Roman Catholic Archdiocese of Boston. A Framework for Information Technology Guidelines for Catholic Schools

Transcription

1 Roman Catholic Archdiocese of Boston A Framework for Information Technology Guidelines for Catholic Schools September 18, 2012

2 1. OVERVIEW For an organization (school, parish, ministry or office) to successfully fulfill its mission, it must implement processes that are clear, reliable, cost effective, and consistent with applicable rules and laws. The mission of the organization must also be consistent with the larger mission of the Church. Guidelines and policies are established to set forth expectations of acceptable and prohibited behaviors and activities for leadership, employees and volunteers. Communication, however, is key. Management needs to inform employees and volunteers of the guidelines and the importance of adhering to these policies. In addition, management must review guidelines on a regular basis to ensure they are current and applicable. One area in which guidelines and policies need to be frequently reviewed and updated is information technology. Rapid changes in technology present special challenges to organizations. How do we protect personal information that is entrusted to us? How do we ensure that our employees and volunteers do not use the technology in our organization to harm or harass others? How do we protect the vulnerable, such as children, from exposure to harmful content while in our care? At the present time, there is no standard set of policies regarding information technology. The purpose of this document is to share relevant information for the collaboration and development of effective policies. Information technology policies for our organizations are needed to address the following: 1. Confidentiality Only authorized individuals have access to confidential information and data. 2. Integrity Information has not been improperly changed. 3. Appropriate Use of Information Technology Services User of information technology services that are appropriate to our mission 4. Probity of Electronic Interaction and Communication Ensuring all interactions/communications are conducted with uprightness and integrity Page 2 of 22

3 2. POLICY DEVELOPMENT In order to support the mission, operational and business needs of the [organization name], a set of policies are needed to promote appropriate behavior, effective communication, collaboration and security. The policy development objectives need to support the mission, operational, business and management objectives of the organization. 1. Clarify Outcomes - Provide effective support to enable and clarify the desired outcome in the proper and effective use of technology, systems, data and services. 2. Support a Culture of Responsibility - Support of culture of responsibility to improve behaviors and outcomes. Support this with effective communication, training, management, recognition and knowledge sharing programs that will help organizations focus on their mission. 3. Support Appropriate Individual and Management Behaviors - Drive to improve and change behaviors. This requires leadership commitment, manager involvement and employee understanding of where the organization is headed and how they are part of the solution. The model for effective communication and collaboration support for these management objectives must include: 1. Abundantly Sharing Important and Relevant Information By making it available to those who need it. 2. Addressing Specific Organizational Needs Policies may need to be specific to local organizational needs and need to be reviewed and adjusted as approaches and technologies change. 3. Support the Big Picture - Helping our staff discover how they, their work and their behavior fits into the whole picture and how the positive impact of their work supports the mission of the Catholic Church. Page 3 of 22

4 The following sections of this document contain a set of guidelines and templates that can be used as the basis for the development of information technology policy for a particular organization. Internet Acceptable Use Policy To define appropriate and inappropriate use of Internet resources within an organization Mobile Device Acceptable Use Policy To define appropriate and inappropriate use of mobile devices (cell phones, tablets, laptops) within an organization Acceptable Use Policy To define appropriate and inappropriate use of within an organization General Information Technology Security Policy To define the necessary technologies and services needed to maintain a secure information technology environment. Page 4 of 22

5 A. SAMPLE INTERNET ACCEPTABLE USE POLICY Purpose The goals of this policy are to outline appropriate and inappropriate use of [organization name] s Internet resources, including the use of browsers, electronic mail and instant messaging, file uploads and downloads, and voice communications. Use of these services is subject to the following conditions. Your Account Internet access at [organization name] is controlled through individual accounts and passwords. Each user of the [organization name] system is required to read this Internet policy and sign an Internet use agreement prior to receiving an Internet access account and password. Appropriate Use Individuals at [[organization name] are encouraged to use the Internet to further the goals and objectives of [organization name]. The types of activities that are encouraged include: 1. Communicating with fellow employees, staff, volunteers and other support partners of [organization name] within the context of an individual s assigned responsibilities; 2. Acquiring or sharing information necessary or related to the performance of an individual s assigned responsibilities; and 3. Participating in educational or professional development activities. Inappropriate Use Individual Internet use will not interfere with others productive use of Internet resources. Users will not violate the network policies of any network accessed through their account. Internet use at [organization name] will comply with all Federal and Massachusetts laws and all [organization name] policies. This includes, but is not limited to, the following: Page 5 of 22

