Information Technology Security Procedures

Transcription

1 Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2

2 Contents 1. Policy Procedures... 3 Summary of Main Security Policies Virus Protection Physical and Environmental Security of the Data Center... 4 Physical Security... 4 Environmental Security Physical and Environmental Security of the user workspace... 5 Physical Security... 5 Environmental Security Access Control LAN Security... 7 Hubs and Switches... 7 Workstations... 7 Wiring... 7 Monitoring Software... 7 Servers... 7 Electrical Security Server Specific Security Wide Area Network Security TCP/IP & Internet Security Security Audit Voice System Security Mobile Devices Hardware and Software Acquisition Inventory Management Third Party Access Software Development and Maintenance Incident Handling and Escalation Glossary... 12

3 1. Policy Procedures Following are the detailed procedures for Information Technology Security and are to be used in conjunction with the Policy Direction Information Technology Security Policy, approved by the National Board on March 4, These procedures were approved by the Executive Team, March 4, 2011 Summary of Main Security Policies Confidentiality of all data is to be maintained through discretionary and mandatory access controls. Internet and other external service access are restricted to authorized personnel only. No Data should be stored in laptop computers to provide confidentiality of data in the event of loss or theft Only authorized and licensed software may be installed, and installation may only be performed by I.T. Department staff. The use of unauthorized software is prohibited. In the event of unauthorized software being discovered it will be removed from the workstation immediately. Passwords must consist of a mixture of at least 8 alphanumeric characters, and must be changed every 120 days and must be unique. Workstation configurations may only be changed by I.T. Department staff. The physical security of computer equipment will conform to recognized loss prevention guidelines. 2. Virus Protection The I.T. Department will have available up to date virus scanning software for the scanning and removal of suspected viruses.

4 Corporate file-servers will be protected with virus scanning software and will utilize live definition update technology. Workstations will be protected by virus scanning software and will utilize live definition update technology. All systems (workstations and servers) will be built from original, clean master copies whose write protection has always been in place. Only original master copies will be used until virus scanning has taken place. All demonstrations by vendors will be run on their machines and not the Organization s. Vendors will not be permitted connection to the Society s network. To enable data to be recovered in the event of a virus outbreak, regular backups will be scheduled and monitored by the I.T. Department. Users will be notified of virus incidents. Employees will be accountable for any breaches of the Organization s anti-virus policies. In the event of a possible virus infection the user must inform the I.T. Department immediately. The I.T. Department will then scan the infected machine and any removable media or other workstations to which the virus may have spread and eradicate it. The I.T. Department will conduct an investigation with the employee to determine the root cause of the infection. 3. Physical and Environmental Security of the Data Center The I.T Department will provide a secure data center facility that will house the majority of all servers and networking equipment for our infrastructure to maximize security and uptime. The data center will have at minimum, the following characteristics: Physical Security 24x7 onsite security CCTV Cameras and patrols both inside and outside the facility Card and biometric identification are required to access the data center floor Fully enclosed racks with combination locks Access to be restricted to key personnel within the I.T. Department and any vendors that may be under contract to manage the infrastructure Environmental Security UPS and dual generator backup power Multi-stage dry pipe fire suppression system Multi-homed upstream internet connectivity

5 Redundant Cooling units Raised Floor 4. Physical and Environmental Security of the user workspace Each MS Society office will provide a secure office working environment that meets the following specifications: Physical Security Alarm systems with annual code changes and access review Locked server room with restricted access All small technology equipment such as laptops, netbooks, projectors must be securely fixed to furniture using cable locks Environmental Security workstation surge protectors if needed UPS for server and other network gear Separate HVAC for server room if existing system cannot maintain consistent temperature between 20C and 22C and relative humidity between 40% and 60% 5. Access Control Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times. Users requiring access to systems must make a written application on the forms provided by the I.T Department. Users will be required to sign the Information Technology Acceptable Use Procedures form on an annual basis. Failure to do so will result in removal of all network access. Users will be required to complete a Network Access form on an annual basis. Failure to do will result in removal of all network access. Where possible no one person will have full rights to any system. The I.T. Department will control network/server passwords and system passwords will be assigned by the system administrator in the end-user department. The system administrator will be responsible for the maintaining the data integrity of the end-user department s data and for determining end-user access rights.

6 Access to the network/servers and systems will be by individual username and password, and/or by RSA Token Usernames and passwords must not be shared by users. Usernames and passwords must not be written down. Usernames will consist of the user s first initial and last name. