POLICY STATEMENT
It is the responsibility of the Network Department to provide the necessary protection, confidentiality and security for all corporate data and proprietary software systems, held either centrally or on local storage media/systems. It is also responsible for ensuring the continuous availability of data and programs to all authorized members and for ensuring the integrity of all systems and related data.
Summary of Main Security Policies.
  • Confidentiality of all data is to be maintained through discretionary and mandatory access controls.
  • Internet and other external services access are restricted to authorized personnel only.
  • Access to data on all laptop computers is to be secured through encryption or other means, to provide confidentiality of data in the event of loss or theft of equipment.
  • Only authorized and licensed software may be installed, and installation may only be performed by network Department members.
  • The use of unauthorized software is prohibited. In the event that unauthorized software usage is identified, it will be immediately removed from the workstation without any prior notice.
  • Data may only be transferred for the purposes determined in the Organization’s data-protection policy.
  • All diskette drives and removable media from external sources must be checked for viruses before they are used within the Organization.
  • Passwords must consist of a mixture of at least 6 or 8 alphanumeric characters, and must be unique.
  • Workstation configurations may only be changed by Network Department members.
  • The physical security of computer equipment will conform to recognized loss prevention guidelines.
  • To prevent the loss of data and configuration settings, measures must be taken to backup the data, applications and the configurations of all workstations.
    VIRUS PROTECTION
  • The Network Department will keep the virus scanning software up to date at all times for the scanning and removal of suspected viruses.
  • Corporate file-servers will be protected with virus scanning software.
  • Workstations will be protected by virus scanning software.
  • All workstation and server anti-virus software will be regularly updated with the latest anti-virus patches.
  • No disk that is brought in from outside the Organization is to be used until it has been scanned for viruses.
  • All systems will be built from original, clean master copies whose write protection will always be in place. Only original master copies will be used until virus scanning has taken place.
  • All removable media containing executable software (software with .EXE and .COM extensions) will be write protected wherever possible.
  • All demonstrations by vendors will be run on their machines and not on the Organization’s machines.
  • Shareware is not to be used, as shareware is one of the most common infection sources. If it is absolutely necessary to use shareware it must be thoroughly scanned before use.
  • New commercial software will be scanned before it is installed as it occasionally contains viruses.
  • All removable media brought in to the Organization by field engineers or support personnel will be scanned by the network & IT Department members before it is used on the site.
  • To enable data to be recovered in the event of virus outbreak regular backups will be taken by the network Department.
  • Users will be kept informed of current procedures and policies.
  • Users will be notified of virus incidents.
  • Employees will be accountable for any breaches of the Organization’s anti-virus policies.
  • Anti-virus policies and procedures will be reviewed regularly.
  • In the event of a possible virus infection, the user must inform the Network Department immediately. The Network Department will remove the infected system from the network, then scan and quarantine the machine and any removable media or other workstations to which the virus may have spread. Only after the system has been thoroughly cleaned of the virus infection is it connected back to the network.
    PHYSICAL SECURITY OF COMPUTER EQUIPMENT
    Physical security of computer equipment will comply with the guidelines detailed below.
    DEFINITIONS
    AREA
    Two or more adjacently linked rooms which, for security purposes, cannot be adequately segregated in physical terms
    COMPUTER SUITE
    Fileservers plus all inter-connected wiring, fixed disks, telecommunication equipment, ancillary, peripheral and terminal equipment linked into the Servers, contained within a purpose built computer suite.
    COMPUTER EQUIPMENT
    All computer equipment not contained within the Computer Suite which will include PC's, monitors, printers, disk drives, modems and associated and peripheral equipment.
    HIGH RISK SITUATION(S)
    This refers to any room or AREA which is accessible:
  • At ground floor level
  • At first floor level, but accessible from adjoining roof
  • At any level via external fire escapes or other features providing access
  • Rooms in remote, concealed or hidden areas
    PERSONAL COMPUTERS (PC's)
    Individual computer units with their own internal processing and storage capabilities.
    REQUIRED PHYSICAL SECURITY
    Where an entry is shown as N/A (not applicable) this is due to a higher specification being required thereby removing the necessity for the lower security feature.
    Security Marking
    All computer hardware should be prominently security marked by branding or by applying the serial code based on the sequence policy. Advisory signs informing that all property has been security marked should be prominently displayed externally. The following are considered inferior methods of security marking: text comprised solely of initials or abbreviations, marking by paint or ultraviolet ink (indelible or otherwise), or adhesive labels that do not include an etching facility.
    Locking of PC cases
    PC's fitted with locking cases will be kept locked at all times.
    Siting of Computers
    Wherever possible, COMPUTER EQUIPMENT should be kept at least 1.5 meters away from external windows in HIGH RISK SITUATIONS.
    Blinds /obscure filming
    All external windows to rooms containing COMPUTER EQUIPMENT at ground floor level or otherwise visible to the public should be fitted with window blinds or obscure filming.
    Location of Intruder Alarms
    Detection devices should be located within the room or AREA and elsewhere in the premises to ensure that unauthorized access to the room or AREA is not possible without detection. This should include an assessment as to whether access is possible via external elevations, doors, windows and roof lights.
    Check Detectors
    Building managers should ensure, as part of their normal duties at locking up time that internal space detectors have not been individually obscured nor had their field of vision restricted.
    Improved Protection of Signal Transmission
    Unless telephone wires directly enter the protected premises underground, signaling to the Alarm Receiving Centre should be by monitored direct line.
    AREA Construction
    Partitions separating the room or AREA from adjoining rooms and corridors should be a minimum of 100mm solid, non lightweight block work or brickwork devoid of glazing or other openings except for protected doors as defined below. If glazing is essential for lighting or other purposes, it should be upgraded by being supplemented internally with 1.5mm mesh, security shutters or bars or supplemented with 7.5mm laminated glass.
    Improved AREA Construction
    Partitions separating the room or AREA from adjoining rooms and corridors should be a minimum of 150mm solid, non-lightweight block work or brickwork devoid of glazing or other openings except for protected doors as defined below. Where glazing is essential for lighting or other purposes this should be protected by security shutters or bars. Secure doors giving access to the room or AREA, from within the building, should be solid timber at least 45mm thick and unglazed. The locking should be by 2 mortise deadlocks with registered keys, a micro switch being available for an alarm shunt lock. Door fittings should comprise 3 hinges, supplemented by 2 hinge bolts for outward opening doors. Inward opening doors to the room or AREA should have a London bar (a metal strip strengthening the locking post of the door frame).
    External Windows to Have Locks
    All opening windows within the perimeter of the room or AREA should be fitted with key-operated window locks.
    HIGH RISK SITUATIONS
    Where the room or AREA is classified as being in a HIGH RISK SITUATION the following additional protection should be provided. Windows to external elevations should be fitted with security shutters or bars instead of locks. Any door in the external elevation should be provided with a security shutter where practical. Considerations should be given to replacement of fire exit doors which cannot be secured in this fashion, and any other doors designated as fire escapes by the Fire Prevention Officer, with proprietary security doors and frames fitted with a four point locking bolt and an alarm vibration sensor.
    COMPUTER SUITE
  • The computer suite should be housed in a purpose built room.
  • Partitions separating the room or AREA from adjoining rooms and corridors should be a minimum of 150mm solid non lightweight blockwork or brickwork devoid of glazing or other openings except for protected doors as defined below. Where glazing is essential for lighting or other purposes this should be protected by bars.
  • Secure doors giving access to the room or AREA, from within the building, should be solid timber at least 45mm thick and unglazed. The locking should be by 2 mortise deadlocks with registered keys, a micro switch being available for an alarm shunt lock. Door fittings should comprise 3 hinges, supplemented by 2 hinge bolts if outward opening doors. Inward opening doors to room or AREA should have a London bar (a metal strip strengthening the locking post of the door frame).
  • The computer suite should contain an adequate air conditioning system to provide a stable operating environment to reduce the risk of system crashes due to component failure.
  • No water pipes, rain water pipes or drainage pipes should run within or above the computer suite to reduce the risk of flooding.
  • The floor within the computer suite should be a raised false floor to allow computer cables to run beneath the floor and reduce the risk of damage to computer equipment in the case of flooding.
  • Power points should be raised from the floor to allow the smooth shutdown of computer systems in case of flooding.
  • Where possible, generator power should be provided to the computer suite to help protect the computer systems in the case of a major power failure.
  • Access to the computer suite is restricted to IT Department staff.
  • All contractors working within the computer suite are to be supervised at all times, and the IT Department is to be notified of their presence and provided with details of all work to be carried out at least 48 hours in advance of its commencement.
    ACCESS CONTROL
  • Users will only be given sufficient rights to all systems to enable them to perform their job activities. User rights will be kept to a minimum at all times.
  • Users requiring access to systems must make a written application on the forms provided by the IT Department.
  • Where possible no one person will have full rights to any system. The NETWORK Department will control network/server passwords and system passwords will be assigned by the system administrator in the end-user department. The system administrator will be responsible for maintaining the data integrity of the end-user department’s data and for determining end-user access rights.
  • Access to the network/servers and systems will be by individual username and password or by smartcard and PIN number/biometric.
  • Usernames and passwords must not be shared by users.
  • Usernames and passwords should not be written down.
  • Usernames will consist of initials and surname.
  • All users will have an alphanumeric password of at least 8 characters.
  • Passwords will expire every 40 days and must be unique.
  • Intruder detection will be implemented where possible. The user account will be locked after 3 incorrect attempts.
  • The Network Department will be notified of all employees who have left the organization or have been relieved of their duties. The Network Department will then remove those employees' access rights to all systems.
  • Network/server supervisor passwords and system supervisor passwords will be stored in a secure location in case of an emergency or disaster, for example a fire safe in the Network Department.
  • Auditing will be implemented on all systems to record login attempts/failures, successful logins and changes made to all systems.
  • Network Department staff will not login as root on to UNIX, Linux systems, but will use the SU command to obtain root privileges.
  • Use of the Admin username on Novell systems and the Administrator username on Windows is to be kept to a minimum.
  • Default passwords on systems such as Oracle and SQLServer will be changed after installation.
  • On UNIX and Linux systems, rights to rlogin, ftp, telnet, SSH will be restricted to Network Department staff only.
  • Where possible users will not be given access to the UNIX, or Linux shell prompt.
  • Access to the network/servers will be restricted to normal working hours. Users requiring access outside normal working hours must request such access in writing on the forms provided by the Network Department.
  • File systems will have the maximum security implemented that is possible. Where possible users will only be given Read and Filescan rights to directories, files will be flagged as read only to prevent accidental deletion.
    LAN Security
    Hubs & Switches
  • LAN equipment, hubs, bridges, repeaters, routers, switches will be kept in secure hub rooms. Hub rooms will be kept locked at all times. Access to hub rooms will be restricted to Network Department staff only, other staff and contractors who require access to hub rooms will notify the Network Department in advance so that the necessary supervision can be arranged.
    Workstations
  • Users must logout of their workstations when they leave their workstation for any length of time. Alternatively Windows workstations may be locked.
  • All unused workstations must be switched off outside working hours.
    Wiring
  • All network wiring will be fully documented.
  • All unused network points will be de-activated when not in use.
  • All network cables will be periodically scanned and readings recorded for future reference.
  • Users must not place or store any item on top of network cabling.
  • Redundant cabling schemes will be used where possible.
    Monitoring Software
  • The use of LAN analyzer and packet sniffing software is restricted to Network Department personnel.
  • LAN analyzers and packet sniffers will be securely locked up when not in use.
  • Intrusion detection systems will be implemented to detect unauthorized access to the network Servers.
  • All servers will be kept securely under lock and key.
  • Access to the system console and server disk/tape drives will be restricted to authorized Network Department staff only.
    Electrical Security
  • All servers will be connected to a UPS that also conditions the power supply.
  • All hubs, bridges, repeaters, routers, switches and other critical network equipment will also be connected to a UPS.
  • In the event of a major power failure, the UPS will have sufficient power to keep the network and servers running until the power generator takes over.
  • Software will be installed on all servers to implement an orderly shutdown in the event of a total power failure.
  • All UPS systems will be tested periodically.
    Inventory Management
  • The Network Department will keep a full inventory of all computer equipment and software in use in the entire organization.
  • Computer hardware and software audits will be carried out periodically via the use of a desktop inventory package. These audits will be used to track unauthorized copies of software and unauthorized changes to hardware and software configurations.
    Server Specific Security
    This section applies to Windows, UNIX and Linux.
    The operating system will be kept up to date and patched on a regular basis.
  • Servers will be checked daily for viruses.
  • Servers will be locked in a secure room.
  • Where appropriate the server console feature will be activated.
  • Remote management passwords will be different to the Admin/Administrator/root password.
  • Users possessing Admin/Administrator/root rights will be limited to trained members of the Network Department staff only.
  • Use of the Admin/Administrator/root accounts will be kept to a minimum.
  • Assigning security equivalences that give one user the same access rights as another user will be avoided where possible.
  • Users access to data and applications will be limited by the access control features.
  • Intruder detection and lockout will be enabled.
  • The system auditing facilities will be enabled.
  • Users must logout or lock their workstations when they leave their workstation for any length of time.
  • All unused workstations must be switched off outside working hours.
  • All accounts will be assigned a password of a minimum of 8 characters.
  • Users will change their passwords every 40 days.
  • Unique passwords will be used.
  • The number of grace logins will be limited to 3.
  • The number of concurrent connections will be limited to 1.
  • Network login time restrictions will be enforced preventing users from logging in to the network outside normal working hours.
  • In certain areas users will be restricted to logging in to specified workstations only.
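The account controls listed under Access Control and Server Specific Security above (8-character alphanumeric passwords, 40-day expiry, unique passwords, lockout after 3 incorrect attempts, one concurrent connection, and working-hours login restriction) can be checked mechanically. The Python model below is an added example, not code from this policy or its author; the working hours (08:00 to 18:00) and the sample account names are assumptions, since the policy does not define them.

```python
"""Model of the account controls stated in the policy (constructed example).

Thresholds are taken from the policy text; WORKING_HOURS is an assumption.
A real system would store only a salted password hash, not the password.
"""
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

MIN_PASSWORD_LEN = 8                 # "a minimum of 8 characters"
PASSWORD_MAX_AGE = timedelta(days=40)  # "expire every 40 days"
MAX_FAILED_ATTEMPTS = 3              # "locked after 3 incorrect attempts"
MAX_CONCURRENT = 1                   # "concurrent connections ... limited to 1"
WORKING_HOURS = (8, 18)              # assumed 08:00-18:00; not defined by the policy


def password_meets_policy(candidate: str, history: List[str]) -> bool:
    """Alphanumeric, at least 8 characters, mixing letters and digits, never reused."""
    if len(candidate) < MIN_PASSWORD_LEN or not candidate.isalnum():
        return False
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        return False
    return candidate not in history   # "unique": not previously used on this account


@dataclass
class Account:
    username: str
    password: str
    password_set: datetime
    history: List[str] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False
    sessions: int = 0

    def set_password(self, new: str, now: datetime) -> bool:
        """Accept the new password only if it passes policy against the full history."""
        if not password_meets_policy(new, self.history + [self.password]):
            return False
        self.history.append(self.password)
        self.password, self.password_set = new, now
        return True

    def login(self, supplied: str, now: datetime) -> str:
        """Return 'ok' or the reason the login was refused."""
        if self.locked:
            return "locked"
        if not WORKING_HOURS[0] <= now.hour < WORKING_HOURS[1]:
            return "outside-hours"           # login time restriction
        if not hmac.compare_digest(supplied, self.password):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True           # intruder lockout
                return "locked"
            return "bad-password"
        if now - self.password_set > PASSWORD_MAX_AGE:
            return "password-expired"        # 40-day expiry forces a change
        if self.sessions >= MAX_CONCURRENT:
            return "too-many-sessions"
        self.failed_attempts = 0
        self.sessions += 1
        return "ok"


def run_scenario() -> List[str]:
    """Walk two constructed accounts through the controls; returns the outcomes."""
    t0 = datetime(2024, 3, 4, 9, 0)                      # constructed timestamp
    a = Account("jsmith", "abc12345", t0)                # constructed sample user
    out = [str(a.set_password("abc12345", t0)),          # reuse refused
           a.login("abc12345", datetime(2024, 3, 4, 22, 0)),
           a.login("wrong001", t0), a.login("wrong002", t0), a.login("wrong003", t0),
           a.login("abc12345", t0)]                      # still locked with right password
    b = Account("adoe", "pass1234", t0)
    out += [b.login("pass1234", t0 + timedelta(days=41)),
            b.login("pass1234", t0 + timedelta(days=1)),
            b.login("pass1234", t0 + timedelta(days=1))]
    return out
```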
    UNIX & Linux Specific Security
  • Direct root access will be limited to the system console only.
  • Network Department staff requiring root access must make use of the SU command.
  • Use of the root account will be kept to a minimum.
  • All UNIX and Linux system accounts (lp, etc.) will be password protected.
  • Remote login facilities will be restricted to authorized Network Department staff only.
  • FTP facilities will be restricted to authorized Network Services staff only.
  • TELNET facilities will be restricted to authorized users.
  • SSH facilities will be restricted to authorized users.
  • Users access to data and applications will be limited by the access control features.
  • Users will not have access to the $ prompt.
  • All accounts will be assigned a password of a minimum of 8 characters.
    Wide Area Network Security
  • Wireless LANs will make use of the most secure encryption and authentication facilities available.
  • Users will not install their own wireless equipment under any circumstances.
  • Dial-in modems will only be used when really required. If a modem must be used, dial-back modems should be used. A secure VPN tunnel is the preferred option.
  • Modems will not be used by users without notifying the Network Department and obtaining their approval.
  • Where dial-in modems are used, the modem will be unplugged from the telephone network and the access software disabled when not in use.
  • Modems will only be used when really required; in normal circumstances all communications should pass through the Organization’s router and firewall.
  • Where leased lines are used, the associated channel service units will be locked up to prevent access to their monitoring ports.
  • All bridges, routers and gateways will be kept locked up in secure areas.
  • Unnecessary protocols will be removed from routers.
  • The preferred method of connecting to other organizations’ networks is by a secure VPN connection, using IPSEC or SSL.
  • All connections made to the Organization’s network by other organizations will be logged.
    TCP/IP & Internet Security
  • Permanent connections to the Internet will be via the means of a firewall to regulate network traffic.
  • Permanent connections to other external networks, for offsite processing etc., will be via the means of a firewall to regulate network traffic.
  • Where firewalls are used, a dual homed firewall (a device with more than one TCP/IP address) will be the preferred solution.
  • Network equipment will be configured to close inactive sessions.
  • Where modem pools or remote access servers are used, these will be situated on the DMZ or non-secure network side of the firewall.
  • Workstation access to the Internet will be via the Organisation’s proxy server and website content scanner.
  • All incoming e-mail will be scanned by the Organisation’s e-mail content scanner.
    Voice System Security
  • DISA port access (using inbound 0800 numbers) on the PBX will be protected by a secure password.
  • The maintenance port on the PBX will be protected with a secure password.
  • The default DISA and maintenance passwords on the PBX will be changed to user defined passwords.
  • Call accounting will be used to monitor access to the maintenance port, DISA ports and abnormal call patterns.
  • DISA ports will be turned off during non working hours.
  • Internal and external call forwarding privileges will be separated, to prevent inbound calls being forwarded to an external line.
  • The operator will endeavour to ensure that an outside call is not transferred to an external line.
  • Use will be made of multilevel passwords and access authentication where available on the PBX.
  • Voice mail accounts will use a password with a minimum length of six digits.
  • The voice mail password should never match the last six digits of the phone number.
  • The caller to a voice mail account will be locked out after three attempts at password validation.
  • Dialing calling party pays numbers will be prevented.
  • Telephone bills will be checked carefully to identify any misuse of the telephone system.