6 1. The Internet may not be used for illegal or unlawful purposes, including, but not limited to, copyright infringement, obscenity, libel, slander, fraud, defamation, plagiarism, harassment, intimidation, forgery, impersonation, illegal gambling, soliciting for illegal pyramid schemes, and computer tampering (e.g., spreading computer viruses). 2. The Internet may not be used in any way that violates [organization name] s policies, rules, or administrative orders. 3. Use of the Internet in a manner that is not consistent with the mission of Roman Catholic Church, the Archdiocese of Boston and [organization name], misrepresents any of the same, or violates [organization name] s policy is prohibited. 4. Individuals should limit their personal use of the Internet. [Organization name] allows limited personal use for communication with family and friends, independent learning, and public service. [Organization name] prohibits use for mass unsolicited mailings, access for non- employees to [organization name] resources or network facilities, uploading and downloading of files for personal use, access to pornographic sites, gaming, competitive commercial activity unless pre- approved by [organization name] and the dissemination of chain letters. 5. Individuals may not establish [organization name] computers as participants in any peer- to- peer network. 6. Individuals may not view, copy, alter, or destroy data, software, documentation, or data communications belonging to [organization name] or another individual without authorized permission. 7. In the interest of maintaining network performance, users should not send unreasonably large electronic mail attachments or video files not needed for business purposes. 8. Individuals will only use [organization name] approved services, specifically [list services], for voice communication over the Internet. Page 6 of 22

7 Security For security purposes, users may not share account or password information with another person. Internet accounts are to be used only by the assigned user of the account for authorized purposes. Attempting to obtain another user s account password is strictly prohibited. A user must contact the help desk or the IT administrator to obtain a password reset if they have reason to believe that any unauthorized person has learned their password. Users must take all necessary precautions to prevent unauthorized access to Internet services. Failure to Comply Violations of this policy will be treated like other allegations of wrongdoing at [organization name]. Allegations of misconduct will be adjudicated according to established procedures. Sanctions for inappropriate use of the Internet may include, but are not limited to, one or more of the following: 1. Temporary or permanent revocation of access to some or all computing and networking resources and facilities; 2. Disciplinary action according to applicable [organization name] policies; and/or 3. Legal action according to applicable laws and contractual agreements. Monitoring and Filtering [Organization name] may monitor any Internet activity occurring on [organization name] equipment or accounts. [Organization name] currently does employ filtering software to limit access to sites on the Internet. If [organization name] discovers activities which do not comply with applicable law or departmental policy, records retrieved may be used to document the wrongful content in accordance with due process. We encourage you to use your Internet access responsibly. Should you have any questions regarding this Internet Acceptable Use Policy, feel free to contact [contact name] at [contact information]. Page 7 of 22

8 B. SAMPLE MOBILE DEVICE ACCEPTABLE USE POLICY Purpose The purpose of this policy is to define standards, procedures, and restrictions for end users who have legitimate business requirements to access [organization name] data from a mobile device connected to an unmanaged network outside the direct control of the [organization name]. This mobile device policy applies to, but is not limited to, all devices, both owned by the [organization name] or personal devices, and accompanying media that fit the following device classifications: 1. Laptop / notebook / tablet computers 2. Mobile / cellular phones 3. Smartphones 4. Home or personal computers used to access [organization name] systems and resources 5. Any mobile device capable of storing [organization name] data and connecting to an unmanaged network The policy applies to any hardware and related software that could be used to access [organization name] resources, even if said equipment is not sanctioned, owned, or supplied by the [organization name]. The overriding goal of this policy is to protect the integrity of the private and confidential data and information that resides within the [organization name] s technology infrastructure. This policy intends to prevent this data from being deliberately or inadvertently stored insecurely on a mobile device or carried over an insecure network where it can potentially be accessed by unsanctioned resources. A breach of this type could result in loss of information, damage to critical applications and damage to the public image of [organization name]. Therefore, all users employing a mobile device connected to an unmanaged network outside of [organization name] s direct control to backup, store, and otherwise access systems and data of any type must adhere to [organization name]- defined processes for doing so. Page 8 of 22

9 Scope This policy applies to all [organization name] employees, including full and part- time staff, contractors, and other agents who utilize either [organization name]- owned or personally- owned mobile device to access, store, back up, relocate or access any organization data. Such access to this confidential data is a privilege, not a right, and forms the basis of the trust the Archdiocese of Boston has built with its organizations, parishes, clergy, parishioners and other constituents. It addresses a range of threats to, or related to the use of, enterprise data. These threats include: 1. Loss - Devices used to transfer or transport work files could be lost or stolen 2. Theft - Sensitive data or information is deliberately stolen by an employee 3. Copyright - Software copied onto a mobile device could violate licensing 4. Malware - Viruses, Trojans, Worms, Spyware and other threats could be introduced via a mobile device 5. Compliance - Loss or theft of financial and/or personal and confidential data could expose the enterprise to the risk of non- compliance with various identity theft and privacy laws Addition of new hardware, software, and/or related components to provide additional mobile device connectivity will be managed at the sole discretion of [organization name]. Non- sanctioned use of mobile devices to back up, store, and otherwise access any enterprise- related data is strictly forbidden. General Expectations of End Users All [organization name] employees, staff and contractors are responsible for acting in accordance with Archdiocese of Boston policies and procedures. Connectivity of all mobile devices used to access [organization name] systems will be centrally managed. Although [organization name] is not able to directly manage external devices such as home PCs which may require connectivity to Page 9 of 22

10 the [organization name] network, end users are expected to adhere to the same security protocols when connected to non- corporate equipment. Failure to do so will result in immediate suspension of all network access privileges so as to protect the [organization name] infrastructure. It is the responsibility of any [organization name] employee who uses a mobile device to access [organization name] resources to ensure that all security protocols normally used in the management of data on conventional storage infrastructure are also applied here. It is imperative that any mobile device that is used to conduct [organization name] business be utilized appropriately, responsibly, and ethically. Failure to do so will result in immediate suspension of that user s account. Based on this, the following rules must be observed: [Organization name] reserves the right to refuse, by physical and non- physical means, the ability to connect mobile devices to [organization name]- connected infrastructure. [Organization name] will engage in such action if it determines such equipment is being used in such a way that puts the [organization name] systems, data and at risk. End users who wish to connect such devices to non- [organization name] network infrastructure to gain access to enterprise data must employ, for their devices and related infrastructure, a personal firewall. All mobile devices attempting to connect to the [organization name] network through an unmanaged network (i.e., the Internet) may only access the organization network and a data using a Secure Socket Layer (SSL) Virtual Private Network (VPN) connection. The SSL VPN portal Web address will be provided to users as required. Smart mobile devices, such as smartphones, will access the network and data using approved software. Content, applications and material that is fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, defamatory, or otherwise unlawful, inappropriate, offensive (including offensive material concerning sex, race, color, national origin, religion, age, disability, or other characteristic protected by law), or in violation of the Archdiocese of Boston equal employment opportunity policy and its policies against sexual or other harassment, may not be downloaded, stored or originated from devices that access [organization name] computers and networks. Users unintentionally encountering or receiving this kind of material should immediately report the incident to a department head or Page 10 of 22

