I. Introduction
A. General Purpose.
The [THE COMPANY] Computer and Network Security Policy establishes the standards for the
use of the Company’s computer and network resources in a secure environment. Through
adherence to this policy, employees will assure the integrity, availability, confidentiality and
accountability of the information the Company needs to remain competitive in the information
technology market. The security of the Company’s computer and network resources rests with
employees at all levels.
The Company’s computer and network resources shall be accessed and used only by individuals
authorized by the Company. A user account must be approved and activated by the Company’s
designated computer and network system administrator. Any computer, computer system, or
network or device physically connected to or accessing the Company’s computer and network
resources will be subject to and must comply with this policy. Any question with regard to whether
a specific use is authorized must be referred to the System Administrator.
B. Scope.
This policy is effective at [THE COMPANY], and applies to all system users at any location,
including those using privately owned computers or systems to access the Company’s computer
and network resources. This policy represents the minimum requirements that must be in place.
This policy is not intended to inhibit access to information services that employees have made
accessible for public inquiry (e.g., WWW or anonymous ftp sites). However, use of such services
to access or attempt to access information not intended for public display or use, or to circumvent
or violate the responsibilities of the system users or the system administrator as defined in this
policy, is prohibited.
C. Ownership.
Internet related systems (including but not limited to: computer equipment; software and operating
systems; network accounts providing electronic mail, World Wide Web browsing, File Transfer
Protocol; networking and intranet systems and software) are the property of [THE
COMPANY]. They are to be used for business purposes only in serving the interests of the
Company and our clients in the normal course of business.
Original Issue: June 15, 1999 Policy 6
Current Issue: June 4, 2009
D. Privacy of Communications.
E. Monitoring.
The company reserves the right to monitor all employee usage to ensure proper working order,
appropriate use by employees, the security of company data and to retrieve the contents of any
employee communication in these systems. The company may access user files, including archived
material of present and former employees without the user’s consent for any purpose related to
maintaining the integrity of the network or the rights of the corporation or other users or for any
reasonable purpose. All external correspondence will also be considered as property of the
corporation and can be monitored at the same level as internal communications.
F. Supplements.
Existing policies and procedures will be reviewed, updated, and changed from time to time. New
policies and procedures will be formulated as the need arises. In order to accommodate these
modifications, this policy is published in two formats 1) loose leaf format and distributed
separately and 2) PDF format and posted at the corporate web site and public folders available
through the corporate e-mail system. In this way, any change or addition may be conveniently
made.
A. President.
1. Manages the design, implementation, and maintenance of the Company’s computer and
network system resources as it applies to the growth and sustainment of the Company’s
business.
2. Provides computer and network system guidance to the system administrator as it applies to the
Company’s short and long term strategic planning and objectives.
1. Ensures employees use organizational computer and network resources for official business
only.
2. Recommends e-mail and internet access for their employees to the system administrator when
that use complies with the stipulations below:
(a) Enhances work productivity and does not deter from assigned work assignments and
performance.
(c) Serves as a legitimate organization interest such as notifying family of travel changes
while on a business trip, communication from a place of work during normal work hours,
performing research for organizational projects, or morale purposes if assigned for
extended period of time away from home.
3. Implement security policies, controls, and procedures to protect the Company’s computer and
network resources from intentional or inadvertent modification, disclosure, or destruction of
computer databases.
5. Respond to computer and network security incidents to include, but not limited to, notification
of incidents to law enforcement agencies and other Company offices as appropriate, and contact
outside computer emergency response teams or vendors as deemed necessary.
Unless otherwise stated, the system administrator has the same responsibilities as system users.
However, because of their position, the system administrator has additional responsibilities and
privileges for specific systems or networks. For systems that are directly administered, the system
administrator will:
1. Prepare and maintain security procedures that implement Company security policies and
address such details as access control, backup and disaster recovery mechanisms, and
continuous operation in case of power outages.
3. Archive and back up the systems. The network administration will back up the network
shared resources and designated areas of the users’ personal computers on a daily basis. These
backups can be either to a tape backup system or to another designated server on the network.
Any data outside the normal designated areas that needs to be backed up will be added to the
backup system once the network administration is notified of its location.
4. Treat files and systems as private. It is recognized that a system administrator may have
incidental contact with system user files, including electronic mail, in the course of their duties.
The contents of such files must be kept private. Deliberate access to system user files is
authorized only in the event of a suspected security breach, if essential to maintain the system(s)
or network(s) for which the system administrator has direct administrative responsibility, or if
requested by or coordinated with the system user.
5. Take reasonable and appropriate steps to see that all hardware and software license agreements
are conscientiously executed on all systems, networks, and servers.
6. Ensure organizational network addresses are assigned to those entities or organizations that are
part of [THE COMPANY], only. The system administrator must not assign network addresses
to non-Company entities or agencies.
7. Limit access to root or privileged supervisory accounts. In general, only the system
administrator should have access to such accounts. System users will not be given unrestricted
access to root or privileged supervisory accounts unless the user has been designated as an
assistant system administrator who has been approved by the President. As with all accounts,
authorization for root or privileged supervisory accounts must be approved in accordance with
this policy.
a. User Identification;
b. User actions to create, modify, or delete programs/files;
c. Actions taken by network operators, network administrators, and security operators;
d. Any event that attempts to change privileges or security profiles (e.g., change access
controls, change security level of the subject, change user password);
e. Any event that attempts to violate the security policy of the network (e.g., too many
attempts to log in, attempts to violate the access control limits of a file);
f. For each recorded event the audit trail shall record the date and time of the event, the subject, the
type of event, the success or failure of the event, the origin of the request, and the name of the
program/file introduced, accessed or deleted;
g. Any actions to change the configuration of the network (e.g., a component leaving the
network and rejoining).
h. Provide immediate feedback to the ISSO on e-mail received with viruses.
i. Assure that security awareness training is conducted and documented annually for all employees.
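The audit-trail requirements in items a through g above describe a record layout (date and time, subject, event type, success or failure, origin, and the program or file involved) and name repeated failed logins as an event that must be captured. The following is an added example, not text or code from the policy, showing one way to validate records against those mandatory fields and to flag a subject whose failed logins cluster within a short window. The pipe-separated line format, the sample records, the threshold of five failures and the ten-minute window are constructed assumptions; the policy itself fixes no numbers.

```python
"""Audit-trail record validation and repeated-failed-login detection.

Added example, not part of the policy document. The six fields are the ones
the policy mandates for every audited event; the line format, threshold,
window and sample records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Field order of the constructed pipe-separated audit line.
REQUIRED_FIELDS = ("timestamp", "subject", "event_type", "success", "origin", "object_name")


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime   # date and time of the event
    subject: str          # user or process that acted
    event_type: str       # e.g. "login", "file_delete", "privilege_change"
    success: bool         # outcome of the attempt
    origin: str           # where the request came from (host or address)
    object_name: str      # program or file introduced, accessed or deleted ("" for logins)


def parse_record(line: str) -> AuditEvent:
    """Parse one audit line; raise ValueError if a mandatory field is missing."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(REQUIRED_FIELDS):
        raise ValueError(f"expected {len(REQUIRED_FIELDS)} fields, got {len(parts)}: {line!r}")
    ts, subject, event_type, success, origin, object_name = parts
    if not (ts and subject and event_type and origin):
        raise ValueError(f"empty mandatory field in {line!r}")
    return AuditEvent(datetime.fromisoformat(ts), subject, event_type,
                      success == "ok", origin, object_name)


def excessive_login_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Return {subject: max_failures_in_window} for subjects reaching the threshold."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.event_type == "login" and not ev.success:
            failures[ev.subject].append(ev.timestamp)
    flagged = {}
    for subject, times in failures.items():
        start = 0
        # Sliding window over the time-ordered failure timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[subject] = max(flagged.get(subject, 0), count)
    return flagged


# Constructed sample audit lines (not real log data).
SAMPLE_LOG = [
    "2009-06-04T09:00:01|jdoe|login|fail|10.1.2.3|",
    "2009-06-04T09:00:07|jdoe|login|fail|10.1.2.3|",
    "2009-06-04T09:00:12|jdoe|login|fail|10.1.2.3|",
    "2009-06-04T09:00:20|jdoe|login|fail|10.1.2.3|",
    "2009-06-04T09:00:31|jdoe|login|fail|10.1.2.3|",
    "2009-06-04T09:00:40|jdoe|login|ok|10.1.2.3|",
    "2009-06-04T09:05:00|asmith|login|fail|10.1.2.9|",
    "2009-06-04T09:05:30|asmith|login|ok|10.1.2.9|",
    "2009-06-04T09:10:00|sysadmin|privilege_change|ok|10.1.0.2|/etc/passwd",
    "2009-06-04T09:12:00|jdoe|file_delete|ok|10.1.2.3|/home/jdoe/q2-report.xls",
]


def load_sample():
    """Parse the constructed sample log into AuditEvent records."""
    return [parse_record(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for subject, count in excessive_login_failures(load_sample()).items():
        print(f"{subject}: {count} failed logins within the window")
```

Run as a script it reports jdoe with five failures; asmith, with a single failure followed by a success, is not flagged. Records that lack a mandatory field are rejected at parse time rather than silently stored incomplete.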
1. Understand, agree to, and comply with this security policy and all federal, state, and local
laws, including laws applicable to the use of computer and networking resources and
electronically encoded data.
2. Safeguard passwords and/or other sensitive access code information related to their own
accounts or network access. Such information must not be transmitted to, shared with, or
divulged to others. Likewise, system users must recognize the sensitivity of all other passwords
and computer or network access information in any form, and must not use, copy, transmit,
share or divulge such information, nor convert the same from encrypted or enciphered form to
unencrypted form or legible text. Any attempt to conduct such actions by a user is a violation of
this policy.
3. Take reasonable precautions, including personal password configuration and maintenance and
file protect measures, to prevent unauthorized use of their accounts, programs or data by others.
4. Ensure accounts or computer and network access privileges are restricted for their own use.
System users must not share their accounts, grant accounts to others nor otherwise extend their
own authorized computer and network privileges to others.
6. Do not install or attempt to install any additional software. When additional software is needed
to complete the task assignment, contact your immediate supervisor first. The requests will be
evaluated on an individual basis by the Immediate Supervisor, Regional Director, and the
System Administrator. Decisions on additional software will be handled in the most expedient
manner possible.
7. Use accounts or network access only for the purposes for which they were authorized and only
for Company-related activities. User prohibitions are:
f. Use of streaming video and audio is prohibited unless it is required in the performance of an
employee’s work. In this case, the requirement to use streaming video and audio must be
approved by the Immediate Supervisor and Regional Director, and coordinated with the System
Administrator.
8. Represent themselves truthfully in all forms of electronic communication and must not
misrepresent themselves as others in electronic communications. Likewise, system users must
not cause a system to assume the network identity or source address of another computer or
network resource for purposes of masquerading as that resource. System users will not register
computer and network resources with Internet addresses within the Company Internet domain
under a non-Company domain name. System users will not provide Domain Name Services for
any computer or network resource.
9. Respect the privacy of electronic communications. System users must not obtain nor attempt to
obtain any electronic communication or information not intended for them. In particular, system
users must not attempt to intercept or inspect information (e.g., packets) enroute through the
Company computer and network resources, nor use Company resources to attempt to intercept
or inspect information enroute through other networks outside the Company’s domain.
10. Respect the physical hardware and network configuration of Company owned networks. System
users must not extend the physical network on which their system resides (e.g., wiring, jacks,
wireless connection).
11. Treat non-Company computer and network resources in accordance with this policy.
The Company’s computer and network resources must not be used in an attempt to breach the
security or security policy of other sites (either willfully or negligently). An action or attempted
action affecting non-Company computer and network resources that would violate this policy if
performed on Company computer and network resources is prohibited.
12. Ensure no affiliate company (EADS, Cogent, etc.) computers are allowed to connect to the
internal corporate network.
13. No employee shall bring within the physical confines of the corporate network (at any location)
any of the following items: personal computers, flash drives, removable media
drives, micro drives, etc. The intent is to ensure that no computing equipment other than
Company supplied equipment has access, or could have access, to Company Proprietary and Confidential
Information, and to lessen the opportunity to inadvertently infect our corporate resources.
14. Ensure non-company or corporate mobile computers are not connected to the corporate
network until they have been inspected and approved by the Network System Administrator.
A. Password Configuration.
Passwords are used as a means of access control by providing an authentication mechanism for
verifying the user’s identity when logging onto the computer system. Consequently, the proper
configuration of a password is a vital measure in protecting the user’s computer system from
unauthorized access. As a result, system users will comply with the following when configuring
their computer passwords: (Note: To ensure compliance with this policy a password cracking tool
will be run on a random and ongoing basis.)
1. Develop passwords at least seven (7) alphanumeric characters in length. At a minimum,
use at least one each of upper case, lower case, number and special character in the password.
Passwords should never be words found in the dictionary, proper names or personal data (e.g.
user name, children’s names, birth dates, etc.).
3. Do not start your password with the number “1” or the letter “a”.
4. Use phraseology in developing passwords. This allows for the configuration of a password
while making it easy for the user to remember. For example, the user could create a password
from the phrase “Kill two birds with one stone” (Password: k2Tbw10$). (Note: Do not use this
example for your password since it has already been published in clear text.)
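The rules in items 1, 3 and 4 above are concrete enough to check mechanically at the point where a user sets a password. The following is an added example, not part of the policy document, encoding exactly the stated rules: minimum length seven, at least one character from each of the four classes, no dictionary words, proper names or personal data, no leading “1” or “a”, and rejection of the published phrase-derived example. The small word list and the personal-data argument are constructed stand-ins for the real dictionary and HR data a deployment would use.

```python
"""Password-configuration check for section A (Password Configuration).

Added example, not from the policy. The rules are the ones the policy states;
the word list below is a constructed stand-in for a real dictionary/name list.
"""
import string

MIN_LENGTH = 7

# Constructed stand-in for a dictionary and proper-name list.
DICTIONARY = {"password", "welcome", "summer", "michael", "company"}

# The policy's own worked example is published in clear text and must not be used.
PUBLISHED_EXAMPLES = {"k2Tbw10$"}


def check_password(password: str, personal_data=()):
    """Return a list of policy violations; an empty list means the password complies.

    personal_data: user name, children's names, birth dates etc. for this user
    (supplied by the caller; constructed values in the usage below).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password[:1] in ("1", "a"):
        problems.append('starts with "1" or "a"')
    if password in PUBLISHED_EXAMPLES:
        problems.append("is the published example from the policy")

    lowered = password.lower()
    # Reject dictionary words and names whether they form the whole password
    # or are embedded in it (e.g. "Welcome1!").
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains dictionary word or name {word!r}")
    for item in personal_data:
        if item and item.lower() in lowered:
            problems.append(f"contains personal data {item!r}")
    return problems


def is_compliant(password: str, personal_data=()) -> bool:
    """True when check_password reports no violations."""
    return not check_password(password, personal_data)


if __name__ == "__main__":
    # Constructed personal data for a demonstration user.
    for candidate in ("Xq7#mLp9", "k2Tbw10$", "Welcome1!", "1Secret!", "Kids1990!"):
        print(candidate, "->", check_password(candidate, personal_data=["jdoe", "1990"]) or "OK")
```

The check returns every violation rather than stopping at the first, so the user sees all of the reasons a candidate was refused in one pass. The dictionary test is a substring match, which is deliberately stricter than a whole-word match: the policy's intent is that a cracking tool run against the password store should find nothing, and dictionary-plus-suffix passwords are exactly what such tools try first.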
B. Password Protection.
The effectiveness of a password depends on the confidentiality afforded to it. Just as the
resident of a house stringently controls the key so that it does not come into the possession of an
unauthorized person, the user must take precautions to control and protect his/her
password. The following precautions will be taken by system users:
2. Do not post passwords on terminals, blackboards, bulletin boards, or in any other location
where they may be disclosed. Ideally, users should not record or store their password in clear
text, but memorize them. If the user must record the password, the password will be stored in a
sealed opaque envelope, stored in a locked file cabinet or desk drawer in which access is
controlled.
A. Management
Electronic mail (email) is provided by the corporation for employees to conduct company business,
and personal use should be restricted. All electronic messages created and/or stored on the
corporation’s computers or networks are the property of the corporation and are not considered
private. As a result the following applies:
1. The company retains the right to access employee electronic mail if it has reasonable grounds to
do so. The contents of electronic mail will not be disclosed other than for security purposes or
as required by law. Email messages may be retrieved by the company even though they have
been deleted by the sender and the reader. Such messages may be used in disciplinary actions.
2. Users must not allow anyone else to send email using their accounts. This includes their
supervisors, secretaries, assistants and co-workers.
3. Directories of employee email addresses will not be made available for public access.
5. No visitors, temporary employees, contractors or students may use corporate email. Nor will
they be allowed access to systems for connectivity to outside email systems (e.g., Hotmail).
6. Electronic mail attachments should be viewed with suspicion. No attachments should be opened
directly from the received email. All attachments should be saved to a folder and scanned by the
virus protection program BEFORE opening. No executable (.exe) or Visual Basic script (.vbs)
files should ever be opened on company supplied systems. The use of the preview pane is
prohibited. (Outlook 200x and Outlook Express treat a number of viruses as opened if the mail is
viewed in a preview pane.) The receipt of .exe and .vbs files as attachments to an e-mail shall be
reported to the System Administrator or Information Systems Security Officer immediately.
DO NOT OPEN THE FILE.
7. The specified signature block should be included on all email that originates from company
owned computers. This signature should include name, job title, corporate name, corporate
address including city, state and zip, phone number and the URL of the corporate website (i.e.
www.eads-na-security.com).
9. If a virus is inadvertently opened and you believe your computer is infected, immediately
disconnect the network connection (cat 5 cable) and notify your network administrator. Do not
shut the computer off as vital information could be lost.
10. The use of outside e-mail systems (e.g., Yahoo Mail, Hotmail, etc.) is prohibited. This rule will
only be suspended with the approval of your Regional Director and Network Administrator
during times of corporate e-mail outages.
11. The use of and access to Outlook Web Access (OWA) will be limited to duty hours from
client or government locations. Access to corporate e-mail when not on duty or in a customer
location will be available to our employees using the corporate VPN clients.
12. Email forwarding: The company will not automatically forward e-mail to any employee’s
outside accounts or to any government supplied accounts. Employees will also refrain from
creating their own server side or client side rules that forward e-mail to outside accounts or
government supplied accounts.
13. Each employee must check their EADS NA DS3 e-mail account at least
once per day for intercompany communications, as some items are proprietary and require
immediate action. Intercompany communications should not be conducted from onsite
government e-mail systems.
SMS Messaging
SMS messaging is not allowed.
Adding Applications
Adding applications to your BlackBerry is not allowed without prior approval from the
CTO and the Network Administrator.
C. Retention Policy.
1. Official company records communicated through e-mail must be identified, managed, protected
and maintained as long as needed for ongoing operations, audits, legal actions or any other
known purpose. Therefore, all Company employees are responsible for managing the creation
and retention of documents, both record and non-record, that are created or transmitted on the
Company’s electronic mail system.
2. To prevent premature deletion of records, employees must ensure that a copy of each such record is
filed in the e-mail archive. Both outgoing and incoming messages and attached files must be
stored. Any email containing a formal approval or constituting any commitment by the
corporation to any outside organization must be copied to the appropriate file (in hard copy if
required) to support accountability and audits.
3. Some categories of electronic mail messages that would be defined as records are:
4. Some categories of electronic mail messages that would be defined as non-record material are
as follows:
a. Routine requests for information or publications and copies of replies which require no
administrative action, no policy decision, and no special compilation or research for
reply.
b. Originating office copies of letters of transmittal that do not add any information to that
contained in the transmitted material, and receiving office copy if filed separately from
transmitted material.
c. Notices including memoranda and other records that do not serve as the basis of official
actions, such as notices of meetings, bond campaigns, and similar correspondence.
5. When electronic mail is retained as a record, the period of its retention is three years from the
date of the correspondence or if the correspondence is part of a contract or project, three years
from the date the contract or project is completed. If the e-mail document pertains to business
with a City, County, State, or Federal government agency, retention is governed by the
appropriate records control schedule of that government agency. Company employees are
responsible to know and comply with the respective government agency’s records control
schedule.
A. Computer Viruses.
A computer virus is a computer program that can infect other computer programs by modifying
them in such a way as to include a copy of itself. Although a computer virus is the most widely
recognized example of a class of computer programs written to cause some form of intentional
damage to computer systems or networks, it does not have to be called a “virus”. A computer virus
performs two basic functions: it copies itself to other programs, thereby infecting them, and it
executes the instructions the author has included in it.
B. Virus Indicators.
Some of the ways in which viruses propagate so quickly include: sharing infected removable media
between users; downloading programs from public electronic bulletin boards; opening e-mail
attachments; and using infected demonstration or system removable media. There are various kinds of
symptoms which some virus authors have written into their programs, such as messages, music, and
graphic displays. However, the main indicators are:
1. Changes in file sizes and contents, the unexplained appearance of unknown files, or the
reassignment of system resources. Unaccounted-for use of RAM, or a reduction in the amount
known to be in the machine, can be important indicators. However, these symptoms, along
with longer disk activity and strange behavior from the hardware, can also be caused by genuine
software, by harmless “prank” programs, or by hardware faults.
C. Virus Protection.
Preventing a virus from infecting Company computer resources requires virus awareness among
all users. The basic anti-virus practices and techniques described below are to be employed by all
Company employees in order to minimize the risk of introducing viruses and other malicious
software, to ensure timely detection of viral infections, to eliminate viral infections from the
inventory of microcomputers, and to minimize the risk from malicious programs to non-Company
network systems. The corporate strategy includes desktop virus scanners on each corporate
computer. This software is configured prior to the user receiving the computer and should never
be disabled or reconfigured.
1. Scan new software. There are documented instances in which Commercial “shrink wrapped”
software was inadvertently distributed containing viruses. Check all new software for infection
before running it for the first time. It is even advisable to use different anti-virus programs,
since no single virus scanner is able to detect all viruses.
2. Use only authorized software. Do not install any software on a PC unless the software has been
authorized for use by the Company’s computer and network administrator or security officer,
and scanned for viruses. Public domain software, shareware, freeware, computer games, and
software copied from a home system or another user’s system are frequent sources of viruses
and should not be installed on any Company systems without authorization.
3. Do not download software from public bulletin boards. Public bulletin boards are a source of
computer viruses. When necessary, download to a diskette when downloading from an
authorized source and use virus scanning software to test for viruses before copying files to a
hard disk. Never download software to a network server.
4. Do not copy and share software. Do not copy copyrighted software or share software with other
employees. Copying and sharing software are common ways of spreading computer viruses in a
personal computer environment in addition to potentially violating copyright laws.
5. Scan removable media from home or external sources. Do not use removable media from home
systems or other external sources that have not been approved and scanned for viruses, as these
removable media may be infected.
6. Make backups of critical files. Protect system files, critical data files and applications by
making backup copies (backup copies of applications for archival purposes generally do not
represent a copyright violation) and storing them on write protected removable media.
8. Scan network servers. A network administrator should have a backup copy of every software
program every time it is modified in accordance with established software development
procedures and controls. This will provide some assurance that there is a clean backup in the
event a virus hits. The administrator should also periodically scan servers for viruses.
D. Virus Response.
If a computer is believed to be infected with a virus, the steps listed below should be followed.
Sometimes a badly thought out attempt to remove a virus will do much more damage than the virus
itself could have done. Viruses can be extremely unforgiving unless they are removed correctly.
1. Stop. Do not turn off the PC. Remove the network connection (cat 5 cable) immediately.
3. The computer and network system administrator will respond to incidents of suspected viruses.
They will verify that there is a virus and clean the PC using the virus response procedures
below:
System users aware of any breach of information or network security, or compromise of computer
or network security safeguards, must report such situations to the computer and network
administrator or security officer. The Company’s security officer, in coordination with executive
managers, will determine if financial loss has occurred and if controls or procedures require
modification. When warranted by such preliminary review, law enforcement authorities will be
contacted as necessary to investigate criminal or malicious activities.
a. Restriction or termination of a system user’s access to the Company’s computer and network
resources, including the summary suspension of such access, and/or rights pending further
disciplinary and/or judicial action;
b. Initiation of legal action by [THE COMPANY] and /or respective federal, state or local law
enforcement officials, including but not limited to, criminal prosecution under appropriate
federal, state or local laws;
c. Restitution by the violator for any improper use of service;
d. Disciplinary sanctions, which may include up to termination of employment depending on
the severity of the violation.
2. Report all suspicious activity to the computer and network system administrator and security
officer. Chances are the suspicious activity is caused by something other than a virus, but if it is
a virus, only a rapid response will result in its successful containment and removal. Once a virus
infection has been determined, the virus must be eradicated, its spread and re-infection
prevented, and the newly cleaned system returned to full production.
A. Overview.
Physical security of computer and network resources is vitally important to the sustainment of the
Company’s operations. It provides employees defensive measures to protect the facility,
equipment, and information from theft, tampering, careless misuse, and natural disasters.
Consequently employees must implement the physical security measures presented in this policy to
assist in achieving an optimum level of protection with minimal degradation to operations.
B. Visitor Control.
Access to system user work areas will be controlled with access limited only to those employees
who are assigned to the respective areas. All other personnel who visit the work areas must be
escorted by one of the work area employees. If a visitor is found in a work area without an escort,
take the following actions:
1. Ask the visitor their name, purpose of their visit, and who escorted them into the facility.
3. Turn them over to the employee who initially escorted them into the facility, or;
4. If the visitor was not escorted into the facility by a Company employee, ask the visitor how they
entered the facility, and explain to them that the Company has a visitor control policy:
a. Escort them to the receptionist’s desk and have the receptionist page for an escort from the
work area the visitor needs to visit.
b. Escort the visitor out of the facility. If the visitor refuses to depart the facility, notify the
local law enforcement authorities and request their response.
c. If the visitor is a student, ascertain the purpose for them being in the area, and ask them to
depart the area or direct them to the employee who can help them.
d. Report all suspect visits to your immediate supervisor and Regional Director and
the System Administrator.
The Systems Administrative Officer will control the receipt, issuance, inventory, and final
disposition of all corporate computer systems and operating and application software. An
inventory will be conducted upon receipt of all computer systems, peripherals, and software, and
entered into the Company’s computer and network inventory. The resources will be allocated to the
respective work centers at the discretion of the responsible Vice President, and coordinated with
the Computer and Network System Administrator. The Regional Directors will assume
responsibility for the full utilization and protection of resources. Resources redistributed across
work centers must be approved by the President, and coordinated with the Computer and Network
System Administrator. The System Administration Officer will inventory all computer and network
resources at least annually, and provide a written report to the President. An out-of-cycle inventory
may be conducted to support suspect events such as theft, loss, misappropriation of computer and
network systems resources, or a transfer of inventory account management responsibilities from
one employee to another.
While the control of Company’s environment and resources plays a major role in the physical
security, there are other security measures that are relevant to the protection of computer and
network resources. These measures are the responsibility of the individual system users and should
be implemented as part of every day work practices:
1. Implement a “clean desk” policy. Clear desktops of all work at the end of the day. The
Company’s Proprietary Information should be locked up in the user’s desk or file cabinet, or at
least cleared from the desktop and stored in a desk drawer or overhead storage bin. Any
documents (excluding government classified documents, which require special handling and
storage) belonging to the customer should be given protection adequate to their
sensitivity (e.g., For Official Use Only). In this case, request guidance from the responsible
Vice President.
2. Close office doors at the end of the work day. While this does not physically prohibit entry into
an office area, it does present a psychological deterrence to visitors who may be wandering
around the facility. (Note: Because of the necessity of employees to use equipment in various
office areas, do not lock office doors without approval of the President, and coordination with
the work center manager or supervisor.)
3. Use “Time Out” screensaver capabilities with password protection to prevent unauthorized
personnel from accessing personal computer systems. The “Time Out” setting should be set at
no more than three (3) minutes. While users should lock their workstations and turn off their
monitor when away from their workstation, the “Time Out” invokes security measures should
the user forget.
4. Turn off all computer systems in the event of an electrical storm within the immediate vicinity of
the Company’s facility. Also, system users must ensure their personal computer is plugged into
a surge protector when in operation. This will protect data and files in the event of an electrical
surge or power fluctuation.
The Facility Security Officer (FSO) is responsible for establishing and maintaining a security
education and training program for the Company. At a minimum all employees will read,
acknowledge, agree to and sign a letter of compliance to this policy. Training will be conducted for
all newly hired employees within 30 days after their start date. Thereafter, employees will receive
security education and training at least annually, or unless otherwise determined by the responsible
Vice President.
Because electronic information is volatile and easily reproduced, respect for the work and personal
expression of others is especially critical in computer environments. Violations of authorial
integrity, including plagiarism, invasion of privacy, unauthorized access, and network resources are
prohibited. Computer software protected by copyright is not to be copied from, into, or by using
Company computer and network resources, except as permitted by the license or contract with the
owner of the copyright.