Security Assignment 2 Danny O’Leary
TouchDown Rentals Security Policies
Purpose
These policies aim to define the requirements for many different aspects of TouchDown Rentals:
1. Acceptable Use Policy: This policy sets out all information regarding the use of equipment at TouchDown Rentals. It is in place to protect both employee and employer. Not following this policy creates the potential for viruses and legal issues for TouchDown Rentals.
2. Server Security Policy: This policy sets out all information regarding the standards for internal server equipment at TouchDown Rentals. Effective use of this policy should lead to minimal unauthorized access to secure information.
3. Workstation Security Policy: This policy sets out all information regarding workstation security. For information to be secure, the workstation must also be secure. This policy also provides guidance that ensures the requirements of the HIPAA Security Rule “Workstation Security” standard are met.
4. Wireless Communication Policy: This policy aims to secure and protect information. TouchDown Rentals currently provides workstations and networks to meet the goals and mission of the company.
5. Web Application Policy: The purpose of this policy is to set out all information regarding web application assessments. These are performed to spot potential weaknesses in the system and to improve the overall security of the web application. It also covers what to do when a weakness is found.
6. Remote Access Policy: This policy outlines all the information required when connecting to the TouchDown Rentals network. It aims to stop unauthorized use of TouchDown Rentals resources.
7. Disaster Recovery Policy: This policy sets out a disaster recovery plan. It describes the process for recovering data, applications and IT systems when a disruption occurs.
Scope
These policies are for the use of TouchDown Rentals. They aim to secure its information, govern the use of its workstations, protect its workstations, outline how to use its networks, secure the company’s web applications, set recovery plans and outline how to connect remotely in a secure way. These policies apply to everyone working at TouchDown Rentals.
TouchDown Rentals is a car rental service that currently has four workstations, all running Windows 8.1. It has two servers, both running Windows Server 2012. One server is a backup and the other hosts an automated booking system and a database. All employees of TouchDown Rentals use Google Apps for Work to access their email addresses. The file system they use to share files with each other is currently Dropbox for Business. They currently have a single router that is provided by their local internet service provider.
Policies

Acceptable Use Policy
General Use:
1. You must ensure that private information belonging to TouchDown Rentals remains private and is handled in accordance with the Data Protection Act.
2. You have a responsibility to report theft of private information that belongs to TouchDown Rentals.
3. You should only access private information belonging to TouchDown Rentals when it is necessary to complete your assigned job duties.
4. For security and network maintenance work, authorized individuals may monitor the equipment, systems and network traffic at TouchDown Rentals, provided this complies with Infosec’s Audit Policy.
5. TouchDown Rentals reserves the right to audit networks and systems regularly to ensure compliance with this policy.
Security Information:
6. Any mobile phones or computer devices that connect to the TouchDown Rentals network must do so in accordance with the Minimum Access Policy.
7. System-level and user-level passwords must comply with the Password Policy. Giving another user access to your account, whether deliberately or by failing to keep it secure, is prohibited.
8. Any computer device has to be secured with a password-protected screensaver set to activate after 5 minutes or less. If you are leaving the computer device, you must either log off or lock the screen.
9. Every employee must take extreme care when opening any email on the network, as it may contain malware.
Unacceptable Use:
Below are activities that are prohibited and that employees must not engage in during their employment at TouchDown Rentals. Employees are not allowed to engage in anything that is illegal under local, state, federal or international law while at TouchDown Rentals.
10. Violating the copyright or other rights of any person or company. This includes installing pirated or otherwise unlicensed software on TouchDown Rentals equipment.
11. Copying material is prohibited. This includes digitizing and distributing images found in magazines, books or any other source that does not belong to TouchDown Rentals.
12. Accessing data or servers for any purpose that does not relate to TouchDown Rentals business is prohibited.
13. Introducing malicious programs into the network (viruses, worms, Trojan horses, etc.) is strictly prohibited.
14. Carrying out any form of fraudulent activity, including offers for products, items or services sent from a TouchDown Rentals account, is prohibited.
15. Any form of port scanning carried out without Infosec’s consent is prohibited.
16. Other malicious activities are also prohibited, such as denial of service, introducing honeypots to the network or any malicious activity that involves the use of scripts.
Email Activities:
This concerns anyone in TouchDown Rentals who uses the TouchDown Rentals network to access the internet.
17. Sending any form of junk mail from the network is prohibited.
18. Sending any form of harassment through the network is prohibited, whether through the language used, the size of messages or the number sent.
19. Forging email headers is prohibited.
20. Creating Ponzi or pyramid schemes is prohibited.
Server Security Policy
General Requirements:
1. Any server used by TouchDown Rentals must be under the responsibility of a system administrator. Server configuration guides must be established and maintained by each system administrator based on TouchDown Rentals’ needs and approved by Infosec. There must also be a process for changing the configuration guides, which again has to be approved by Infosec. Servers must meet the following requirements:
a. Servers must be registered in the corporate enterprise management system.
b. The following information must always be recorded and easily retrieved: server contacts and location, backup contact, hardware version, OS version and main functions where needed.
c. This information must be kept up to date.
2. For security and network maintenance work, authorized individuals may monitor the equipment, systems and network traffic at TouchDown Rentals, provided this complies with Infosec’s Audit Policy.
Configuration:
3. Any operating system at TouchDown Rentals should be configured in accordance with Infosec guidelines.
4. Applications that are not in use should be disabled until they are needed again.
5. A web application firewall should be used in front of services that users access.
6. The operating system should always have the latest security patches and should be checked regularly for new updates.
7. Trust relationships between systems should be used sparingly, and avoided where another method of communication is possible.
8. All servers should be located in an access-controlled environment.
Monitoring:
9. Every security log should be kept online for a minimum of two weeks.
10. Backups of files that have changed will be kept for one month.
11. Weekly backups of the system will be made and kept for at least one month.
12. Monthly copies of the system will be made and kept for at least 5 years.
(Sans.org, 2015)
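The retention periods in Monitoring items 9 to 12 are easy to state and easy to drift away from. The following Python script is an added example, not part of the TouchDown Rentals policy or the SANS template it is based on: it takes an inventory of log and backup records, reports which ones have outlived their minimum retention and may be pruned, and flags a missed weekly or monthly backup. The record format and sample dates are constructed, and the script treats “one month” as 30 days and “5 years” as 5 × 365 days, both assumptions.

```python
# Added example: checking server log and backup records against the retention
# periods in the Server Security Policy (items 9-12). Not part of the policy
# itself; the Record format and sample dates are constructed, and "one month"
# is taken as 30 days and "5 years" as 5*365 days (assumptions).
from dataclasses import dataclass
from datetime import date


# Minimum retention, in days, per record kind.
RETENTION_DAYS = {
    "security_log": 14,       # kept online for a minimum of two weeks
    "changed_files": 30,      # backups of changed files kept for one month
    "weekly_full": 30,        # weekly system backups kept for at least one month
    "monthly_copy": 5 * 365,  # monthly copies kept for at least 5 years
}

# Maximum age of the newest record of a kind before the schedule counts as missed.
MAX_INTERVAL_DAYS = {"weekly_full": 7, "monthly_copy": 31}


@dataclass(frozen=True)
class Record:
    kind: str
    created: date


def age_days(record, today):
    return (today - record.created).days


def may_expire(record, today):
    """True once the record has outlived its minimum retention period."""
    if record.kind not in RETENTION_DAYS:
        raise ValueError(f"unknown record kind: {record.kind}")
    return age_days(record, today) > RETENTION_DAYS[record.kind]


def expirable(records, today):
    """Records that may now be pruned without breaching the policy."""
    return [r for r in records if may_expire(r, today)]


def schedule_gaps(records, today):
    """Kinds whose newest record is older than the required interval, or missing."""
    gaps = []
    for kind, max_days in MAX_INTERVAL_DAYS.items():
        newest = max((r.created for r in records if r.kind == kind), default=None)
        if newest is None or (today - newest).days > max_days:
            gaps.append(kind)
    return gaps


# Constructed sample inventory and reference date.
TODAY = date(2015, 4, 24)
SAMPLE_RECORDS = [
    Record("security_log", date(2015, 4, 1)),
    Record("security_log", date(2015, 4, 15)),
    Record("changed_files", date(2015, 3, 1)),
    Record("weekly_full", date(2015, 3, 1)),
    Record("weekly_full", date(2015, 4, 20)),
    Record("monthly_copy", date(2010, 1, 31)),
    Record("monthly_copy", date(2015, 3, 31)),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        status = "may expire" if may_expire(r, TODAY) else "retain"
        print(f"{r.kind:14} {r.created}  {age_days(r, TODAY):5d} days  {status}")
    print("schedule gaps:", schedule_gaps(SAMPLE_RECORDS, TODAY) or "none")
```

The two checks are deliberately separate: pruning too early breaches the retention rule, while a gap in the weekly or monthly schedule means there is nothing to restore from, and only the second one shows up if you only look at what is still on disk.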
Workstation Security Policies
This policy aims to make sure that sensitive information is restricted to authorized users and no one else. It also ensures that any sensitive information on workstations is kept confidential.
1. Any worker using a workstation must understand the sensitivity of the information that may be on it and aim to stop unauthorized access to this information.
2. TouchDown Rentals will have safeguards in place to prevent unauthorized access. These include:
a. Access to workstations is restricted to authorized personnel only.
b. Workstations must be logged off or locked if someone is leaving the area or no longer using them.
c. Any computer device has to be secured with a password-protected screensaver set to activate after 5 minutes or less. If you are leaving the computer device, you must either log off or lock the screen.
d. Never install software on the workstations without prior consent.
e. Complying with related policies:
i. Wireless Communication Policy
f. Exiting applications that are not being used.
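The 5-minute password-protected screensaver rule appears in both the Acceptable Use Policy (item 8) and the Workstation Security Policy (item 2c). Since the workstations run Windows 8.1, the setting can be verified from the per-user registry values. The Python script below is an added example, not part of the TouchDown Rentals policy: it evaluates the three relevant values and lists any findings. The function names and sample values are constructed; the registry value names are the standard Windows settings under HKEY_CURRENT_USER\Control Panel\Desktop.

```python
# Added example: checking a Windows 8.1 workstation against the 5-minute
# password-protected screensaver rule. Not part of the policy; the function
# names and sample values are constructed. The registry value names are the
# standard per-user settings under HKEY_CURRENT_USER\Control Panel\Desktop.
import sys

MAX_IDLE_SECONDS = 5 * 60  # policy: screensaver set to 5 minutes or less
REGISTRY_PATH = r"Control Panel\Desktop"
# ScreenSaveActive "1" = screensaver enabled; ScreenSaverIsSecure "1" = logon
# screen shown on resume; ScreenSaveTimeOut = idle seconds before it starts.
REQUIRED_VALUES = ("ScreenSaveActive", "ScreenSaverIsSecure", "ScreenSaveTimeOut")


def check_screen_lock(values):
    """Return a list of policy findings for the given settings; empty means compliant."""
    findings = [f"{name} is not set" for name in REQUIRED_VALUES if name not in values]
    if findings:
        return findings
    if values["ScreenSaveActive"] != "1":
        findings.append("screensaver is disabled")
    if values["ScreenSaverIsSecure"] != "1":
        findings.append("screensaver does not require a password on resume")
    try:
        timeout = int(values["ScreenSaveTimeOut"])
    except (TypeError, ValueError):
        findings.append(f"ScreenSaveTimeOut is not a number: {values['ScreenSaveTimeOut']!r}")
        return findings
    if not 0 < timeout <= MAX_IDLE_SECONDS:
        findings.append(f"idle timeout is {timeout}s; policy requires 1-{MAX_IDLE_SECONDS}s")
    return findings


def read_local_values():
    """Read the live settings for the current user (Windows only)."""
    import winreg  # standard library, but only available on Windows

    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REGISTRY_PATH) as key:
        for name in REQUIRED_VALUES:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # reported as "not set" by check_screen_lock
    return values


# Constructed sample settings, as the strings the registry stores them in.
SAMPLE_COMPLIANT = {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1", "ScreenSaveTimeOut": "300"}
SAMPLE_NONCOMPLIANT = {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "0", "ScreenSaveTimeOut": "900"}

if __name__ == "__main__":
    values = read_local_values() if sys.platform == "win32" else SAMPLE_NONCOMPLIANT
    findings = check_screen_lock(values)
    print("compliant" if not findings else "\n".join(f"- {f}" for f in findings))
```

One caveat when running this on a domain-joined machine: values enforced by Group Policy live under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop and take precedence over the per-user values read here, so a full check reads both locations and reports the effective one.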
Wireless Communication Policy
Any device that connects to the network at TouchDown Rentals must abide by the following rules:
1. It has to follow the Wireless Communication Standard.
2. The networks have to be installed and maintained by a member of the TouchDown Rentals support team.
3. Everyone has to use TouchDown Rentals approved authentication protocols and infrastructure.
4. Encryption protocols must also be used.
5. Devices that do not provide connection to the network must follow these guidelines:
a. They must comply with the Lab Security Policy.
b. They must not interfere with any network that TouchDown Rentals has.
Home Wireless Device:
1. Wireless devices that provide access to the TouchDown Rentals network must use standard remote access authentication.
Web Application Security Policies
1. Any new application release for the company will be fully assessed before it is approved and goes live.
2. Any third-party web application for the company will be fully assessed before it is approved and goes live.
3. Point Releases will be assessed based on the level of risk that the change may carry.
4. Patch Releases will be assessed based on the level of risk that the change may carry.
5. Emergency Releases can skip the review stage and be deployed for their intended purpose until a more appropriate time, at which point they must be assessed.
6. Any security issue found during an assessment of a web application must be given a risk level. The risk levels that TouchDown Rentals uses follow the OWASP Risk Rating Methodology:
a. HIGH RISK: Any web application with an OWASP high risk rating is to be fixed as soon as possible, and it is highly recommended that a temporary fix be put in place while the permanent fix is being carried out, if possible. The web application should be taken offline immediately. These fixes should be carried out using an Emergency Release.
b. MEDIUM RISK: Any web application with a medium risk on the OWASP risk rating methodology should be further reviewed. A temporary fix should be put in place as soon as possible. If there is a potential risk, it should be taken offline immediately. These fixes should be carried out in either a Point Release or a Patch Release. They should be delayed only if a HIGH RISK OWASP rating exists somewhere at the same time.
c. LOW RISK: Any web application with a low risk on the OWASP risk rating methodology should be further reviewed and scheduled for a fix. These should only be carried out if there is no pending High Risk or Medium Risk at the same time.
7. Infosec will determine the assessment levels for TouchDown Rentals. The levels are:
a. FULL: A full assessment tests for all known vulnerabilities on a web application. It uses both manual and automated tools based on the OWASP Testing Guide. It uses manual penetration testing on any discovered vulnerabilities to determine the risk of what could possibly happen with the vulnerability.
b. QUICK: A quick assessment uses an automated scan of a system for, at a minimum, the OWASP Top Ten Web Application Security Risks. The scope can vary depending on what is being tested.
c. TARGETED: This is used to test new features that a web application might have. It is targeted at a specific part of the web application and should be carried out accordingly.
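Item 6 assigns every finding a risk level using the OWASP Risk Rating Methodology, which scores eight likelihood factors and eight impact factors from 0 to 9, averages each group into LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 and above), and combines the two levels in a severity matrix. The Python below is an added worked example, not code from the TouchDown Rentals policy or from OWASP: the factor names and the matrix follow the OWASP methodology, the sample scores are constructed for a hypothetical finding, and the mapping of OWASP’s NOTE and CRITICAL results onto the policy’s three release paths is an assumption, since the policy only names HIGH, MEDIUM and LOW.

```python
# Added example: scoring a finding with the OWASP Risk Rating Methodology and
# mapping the result onto the policy's release types. Not part of the policy;
# factor names and bands follow OWASP, the sample scores are constructed.

# Each factor is scored 0-9. Likelihood is the average of the threat-agent and
# vulnerability factors; impact is the average of the technical and business factors.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",                            # technical impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business impact
)

# Overall severity matrix, keyed (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "NOTE",      ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM",   ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}

# Release path per severity. The NOTE and CRITICAL rows are an assumption:
# the policy only defines handling for HIGH, MEDIUM and LOW.
RELEASE_FOR_SEVERITY = {
    "CRITICAL": "Emergency Release (handled as HIGH RISK)",
    "HIGH": "Emergency Release",
    "MEDIUM": "Point Release or Patch Release",
    "LOW": "Scheduled fix once no HIGH or MEDIUM risk is pending",
    "NOTE": "Review only (handled as LOW RISK)",
}


def level(score):
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside the 0-9 range")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average_score(scores, names):
    """Average the named factors, refusing incomplete or out-of-range input."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for n in names:
        if not 0 <= scores[n] <= 9:
            raise ValueError(f"factor {n} must be scored 0-9, got {scores[n]}")
    return sum(scores[n] for n in names) / len(names)


def rate(likelihood_scores, impact_scores):
    """Return likelihood, impact, overall severity and release path for one finding."""
    likelihood = average_score(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = average_score(impact_scores, IMPACT_FACTORS)
    severity = SEVERITY[(level(likelihood), level(impact))]
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact),
        "severity": severity, "release": RELEASE_FOR_SEVERITY[severity],
    }


# Constructed sample scores for a hypothetical finding (not a real TouchDown Rentals issue).
SAMPLE_LIKELIHOOD = {
    "skill_level": 5, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 3, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 5, "non_compliance": 5, "privacy_violation": 5,
}

if __name__ == "__main__":
    for key, value in rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT).items():
        print(f"{key}: {value}")
```

With the sample scores the likelihood averages 6.0 (HIGH) and the impact 5.0 (MEDIUM), which the matrix rates HIGH, so under item 6a the fix goes out as an Emergency Release. Scoring every factor rather than picking a level by feel is what makes two assessors reach the same answer for the same finding.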
Remote Access Policies (For Employees Working At Home)
Employees who are working from home on their own network must follow the same policies as an employee working at TouchDown Rentals. It is the employee’s responsibility to follow these considerations. Recreational use of the device connected to the home network is permitted. It is the employee’s responsibility that his/her family does not violate any of TouchDown Rentals’ policies, does not perform any illegal activities that may harm TouchDown Rentals and does not use the device for anything outside TouchDown Rentals’ interests. If this is broken, the employee will be held responsible. It is also the employee’s responsibility to read the following policies:
1. Acceptable Usage Policy for Employees
2. Wireless Communication Policy
Requirements:
1. Remote access must be controlled at all times and must also be secure. To secure and control it, strong passphrases must be used to authenticate the user.
2. An employee should never provide their login information or access to their TouchDown Rentals email to anyone.
3. Employees working from home must make sure that the device or workstation they are using from home is not connected to any network that they do not have full control over. This only applies to the device they are using for TouchDown Rentals business.
4. Employees working from home must never use a personal email address that does not belong to TouchDown Rentals for any business involving TouchDown Rentals.
5. An employee working from home must not reconfigure their device or workstation for the purpose of split-tunnelling or dual homing; this is not permitted at any time.
6. Any hardware change that an employee wants to make to the device or workstation must be approved by Infosec in accordance with its security configuration requirements for hardware access.
7. All employees working from home must keep their anti-virus software up to date.
8. Any personal equipment used to connect to the TouchDown Rentals network must meet the requirements for TouchDown Rentals-owned equipment for remote access.
Disaster Recovery Plan
Contingency Plan:
The different contingency plans that TouchDown Rentals uses are:
1. Computer Emergency Response Plan: This sets out the immediate actions to take in certain events. Who is to be contacted? When, and how?
a. Who is to be contacted: Manager of TouchDown Rentals
b. When is he to be contacted: In the case of emergency, as soon as possible
c. How is he to be contacted: Email or phone
2. Succession Plan: This describes the flow of responsibility when staff are away or unavailable from their duties.
a. Manager – Manager
b. Finance Person – Manager (if the finance person is away)
c. Customer Support Agent – Customer Support Agent (if one customer support agent is away)
3. Data Study: This classifies the data at TouchDown Rentals by its criticality and confidentiality.
4. Criticality of Service List: This lists the services at TouchDown Rentals in order of importance:
a. Back Ups
b. Main Server
c. Database
d. Automated Booking System
5. Data Backup and Restoration Plan: This details what is being backed up, how it is being saved, where it is being saved and how often it is actually being backed up. It also describes how the data can be recovered in case of emergency.
a. The whole system is saved to the cloud.
b. It is backed up hourly.
c. It is retrieved by contacting the cloud provider.
6. Equipment Replacement Plan: This lists the equipment that is crucial to the running of TouchDown Rentals:
a. Server Rental
b. Workstations
c. Updated Operating Systems
d. Updated Anti-Virus
7. Mass Media Management: This lists who is allowed to deal with the mass media:
a. Manager
Enforcement
TouchDown Rentals could implement the security policies in several ways. For any confidential information held on the system, and in accordance with the policies, access should be limited to what each user needs to do the job at hand. Network usage can be monitored to see whether everyone is obeying the policies on the network. Talks could be held on why the policies are important, breaking down what every employee should be doing every day. It is also recommended that every employee be given a copy of the policies, and that these be updated consistently. The policies should be explained in detail to every new employee joining the company.
Definitions
Infosec: A company that specializes in security-related aspects.
Split-Tunnelling: A VPN configuration in which a user connects to a network through the VPN while the same device keeps a direct path to other networks at the same time.
OWASP: A community dedicated to web application security.
Port Scanning: Software that searches a network for open ports that may be vulnerable.
Revision History
Date Of Change | Responsible | Summary Of Change
23rd April 2015 | Infosec | Updated document with additional policy
References
Sans.org, (2015). Server Security Policy. [online] Available at: http://www.sans.org/securityresources/policies/server-security/pdf/server-security-policy [Accessed 23 Apr. 2015].
Sans.org, (2015). Disaster Recovery Plan Policy. [online] Available at: http://www.sans.org/securityresources/policies/general/pdf/disaster-recovery-plan-policy [Accessed 24 Apr. 2015].
Sans.org, (2015). Web Application Security Policy. [online] Available at: http://www.sans.org/securityresources/policies/application-security/pdf/web-application-security-policy [Accessed 24 Apr. 2015].
Sans.org, (2015). Acceptable Use Policy. [online] Available at: http://www.sans.org/securityresources/policies/general/pdf/acceptable-use-policy [Accessed 24 Apr. 2015].
Sans.org, (2015). Workstation Security (For HIPAA) Policy. [online] Available at: http://www.sans.org/securityresources/policies/server-security/pdf/workstation-security-for-hipaa-policy [Accessed 24 Apr. 2015].
Sans.org, (2015). Wireless Communication Policy. [online] Available at: http://www.sans.org/securityresources/policies/network-security/pdf/wireless-communication-policy [Accessed 24 Apr. 2015].