11 Human Resources. The Archdiocese of Boston s equal employment opportunity policy and its policies against sexual or other harassment apply fully to the use of these devices and any violation of those policies is grounds for discipline up to and including termination of employment. Employees using mobile devices and related software for network and data access will, without exception, use secure data management procedures. All mobile devices must be protected by a password or other access- control mechanisms. Employees agree to never disclose their passwords to anyone, particularly to family members if business work is conducted from home. All users of mobile devices must employ reasonable physical security measures. End users are expected to secure all such devices used for this activity whether or not they are actually in use and/or being carried. This includes, but is not limited to, passwords, encryption, and physical control of such devices. Any non- [organization name] computers used to synchronize with these devices will have installed anti- virus and anti- malware software. Anti- virus signature files on any additional client machines, such as a home PC, on which this media will be accessed, must be up to date. Passwords and other confidential data are not to be stored unencrypted on mobile devices. [Organization name] will manage security policies and network, application, and data access centrally using whatever technology solutions it deems suitable. Any attempt to contravene or bypass said security implementation will be deemed an intrusion attempt that may result in formal disciplinary action. Employees, contractors, and temporary staff will follow all enterprise- sanctioned data removal procedures to permanently erase company- specific data from such devices once their use is no longer required. In the event of a lost or stolen mobile device it is incumbent on the user to report this to [organization name] immediately. If possible, the device will be remotely wiped of all data and locked to prevent access to Pastoral Center systems and data. It should be noted that this process may result in the deletion of personal data, media and applications from the devices as well. Page 11 of 22

12 [Organization name] can establish audit trails and these will be accessed, published and used without notice. Such trails will be able to track the attachment of an external device (computer or other mobile device) and the resulting reports may be used for investigation of possible breaches and/or misuse. The end user agrees to and accepts that his or her access and/or connection to the Archdiocese of Boston s networks may be monitored to record dates, times, duration of access, etc., in order to identify unusual usage patterns or other suspicious activity. This is done in order to identify accounts/computers that may have been compromised by external parties. The user agrees to immediately report to their supervisor any incident or suspected incidents of unauthorized data access, data loss, and/or disclosure of [organization name] resources, databases, networks, etc. Any questions relating to this policy should be directed to the [person]. Failure to Comply Failure to comply with the Mobile Device Acceptable Use Policy may, at the full discretion of the organization, result in the suspension of any or all technology use and connectivity privileges, disciplinary action, and possibly termination of employment. The [person] will be advised of breaches of this policy and will be responsible for appropriate remedial action which may include disciplinary action, including suspension or termination of employment. Page 12 of 22

13 C. SAMPLE E- MAIL ACCEPTABLE USE POLICY Purpose E- mail is a critical mechanism for communications at [organization name]. Use of electronic mail systems and services are a privilege, not a right, and therefore must be used with respect and in accordance with the goals of [organization name]. The objectives of this policy are to outline appropriate and inappropriate use of e- mail systems and services in order to minimize disruptions to services and activities, as well as comply with applicable policies and laws. Scope This policy applies to all e- mail systems and services used by [organization name], all e- mail account users/holders at [organization name] (both temporary and permanent), and all e- mail records. Account Activation / Termination E- mail access at [organization name] is controlled through individual accounts and passwords. Each user of [organization name] s e- mail system is required to read and sign a copy of this E- mail Acceptable Use Policy prior to receiving an e- mail access account and password. It is the responsibility of the employee to protect the confidentiality of their account and password information. E- mail access will be terminated when the employee or third party terminates their association with [organization name], unless other arrangements are made. [Organization name] is under no obligation to store or forward the contents of an individual s e- mail inbox/outbox after the term of their employment has ceased. General Expectations of End Users The enterprise often delivers official communications via e- mail. As a result, employees of [organization name] with e- mail accounts are expected to check their e- mail in a consistent and timely manner so that they are aware of important announcements and updates. Page 13 of 22

14 E- mail users are responsible for mailbox management, including organization and cleaning. If a user subscribes to a mailing list, he or she must be aware of how to unsubscribe from the list, and is responsible for doing so in the event that their current e- mail address changes. E- mail users are expected to remember that e- mail sent from the [organization name] s e- mail accounts reflects on the organization. Please comply with normal standards of professional and personal courtesy and conduct. Appropriate Use Individuals at [organization name] are encouraged to use e- mail to further the goals and objectives of [organization name]. The types of activities that are encouraged include: 1. Communicating with fellow employees, support staff volunteers and business partners of [organization name] within the context of an individual s assigned responsibilities. 2. Acquiring or sharing information necessary or related to the performance of an individual s assigned responsibilities. 3. Participating in educational or professional development activities. Inappropriate Use [Organization name] s e- mail systems and services are not to be used for purposes that could be reasonably expected to strain storage or bandwidth (e.g., e- mailing large attachments). Individual e- mail use will not interfere with others use of [organization name] s e- mail system and services. E- mail use at [organization name] will comply with all applicable laws and all [organization name] policies. The following activities are deemed inappropriate uses of [organization name] e- mail systems and services, and are strictly prohibited: 1. Use of e- mail for illegal or unlawful purposes, including copyright infringement, obscenity, libel, slander, fraud, defamation, plagiarism, harassment, intimidation, forgery, impersonation, soliciting for illegal pyramid schemes, and computer tampering (e.g., spreading of computer viruses). Page 14 of 22

