User acceptance Policy
Scenario
You work for a large, private health care organization that has server, mainframe, and RSA user access. Your organization requires identification of the types of user access policies provided to its employees.
Sean, your manager, just came into your office at 6:00 p.m. on Friday and asks you to write a report detailing these user access policies. He needs you to research a generic template and use that as a starting point from which to move forward. He wants you to complete this task over the weekend as he has just been given a boatload of tasks in the management meeting which ended a few minutes ago. He is counting on you to take some of the load off his shoulders. The report is due to senior management next week.
Assignment Requirements
Choose only (1) SANS template of your choice that is attached within the assignment, fill out throughly.
You will be graded on quality of content in addition to the baseline template and the use of APA references. The last page before the References “Project Summary” section, will summarize why you chose to work on that specific template and account for some of the high-level objectives you plan to present to Sean on your next meeting.
ConsensusPolicy Resource Community
Acceptable Use Policy
Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required. If you would like to contribute a new policy or updated version of this policy, please send email to
policy-resources@sans.org
.
Last Update Status: Updated June 2014
1. Overview
Infosec’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of
Effective security is a team effort involving the participation and support of every
2. Purpose
The purpose of this policy is to outline the acceptable use of computer equipment at
3. Scope
This policy applies to the use of information, electronic and computing devices, and network resources to conduct
This policy applies to employees, contractors, consultants, temporaries, and other workers at
4. Policy
4.1 General Use and Ownership
4.1.1 proprietary information stored on electronic and computing devices whether owned or leased by , the employee or a third party, remains the sole property of . You must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Standard.
4.1.2 You have a responsibility to promptly report the theft, loss or unauthorized disclosure of proprietary information.
4.1.3 You may access, use or share proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.
4.1.4 Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
4.1.5 For security and network maintenance purposes, authorized individuals within may monitor equipment, systems and network traffic at any time, per Infosec’s Audit Policy.
4.1.6 reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
4.2 Security and Proprietary Information
4.2.1 All mobile and computing devices that connect to the internal network must comply with the Minimum Access Policy.
4.2.2 System level and user level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
4.2.3 All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.
4.2.4 Postings by employees from a
4.2.5 Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.
4.3 Unacceptable Use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
4.3.1 System and Network Activities
The following activities are strictly prohibited, with no exceptions:
1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which
3. Accessing data, a server or an account for any purpose other than conducting
4. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
5. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
6. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
7. Using a
8. Making fraudulent offers of products, items, or services originating from any
9. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
10. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
11. Port scanning or security scanning is expressly prohibited unless prior notification to Infosec is made.
12. Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
13. Circumventing user authentication or security of any host, network or account.
14. Introducing honeypots, honeynets, or similar technology on the
15. Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
16. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, via any means, locally or via the Internet/Intranet/Extranet.
17. Providing information about, or lists of,
4.3.2 Email and Communication Activities
When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that “the opinions expressed are my own and not necessarily those of the company”. Questions may be addressed to the IT Department
1. Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
5. Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
6. Use of unsolicited email originating from within
7. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
4.3.3 Blogging and Social Media
1. Blogging by employees, whether using
2.
3. Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of
4. Employees may also not attribute personal statements, opinions or beliefs to
5. Apart from following all laws pertaining to the handling and disclosure of copyrighted or export controlled materials,
5. Policy Compliance
5.1 Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6. Related Standards, Policies and Processes
· Data Classification Policy
· Data Protection Standard
· Social Media Policy
· Minimum Access Policy
· Password Policy
7. Definitions and Terms
The following definition and terms can be found in the SANS Glossary located at:
https://www.sans.org/security-resources/glossary-of-terms/
· Blogging
· Honeypot
· Honeynet
· Proprietary Information
· Spam
8. Revision History
Date of Change | Responsible | Summary of Change |
June 2014 | SANS Policy Team | Updated and converted to new format |
SANS Institute 2014 – All Rights Reserved Page 6
Consensus Policy Resource Community
Remote Access Policy
1. Overview
Remote access to our corporate network is essential to maintain our Team’s productivity, but in many cases this remote access originates from networks that may already be compromised or are at a significantly lower security posture than our corporate network. While these remote networks are beyond the control of Hypergolic Reactions, LLC policy, we must mitigate these external risks the best of our ability.
2. Purpose
The purpose of this policy is to define rules and requirements for connecting to
3. Scope
This policy applies to all
4. Policy
It is the responsibility of
General access to the Internet for recreational use through the
Authorized Users will not use
For additional information regarding
4.1 Requirements
4.1.1 Secure remote access must be strictly controlled with encryption (i.e., Virtual Private Networks (VPNs)) and strong pass-phrases. For further information see the Acceptable Encryption Policy and the Password Policy.
4.1.2 Authorized Users shall protect their login and password, even from family members.
4.1.3 While using a
4.1.4 Use of external resources to conduct
4.1.5 All hosts that are connected to
4.1.6 Personal equipment used to connect to
5. Policy Compliance
5.1 Compliance Measurement
The Infosec Team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and appropriate business unit manager.
