Practical Connection Assignment: Create User Policy

 Learning Objectives and Outcomes

• Create a report detailing user access policies based on research.
• Explain the details of user policy creation in organizations.

ScenarioYou work for a large, private health care organization that has server, mainframe, and RSA user access. Your organization requires identification of the types of user access policies provided to its employees. Sean, your manager, just came into your office at 6:00 p.m. on Friday and asks you to write a report detailing these user access policies. He needs you to research a generic template and use that as a starting point from which to move forward. He wants you to complete this task over the weekend as he has just been given a boatload of tasks in the management meeting which ended a few minutes ago. He is counting on you to take some of the load off his shoulders. The report is due to senior management next week. Assignment RequirementsChoose only (1) SANS template of your choice  that is attached within the assignment, fill out throughly.You will be graded on quality of content in addition to the baseline template and the use of APA references. The last page before the References “Project Summary” section, will summarize why you chose to work on that specific template and account for some of the high-level objectives you plan to present to Sean on your next meeting.
. Required Deliverables SAN Template 
Be Sure to include a section with APA ReferencesSubmission Requirements

• Format: Microsoft Word
• Font: Times New Roman, 12-Point, Double-Space
• Citation Style: APA
• Length: 4–6 pages

Consensus

Policy

Resource Community

Security Response Plan Policy

Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required. If you would like to contribute a new policy or updated version of this policy, please send email to

policy-resources@sans.org

.

Last Update Status: Updated June 2014

1 Overview

A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (security vulnerability identified or exploited). Specifically, an SRP defines a product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines. By requiring business units to incorporate an SRP as part of their business continuity operations and as new products or services are developed and prepared for release to consumers, ensures that when an incident occurs, swift mitigation and remediation ensues.

2 Purpose

The purpose of this policy is to establish the requirement that all business units supported by the Infosec team develop and maintain a security response plan. This ensures that security incident management team has all the necessary information to formulate a successful response should a specific security incident occur.

3 Scope

This policy applies any established and defined business unity or entity within the .

Policy

The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the specific business unit for whom the SRP is being developed in cooperation with the Infosec Team. Business units are expected to properly facilitate the SRP for applicable to the service or products they are held accountable. The business unit security coordinator or champion is further expected to work with the in the development and maintenance of a Security Response Plan.

4.1 Service or Product Description

The product description in an SRP must clearly define the service or application to be deployed with additional attention to data flows, logical diagrams, architecture considered highly useful.

4.2 Contact Information

The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to customer. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).

4.3 Triage

The SRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.

4.4 Identified Mitigations and Testing

The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.

4.5 Mitigation and Remediation Timelines

The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to level of severity determined for the reported vulnerability.

5 Policy Compliance

5.1 Compliance Measurement

Each business unit must be able to demonstrate they have a written SRP in place, and that it is under version control and is available via the web. The policy should be reviewed annually.

5.2 Exceptions

Any exception to this policy must be approved by the Infosec Team in advance and have a written record.

5.3 Non-Compliance

Any business unit found to have violated (no SRP developed prior to service or product deployment) this policy may be subject to delays in service or product release until such a time as the SRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an SRP

6 Related Standards, Policies and Processes

None.

7 Definitions and Terms

None.

8 Revision History

Date of Change	Responsible	Summary of Change
June 2014	SANS Policy Team	Updated and converted to new format.

SANS Institute 2014 – All Rights Reserved Page 3

Consensus Policy Resource Community

Employee Internet Use Monitoring and Filtering Policy

Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required. If you would like to contribute a new policy or updated version of this policy, please send email to

policy-resources@sans.org

.

Last Update Status:
Retired

1. Overview

See Purpose.

2. Purpose

The purpose of this policy is to define standards for systems that monitor and limit web use from any host within ‘s network. These standards are designed to ensure employees use the Internet in a safe and responsible manner, and ensure that employee web use can be monitored or researched during an incident.

3. Scope

This policy applies to all employees, contractors, vendors and agents with a -owned or personally-owned computer or workstation connected to the network.

This policy applies to all end user initiated communications between ’s network and the Internet, including web browsing, instant messaging, file transfer, file sharing, and other standard and proprietary protocols. Server to Server communications, such as SMTP traffic, backups, automated data transfers or database communications are excluded from this policy.

4. Policy

4.1 Web Site Monitoring

The Information Technology Department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic the monitoring system must record the source IP Address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet Use records must be preserved for 180 days.

4.2 Access to Web Site Monitoring Reports

General trending and activity reports will be made available to any employee as needed upon request to the Information Technology Department. Computer Security Incident Response Team (CSIRT) members may access all reports and data if necessary to respond to a security incident. Internet Use reports that identify specific users, sites, teams, or devices will only be made available to associates outside the CSIRT upon written or email request to Information Systems from a Human Resources Representative.