15 2. Use of e- mail in any way that violates [organization name] s policies, rules, or administrative orders. 3. Viewing, copying, altering, or deletion of e- mail accounts or files belonging to [organization name] or another individual without authorized permission. 4. Sending of unreasonably large e- mail attachments. The total size of an individual e- mail message sent (including attachment) should be [insert size in KBs] or less. 5. Opening e- mail attachments from unknown or unsigned sources. Attachments are the primary source of computer viruses and should be treated with utmost caution. 6. Sharing e- mail account passwords with another person, or attempting to obtain another person s e- mail account password. E- mail accounts are only to be used by the registered user. 7. Excessive personal use of [organization name] e- mail resources. [Organization name] allows limited personal use for communication with family and friends, independent learning, and public service so long as it does not interfere with staff productivity, pre- empt any business activity, or consume more than a trivial amount of resources. [Organization name] prohibits personal use of its e- mail systems and services for unsolicited mass mailings, commercial activity, political campaigning, dissemination of chain letters, and use by non- employees. Monitoring and Confidentiality The e- mail systems and services used at [organization name] are owned by the [organization name], and are therefore its property. This gives [organization name] the right to monitor any and all e- mail traffic passing through its e- mail system. This monitoring may include, but is not limited to, inadvertent reading by IT staff during the normal course of managing the e- mail system, review by the legal team during the e- mail discovery phase of litigation, observation by management in cases of suspected abuse or to monitor employee efficiency. Page 15 of 22

16 In addition, archival and backup copies of e- mail messages may exist, despite end- user deletion, in compliance with [organization name] s records retention policy. The goals of these backup/archiving procedures are to ensure system reliability, prevent business data loss, meet regulatory and litigation needs, and provide business intelligence. If [organization name] discovers or has good reason to suspect activities that do not comply with applicable laws or this policy, e- mail records may be retrieved and used to document the activity in accordance with due process. All reasonable efforts will be made to notify an employee if his or her e- mail records are to be reviewed. Notification may not be possible, however, if the employee cannot be contacted, as in the case of employee absence due to vacation. Use extreme caution when communicating confidential or sensitive information via e- mail. Keep in mind that all e- mail messages sent outside of [organization name] become the property of the receiver. A good rule is to not communicate anything that you wouldn t feel comfortable being made public. Demonstrate particular care when using the Reply command during e- mail correspondence to ensure the resulting message is not delivered to unintended recipients. Reporting Misuse Any allegations of misuse should be promptly reported to [name of contact and contact information]. If you receive an offensive e- mail, do not forward, delete, or reply to the message. Instead, report it directly to the individual named above. Failure to Comply Violations of this policy will be treated like other allegations of wrongdoing at [organization name]. Allegations of misconduct will be adjudicated according to established procedures. Sanctions for inappropriate use on [organization name] s e- mail systems and services may include, but are not limited to, one or more of the following: 1. Temporary or permanent revocation of e- mail access; 2. Disciplinary action according to applicable [organization name] policies; 3. Termination of employment; and/or 4. Legal action according to applicable laws and contractual agreements. Page 16 of 22