5.2 Exceptions
Any exception to the policy must be approved by Remote Access Services and the Infosec Team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6 Related Standards, Policies and Processes
Please review the following policies for details of protecting information when accessing the corporate network via remote access methods, and acceptable use of
· Acceptable Encryption Policy
· Acceptable Use Policy
· Password Policy
· Third Party Agreement
· Hardware and Software Configuration Standards for Remote Access to
7 Revision History
Date of Change | Responsible | Summary of Change |
June 2014 | SANS Policy Team | Updated and converted to new format. |
April 2015 | Christopher Jarko |
Added an Overview; created a group term for company employees, contractors, etc. (“Authorized Users”); strengthened the policy by explicitly limiting use of company resources to Authorized Users only; combined Requirements when possible, or eliminated Requirements better suited for a Standard (and added a reference to that Standard); consolidated list of related references to end of Policy. |
SANS Institute 2014 – All Rights Reserved Page 3
Consensus Policy Resource Community
Employee Internet Use Monitoring and Filtering Policy
Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required. If you would like to contribute a new policy or updated version of this policy, please send email to
policy-resources@sans.org
.
Last Update Status:
Retired
1. Overview
See Purpose.
2. Purpose
The purpose of this policy is to define standards for systems that monitor and limit web use from any host within
3. Scope
This policy applies to all
This policy applies to all end user initiated communications between
4. Policy
4.1 Web Site Monitoring
The Information Technology Department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic the monitoring system must record the source IP Address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet Use records must be preserved for 180 days.
4.2 Access to Web Site Monitoring Reports
General trending and activity reports will be made available to any employee as needed upon request to the Information Technology Department. Computer Security Incident Response Team (CSIRT) members may access all reports and data if necessary to respond to a security incident. Internet Use reports that identify specific users, sites, teams, or devices will only be made available to associates outside the CSIRT upon written or email request to Information Systems from a Human Resources Representative.
3.3 Internet Use Filtering System
The Information Technology Department shall block access to Internet websites and protocols that are deemed inappropriate for
· Adult/Sexually Explicit Material
· Advertisements & Pop-Ups
· Chat and Instant Messaging
· Gambling
· Hacking
· Illegal Drugs
· Intimate Apparel and Swimwear
· Peer to Peer File Sharing
· Personals and Dating
· Social Network Services
· SPAM
, Phishing and Fraud
· Spyware
· Tasteless and Offensive Content
· Violence, Intolerance and Hate
· Web Based Email
3.4 Internet Use Filtering Rule Changes
The Information Technology Department shall periodically review and recommend changes to web and protocol filtering rules. Human Resources shall review these recommendations and decide if any changes are to be made. Changes to web and protocol filtering rules will be recorded in the Internet Use Monitoring and Filtering Policy.
3.5 Internet Use Filtering Exceptions
If a site is mis-categorized, employees may request the site be un-blocked by submitting a ticket to the Information Technology help desk. An IT employee will review the request and un-block the site if it is mis-categorized.
Employees may access blocked sites with permission if appropriate and necessary for business purposes. If an employee needs access to a site that is blocked and appropriately categorized, they must submit a request to their Human Resources representative. HR will present all approved exception requests to Information Technology in writing or by email. Information Technology will unblock that site or category for that associate only. Information Technology will track approved exceptions and report on them upon request.
5. Policy Compliance
5.1 Compliance Measurement
The Infosec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Infosec team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6 Related Standards, Policies and Processes
None.
7 Definitions and Terms
The following definition and terms can be found in the SANS Glossary located at:
https://www.sans.org/security-resources/glossary-of-terms/
· Peer to Peer File Sharing
· Social Networking Services
· SPAM
· Phishing
· Hacking
8 Revision History
Date of Change | Responsible | Summary of Change |
July 2014 | SANS Policy Team | Converted to new format and retired |
SANS Institute 2014 – All Rights Reserved Page 1
Consensus
Policy
Resource Community
Security Response Plan Policy
Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required. If you would like to contribute a new policy or updated version of this policy, please send email to
policy-resources@sans.org
.
Last Update Status: Updated June 2014
1 Overview
A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (security vulnerability identified or exploited). Specifically, an SRP defines a product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines. By requiring business units to incorporate an SRP as part of their business continuity operations and as new products or services are developed and prepared for release to consumers, ensures that when an incident occurs, swift mitigation and remediation ensues.
2 Purpose
The purpose of this policy is to establish the requirement that all business units supported by the Infosec team develop and maintain a security response plan. This ensures that security incident management team has all the necessary information to formulate a successful response should a specific security incident occur.
3 Scope
This policy applies any established and defined business unity or entity within the
Policy
The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the specific business unit for whom the SRP is being developed in cooperation with the Infosec Team. Business units are expected to properly facilitate the SRP for applicable to the service or products they are held accountable. The business unit security coordinator or champion is further expected to work with the
4.1 Service or Product Description
The product description in an SRP must clearly define the service or application to be deployed with additional attention to data flows, logical diagrams, architecture considered highly useful.
4.2 Contact Information
The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to customer. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).
4.3 Triage
The SRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.
4.4 Identified Mitigations and Testing
The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.
4.5 Mitigation and Remediation Timelines
The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to level of severity determined for the reported vulnerability.
5 Policy Compliance
5.1 Compliance Measurement
Each business unit must be able to demonstrate they have a written SRP in place, and that it is under version control and is available via the web. The policy should be reviewed annually.
5.2 Exceptions
Any exception to this policy must be approved by the Infosec Team in advance and have a written record.
5.3 Non-Compliance
Any business unit found to have violated (no SRP developed prior to service or product deployment) this policy may be subject to delays in service or product release until such a time as the SRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an SRP
6 Related Standards, Policies and Processes
None.
7 Definitions and Terms
None.
8 Revision History
Date of Change | Responsible | Summary of Change |
June 2014 | SANS Policy Team | Updated and converted to new format. |
SANS Institute 2014 – All Rights Reserved Page 3