ClientsFirst Network Security Policy
Introduction and Overview
The purpose of this policy is to establish management direction, procedural requirements, and technical guidance to ensure the appropriate protection of ClientsFirst information handled by computer networks.
This policy applies to all employees, contractors, consultants, temporary staff, volunteers, and other workers at ClientsFirst, including those workers affiliated with third parties who access ClientsFirst computer networks. Throughout this policy, the word “worker” will be used to collectively refer to all such individuals, and the word “ClientsFirst” will refer to ClientsFirst Plc and all subsidiary companies. The policy also applies to all computer and data communication systems owned by or administered by ClientsFirst.
All information travelling over ClientsFirst computer networks that has not been specifically identified as the property of other parties will be treated as though it is a ClientsFirst corporate asset. It is the policy of ClientsFirst to prohibit unauthorised access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information. In addition, it is the policy of ClientsFirst to protect information belonging to third parties that has been entrusted to ClientsFirst in a manner consistent with its sensitivity and in accordance with all applicable agreements.
System Access Control
Users must choose fixed passwords that are difficult to guess. This means that passwords must not be related to a user’s job or personal life. For example, a car number plate, a spouse’s name, or fragments of an address must not be used. This also means passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, technical terms, and slang must not be used. Where the systems software supports it, users must be prevented from selecting easily-guessed passwords. Users can choose easily-remembered passwords that are difficult for unauthorised parties to guess if they:
- String together several words into a pass phrase.
- Shift a word up, down, left, or right one row on the keyboard.
- Bump characters in a word a certain number of letters up or down the alphabet.
- Transform a regular word according to a specific method, such as making every other letter a number reflecting its position in the word.
- Combine punctuation or numbers with a regular word.
- Create acronyms from words in a song, a poem, or another known sequence of words.
- Deliberately misspell a word.
- Combine a number of personal facts like birth dates and favorite colors.
Users must not construct passwords that are identical or similar to passwords they have previously employed. Where systems software facilities are available, users must be prevented from reusing previous passwords. Users must not construct passwords using a basic sequence of characters that is then partially changed based on the date or some other predictable factor. For example, users must not employ passwords like “X34JAN” in January and “X34FEB” in February.
Passwords must not be stored in readable form in batch files, automatic logon scripts, software macros, terminal function keys, in data communications software, in web browsers, on hard drives, or in other locations where unauthorized persons might discover them. Passwords must not be written down and left in a place where unauthorized persons might discover them. Aside from initial password assignment and password-reset situations, if there is reason to believe that a password has been disclosed to someone other than the authorized user, the password must be changed immediately.
Passwords must never be shared or revealed to anyone else besides the authorized user. If users need to share computer-resident data, they should use electronic mail, public directories on local area network servers, and other mechanisms. This policy does not prevent the use of default passwords, typically used for new user ID assignment or password reset situations, which are then immediately changed when the user next logs onto the involved system. All passwords must be immediately changed if they are suspected of being disclosed or known to have been disclosed to anyone other than the authorized user.
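The user-password rules above (no dictionary words or personal facts, no password identical or similar to a previous one, and no date-sequenced variants such as “X34JAN” then “X34FEB”) can be enforced by the systems software at password-change time. The following is an added illustration of such a check, not ClientsFirst’s own tooling; the word list, personal facts and the 0.8 similarity threshold are constructed assumptions for the example.

```python
"""Policy-driven password acceptance check (added example, not the organisation's code)."""
import re
from difflib import SequenceMatcher

# Constructed sample data: a real deployment loads a full dictionary and keeps a
# per-user history of previous passwords (hashed) rather than these literals.
DICTIONARY = {"password", "welcome", "summer", "london", "clientsfirst"}
# Facts the policy forbids: a number plate, a spouse's name, an address fragment.
PERSONAL_FACTS = {"ab12cde", "sarah", "bakerstreet"}

# A trailing month abbreviation or 2-4 digit number marks a "predictable factor" suffix.
_DATE_SUFFIX_RE = re.compile(
    r"(\d{2,4}|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)$", re.I)


def _stem(pw):
    """Strip a date-like suffix: 'X34JAN' -> 'x34'. Returns None if there is none."""
    m = _DATE_SUFFIX_RE.search(pw)
    return pw[:m.start()].lower() if m and m.start() > 0 else None


def is_similar(candidate, previous, threshold=0.8):
    """Identical or near-identical (by edit similarity) to a previous password."""
    a, b = candidate.lower(), previous.lower()
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


def is_date_sequenced(candidate, previous_passwords):
    """Same base string as an earlier password, differing only in a date-like suffix.
    Plain similarity misses this: 'x34jan' vs 'x34feb' scores only 0.5."""
    stem = _stem(candidate)
    if stem is None:
        return False
    return any(_stem(old) == stem for old in previous_passwords)


def check_password(candidate, previous_passwords=(), personal_facts=PERSONAL_FACTS):
    """Return the list of policy violations for `candidate`; an empty list means accepted."""
    reasons = []
    lowered = candidate.lower()
    # Only a bare dictionary word is rejected: the policy allows combining a
    # regular word with punctuation or numbers.
    if lowered in DICTIONARY:
        reasons.append("dictionary word")
    if any(len(fact) >= 4 and fact in lowered for fact in personal_facts):
        reasons.append("personal fact")
    if any(is_similar(candidate, old) for old in previous_passwords):
        reasons.append("similar to previous password")
    if is_date_sequenced(candidate, previous_passwords):
        reasons.append("date-sequenced reuse of a previous password")
    return reasons
```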
Password System Set-Up
All computers permanently or intermittently connected to ClientsFirst networks must have password access controls. If the computers contain Confidential or Secret information, an extended user authentication system approved by the Information Security Consultant must be used. At the very least, multi-user systems must employ user IDs and passwords unique to each user, and user privilege restriction mechanisms with privileges based on an individual’s need to know. Network-connected, single-user systems must employ hardware or software controls approved by the Information Security Consultant that prevent unauthorized access including a screen blanker triggered by a certain period of no keyboard activity.
Unless an extended user authentication system is involved, computer and communication system access control must be achieved through fixed passwords that are unique to each individual user. Access control to files, applications, databases, computers, networks, and other system resources through shared passwords or group passwords is prohibited. Wherever systems software permits, the display and printing of fixed passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them.
Wherever systems software permits, the initial fixed passwords issued to a new user by a security administrator must be valid only for the user’s first online session. At that time, the user must be required to choose another password. This same process applies to the resetting of passwords in the event that a user forgets a password.
All vendor-supplied default fixed passwords must be changed before any computer or communications system is used for production ClientsFirst business. This policy applies to passwords associated with end-user user IDs and passwords associated with privileged user IDs. Where systems software permits, the number of consecutive attempts to enter an incorrect password must be strictly limited. After three unsuccessful attempts to enter a password, the involved user ID must be suspended until reset by a system administrator or temporarily disabled for no less than three minutes. If dial-up connections are involved, the session must be disconnected. If DSL, ISDN, cable modem, or other constant connections are employed, a timeout period must be initiated.
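The failed-attempt rule above (a strict limit of three consecutive incorrect passwords, after which the user ID is either suspended until reset by an administrator or disabled for no less than three minutes) is shown here as an added example of the logic an access-control subsystem would apply; it is not ClientsFirst’s own software, and the injectable clock and user names are constructed for the example.

```python
"""Consecutive-failure lockout per the policy (added example, not the organisation's code)."""
import time

MAX_FAILURES = 3        # policy: three unsuccessful attempts
LOCKOUT_SECONDS = 180   # policy: temporarily disabled for no less than three minutes


class LoginThrottle:
    """Tracks consecutive failed logons per user ID and enforces the lockout."""

    def __init__(self, suspend_until_reset=False, clock=time.monotonic):
        # suspend_until_reset=True: only admin_reset() clears the lock (the policy's
        # first option); False: the lock expires after LOCKOUT_SECONDS (second option).
        self.suspend_until_reset = suspend_until_reset
        self.clock = clock                  # injectable so the behaviour is testable
        self._failures = {}                 # user_id -> consecutive failure count
        self._locked_until = {}             # user_id -> expiry time (inf = until reset)

    def is_locked(self, user_id):
        until = self._locked_until.get(user_id)
        if until is None:
            return False
        if self.clock() >= until:           # timed lock has expired; start afresh
            del self._locked_until[user_id]
            self._failures.pop(user_id, None)
            return False
        return True

    def record(self, user_id, password_ok):
        """Return 'locked', 'ok' or 'denied'. Check the lock before, not after,
        reporting whether the password was right, so a locked ID leaks nothing."""
        if self.is_locked(user_id):
            return "locked"
        if password_ok:
            self._failures.pop(user_id, None)
            return "ok"
        count = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = count
        if count >= MAX_FAILURES:
            self._locked_until[user_id] = (
                float("inf") if self.suspend_until_reset else self.clock() + LOCKOUT_SECONDS)
            return "locked"
        return "denied"

    def admin_reset(self, user_id):
        """System administrator clears a suspension."""
        self._locked_until.pop(user_id, None)
        self._failures.pop(user_id, None)


def demo():
    """Walk through the timed-lockout variant with a fake clock (constructed input)."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    results = [throttle.record("alice", False) for _ in range(3)]
    results.append(throttle.record("alice", True))   # correct password, still locked
    now[0] += LOCKOUT_SECONDS                         # three minutes pass
    results.append(throttle.record("alice", True))   # lock expired, logon succeeds
    return results
```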
Whenever system security has been compromised or if there is a reason to believe that it has been compromised, the involved system administrator must immediately change all involved privileged user passwords and require every end-user password on the involved system to be changed at the time of the next log on. If systems software does not provide the latter capability, a broadcast message must be sent to all users telling them to change their passwords immediately.
Whenever system security has been compromised or if there is a reason to believe that it has been compromised, a trusted version of the operating system and all security-related software must be reloaded from trusted storage media such as CD-ROMs, magnetic tapes, or original source-code floppy disks. The involved system then must be rebooted. All changes to user privileges taking effect since the time of suspected system compromise must be reviewed immediately by the system administrator for unauthorized modifications.
Logon and Logoff Process
All users must be positively identified prior to being able to use any ClientsFirst multi-user computer or communications system resources. Positive identification for internal ClientsFirst networks involves a user ID and fixed password, both of which are unique to an individual user, or an extended user authentication system. Positive identification for all Internet and dial-up lines involves the use of hand-held tokens, cryptographic challenge and response protocols, or other approved extended user authentication techniques. The combination of a user ID and fixed password does not provide sufficient security for Internet or dial-up connections to ClientsFirst systems or networks. Modems attached to network-connected workstations located in ClientsFirst offices are forbidden unless they have an extended user authentication system approved by our Information Security Consultant.
Modems connected to isolated computers, such as portable computers and home computers, are permissible, as long as an approved personal computer firewall is installed, and the related communications software is not left in an enabled state such that it could receive incoming calls.
Where systems software permits, every logon banner on multi-user computers must include a special notice. This notice must state the system is for the use of authorized users only, by continuing to use the system, the user represents that he or she is an authorized user, the user acknowledges that all system usage is logged, and the user understands that violations of ClientsFirst information security policies and other requirements may trigger disciplinary action up to and including dismissal, and civil or criminal prosecution.
The logon process for network-connected ClientsFirst computer systems must simply ask the user to log on, providing prompts as needed. Specific information about the organization managing the computer, the computer operating system, the network configuration, or other internal matters must not be provided until a user has successfully provided both a valid user ID and a valid password.
If there has been no activity on a computer terminal, workstation, or personal computer for a certain period of time, the system must automatically blank the screen and suspend the session. Re-establishment of the session must take place only after the user has provided a valid password. The recommended period of time is 15 minutes. An exception to this policy will be made in those cases where the immediate area surrounding a system is physically secured by locked doors, secured-room badge readers, or similar technology.
With the exception of electronic bulletin boards or other systems where all regular users are anonymous, users are prohibited from logging into any ClientsFirst system or network anonymously, for example, by using guest user IDs. If users employ systems facilities that permit them to change the active user ID to gain certain privileges, they must have initially logged on employing a user ID that clearly indicates their identity.
Limiting System Access
The computer and communications system privileges of all users, systems, and independently operating programs such as agents, must be restricted based on the need to know. This means that privileges must not be extended unless a legitimate business-oriented need for such privileges exists.
Default user file permissions must not automatically permit anyone on the system to read, write, execute or delete a file. Although users may reset permissions on a file-by-file basis, such permissive default file permissions are prohibited. Default file permissions granted to limited groups of people who have a genuine need to know are permitted.
Users with personal computers are responsible for running a password-protected screen saver that secures access to their machine’s hard disk drive, and for setting passwords for all applications and systems software that provide the capability.
ClientsFirst computer and communications systems must restrict access to the computers that users can reach over ClientsFirst networks. These restrictions can be implemented through routers, gateways, firewalls, and other network components. These restrictions must be used to, for example, control the ability of a user to log on to a certain computer then move from that computer to another.
Process for Granting System Privileges
Requests for new user IDs and changed privileges must be in writing or email and approved by the user’s manager before a system administrator fulfils these requests. Documents reflecting these requests must be retained for a period of at least one year.
Individuals who are not ClientsFirst employees must not be granted a user ID or be given privileges to use ClientsFirst computers or networks unless the written approval of a department head has been obtained.
Privileges granted to users who are not ClientsFirst employees must be granted for periods of 90 days or less. As needed, users who are not ClientsFirst employees must have their privileges reauthorized by the sponsoring department head every 90 days.
Special privileges, such as the default ability to write to the files of other users, must be restricted to those responsible for systems administration or systems security. An exception to this policy can be made if a department head has approved the exception in writing. Configuration changes, operating system changes, and related activities that require system privileges must be performed by system administrators, not end users.
Third-party vendors must not be given Internet or dial-up privileges to ClientsFirst computers or networks unless the system administrator determines that they have a legitimate business need. These privileges must be enabled only for the time period required to accomplish the approved tasks, such as remote maintenance. If a perpetual or long-term connection is required, then the connection must be established by approved extended user authentication methods.
All users wishing to use ClientsFirst internal networks, or multi-user systems that are connected to ClientsFirst internal networks, must sign a compliance statement prior to being issued a user ID. If a certain user already has a user ID, a signature must be obtained prior to receiving a renewed user ID. The latter process must be performed periodically.
Process for Revoking System Access
All user IDs must have the associated privileges revoked after a certain period of inactivity not exceeding 30 days. If a computer or communication system access control subsystem is not functioning properly, it must default to denial of privileges to users. If access control subsystems are malfunctioning, the systems must remain unavailable until such time as the problem has been rectified.
Users must not test or attempt to compromise computer or communication system security measures unless specifically approved in advance and in writing by the team manager. Incidents involving unapproved system hacking, password guessing, file decryption, bootleg software copying, or similar unauthorized attempts to compromise security measures may be unlawful, and will be considered serious violations of ClientsFirst policy.
Customer requests that ClientsFirst security mechanisms be compromised must not be satisfied unless the Information Security Consultant approves in advance or ClientsFirst is compelled to comply by law. Short-cuts bypassing systems security measures, pranks, and practical jokes involving the compromise of systems security measures are absolutely prohibited. The privileges granted to users must be reevaluated by management every six months. In response to feedback from management, system administrators must promptly revoke all privileges no longer needed by users.
Management must report all significant changes in worker duties or employment status promptly to the system administrators responsible for user IDs associated with the involved persons. For all personnel changes, the Human Resources department also must issue a notice of status change to all system administrators who might be responsible for a system on which the involved worker might have a user ID.
Establishment of Access Paths
Changes to ClientsFirst internal networks include loading new software, changing network addresses, reconfiguring routers, and adding dial-up lines. With the exception of emergency situations, all changes to ClientsFirst computer networks must be approved in advance. Emergency changes to networks must be made by authorised persons. This process prevents unexpected changes from leading to denial of service, unauthorized disclosure of information, and other problems. This process applies not only to workers, but also to vendor personnel.
Workers must not establish electronic bulletin boards, local area networks, FTP servers, web servers, modem connections to existing local area networks, or other multi-user systems for communicating information without the specific approval of the Information Security Consultant.
All ClientsFirst computers that connect to an internal or external network must employ password-based access controls or an extended user authentication system. Multi-user computers must employ software that restricts access to the files of each user, logs the activities of each user, and has special privileges granted to a system administrator. Single-user systems must employ access control software approved by the Information Security Consultant that includes boot control and an automatic screen blanker that is invoked after a certain period of no input activity. Portable computers and home computers that contain ClientsFirst information are also covered by this policy, as are network devices such as firewalls, gateways, routers, and bridges.
All inter-processor commands from non-ClientsFirst locations are prohibited unless a user or process has properly logged on. Examples of such commands include remotely-initiated requests for a list of users currently logged on and a remote procedure call.
Computer Viruses, Worms, and Trojan Horses
Users must keep approved and current virus-screening software enabled on their computers. This software must be used to scan all software coming from third parties or other ClientsFirst departments, and the scan must take place before the new software is executed. Users must not bypass scanning processes that could stop the transmission of computer viruses. Users are responsible for eradicating viruses from all personal computer systems under their control whenever viruses have been detected using software installed by ClientsFirst staff. As soon as a virus is detected, the involved user must immediately call the Information Security Consultant to ensure that no further infection takes place and that any experts needed to eradicate the virus are promptly engaged.
Data and Program Backup
Personal computer users are responsible for backing up the information on their machines. For multi-user computer and communication systems, a system administrator is responsible for making periodic backups. If requested, the Information Systems team will install or provide technical assistance for the installation of backup hardware or software.
All sensitive (Confidential or Secret), valuable, or critical information resident on ClientsFirst computer systems and networks must be periodically backed up. User department managers must define which information and which machines are to be backed up, the frequency of backup, and the method of backup based on the following guidelines:
- If the system supports more than one individual and contains data that is critical to day-to-day operations within the company, then a backup is required daily.
- If the system is used to support job-related functions and contains key data critical to the day-to-day operations of that job, then a backup is required weekly.
- If the system is primarily used as a personal productivity tool and contains no data that would be classified as job or departmental in nature, then a backup is at the discretion of the individual user.
Nothing in the time frames for periodic backup mentioned immediately above restricts the generation of more frequent backups, as will occasionally be required for operational and business reasons.
When ClientsFirst Confidential or Secret information is transmitted over any communication network, it must be sent in encrypted form. Whenever ClientsFirst source code, or source code that has been entrusted to ClientsFirst by a business partner, is to be sent over a network, it too must be in encrypted form.
Encryption keys used for ClientsFirst information are always classified as Confidential or Secret information. Access to such keys must be limited only to those who have a need to know. Unless the approval of the Information Systems team manager is obtained, encryption keys must not be revealed to consultants, contractors, temporaries, or other third parties. Encryption keys always must be encrypted when sent over a network. Whenever such facilities are commercially available, ClientsFirst must employ automated rather than manual encryption key management processes for the protection of information on ClientsFirst networks.
Workers in the possession of portable, laptop, notebook, handheld, and other transportable computers containing Confidential or Secret ClientsFirst information must not leave these computers unattended at any time unless the information is stored in encrypted form. Workers in the possession of transportable computers containing unencrypted Confidential or Secret ClientsFirst information must not check these computers in airline luggage systems or with hotel porters. These computers must remain in the possession of the traveller as hand luggage.
Whenever Confidential or Secret information is written to a floppy disk, magnetic tape, smart card, CD-ROM, DVD, USB key or other storage media, the storage media must be suitably marked with the highest relevant sensitivity classification. When not in use, this media must be stored in a locked safe, locked furniture, or a similarly secured location.
Printers must not be left unattended if Confidential or Secret information is being printed or soon will be printed. The persons attending the printer must be authorized to examine the information being printed.
Unattended printing is permitted if the area surrounding the printer is physically protected such that persons who are not authorized to see the material being printed may not enter.
Unless contractual agreements dictate otherwise, messages sent over ClientsFirst computer and communications systems are the property of ClientsFirst. Management reserves the right to examine all data stored in or transmitted by these systems. Because ClientsFirst computer and communication systems must be used for business purposes only, workers must have no expectation of privacy associated with the information they store in or send through these systems.
When providing computer-networking services, ClientsFirst does not provide default message protection services such as encryption. No responsibility is assumed for the disclosure of information sent over ClientsFirst networks, and no assurances are made about the privacy of information handled by ClientsFirst internal networks. In those instances where session encryption or other special controls are required, it is the user’s responsibility to ensure that adequate security precautions have been taken. Nothing in this paragraph must be construed to imply that ClientsFirst policy does not support the controls dictated by agreements with third parties, such as organizations that have entrusted ClientsFirst with confidential information.
Physical Security of Computer and Communications Gear
All ClientsFirst network equipment must be physically secured with anti-theft devices if located in an open office environment. Additional physical access control also may be used for these devices. For example, local area network servers must be placed in locked cabinets, locked closets, or locked computer rooms.