reside in the same browseable or executable file directory tree in which the executing body of code resides.
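One way to apply 3.2.2 in practice, as an added example that is not part of the policy or of any ABC Inc. code: the credentials live in a file that holds nothing else and sits outside both the source tree and the web-served tree, are read immediately before authentication, and are overwritten as soon as the login call returns. The directory layout, the key names `app_user` and `app_password`, and the stub login call are constructed assumptions for this example; Python cannot guarantee that no other copy of a value exists, so the wipe is best-effort.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample credential file. Per 3.2.2 it contains only the
# credentials, one "key=value" per line, and no other code or data.
SAMPLE_CREDENTIAL_FILE = "app_user=report_batch\napp_password=S3cret-Ex4mple\n"


def credential_path_is_isolated(cred_path, code_trees):
    """True when the credentials file is outside every tree in code_trees
    (the executing source tree and any browseable/web-served tree).
    Paths are resolved so symlinks and '..' cannot disguise the location."""
    cred = Path(cred_path).resolve()
    for tree in code_trees:
        tree = Path(tree).resolve()
        if cred == tree or tree in cred.parents:
            return False
    return True


def load_credentials(cred_path):
    """Read user name and password immediately before use, as bytearrays
    (mutable, so the buffers can be overwritten afterwards)."""
    fields = {}
    with open(cred_path, "rb") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or b"=" not in line:
                continue
            key, value = line.split(b"=", 1)
            fields[key.decode()] = bytearray(value)
    return fields["app_user"], fields["app_password"]


def wipe(buf):
    """Overwrite a credential buffer in place, then truncate it to zero length."""
    for i in range(len(buf)):
        buf[i] = 0
    del buf[:]


def authenticate_from_file(cred_path, authenticate):
    """Load credentials, pass them to authenticate(user, password), and clear
    the buffers whether or not authentication succeeded (3.2.2)."""
    user, password = load_credentials(cred_path)
    try:
        return authenticate(user, password)
    finally:
        wipe(user)
        wipe(password)


def demo():
    """Constructed layout: code and web roots under app/, credentials under
    etc/ (outside both), then authenticate against an in-memory stub."""
    root = Path(tempfile.mkdtemp())
    code_tree, web_tree, secret_dir = root / "app/src", root / "app/htdocs", root / "etc/app"
    for d in (code_tree, web_tree, secret_dir):
        d.mkdir(parents=True)
    cred_path = secret_dir / "credentials.txt"
    cred_path.write_text(SAMPLE_CREDENTIAL_FILE)
    os.chmod(cred_path, 0o600)  # readable by the service account only

    isolated = credential_path_is_isolated(cred_path, [code_tree, web_tree])
    # A file under the web root would violate section 3; the check rejects it.
    under_web_root = credential_path_is_isolated(web_tree / "creds.txt", [code_tree, web_tree])

    seen = {}

    def stub_authenticate(user, password):  # stand-in for the real driver login
        seen["user"], seen["password"] = user, password
        return user == b"report_batch" and password == b"S3cret-Ex4mple"

    ok = authenticate_from_file(cred_path, stub_authenticate)
    wiped = len(seen["user"]) == 0 and len(seen["password"]) == 0
    return isolated, under_web_root, ok, wiped
```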
3.2.3. Access to Application User Names and Passwords
Every program or every collection of programs implementing a single business function must have unique application credentials.
Application passwords used by programs are system-level passwords as defined by the Password Policy. Developer groups must have a process in place to ensure that application passwords are controlled and changed in accordance with the InfoSec Password Policy. This process must include a method for restricting knowledge of application passwords to a need-to-know basis.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Application: Any program or database that provides access to information (e.g. SAP, Siebel, Oracle, SQL Server…).
Computer language: A language used to generate programs.
Credentials: Something you know (e.g., a password or passphrase) and/or something that identifies you (e.g., a user name, a fingerprint, voiceprint, or retina print), presented for authentication.
Entitlement: The level of privilege that has been authenticated and authorized; the privilege level at which resources are accessed.
Executing body: The series of computer instructions that the computer executes to run a program.
Hash: An algorithmically generated number that identifies a datum or its location.
LDAP: Lightweight Directory Access Protocol, a set of protocols for accessing information directories.
Module: A collection of computer language instructions grouped together either logically or physically. A module may also be called a package or a class, depending upon which computer language is used.
Name space: A logical area of code in which the declared symbolic names are known and outside of which these names are not visible.
Production: Software that is in live use, as opposed to software that is being implemented or tested.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
To establish requirements which must be met by all computers connected to ABC Inc. lab networks to ensure effective virus detection and prevention.
This policy applies to all ABC Inc. computers that are Windows-based or utilize Windows-based file directory sharing. This includes, but is not limited to, desktop computers, laptop computers, file/ftp/tftp/proxy servers, and any Windows-based lab equipment such as traffic generators.
All ABC Inc. PC-based lab computers must have ABC Inc.’s standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Information System Admins and Managers are responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free. Any activities with the intention to create and/or distribute malicious programs into ABC Inc.’s networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Policy. Refer to ABC Inc.’s IT Anti-Virus Web page to help prevent virus problems. Noted exceptions: Machines with operating systems other than those based on Microsoft products are exempted at the current time.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Exceptions to information system security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a Policy Exception Form has been prepared by the data owner or management, and where this form has been approved by both the CSO or Director of InfoSec and the Chief Information Officer (CIO).
Version:_______________________
Author:____________________________________
Summary:__________________________________
Policy for which Exception is being requested:
A brief description of the justification for the request, including the organizations that would benefit from the exception:
Compensating procedures to be implemented to mitigate risk:
A technical description of the situation that is to exist after grant of the exception:
A risk analysis, including the organizations that might be put at risk by the exception:
The organizations responsible for implementing the exception:
Requestor____________________________
Signature____________________________
Date_______________________________
CIO________________________________
Signature____________________________
Date________________________________
CIO________________________________