3.3 Internet Use Filtering System

The Information Technology Department shall block access to Internet websites and protocols that are deemed inappropriate for ’s corporate environment. The following protocols and categories of websites should be blocked:

· Adult/Sexually Explicit Material

· Advertisements & Pop-Ups

· Chat and Instant Messaging

· Gambling

· Hacking

· Illegal Drugs

· Intimate Apparel and Swimwear

· Peer to Peer File Sharing

· Personals and Dating

· Social Network Services

· SPAM

, Phishing and Fraud

· Spyware

· Tasteless and Offensive Content

· Violence, Intolerance and Hate

· Web Based Email

3.4 Internet Use Filtering Rule Changes

The Information Technology Department shall periodically review and recommend changes to web and protocol filtering rules. Human Resources shall review these recommendations and decide if any changes are to be made. Changes to web and protocol filtering rules will be recorded in the Internet Use Monitoring and Filtering Policy.

3.5 Internet Use Filtering Exceptions

If a site is mis-categorized, employees may request the site be un-blocked by submitting a ticket to the Information Technology help desk. An IT employee will review the request and un-block the site if it is mis-categorized.

Employees may access blocked sites with permission if appropriate and necessary for business purposes. If an employee needs access to a site that is blocked and appropriately categorized, they must submit a request to their Human Resources representative. HR will present all approved exception requests to Information Technology in writing or by email. Information Technology will unblock that site or category for that associate only. Information Technology will track approved exceptions and report on them upon request.

5. Policy Compliance

5.1 Compliance Measurement

The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the Infosec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6 Related Standards, Policies and Processes

None.

7 Definitions and Terms

The following definition and terms can be found in the SANS Glossary located at:

https://www.sans.org/security-resources/glossary-of-terms/

· Peer to Peer File Sharing

· Social Networking Services

· SPAM

· Phishing

· Hacking

8 Revision History

Date of Change	Responsible	Summary of Change
July 2014	SANS Policy Team	Converted to new format and retired

SANS Institute 2014 – All Rights Reserved Page 1

Consensus Policy Resource Community

Remote Access Policy

1. Overview

Remote access to our corporate network is essential to maintain our Team’s productivity, but in many cases this remote access originates from networks that may already be compromised or are at a significantly lower security posture than our corporate network. While these remote networks are beyond the control of Hypergolic Reactions, LLC policy, we must mitigate these external risks the best of our ability.

2. Purpose

The purpose of this policy is to define rules and requirements for connecting to ‘s network from any host. These rules and requirements are designed to minimize the potential exposure to from damages which may result from unauthorized use of resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical internal systems, and fines or other financial liabilities incurred as a result of those losses.

3. Scope

This policy applies to all employees, contractors, vendors and agents with a -owned or personally-owned computer or workstation used to connect to the network. This policy applies to remote access connections used to do work on behalf of , including reading or sending email and viewing intranet web resources. This policy covers any and all technical implementations of remote access used to connect to networks.

4. Policy

It is the responsibility of employees, contractors, vendors and agents with remote access privileges to ‘s corporate network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to .

General access to the Internet for recreational use through the network is strictly limited to employees, contractors, vendors and agents (hereafter referred to as “Authorized Users”). When accessing the network from a personal computer, Authorized Users are responsible for preventing access to any computer resources or data by non-Authorized Users. Performance of illegal activities through the network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for and consequences of misuse of the Authorized User’s access. For further information and definitions, see the Acceptable Use Policy.

Authorized Users will not use networks to access the Internet for outside business interests.

For additional information regarding ‘s remote access connection options, including how to obtain a remote access login, free anti-virus software, troubleshooting, etc., go to the Remote Access Services website (company url).

4.1 Requirements

4.1.1 Secure remote access must be strictly controlled with encryption (i.e., Virtual Private Networks (VPNs)) and strong pass-phrases. For further information see the Acceptable Encryption Policy and the Password Policy.

4.1.2 Authorized Users shall protect their login and password, even from family members.

4.1.3 While using a -owned computer to remotely connect to ‘s corporate network, Authorized Users shall ensure the remote host is not connected to any other network at the same time, with the exception of personal networks that are under their complete control or under the complete control of an Authorized User or Third Party.

4.1.4 Use of external resources to conduct business must be approved in advance by InfoSec and the appropriate business unit manager.

4.1.5 All hosts that are connected to internal networks via remote access technologies must use the most up-to-date anti-virus software (place url to corporate software site here), this includes personal computers. Third party connections must comply with requirements as stated in the Third Party Agreement.

4.1.6 Personal equipment used to connect to ‘s networks must meet the requirements of -owned equipment for remote access as stated in the Hardware and Software Configuration Standards for Remote Access to Networks.

5. Policy Compliance

5.1 Compliance Measurement

The Infosec Team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and appropriate business unit manager.

5.2 Exceptions

Any exception to the policy must be approved by Remote Access Services and the Infosec Team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6 Related Standards, Policies and Processes

Please review the following policies for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of ’s network:

· Acceptable Encryption Policy

· Acceptable Use Policy

· Password Policy

· Third Party Agreement

· Hardware and Software Configuration Standards for Remote Access to Networks

7 Revision History

Date of Change	Responsible	Summary of Change
June 2014	SANS Policy Team	Updated and converted to new format.
April 2015	Christopher Jarko	Added an Overview; created a group term for company employees, contractors, etc. (“Authorized Users”); strengthened the policy by explicitly limiting use of company resources to Authorized Users only; combined Requirements when possible, or eliminated Requirements better suited for a Standard (and added a reference to that Standard); consolidated list of related references to end of Policy.

SANS Institute 2014 – All Rights Reserved Page 3