17 D. SAMPLE GENERAL IT SECURITY POLICY Purpose Managing and maintaining an effective network and computer infrastructure requires appropriate planning and operational support that follows industry best practices to ensure the resources are used appropriately and are protected. For [organization name] this includes the following areas: anti- virus and anti- malware protection, network and firewall management, wireless network management and backup and recovery. Anti- Virus / Anti- Malware A virus is a piece of potentially malicious programming code that will cause some unexpected or undesirable event. Viruses can be transmitted via e- mail or instant messaging attachments, downloadable Internet files, DVD s and CDs. Viruses are usually disguised as something else; therefore, their presence is not always obvious to the computer user. A virus infection can be very costly to [organization name] in terms of lost data, lost staff productivity, and/or lost reputation. As a result, one of the goals of [organization name], is to provide a computing network that is virus- free. An approved anti- virus solution shall be used on all computers that are connected to the [organization name] network via a standard network connection, wireless connection, modem connection, or virtual private network connection. This includes both organization- owned computers and personally- owned computers attached to the [organization name] network. The definition of computers includes desktop workstations, laptop computers, handheld computing devices, and servers. Currently, [organization name] has [describe type anti- virus software in use and type of license]. Licensed copies of [name anti- virus software] can be obtained at [online/offline location]. The most current available version of the anti- virus software package will be taken as the default standard. All computers attached to the [organization name] s network must have standard, supported anti- virus software installed. This software must be active, be Page 17 of 22

18 scheduled to perform virus checks at regular intervals, and have its virus definition files kept up to date. Any activities with the intention to create and/or distribute malicious programs onto the [organization name] network (e.g., viruses, worms, Trojan horses, e- mail bombs, etc.) are strictly prohibited. If an employee receives what he/she believes to be a virus, or suspects that a computer is infected with a virus, it must be reported to the IT department immediately at [provide contact information]. Report the following information (if known): virus name, extent of infection, source of virus, and potential recipients of infected material. Any virus- infected computer will be removed from the network until it is verified as virus- free. Rules for Virus and Malware Prevention 1. Always run the standard anti- virus software provided by [organization name]. 2. Never open any files or macros attached to an e- mail from an unknown, suspicious, or untrustworthy source. 3. Never open any files or macros attached to an e- mail from a known source (even a co- worker) if you were not expecting a specific attachment from that source. 4. Be suspicious of e- mail messages containing links to unknown Web sites. It is possible that the link is a malicious executable (.exe) file disguised as a link. Do not click on a link sent to you if you were not expecting a specific link. 5. Files with the following filename extensions are blocked by the e- mail system: [list extensions]. [Describe any workaround procedures for sending/receiving business- critical files with banned extensions, such as use of a file compression utility.] 6. Never copy, download, or install files from unknown, suspicious, or untrustworthy sources or removable media. Page 18 of 22

19 7. Avoid direct portable drive (e.g. memory stick) sharing with read/write access. Always scan a portable drive for viruses before using it. 8. If instructed to delete e- mail messages believed to contain a virus, be sure to also delete the message from your Deleted Items or Trash folder. 9. Back up critical data and systems configurations on a regular basis and store backups in a safe place. 10. Regularly update virus protection on personally- owned home computers that are used for business purposes. This includes installing recommended security patches for the operating system and other applications that are in use. IT Support Responsibilities The following activities are the responsibility of the [organization name] information technology staff: 1. The IT support staff will keep the anti- virus products it provides up- to- date in terms of both virus definitions and software version in use. [Describe manner and frequency of updating.] 2. The IT support staff will apply any updates to the services it provides that are required to defend against threats from viruses. 3. The IT support staff will install anti- virus software on all [organization name] owned and installed desktop workstations, laptops, and servers. 4. The IT support staff will assist employees in installing anti- virus software according to standards on personally- owned computers that will be used for business purposes. The IT department [will/will not] provide anti- virus software in these cases. Network and Firewall Management [Organization name] operates perimeter firewalls between the Internet and its private internal network in order to create a secure operating environment for [organization name] s computer and network resources. A firewall is just one element of a layered approach to network security. The purpose of this policy is to describe how [name firewall] firewall will filter Internet traffic in order to Page 19 of 22

20 mitigate risks and losses associated with security threats, while maintaining appropriate levels of access for users. This policy refers specifically to the [name firewall] firewall. The role of this firewall is to [describe role and relevant features]. The firewall will (at minimum) perform the following security services: 1. Access control between the trusted internal network and untrusted external networks. 2. Block unwanted traffic as determined by the firewall rule set. 3. Hide vulnerable internal systems from the Internet. 4. Hide information, such as system names, network topologies, and internal user IDs, from the Internet. 5. Log traffic to and from the internal network. 6. Provide robust authentication. 7. Provide virtual private network (VPN) connectivity. All employees of [organization name] are subject to this policy and required to abide by it. [IT staff or support company] is responsible for implementing and maintaining [organization name] firewalls, as well as for enforcing and updating this policy. Logon access to the firewall will be restricted to a primary firewall administrator and one designee. Password construction for the firewall will be consistent with the strong password creation practices outlined in [organization name] s Password Policy. Any questions or concerns regarding [firewall name] firewall should be directed to [staff member name/contact information]. The approach adopted to define firewall rule sets is that all services will be denied by the firewall unless expressly permitted in this policy. The [firewall name] firewall permits the following outbound and inbound Internet traffic. Page 20 of 22

21 Outbound All Internet traffic to hosts and services outside of [organization name]. [Insert any other relevant information.] Inbound Only Internet traffic from outside [organization name] that supports the business mission of [organization name] as defined by [name of individual or policy]. [Insert any other relevant information.] [Organization name] employees may request changes to the firewall s configuration in order to allow previously disallowed traffic. A firewall change request form, with full justification, must be submitted to the IT department for approval. All requests will be assessed to determine if they fall within the parameters of acceptable risk. Approval is not guaranteed as associated risks may be deemed too high. If this is the case, an explanation will be provided to the original requestor and alternative solutions will be explored. From time to time, outside vendors, contractors, or other entities may require secure, short- term, remote access to [organization name] s internal network. If such a need arises, a third- party access request form, with full justification, must be submitted to the IT department for approval. Approval is not guaranteed. Firewall logs will be backed up [insert frequency] and archived [insert frequency]. Firewall logs will be reviewed [insert frequency]. Wireless Network Management [Organization name] operates a wireless local area network solution within the facilities located at [location]. The purpose of this wireless infrastructure is to provide pervasive and reliable access to network resources via a wireless interface. The configuration and management of the wireless network is just one element of a layered approach to network security. The purpose of this policy is to describe how the wireless network environment is implemented and managed to appropriate levels of access for users. The following approaches shall be used to ensure the maximum level of security available for the wireless network. 1. The wireless network shall be configured to utilize appropriate network protocols. Either WPA or WPA2 will be used to maximize data security across the wireless network. If older devices are being used, the use of WPA may be required. Page 21 of 22

22 2. All Service Set Identifiers (SSID) will be hidden and with broadcast disabled. Hiding it will force any device to not only know your network password, but also the network name, basically making your network invisible. If the password is compromised but the network name remains secure, there will be no way to connect to your network, thus the extra layer of security. Remember that for a new device, you will need to know your network name (case- sensitive) and the security type and password before it will function properly. 3. If possible, the wireless network shall employ MAC address filtering. This is an extremely powerful security measure that should be considered. Every device has a unique MAC address, which is simply the hardware designation for the Ethernet device. Because no two MAC addresses are alike, you can enable your router to prevent all MAC addresses, besides the ones you designate, from connecting. Even the most knowledgeable intruder will have a difficult time attaching to your network with this enabled. It should be noted that once this is enabled, if you have a guest device in your building, you will have to log into your router, add the device's MAC address and save the changes before it will be able to access your network a small price to pay for a high level of security. 4. The wireless network shall be configured to separate faculty/staff access from student access. If access is provided to guests and visitors, this should be separate from faculty/staff and student access. 5. Wireless access shall be configured to allow access only during specific periods of the day. Wireless devices will continue to evolve and change, and as more tools become x- enabled, the importance of a secure wireless network increases exponentially. [IT staff or support company] is responsible for implementing and maintaining [organization name] wireless network, as well as for enforcing and updating this policy. Any questions or concerns regarding [firewall name] wireless network should be directed to [staff member name/contact information]. Page 22 of 22