network security policy

Upload: audrey-wilson

Post on 03-Jun-2018


  • 8/12/2019 Network Security Policy

    1/59

    1

    NETWORK SECURITY POLICY

    Version 1.0

    Submitted by

    Dr. Gatana Kariuki

    9 September 2013


    Table of Contents

    A. Executive Summary .......... 3

    I. Introduction .......... 3

    II. Security Policy Components .......... 5

    III. Trends in Network Security .......... 11

    Acceptable Use Policy .......... 12

    Password Policy .......... 20

    Workstation Security Policy .......... 25

    Removable Media Policy .......... 28

    Server Security Policy .......... 30

    Antivirus Policy .......... 34

    Internet Usage Policy .......... 36

    Wireless Communication Policy .......... 50

    Router Security Policy .......... 54

    Acceptable Encryption Policy .......... 58


    A. Executive Summary

    The Government has invested considerable time, money, and people resources into providing

    computer hardware, software, and networking to equip the staff to perform their varied functions.

    However, employment here does not guarantee access to a computer or related resources. As a

    civil servant, it is your responsibility to take reasonable efforts to safeguard the valuable

    equipment and data provided to you.

    Civil servants are representatives of the Government. Any use of computer equipment is an

    extension of that representation. With access to email and the internet, you can represent the

    Government, worldwide, nearly instantly. All access needs to be minimally appropriate, and

    preferably of a positive nature.

    Our policies are intended to protect both the Government and the computer user. Violation of

    policies is grounds for disciplinary action, which may include termination. Violation of some

    policies may also call for additional legal or civil actions. Exceptions are handled only by PRIOR

    request and approval of the ICT Department. Requests should be made by way of email

    addressed to the helpdesk.

    I. Introduction

    Business goals and risk analysis drive the need for network security. For a while, information

    security was influenced to some extent by fear, uncertainty, and doubt. Examples of these

    influences included the fear of a new worm outbreak, the uncertainty of providing web services,

    or doubts that a particular leading-edge security technology would fail. But regardless of the

    security implications, business needs have to come first.

    In order to address the security needs of the Government of The Gambia (GOTG), the following four

    requirements need to be addressed:


    1. Business needs - What does your organization want to do with the network?

    2. Risk analysis - What is the risk and cost balance?

    3. Security policy - What are the policies, standards, and guidelines that you need to address

    business needs and risks?

    4. Industry best practices - What are the reliable, well-understood, and recommended security

    best practices?

    Figure 1 illustrates the key factors you should consider when designing a secure network:

    Figure 1: Factors Affecting the Design of a Secure Network


    II. Security Policy Components

    Figure 2 shows the hierarchy of the organization policy structure that is aimed at effectively

    meeting the needs of all audiences.

    Figure 2: Components of a Comprehensive Security Policy

    a) Governing policy: This policy is a high-level treatment of the security concepts that are

    important to the organization, written for managers and technical custodians. In terms of

    detail, the governing policy outlines those concepts and has the following characteristics:

    It controls all security-related interactions among business units and supporting

    departments in the organization.

    It aligns closely with not only existing organization policies, especially human

    resource policies, but also any other policy that mentions security-related issues,

    such as issues concerning email, computer use, or related IT subjects.

    It is placed at the same level as all organization wide policies.


    It supports the technical and end-user policies.

    It includes the following key components:

    o A statement of the issue that the policy addresses

    o A statement about your position as IT manager on the policy

    o How the policy applies in the environment

    o The roles and responsibilities of those affected by the policy

    o What level of compliance to the policy is necessary

    o Which actions, activities, and processes are allowed and which are not

    o What the consequences of noncompliance are.

    The general or governing policy of the Government of The Gambia is that users of government

    information resources must protect:

    1) Their online identity from use by another individual,

    2) The integrity of computer-based information resources, and

    3) The privacy of electronic information.

    In addition, users must refrain from seeking to gain unauthorized access, honour all copyrights

    and licences, and respect the rights of other information resource users.

    b) End-user policies: This document covers all security topics important to end users. In terms

    of detail level, end-user policies answer the what, who, when, and where security

    policy questions at an appropriate level of detail for an end user. End-user policies are

    compiled into a single policy document that covers all the topics pertaining to information

    security that end users should know about, comply with, and implement. This policy may

    overlap with the technical policies and is at the same level as a technical policy. Grouping all

    the end-user policies together means that users have to go to only one place and read one


    document to learn everything that they need to do to ensure compliance with the organization

    security policy.

    c) Technical policies: Security staff members use technical policies as they carry out their

    security responsibilities for the system. These policies are more detailed than the governing

    policy and are system or issue specific (for example, access control, router security issues or

    physical security issues). These policies are essentially security handbooks that describe what

    the security staff does, but not how the security staff performs its functions. In terms of

    detail, technical policies answer the what, who, when, and where security policy

    questions. The why is left to the owner of the information.

    The following are typical policy categories for technical policies:

    General policies

    o Acceptable use policy (AUP): Defines the acceptable use of equipment and

    computing services, and the appropriate security measures that employees should

    take to protect the corporate resources and proprietary information.

    o Account access request policy: Formalizes the account and access request process

    within the organization. Users and system administrators who bypass the standard

    processes for account and access requests may cause legal action against the

    organization.

    o Acquisition assessment policy: Defines the responsibilities regarding corporate

    acquisitions and defines the minimum requirements that the information security

    group must complete for an acquisition assessment.


    o Audit policy: Used to conduct audits and risk assessments to ensure integrity of

    information and resources, investigate incidents, ensure conformance to security

    policies, or monitor user and system activity where appropriate.

    o Information sensitivity policy: Defines the requirements for classifying and

    securing information in a manner appropriate to its sensitivity level.

    o Password policy: Defines the standards for creating, protecting, and changing

    strong passwords.

    o Risk-assessment policy: Defines the requirements and provides the authority for

    the information security team to identify, assess, and remediate risks to the

    information infrastructure that is associated with conducting business.

    o Global web server policy: Defines the standards that are required by all web hosts.

    Email policies

    o Automatically forwarded email policy: Documents the policy restricting

    automatic email forwarding to an external destination without prior approval from

    the appropriate manager or director.

    o Email policy: Defines the standards to prevent tarnishing the public image of the

    organization.

    o Spam policy: The AUP covers spam.

    Remote-access policies

    o Dial-in access policy: Defines the appropriate dial-in access and its use by

    authorized personnel.

    o Remote-access policy: Defines the standards for connecting to the organization

    network from any host or network external to the organization.


    o VPN security policy: Defines the requirements for remote-access IP Security

    (IPsec) or Layer 2 Tunneling Protocol (L2TP) VPN connections to the

    organization network.

    Personal device and phone policies

    o Analog and ISDN line policy: Defines the standards to use analog and ISDN lines

    for sending and receiving faxes and for connection to computers.

    o Personal communication device policy: Defines the information security

    requirements for personal communication devices, such as voicemail,

    smartphones, tablets, and so on.

    Application policies

    o Acceptable encryption policy: Defines the requirements for encryption algorithms

    that are used within the organization.

    o Application service provider (ASP) policy: Defines the minimum security criteria

    that an ASP must execute before the organization uses the ASP's services on a

    project.

    o Database credentials coding policy: Defines the requirements for securely storing

    and retrieving database usernames and passwords.

    o Interprocess communications policy: Defines the security requirements that any

    two or more processes must meet when they communicate with each other using a

    network socket or operating system socket.

    o Project security policy: Defines requirements for project managers to review all

    projects for possible security requirements.


    o Source code protection policy: Establishes minimum information security

    requirements for managing product source code.

    Network policies

    o Extranet policy: Defines the requirement that third-party organizations that need

    access to the organization networks must sign a third-party connection agreement.

    o Minimum requirements for network access policy: Defines the standards and

    requirements for any device that requires connectivity to the internal network.

    o Network access standards: Defines the standards for secure physical port access

    for all wired and wireless network data ports.

    o Router and switch security policy: Defines the minimal security configuration

    standards for routers and switches inside an organization production network or

    used in a production capacity.

    o Server security policy: Defines the minimal security configuration standards for

    servers inside an organization production network or used in a production capacity.

    o Wireless communication policy: Defines standards for wireless systems that are used to

    connect to the organization networks.

    Document retention policy: Defines the minimal systematic review, retention, and

    destruction of documents received or created during the course of business. The

    categories of retention policy are, among others:

    o Electronic communication retention policy: Defines standards for the retention of

    email and instant messaging.

    o Financial retention policy: Defines standards for the retention of bank statements,

    annual reports, pay records, accounts payable and receivable, and so on.


    o Employee records retention policy: Defines standards for the retention of

    employee personal records.

    o Operation records retention policy: Defines standards for the retention of past

    inventories information, training manuals, suppliers lists, and so forth.

    III. Trends in Network Security

    Several trends in business, technology, and innovation influence the need for new paradigms in

    information security. Mobility is one trend. Expect to see billions of new network mobile devices

    moving into the enterprise worldwide over the next few years. Taking into consideration constant

    reductions and streamlining in IT budgets, organizations face serious challenges in supporting a

    growing number of mobile devices at a time when their resources are being reduced.

    The second market transition is cloud computing and cloud services. Organizations of all kinds

    are taking advantage of offerings such as Software as a Service (SaaS) and Infrastructure as a

    Service (IaaS) to reduce costs and simplify the deployment of new services and applications.

    These cloud services add challenges in visibility (how do you identify and mitigate threats that

    come to and from a trusted network?), control (who controls the physical assets, encryption keys,

    and so on?), and trust (do you trust cloud partners to ensure that critical application data is still

    protected when it is off the enterprise network?).


    Acceptable Use Policy

    1.0 Overview

    GOTG's intention in publishing an Acceptable Use Policy is not to impose restrictions that are

    contrary to the Government's established culture of openness, trust and integrity. GOTG is

    committed to protecting the Government's employees, partners and the Government itself from illegal or

    damaging actions by individuals, whether committed knowingly or unknowingly.

    Internet/Intranet/Extranet-related systems, including but not limited to computer equipment,

    software, operating systems, storage media, network accounts providing electronic mail, WWW

    browsing, and FTP, are the property of GOTG. These systems are to be used for business

    purposes in serving the interests of the Government, and of our staff and customers in the course

    of normal operations. Please review Human Resources policies for further details.

    Effective security is a team effort involving the participation and support of every Government

    employee and affiliate who deals with information and/or information systems. It is the

    responsibility of every computer user to know these guidelines, and to conduct their activities

    accordingly. Ignorance is no defence.

    2.0 Purpose

    The purpose of this policy is to outline the acceptable use of computer equipment at

    Government. These rules are in place to protect the employee and Government. Inappropriate

    use exposes Government to risks including virus attacks, compromise of network systems and

    services, and legal issues.


    3.0 Scope

    This policy applies to employees, contractors, consultants, temporaries, and other workers at

    Government, including all personnel affiliated with third parties. This policy applies to all

    equipment that is owned or leased by Government.

    4.0 Policy

    4.1 General Use and Ownership

    1. While Government's network administration desires to provide a reasonable level of

    privacy, users should be aware that the data they create on the corporate systems remains

    the property of Government.

    2. Employees are responsible for exercising good judgment regarding the reasonableness of

    personal use. Individual departments are responsible for proposing specific guidelines

    concerning personal use of Internet/Intranet/Extranet systems in collaboration with

    MOICI. In the absence of such policies, employees should be guided by departmental

    policies on personal use, and if there is any uncertainty, employees should consult their

    supervisor or manager.

    3. Government recommends that any information that users consider sensitive or vulnerable

    be encrypted.

    4. For security and network maintenance purposes, authorized individuals within

    Government may monitor equipment, systems and network traffic at any time, per

    Government's Audit Policy.

    5. Government reserves the right to audit networks and systems on a periodic basis to

    ensure compliance with this policy.


    6. To prevent unauthorized access to Government information, only authorized individuals

    within Government will repair computer systems.

    4.2 Security and Proprietary Information

    1. The user interface for information contained on Internet/Intranet/Extranet-related systems

    should be classified as either confidential or not confidential, as defined by corporate

    confidentiality guidelines, details of which can be found in Human Resources policies.

    Examples of confidential information include but are not limited to: government private,

    corporate strategies, sensitive information, trade secrets, specifications, customer lists,

    and research data. Employees should take all necessary steps to prevent unauthorized

    access to this information.

    2. Keep passwords secure and do not share accounts. Authorized users are responsible for

    the security of their passwords and accounts. System level passwords should be changed

    quarterly, user level passwords should be changed every six months.

    3. All PCs, laptops and workstations should be secured with a password-protected

    screensaver with the automatic activation feature set at 10 minutes or less, or by logging-

    off (control-alt-delete for Windows users) when the host will be unattended.

    4. Use encryption of information in compliance with Government's Acceptable Encryption

    policy.

    5. Because information contained on portable computers is especially vulnerable, special

    care should be exercised. Staff using an official portable computer must

    adequately safeguard it against physical damage and theft at all times. The

    standard encryption tool must be available for encrypting the necessary areas of the hard

    disk.


    6. Postings by employees from a Government email address to newsgroups should contain a

    disclaimer stating that the opinions expressed are strictly their own and not necessarily

    those of Government, unless posting is in the course of business duties.

    7. All hosts used by the employee that are connected to the Government

    Internet/Intranet/Extranet, whether owned by the employee or Government, shall be

    continually executing approved virus-scanning software with a current virus database

    unless overridden by departmental or group policy.

    8. Employees must use extreme caution when opening e-mail attachments received from

    unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

    4.3. Unacceptable Use

    The following activities are, in general, prohibited. Employees may be exempted from these

    restrictions during the course of their legitimate job responsibilities (e.g., systems administration

    staff may have a need to disable the network access of a host if that host is disrupting production

    services).

    Under no circumstances is an employee of Government authorized to engage in any activity that

    is illegal under local, state or international law while utilizing Government-owned resources.

    The lists below are by no means exhaustive, but attempt to provide a framework for activities

    which fall into the category of unacceptable use.

    4.3.0 System and Network Activities

    The following activities are strictly prohibited, with no exceptions:

    1. Violations of the rights of any person or company protected by copyright, trade secret,

    patent or other intellectual property, or similar laws or regulations, including, but not


    limited to, the installation or distribution of "pirated" or other software products that are

    not appropriately licensed for use by Government.

    2. Unauthorized copying of copyrighted material including, but not limited to, digitization

    and distribution of photographs from magazines, books or other copyrighted sources,

    copyrighted music, and the installation of any copyrighted software for which

    Government or the end user does not have an active license is strictly prohibited.

    3. Exporting software, technical information, encryption software or technology, in

    violation of international or regional export control laws, is illegal. The appropriate

    management should be consulted prior to export of any material that is in question.

    4. Introduction of malicious programs into the network or server (e.g., viruses, worms,

    Trojan horses, e-mail bombs, etc.).

    5. Revealing your account password to others or allowing use of your account by others.

    This includes family and other household members when work is being done at home.

    6. Using a Government computing asset to actively engage in procuring or transmitting

    material that is in violation of sexual harassment or hostile workplace laws in the user's

    local jurisdiction.

    7. Making fraudulent offers of products, items, or services originating from any

    Government account.

    8. Making statements about warranty, expressly or implied, unless it is a part of normal job

    duties.

    9. Effecting security breaches or disruptions of network communication. Security breaches

    include, but are not limited to, accessing data of which the employee is not an intended

    recipient or logging into a server or account that the employee is not expressly authorized


    to access, unless these duties are within the scope of regular duties. For purposes of this

    section, "disruption" includes, but is not limited to, network sniffing, pinged floods,

    packet spoofing, denial of service, and forged routing information for malicious purposes.

    10. Port scanning or security scanning is expressly prohibited unless prior notification to the ICT

    Department is made.

    11. Executing any form of network monitoring which will intercept data not intended for the

    employee's host, unless this activity is a part of the employee's normal job/duty.

    12. Circumventing user authentication or security of any host, network or account.

    13. Interfering with or denying service to any user other than the employee's host (for example, a denial of service attack).

    14. Using any program/script/command, or sending messages of any kind, with the intent to

    interfere with, or disable, a user's terminal session, via any means, locally or via the

    Internet/Intranet/Extranet.

    15. Providing information about, or lists of, Government employees to parties outside

    Government.

    4.3.1 Email and Communications Activities

    1. Sending unsolicited email messages, including the sending of "junk mail" or other

    advertising material to individuals who did not specifically request such material (email

    spam).

    2. Any form of harassment via email, telephone or paging, whether through language,

    frequency, or size of messages.

    3. Unauthorized use, or forging, of email header information.


    4. Solicitation of email for any other email address, other than that of the poster's account,

    with the intent to harass or to collect replies.

    5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.

    6. Use of unsolicited email originating from within Government's networks or other

    Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service

    hosted by Government or connected via Government's network.

    7. Posting the same or similar non-business-related messages to large numbers of Usenet

    newsgroups (newsgroup spam).

    4.4 Blogging

    1. Blogging by employees, whether using Government property and systems or personal

    computer systems, is also subject to the terms and restrictions set forth in this Policy.

    Limited and occasional use of Government systems to engage in blogging is acceptable,

    provided that it is done in a professional and responsible manner, does not otherwise

    violate Government's policy, is not detrimental to Government's best interests, and does

    not interfere with an employee's regular work duties. Blogging from Government's

    systems is also subject to monitoring.

    2. Government's Confidential Information policy also applies to blogging. As such,

    employees are prohibited from revealing any Government confidential or proprietary

    information, trade secrets or any other material covered by Government's Confidential

    Information policy when engaged in blogging.

    3. Employees shall not engage in any blogging that may harm or tarnish the image,

    reputation and/or goodwill of Government and/or any of its employees. Employees are

    also prohibited from making any discriminatory, disparaging, defamatory or harassing


    comments when blogging or otherwise engaging in any conduct prohibited by

    Government's Non-Discrimination and Anti-Harassment policy.

    4. Employees may also not attribute personal statements, opinions or beliefs to Government

    when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions

    in blogs, the employee may not, expressly or implicitly, represent themselves as an

    employee or representative of Government. Employees assume any and all risk

    associated with blogging.

    5. Apart from following all laws pertaining to the handling and disclosure of copyrighted or

    export controlled materials, Government's trademarks, logos and any other Government intellectual property may also not be used in connection with any blogging activity.

    5.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and

    including termination of employment.

    6.0 Definitions

    Term: Definition

    Blogging: Writing a blog. A blog (short for weblog) is a personal online journal that is

    frequently updated and intended for general public consumption.

    Spam: Unauthorized and/or unsolicited electronic mass mailings.

    7.0 Revision History

    Original Issue Date: 9/9/2013


    Password Policy

    1.0 Overview

    Passwords are an important aspect of computer security. A poorly chosen password may result

    in unauthorized access and/or exploitation of Government resources. All users, including

    contractors and vendors with access to Government systems, are responsible for taking the

    appropriate steps, as outlined below, to select and secure their passwords.

    2.0 Purpose

    The purpose of this policy is to establish a standard for creation of strong passwords, the

    protection of those passwords, and the frequency of change.

    3.0 Scope

    The scope of this policy includes all personnel who have or are responsible for an account (or

    any form of access that supports or requires a password) on any system that resides at any

    Government facility, has access to the Government network, or stores any non-public

    Government information.

    4.0 Policy

    4.1 General

    All system-level passwords (e.g., root, enable, Windows Administrator, application

    administration accounts, etc.) must be changed on at least a quarterly basis.

    All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at

    least every six months.

    User accounts that have system-level privileges granted through group memberships or

    programs must have a unique password from all other accounts held by that user.


    Where SNMP is used, the community strings must be defined as something other than the

    standard defaults of "public," "private" and "system" and must be different from the

    passwords used to log in interactively. SNMPv1 and SNMPv2c community strings travel in

    clear text and carry no keyed authentication, so where the equipment supports it SNMPv3

    with the User-based Security Model must be used: it authenticates each message with a

    keyed hash (HMAC) and can also encrypt the payload.

    All user-level and system-level passwords must conform to the guidelines described

    below.
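The SNMP clause above is the one requirement in this section that can be checked directly against a device configuration. The following is an added example, not part of the policy, that audits a net-snmp snmpd.conf: it flags the three default community strings, community strings that reuse an interactive login password, any SNMPv1/v2c community access at all (which carries no keyed hash), and the absence of an SNMPv3 user created with HMAC authentication. The two configuration fragments are constructed for the example and the passphrases in them are placeholders; the directive names (rocommunity, rwcommunity, com2sec, createUser, rouser) are net-snmp's own.

```python
import re

# Default community strings the policy forbids.
DEFAULT_COMMUNITIES = {"public", "private", "system"}

# net-snmp snmpd.conf directives that grant SNMPv1/v2c community-string access
# (clear text, no keyed authentication) and the SNMPv3 user directive.
COMMUNITY_DIRECTIVE = re.compile(r"^\s*r[ow]community6?\s+(\S+)")
COM2SEC_DIRECTIVE = re.compile(r"^\s*com2sec6?\s+\S+\s+\S+\s+(\S+)")
CREATE_USER = re.compile(r"^\s*createUser\s+(?:-e\s+\S+\s+)?(\S+)\s+(MD5|SHA(?:-\d+)?)\s+")

# Constructed snmpd.conf fragments for the example (not from any real device).
WEAK_CONF = """\
# agent as shipped: clear-text community strings, all defaults
rocommunity public
rwcommunity private 10.10.0.0/16
com2sec readonly default system
"""

HARDENED_CONF = """\
# no v1/v2c communities; one v3 user with HMAC-SHA auth and AES privacy (placeholder passphrases)
createUser netmon SHA "replace-with-auth-passphrase" AES "replace-with-priv-passphrase"
rouser netmon priv
"""


def audit_snmpd_conf(conf_text, login_passwords=()):
    """Return the policy findings for a net-snmp snmpd.conf; an empty list means
    the configuration satisfies the SNMP clause of the password policy.

    login_passwords is the set of interactive passwords that community strings
    must not reuse; a production check would compare hashes, not plaintext."""
    findings = []
    communities = []          # (line number, community string)
    v3_auth_users = set()
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]                 # drop trailing comments
        if (m := COMMUNITY_DIRECTIVE.match(line)) or (m := COM2SEC_DIRECTIVE.match(line)):
            communities.append((lineno, m.group(1)))
        elif m := CREATE_USER.match(line):
            v3_auth_users.add(m.group(1))
    for lineno, community in communities:
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"line {lineno}: default community string '{community}'")
        if community in login_passwords:
            findings.append(f"line {lineno}: community string reuses an interactive login password")
    if communities:
        findings.append("SNMPv1/v2c community access is enabled; these requests carry no keyed hash")
    if not v3_auth_users:
        findings.append("no SNMPv3 user with HMAC authentication (createUser ... SHA ...) is defined")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_snmpd_conf(conf) or "compliant")
```

The check is deliberately syntactic: it reads the agent's configuration rather than probing the device, so it can run from a configuration repository before a change is pushed. Probing with an SNMP walk against the default strings is the complementary runtime test.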

    4.2 Guidelines

    A. General Password Construction Guidelines

    All users at GOTG should be aware of how to select strong passwords.

    Strong passwords have the following characteristics:

    Contain at least three of the five following character classes:

    o Lower case characters

    o Upper case characters

    o Numbers

    o Punctuation

    o Special characters (e.g. @#$%^&* ()_+|~ -=\`{}[]:";'/ etc.)

    Contain at least fifteen alphanumeric characters.

    Weak passwords have the following characteristics:

    The password contains fewer than fifteen characters.

    The password is a word found in a dictionary (English or foreign).

    The password is a common usage word such as:

    o Names of family, pets, friends, co-workers, fantasy characters, etc.

    o Computer terms and names, commands, sites, companies, hardware, software.

    o The words "", "sanjose", "sanfran" or any derivation.

    o Birthdays and other personal information such as addresses and phone numbers.

    o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

    o Any of the above spelled backwards.

    o Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

    Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

    (NOTE: Do not use either of these examples as passwords!)
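The construction rules above can be enforced at password-change time. The checker below is an added example, not part of the policy or any GOTG system; the small dictionary and common-usage word lists, the punctuation/special split, and the exact-match (rather than substring) tests are assumptions made for the example.

```python
"""Password construction checker for the strong/weak criteria in section 4.2.A."""
import re
import string

MIN_LENGTH = 15   # "at least fifteen alphanumeric characters"
MIN_CLASSES = 3   # "at least three of the five character classes"

# Assumption: the policy lists "punctuation" and "special" as separate classes
# without defining the boundary; this split is the example's own choice.
PUNCTUATION = set(".,;:!?'\"")
SPECIAL = set(string.punctuation) - PUNCTUATION

# Constructed stand-ins for the dictionary and common-usage lists the policy
# refers to; a real deployment would load a full dictionary and a site list.
DICTIONARY_WORDS = {"secret", "password", "welcome", "remember", "traffic"}
COMMON_USAGE_WORDS = {"sanjose", "sanfran", "admin", "root", "windows", "oracle", "gotg"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def character_classes(pw):
    """Return the set of policy character classes present (spaces are ignored)."""
    classes = set()
    for ch in pw:
        if ch.isspace():
            continue
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("number")
        elif ch in PUNCTUATION:
            classes.add("punctuation")
        else:
            classes.add("special")
    return classes


def _candidate_forms(pw):
    """Lower-cased password, the same with one leading or trailing digit stripped,
    and the reverse of each form (covers 'secret1', '1secret' and 'terces')."""
    low = pw.lower()
    forms = {low}
    if len(low) > 1 and low[0].isdigit():
        forms.add(low[1:])
    if len(low) > 1 and low[-1].isdigit():
        forms.add(low[:-1])
    return forms | {f[::-1] for f in forms}


def _is_sequence(s):
    """Every step between neighbouring characters is +1 or -1 (zyxwvuts, 12345)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def _is_pattern(s):
    """The word/number patterns the policy names: aaabbb, qwerty, zyxwvuts, 123321."""
    if len(s) < 4:
        return False
    if re.fullmatch(r"(?:(.)\1+)+", s):   # made only of runs of repeated characters
        return True
    if s == s[::-1]:                        # mirrored, e.g. 123321
        return True
    if _is_sequence(s):
        return True
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def weaknesses(pw):
    """List every 'weak password' characteristic from the policy that pw exhibits."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("fewer than %d characters" % MIN_LENGTH)
    forms = _candidate_forms(pw)
    if forms & DICTIONARY_WORDS:
        reasons.append("dictionary word (possibly reversed or with a digit added)")
    if forms & COMMON_USAGE_WORDS:
        reasons.append("common-usage word (name, site, product, etc.)")
    if any(_is_pattern(f) for f in forms):
        reasons.append("word or number pattern (aaabbb, qwerty, 123321, ...)")
    if pw.isdigit():
        reasons.append("all digits, e.g. a birthday or phone number")
    return reasons


def evaluate(pw):
    """Return (accepted, reasons): accepted only with no weakness and enough classes."""
    reasons = weaknesses(pw)
    if len(character_classes(pw)) < MIN_CLASSES:
        reasons.append("fewer than %d of the five character classes" % MIN_CLASSES)
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("TmB1w2R!", "secret1", "123321",
                      "The*?#> *@TrafficOnThe101Was*!#ThisMorning"):
        ok, why = evaluate(candidate)
        print("%-45r %s %s" % (candidate, "OK  " if ok else "WEAK", "; ".join(why)))
```

Note that the policy's own eight-character examples fail the fifteen-character rule, while its passphrase example from section E passes.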

    B. Password Protection Standards

    Always use different passwords for Government accounts from other non-Government access (e.g., personal ISP account, option trading, benefits, etc.).

    Always use different passwords for various Government access needs whenever possible. For example, select one password for systems that use directory services (i.e. LDAP, Active Directory, etc.) for authentication and another for locally authenticated access.

    Do not share Government passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential Government information.

    Passwords should never be written down or stored on-line without encryption.

    Do not reveal a password in email, chat, or other electronic communication.

    Do not speak about a password in front of others.

    Do not hint at the format of a password (e.g., "my family name").

    Do not reveal a password on questionnaires or security forms.

    If someone demands a password, refer them to this document and direct them to the ICT Department.

    Always decline the use of the "Remember Password" feature of applications (e.g., Internet Explorer, Mozilla Firefox, Google Chrome, MS Outlook).

    If an account or password compromise is suspected, report the incident to the ICT Department.

    C. Application Development Standards

    Application developers must ensure their programs contain the following security precautions. Applications:

    Shall support authentication of individual users, not groups.

    Shall not store passwords in clear text or in any easily reversible form.

    Shall provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

    Shall support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.

    D. Use of Passwords and Passphrases for Remote Access Users

    Access to the Government network via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

    E. Passphrases

    Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.

    Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks."

    A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:

    "The*?#> *@TrafficOnThe101Was*!#ThisMorning"

    All of the rules above that apply to passwords apply to passphrases.

    5.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Password cracking or guessing may be performed on a periodic or random basis by the ICT Department or its delegates. If a password is guessed or cracked during these exercises, the user/owner will be required to change it.

    6.0 Terms and Definitions

    Application Administration Account : Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).

    7.0 Revision History

    Original Issue Date: 9/9/2013


    Workstation Security Policy

    1.0 Purpose

    The purpose of this policy is to provide guidance for workstation security for Government workstations in order to ensure the security of information on the workstation and information the workstation may have access to.

    2.0 Scope

    This policy applies to all Government employees, contractors, workforce members, vendors and agents with a Government-owned or personal workstation connected to the Government network.

    3.0 Policy

    Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information, and that access to sensitive information is restricted to authorized users.

    3.1 Employees using workstations shall consider the sensitivity of the information that may be accessed and minimize the possibility of unauthorized access.

    3.2 Government will implement physical and technical safeguards for all workstations that access electronic protected information to restrict access to authorized users.

    3.3 Appropriate measures include:

    Restricting physical access to workstations to only authorized personnel.

    Securing workstations (screen lock or logout) prior to leaving the area to prevent unauthorized access.

    Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected.

    Complying with all applicable password policies and procedures.

    Ensuring workstations are used for authorized business purposes only.

    Never installing unauthorized software on workstations.

    Storing all sensitive information, including protected information, on network servers.

    Keeping food and drink away from workstations in order to avoid accidental spills.

    Securing laptops that contain sensitive information by using cable locks or locking laptops up in drawers or cabinets.

    Complying with the Portable Workstation Encryption policy.

    Complying with the Anti-Virus policy.

    Ensuring that monitors are positioned away from public view. If necessary, install privacy screen filters or other physical barriers to public viewing.

    Ensuring workstations are left on but logged off in order to facilitate after-hours updates. Exit running applications and close open documents.

    Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).

    If wireless network access is used, ensuring access is secure by following the Wireless Access policy.

    4.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.


    5.0 Definitions

    Workstations include: laptops, desktops, PDAs and authorized home workstations accessing the Government network.

    Workforce members include: employees, volunteers, trainees, and other persons under the direct control of Government.

    6.0 Revision History

    Original Issue Date: 9/9/2013


    Removable Media Policy

    1.0 Overview

    Removable media is a well-known source of malware infections and has been directly tied to the loss of sensitive information in many organizations.

    2.0 Purpose

    To minimize the risk of loss or exposure of sensitive information maintained by Government and to reduce the risk of acquiring malware infections on computers operated by Government.

    3.0 Scope

    This policy covers all computers and servers operating in GOTG.

    4.0 Policy

    Government staff may only use Government removable media in their work computers. Government removable media may not be connected to or used in computers that are not owned or leased by the Government without explicit permission of the Government ICT Department.

    Sensitive information should be stored on removable media only when required in the performance of your assigned duties or when providing information required by other state or federal agencies. When sensitive information is stored on removable media, it must be encrypted in accordance with the Government Acceptable Encryption Policy.

    Exceptions to this policy may be requested on a case-by-case basis through the Government exception procedures.

    5.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.


    6.0 Definitions

    Removable Media : Device or media that is readable and/or writeable by the end user and is able to be moved from computer to computer without modification to the computer. This includes flash memory devices such as thumb drives, cameras, MP3 players and PDAs; removable hard drives (including hard drive-based MP3 players); optical disks such as CD and DVD disks; floppy disks and any commercial music and software disks not provided by Government.

    Encryption : A procedure used to convert data from its original form to a format that is unreadable and/or unusable to anyone without the tools/information needed to reverse the encryption process.

    Sensitive Information : Information which, if made available to unauthorized persons, may adversely affect Government, its programs, or participants served by its programs. Examples include, but are not limited to, personal identifiers and financial information.

    Malware : Software of malicious intent/impact such as viruses, worms, and spyware.

    7.0 Revision History

    Original Issue Date: 9/9/2013


    Server Security Policy

    1.0 Purpose

    The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by GOTG. Effective implementation of this policy will minimize unauthorized access to Government proprietary information and technology.

    2.0 Scope

    This policy applies to server equipment owned and/or operated by Government, and to servers registered under any Government-owned internal network domain.

    This policy is specifically for equipment on the internal Government Network (GovNet).

    3.0 Policy

    3.1 Ownership and Responsibilities

    All internal servers deployed at Government must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by ICT Department. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by ICT Department.

    Servers must be registered within the organization enterprise management system. At a minimum, the following information is required to positively identify the point of contact:

    o Server contact(s) and location, and a backup contact

    o Hardware and Operating System/Version

    o Main functions and applications, if applicable

    Information in the organization enterprise management system must be kept up-to-date.

    Configuration changes for production servers must follow the appropriate change management procedures.

    3.2 General Configuration Guidelines

    Operating System configuration should be in accordance with approved ICT Department guidelines.

    Services and applications that will not be used must be disabled where practical.

    Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.

    The most recent security patches must be installed on the system as soon as practically possible, with the only exception being where applying the patch would interfere with business requirements.

    Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do.

    Always use standard security principles of least required access to perform a function. Do not use the root/administrator account when a non-privileged account will do.

    If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).

    Servers should be physically located in an access-controlled environment.

    Servers are specifically prohibited from operating from uncontrolled cubicle areas.


    3.3 Monitoring

    All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

    o All security related logs will be kept online for a minimum of 1 week.

    o Daily incremental tape backups will be retained for at least 1 month.

    o Weekly full tape backups of logs will be retained for at least 1 month.

    o Monthly full backups will be retained for a minimum of 2 years.

    Security-related events will be reported to the ICT Department, who will review logs and report incidents to ICT management. Corrective measures will be prescribed as needed.

    Security-related events include, but are not limited to:

    o Port-scan attacks

    o Evidence of unauthorized access to privileged accounts

    o Anomalous occurrences that are not related to specific applications on the host.

    3.4 Compliance

    Audits will be performed on a regular basis by authorized organizations within Government.

    Audits will be managed by the internal audit group or ICT Department in accordance with the Audit Policy. ICT Department will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification.

    Every effort will be made to prevent audits from causing operational failures or disruptions.


    4.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

    5.0 Definitions

    Server : For purposes of this policy, a Server is defined as an internal Government Server.

    6.0 Revision History

    Original Issue Date: 9/9/2013


    Anti-Virus Policy

    Recommended processes to prevent virus problems:

    Always run the Corporate standard, supported anti-virus software that is available from the corporate download site. Download and run the current version; download and install anti-virus software updates as they become available.

    NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your Trash.

    Delete spam, chain, and other junk email without forwarding, in accordance with Government's Acceptable Use Policy.

    Never download files from unknown or suspicious sources.

    Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.

    Always scan a flash disk from an unknown source for viruses before using it.

    Back up critical data and system configurations on a regular basis and store the data in a safe place.

    If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., email or file sharing.

    New viruses are discovered almost every day. Periodically check the Lab Anti-Virus Policy and this Recommended Processes list for updates.


    1.0 Revision History

    Original Issue Date: 9/9/2013


    Internet usage Policy

    The Internet usage Policy applies to all Internet users (individuals working for the Government, including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners, and vendors) who access the Internet through the computing or networking resources. The Government's Internet users are expected to be familiar with and to comply with this policy, and are also required to use their common sense and exercise their good judgment while using Internet services.

    1.0 Consequences of Violations

    Violations of the Internet usage Policy will be documented and can lead to revocation of system privileges and/or disciplinary action up to and including termination.

    Additionally, the Government may at its discretion seek legal remedies for damages incurred as a result of any violation. The Government may also be required by law to report certain illegal activities to the proper enforcement agencies.

    Before access to the Internet via the government network is approved, the potential Internet user is required to read this Internet usage Policy and sign an acknowledgment form (located on the last page of this document). The signed acknowledgment form should be turned in and will be kept on file at the facility granting the access. For questions on the Internet usage Policy, contact the ICT Department.

    2. USAGE THREATS

    Internet connectivity presents the government with new risks that must be addressed to safeguard the facility's vital information assets. These risks include:


    2.1 Inappropriate Use of Resources

    Access to the Internet by personnel that is inconsistent with business needs results in the misuse of resources. These activities may adversely affect productivity due to time spent using or "surfing" the Internet. Additionally, the company may face loss of reputation and possible legal action through other types of misuse.

    2.2 Misleading or False Information

    All information found on the Internet should be considered suspect until confirmed by another reliable source. There is no quality control process on the Internet, and a considerable amount of its information is outdated or inaccurate.

    3. INTERNET SERVICES

    Access to the Internet will be provided to users to support business activities and only on an as-needed basis to perform their jobs and professional roles.

    3.1 User Services

    3.1.1 Internet Services Allowed

    Internet access is to be used for business purposes only. Capabilities for the following standard Internet services will be provided to users as needed:

    E-mail - Send/receive E-mail messages to/from the Internet (with or without document attachments).

    Browsing - WWW services as necessary for business purposes, using a hypertext transfer protocol (HTTP) or hypertext transfer protocol secure (HTTPS) browser tool. Full access to the Internet; limited access from the Internet to dedicated company public web servers only.

    File Transfer Protocol (FTP) - Send data/files and receive in-bound data/files, as necessary for business purposes.

    Telnet - Standard Internet protocol for terminal emulation. User Strong Authentication required for Internet initiated contacts into the company.

    Management reserves the right to add or delete services as business needs change or conditions warrant. All other services will be considered unauthorized access to/from the Internet and will not be allowed.

    3.2 Request & Approval Procedures

    Internet access will be provided to users to support business activities and only as needed to perform their jobs.

    3.2.1 Request for Internet Access

    As part of the Internet access request process, the employee is required to read both this Internet usage Policy and the Acceptable Use Policy. The user must then sign the statements (located on the last page of each document) that he/she understands and agrees to comply with the policies. Users not complying with these policies could be subject to disciplinary action up to and including termination.

    Policy awareness and acknowledgment, by signing the acknowledgment form, is required before access will be granted.


    3.2.2 Approval

    Internet access is requested by the user or the user's manager submitting an IT Access Request form to the ICT department along with an attached copy of a signed Internet Usage Acknowledgment Form.

    3.2.3 Removal of privileges

    Internet access will be discontinued upon termination of employee, completion of contract, end of service of non-employee, or disciplinary action arising from violation of this policy. In the case of a change in job function and/or transfer the original access code will be discontinued, and only reissued if necessary and a new request for access is approved.

    All user IDs that have been inactive for thirty (30) days will be revoked. The privileges granted to users must be re-evaluated by management annually. In response to feedback from management, systems administrators must promptly revoke all privileges no longer needed by users.

    4. USAGE POLICIES

    4.1 Resource Usage

    Access to the Internet will be approved and provided only if reasonable business needs are identified. Internet services will be granted based on an employee's current job responsibilities. If an employee moves to another business unit or changes job functions, a new Internet access request must be submitted within 5 days.

    User Internet access requirements will be reviewed periodically by ICT departments to ensure that continuing needs exist.


    4.2 Allowed Usage

    Internet usage is granted for the sole purpose of supporting business activities necessary to carry out job functions. All users must follow the corporate principles regarding resource usage and exercise good judgment in using the Internet. Questions can be addressed to the ICT Department.

    Acceptable use of the Internet for performing job functions might include:

    Communication between employees and non-employees for business purposes;

    IT technical support downloading software upgrades and patches;

    Review of possible vendor web sites for product information;

    Reference to regulatory or technical information;

    Research.

    4.3 Personal Usage

    Using Government computer resources to access the Internet for personal purposes, without approval from the user's manager and the IT department, may be considered cause for disciplinary action up to and including termination.

    All users of the Internet should be aware that the organization network creates an audit log reflecting requests for service, both in-bound and out-bound addresses, and is periodically reviewed.

    Users who choose to store or transmit personal information such as private keys, credit card numbers or certificates or make use of Internet "wallets" do so at their own risk. The Government is not responsible for any loss of information, such as information stored in the wallet, or any consequential loss of personal property.

    4.4 Prohibited Usage



    Acquisition, storage, and dissemination of data which is illegal, pornographic, or which negatively depicts race, sex or creed is specifically prohibited.

    The Government also prohibits the conduct of a business enterprise, political activity, engaging in any form of intelligence collection from our facilities, engaging in fraudulent activities, or knowingly disseminating false or otherwise libelous materials.

    Other activities that are strictly prohibited include, but are not limited to:

    Accessing government information that is not within the scope of one's work. This includes unauthorized reading of government account information, unauthorized access of personnel file information, and accessing information that is not needed for the proper execution of job functions.

    Misusing, disclosing without proper authorization, or altering government or personnel information. This includes making unauthorized changes to a personnel file or sharing electronic customer or personnel data with unauthorized personnel.

    Deliberate pointing or hyper-linking of Government Web sites to other Internet/WWW sites whose content may be inconsistent with or in violation of the aims or policies of the Government.

    Any conduct that would constitute or encourage a criminal offense, lead to civil liability, or otherwise violate any regulations, local, state, national or international law.

    Use, transmission, duplication, or voluntary receipt of material that infringes on the copyrights, trademarks, trade secrets, or patent rights of any person or organization. Assume that all materials on the Internet are copyright and/or patented unless specific notices state otherwise.


    Transmission of any proprietary, confidential, or otherwise sensitive information without the proper controls.

    Creation, posting, transmission, or voluntary receipt of any unlawful, offensive, libelous, threatening, harassing material, including but not limited to comments based on race, national origin, sex, sexual orientation, age, disability, religion, or political beliefs.

    Any form of gambling.

    Unless specifically authorized under the provisions of section 4.3, the following activities are also strictly prohibited:

    Unauthorized downloading of any shareware programs or files for use without authorization in advance from the ICT Department and the user's manager.

    Any ordering (shopping) of items or services on the Internet.

    Playing of any games.

    Forwarding of chain letters.

    Participation in any on-line contest or promotion.

    Acceptance of promotional gifts.

    Bandwidth both within the government and in connecting to the Internet is a shared, finite resource. Users must make reasonable efforts to use this resource in ways that do not negatively affect other employees. Specific departments may set guidelines on bandwidth use and resource allocation, and may ban the downloading of particular file types.

    If you have any questions about Acceptable Use, contact the ICT Department.

    4.5 Software License

    The Government strongly supports strict adherence to software vendors' license agreements. When at work, or when government computing or networking resources are employed, copying of software in a manner not consistent with the vendor's license is strictly forbidden. Questions regarding lawful versus unlawful copying should be referred to the ICT Department for review or to request a ruling from the Legal Department before any copying is done.

    Similarly, reproduction of materials available over the Internet must be done only with the written permission of the author or owner of the document. Unless permission from the copyright owner(s) is first obtained, making copies of material from magazines, journals, newsletters, other publications and online documents is forbidden unless this is both reasonable and customary. This notion of "fair use" is in keeping with international copyright laws.


    4.6 Review of Public Information

    All publicly-writeable directories on Internet-connected computers will be reviewed and cleared each evening. This process is necessary to prevent the anonymous exchange of information inconsistent with government business. Examples of unauthorized public information include pirated information, passwords, credit card numbers, and pornography.

    4.7 Expectation of Privacy

    4.7.1 Monitoring

    Users should consider their Internet activities as periodically monitored and limit their activities

    accordingly.

    Management reserves the right to examine e -mail, personal file directories, web access, and other

    information stored on company computers, at any time and without notice. This examination

    ensures compliance with internal policies and assists with the management of company

    information systems.4.7.1.1 Web Site Moni torin g

    The ICT Department shall monitor Internet use from all computers and devices connected to the corporate network. For all traffic the monitoring system must record the source IP Address, the date, the time, the protocol, and the destination site or server. Where possible, the system should record the User ID of the person or account initiating the traffic. Internet Use records must be preserved for 180 days.
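    As an added illustration that is not part of the policy document, the following Python script checks Internet-use monitoring records for the fields required in 4.7.1.1 and flags records that are past the 180-day retention window; the key=value log format, the field names and the sample records are assumptions.

```python
from datetime import date, datetime, timedelta
import ipaddress

# Fields 4.7.1.1 requires on every record; the user id is "where possible".
REQUIRED_FIELDS = ("timestamp", "src_ip", "protocol", "destination")
RETENTION_DAYS = 180

# Constructed sample records in an assumed key=value format (not real traffic).
SAMPLE_LOG = """\
timestamp=2013-09-09T08:15:02 src_ip=10.1.2.3 protocol=https destination=example.org user=jdoe
timestamp=2013-03-01T12:00:00 src_ip=10.1.2.4 protocol=http destination=example.net user=bsmith
timestamp=2013-09-10T09:00:00 src_ip=not-an-ip protocol=dns destination=example.com user=asmith
timestamp=2013-09-10T09:30:00 src_ip=10.1.2.5 protocol=http destination=example.com
timestamp=2013-09-10T10:00:00 src_ip=10.1.2.6 destination=example.com user=cjones
"""


def parse_record(line: str) -> dict:
    """Split one 'key=value key=value' log line into a dict."""
    return dict(token.split("=", 1) for token in line.split() if "=" in token)


def record_errors(rec: dict) -> list:
    """Violations that make a record unusable as monitoring evidence."""
    errors = ["missing " + field for field in REQUIRED_FIELDS if field not in rec]
    if "src_ip" in rec:
        try:
            ipaddress.ip_address(rec["src_ip"])
        except ValueError:
            errors.append("src_ip is not an IP address")
    if "timestamp" in rec:
        try:
            datetime.fromisoformat(rec["timestamp"])
        except ValueError:
            errors.append("timestamp is not ISO 8601")
    return errors


def audit_log(text: str, today: str) -> dict:
    """Classify each line: field errors, missing user id, or past retention.

    `today` is an ISO date such as "2013-09-10".
    """
    cutoff = date.fromisoformat(today) - timedelta(days=RETENTION_DAYS)
    result = {"errors": {}, "no_user": [], "past_retention": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        rec = parse_record(line)
        errors = record_errors(rec)
        if errors:
            result["errors"][lineno] = errors
            continue
        if "user" not in rec:  # report but keep: the policy says "where possible"
            result["no_user"].append(lineno)
        # Records older than the window have satisfied the 180-day preservation duty.
        if datetime.fromisoformat(rec["timestamp"]).date() < cutoff:
            result["past_retention"].append(lineno)
    return result


if __name__ == "__main__":
    for key, value in audit_log(SAMPLE_LOG, "2013-09-10").items():
        print(key, value)
```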

    4.7.1.2 Access to Web Site Monitoring Reports

    General trending and activity reports will be made available to any employee as needed upon request to the ICT Department. The ICT Department may access all reports and data if necessary to respond to a security incident. Internet Use reports that identify specific users, sites, teams, or devices will only be made available to associates outside the ICT Department upon written or email request to the ICT Department from a Human Resources Representative.

    4.7.1.3 Internet Use Filtering System

    The ICT Department shall block access to Internet websites and protocols that are deemed inappropriate for the Government network. The following protocols and categories of websites should be blocked:

    Adult/Sexually Explicit Material

    Advertisements & Pop-Ups

    Chat and Instant Messaging

    Gambling

    Hacking

    Illegal Drugs

    Intimate Apparel and Swimwear

    Peer to Peer File Sharing

    Personals and Dating

    Social Network Services

    SPAM, Phishing and Fraud

    Spyware

    Tasteless and Offensive Content

    Violence, Intolerance and Hate

    4.7.1.4 Internet Use Filtering Rule Changes

    The ICT Department shall periodically review and recommend changes to web and protocol filtering rules. Human Resources shall review these recommendations and decide if any changes are to be made. Changes to web and protocol filtering rules will be recorded in the Internet Use Policy.

    4.7.1.5 Internet Use Filtering Exceptions

    If a site is mis-categorized, employees may request that the site be un-blocked by submitting a ticket to the ICT help desk. ICT staff will review the request and un-block the site if it is mis-categorized.

    Employees may access blocked sites with permission if appropriate and necessary for business

    purposes. If an employee needs access to a site that is blocked and appropriately categorized,

    they must submit a request to their Human Resources (HR) representative. HR will present all

    approved exception requests to Information Technology in writing or by email. ICT Department

    will unblock that site or category for that associate only. Information Technology will track

    approved exceptions and report on them upon request.

    4.7.2 E-mail Confidentiality

    Users should be aware that clear text e-mail is not a confidential means of communication. The company cannot guarantee that electronic communications will be private. Employees should be aware that electronic communications can, depending on the technology, be forwarded, intercepted, printed, and stored by others. Users should also be aware that once an e-mail is transmitted it may be altered. Deleting an e-mail from an individual workstation will not eliminate it from the various systems across which it has been transmitted.

    4.8 Maintaining Corporate Image

    4.8.1 Representation

    When using government resources to access and use the Internet, users must realize they represent the Government. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the Government". Questions may be addressed to the IT Department.

    4.8.2 Company Materials

    Users must not place government material (examples: internal memos, press releases, product or usage information, documentation, etc.) on any mailing list, public news group, or such service. Any posting of materials must be approved by the employee's manager and the public relations department and will be placed by an authorized individual.

    4.8.3 Creating Web Sites

    All individuals and/or government units wishing to establish a WWW home page or site must first develop business, implementation, and maintenance plans. Formal authorization must be obtained through the ICT Department. This will maintain publishing and content standards needed to ensure consistency and appropriateness.

    In addition, contents of the material made available to the public through the Internet must be formally reviewed and approved before being published. All material should be submitted to the ICT Director for initial approval to continue. All company pages are owned by, and are the ultimate responsibility of, the ICT Director.

    All company web sites must be protected from unwanted intrusion through formal security measures which can be obtained from the ICT department.

    4.9 Periodic Reviews

    4.9.1 Usage Compliance Reviews

    To ensure compliance with this policy, periodic reviews will be conducted. These reviews will include testing the degree of compliance with usage policies.

    4.9.2 Policy Maintenance Reviews

    Periodic reviews will be conducted to ensure the appropriateness and the effectiveness of usage policies. These reviews may result in the modification, addition, or deletion of usage policies to better suit company information needs.

    5. REFERENCES

    5.1 Points of Contact

    If you need assistance regarding the following topics related to Internet usage, contact the ICT Department for additional assistance.

    6. INTERNET USAGE COVERAGE ACKNOWLEDGMENT FORM

    After reading this policy, please sign the coverage form and submit it to your facility's ICT department or the granting facility's ICT department for filing.

    By signing below, the individual requesting Internet access through government computing resources hereby acknowledges receipt of and compliance with the Internet Usage Policy. Furthermore, the undersigned also acknowledges that he/she has read and understands this policy before signing this form.

    Internet access will not be granted until this acknowledgment form is signed by the individual's manager. After completion, the form is filed in the individual's human resources file (for permanent employees), or in a folder specifically dedicated to Internet access (for contract workers, etc.), and maintained by the ICT department. These acknowledgment forms are subject to internal audit.

    ACKNOWLEDGMENT

    I have read the Internet Usage Policy. I understand the contents, and I agree to comply with the said Policy.

    Location (location and address)

    Business Purpose

    Name

    Signature ______________________________ Date __________________

    Manager/Supervisor Signature ______________________________ Date __________________

    Wireless Communication Policy

    1.0 Overview

    The purpose of this policy is to secure and protect the information assets owned by GOTG.

    Government provides computer devices, networks, and other electronic information systems to

    meet missions, goals, and initiatives. Government grants access to these resources as a privilege

    and must manage them responsibly to maintain the confidentiality, integrity, and availability of

    all information assets.

    This policy specifies the technical requirements that wireless infrastructure devices must satisfy

    to connect to government network. Only those wireless infrastructure devices that meet the

    requirements specified in this standard or are granted an exception by the ICT Department are

    approved for connectivity to government network.

    2.0 Scope

    All employees, contractors, consultants, temporary and other workers at Government, including

    all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf

    of GOTG must adhere to this policy. This policy applies to all wireless infrastructure devices that

    connect to government network or reside on a government site that provide wireless connectivity

    to endpoint devices including, but not limited to, laptops, desktops, cellular phones, tablets and

    personal digital assistants (PDAs). This includes any form of wireless communication device

    capable of transmitting packet data.

    The Government ICT department must approve exceptions to this policy in advance.


    3.0 Statement of Requirements

    3.1 General Requirements

    All wireless infrastructure devices that connect to government network or provide access to Government Confidential, Highly Confidential, or Restricted information must:

    3.1.1 Use Extensible Authentication Protocol-Fast Authentication via Secure Tunneling (EAP-FAST), Protected Extensible Authentication Protocol (PEAP), or Extensible Authentication Protocol-Translation Layer Security (EAP-TLS) as the authentication protocol.

    3.1.2 Use Temporal Key Integrity Protocol (TKIP) or Advanced Encryption System (AES) protocols with a minimum key length of 128 bits.

    3.2 Lab and Isolated Wireless Device Requirements

    3.2.1 Lab device Service Set Identifier (SSID) must be different from government production device SSID.

    3.2.2 Broadcast of lab device SSID must be disabled.

    3.3 Home Wireless Device Requirements

    All home wireless infrastructure devices that provide direct access to government network, such as those behind remote access or hardware VPN, must adhere to the following:

    3.3.1 Enable WiFi Protected Access Pre-shared Key (WPA-PSK), EAP-FAST, PEAP, or EAP-TLS

    3.3.2 When enabling WPA-PSK, configure a complex shared secret key (at least 20 characters) on the wireless client and the wireless access point

    3.3.3 Disable broadcast of SSID

    3.3.4 Change the default SSID name

    3.3.5 Change the default login and password
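    The following Python checker is an added example, not part of the policy, that tests a wireless device's settings against sections 3.1 to 3.3 above for the infrastructure, lab and home device roles; the settings keys, the production SSID, the vendor default SSIDs and login, and the sample devices are all assumptions.

```python
# Policy constants (section numbers refer to the wireless policy above).
APPROVED_EAP = {"EAP-FAST", "PEAP", "EAP-TLS"}          # 3.1.1 / 3.3.1
APPROVED_CIPHERS = {"TKIP", "AES"}                        # 3.1.2
MIN_KEY_BITS = 128                                        # 3.1.2
MIN_PSK_LEN = 20                                          # 3.3.2
PRODUCTION_SSID = "GOV-PROD"                              # assumed production SSID
DEFAULT_SSIDS = {"linksys", "default", "netgear"}         # assumed vendor defaults
DEFAULT_LOGIN = ("admin", "admin")                        # assumed vendor default


def check_device(cfg: dict) -> list:
    """Return policy findings for one device's settings; empty means compliant.

    cfg keys (all assumed): role (infrastructure|lab|home), auth, psk, cipher,
    key_bits, ssid, broadcast_ssid, admin_user, admin_password.
    """
    findings = []
    role = cfg.get("role", "infrastructure")
    auth = cfg.get("auth")
    # WPA-PSK is listed as acceptable only for home devices (3.3.1).
    allowed_auth = APPROVED_EAP | ({"WPA-PSK"} if role == "home" else set())
    if auth not in allowed_auth:
        findings.append(f"auth {auth!r} not approved for role {role!r} (3.1.1/3.3.1)")
    if auth == "WPA-PSK" and len(cfg.get("psk", "")) < MIN_PSK_LEN:
        findings.append("WPA-PSK shared secret shorter than 20 characters (3.3.2)")
    cipher = cfg.get("cipher")
    if cipher not in APPROVED_CIPHERS:
        findings.append(f"cipher {cipher!r} is not TKIP or AES (3.1.2)")
    elif cfg.get("key_bits", 0) < MIN_KEY_BITS:
        findings.append("encryption key shorter than 128 bits (3.1.2)")
    ssid = cfg.get("ssid", "")
    if role == "lab" and ssid == PRODUCTION_SSID:
        findings.append("lab SSID must differ from the production SSID (3.2.1)")
    if role in ("lab", "home") and cfg.get("broadcast_ssid", True):
        findings.append("SSID broadcast must be disabled (3.2.2/3.3.3)")
    if role == "home":
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append("default SSID name still in use (3.3.4)")
        if (cfg.get("admin_user"), cfg.get("admin_password")) == DEFAULT_LOGIN:
            findings.append("default login and password still in use (3.3.5)")
    return findings


# Constructed sample device settings (not real devices).
INFRA_OK = {"role": "infrastructure", "auth": "PEAP", "cipher": "AES",
            "key_bits": 256, "ssid": PRODUCTION_SSID, "broadcast_ssid": True}
LAB_BAD = {"role": "lab", "auth": "EAP-TLS", "cipher": "AES", "key_bits": 128,
           "ssid": PRODUCTION_SSID, "broadcast_ssid": True}
HOME_BAD = {"role": "home", "auth": "WPA-PSK", "psk": "letmein", "cipher": "WEP",
            "key_bits": 40, "ssid": "linksys", "broadcast_ssid": True,
            "admin_user": "admin", "admin_password": "admin"}

if __name__ == "__main__":
    for name, cfg in (("infra", INFRA_OK), ("lab", LAB_BAD), ("home", HOME_BAD)):
        print(name, check_device(cfg) or ["compliant"])
```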

    4 Enforcement

    Any employee found to have violated the policy may be subject to disciplinary action, up to and

    including termination of employment. Any violation of the policy by a temporary worker,

    contractor or vendor may result in the termination of their contract or assignment with

    Government.

    Definitions

    Term: Definition

    AES: Advanced Encryption System

    Government network: A wired or wireless network including indoor, outdoor, and alpha networks that provide connectivity to corporate services.

    Corporate connectivity: A connection that provides access to government network.

    EAP-FAST: Extensible Authentication Protocol-Fast Authentication via Secure Tunneling: authentication protocol for wireless networks.

    EAP-TLS: Extensible Authentication Protocol-Translation Layer Security, used to create a secured connection for 802.1X by pre-installing a digital certificate on the client computer.

    Remote Access Telecommuter: An end-to-end hardware VPN solution for teleworker access to the government network.

    Information assets: Information that is collected or produced and the underlying hardware, software, services, systems, and technology that is necessary for obtaining, storing, using, and securing that information which is recognized as important and valuable to an organization.

    PEAP: Protected Extensible Authentication Protocol, a protocol used for transmitting authentication data, including passwords, over 802.11 wireless networks.

    Service Set Identifier (SSID): A set of characters that give a unique name to a wireless local area network.

    TKIP: Temporal Key Integrity Protocol, an encryption key that's part of WPA.

    WPA-PSK: WiFi Protected Access pre-shared key

    Revision History

    Date of Change | Responsible | Summary of Change

    Router Security Policy

    1.0 Purpose

    This document describes a required minimal security configuration for all routers and switches

    connecting to a production network or used in a production capacity at or on behalf of GOTG.

    2.0 Scope

    All routers and switches connected to Government production networks are affected. Routers

    and switches within internal, secured labs are not affected.

    3.0 Policy

    Every router must meet the following configuration standards:

    1. No local user accounts are configured on the router. Routers must use TACACS+ for all user authentications.

    2. The enable password on the router must be kept in a secure encrypted form. Reversible encryption algorithms, such as the Cisco type 7 Vigenère cipher, are unacceptable. The router must have the enable password set to the current production router password from the router's support organization.

    3. The following services or features must be disabled:

    a. IP directed broadcasts

    b. TCP small services

    c. UDP small services

    d. All source routing

    e. All web services running on router

    f. Auto-configuration

    4. The following services should be disabled unless a business need is provided:

    a. Cisco discovery protocol and other discovery protocols

    b. Dynamic trunking

    c. Scripting environments, such as the TCL shell

    5. The following services must be configured:

    a. Password-encryption

    b. NTP configured to a corporate standard source

    6. Use corporate standardized SNMP community strings. Default strings, such as public or private, must be removed. SNMP must be configured to use the most secure version of the protocol allowed for by the combination of the device and management systems.

    7. Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.

    8. Access control lists for transiting the device are to be added as business needs arise.

    9. The router must be included in the corporate enterprise management system with a designated point of contact.

    10. Each router must have the following statement presented for all forms of login, whether remote or local:

    "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring."

    11. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol.

    12. Dynamic routing protocols must use authentication in routing updates sent to neighbors. Password hashing for the authentication string must be enabled when supported.

    13. A corporate standard will be created and reviewed at least annually to define items required but not defined in this policy, such as NTP servers.

    14. The corporate router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices including:

    a. IP access list accounting

    b. Device logging

    c. Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses, or those that could be used to spoof network traffic shall be dropped.

    d. Router console and modem access must be restricted by additional security controls.
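    As an added example that is not part of the policy, the Python script below runs a line-pattern audit of a Cisco IOS-style running configuration against the items of the standard above that a text scan can judge (items 1 to 7, 10 and 11); the sample configuration is constructed, with "EXAMPLE" values as placeholders, and the patterns are assumptions about how each setting appears in a config listing.

```python
import re

# Constructed sample of a running config; "EXAMPLE" values are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
enable password EXAMPLE-enable
username admin privilege 15 secret EXAMPLE-secret
aaa new-model
aaa authentication login default group tacacs+ local
ip http server
ntp server 10.0.0.5
snmp-server community public RO
banner login ^C UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. ^C
line vty 0 4
 access-class 10 in
 transport input telnet ssh
"""

# Patterns whose presence violates the standard (item numbers from the policy).
FORBIDDEN = {
    r"^username\s": "local user account configured (item 1)",
    r"^enable password\s": "reversible enable password; use 'enable secret' (item 2)",
    r"^\s*ip directed-broadcast": "IP directed broadcast enabled (item 3a)",
    r"^service (tcp|udp)-small-servers": "TCP/UDP small services enabled (item 3b/3c)",
    r"^ip source-route": "source routing enabled (item 3d)",
    r"^ip http (secure-)?server": "web service running on the router (item 3e)",
    r"^service config": "auto-configuration enabled (item 3f)",
    r"^cdp run": "CDP enabled without a documented business need (item 4a)",
    r"^snmp-server community (public|private)\b": "default SNMP community string (item 6)",
    r"^\s*transport input .*telnet": "telnet management allowed (item 11)",
}
# Patterns that must be present somewhere in the config.
REQUIRED = {
    r"^aaa authentication login .*group tacacs\+": "TACACS+ login authentication (item 1)",
    r"^enable secret\s": "enable secret (item 2)",
    r"^service password-encryption": "password-encryption service (item 5a)",
    r"^ntp server\s": "NTP source (item 5b)",
    r"^snmp-server group .*\sv3 priv": "SNMPv3 with authentication and privacy (item 6)",
    r"^\s*access-class .* in\b": "ACL limiting traffic to the device itself (item 7)",
    r"^banner login": "login warning banner (item 10)",
    r"^ip ssh version 2": "SSH version 2 (item 11)",
}


def audit_config(text: str) -> list:
    """Return findings for one config; an empty list means no issue was detected."""
    lines = text.splitlines()
    findings = []
    for pattern, why in FORBIDDEN.items():
        for number, line in enumerate(lines, start=1):
            if re.search(pattern, line):
                findings.append(f"line {number}: {why}")
    for pattern, why in REQUIRED.items():
        if not any(re.search(pattern, line) for line in lines):
            findings.append(f"missing: {why}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

    A pattern scan cannot verify items such as routing-update authentication or the content of ACLs, so it complements rather than replaces a configuration review.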

    4.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and

    including termination of employment.

    5.0 Exceptions

    Exceptions to this policy must be documented and approved in writing by the ICT Director or

    their authorized representative. Documented exceptions must be available to auditors.


    6.0 Definitions

    Term: Definition

    Production Network: The "production network" is the network used in the daily business of Government. Any network connected to the corporate backbone, either directly or indirectly, which lacks an intervening firewall device. Any network whose impairment would result in direct loss of functionality to Government employees or impact their ability to do work.

    Lab Network: A "lab network" is defined as any network used for the purposes of testing, demonstrations, training, etc. Any network that is stand-alone or firewalled off from the production network(s) and whose impairment will not cause direct loss to Government nor affect the production network.

    Access Control List (ACL): Lists kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).

    7.0 Revision History

    Original Issue Date: 9/9/2013


    Acceptable Encryption Policy

    1.0 Purpose

    The purpose of this policy is to provide guidance that limits the use of encryption to those

    algorithms that have received substantial public review and have been proven to work

    effectively. Additionally, this policy provides direction to ensure that Government regulations

    are followed, and legal authority is granted for the dissemination and use of encryption

    technologies outside of the United States.

    2.0 Scope

    This policy applies to all Government employees and affiliates.

    3.0 Policy

    All Government encryption shall be done using approved cryptographic modules. Common and recommended ciphers include AES 256, Triple DES and RSA. Symmetric cryptosystem key lengths must be at least 128 bits. Asymmetric crypto-system keys must be of a length that yields equivalent strength. Government's key length requirements shall be reviewed annually as part of the yearly security review and upgraded as technology allows.

    The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by

    qualified experts outside of the vendor in question and approved by Government. Be aware that

    the export of encryption technologies is restricted by the U.S. Government. Residents of

    countries other than the United States should make themselves aware of the encryption

    technology laws of the country in which they reside.

    4.0 Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and

    including termination of employment.


    5.0 Definitions

    Term: Definition

    Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.

    Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.

    Asymmetric Cryptosystem: A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).

    6.0 Revision History

    Original Issue Date: 9/9/2013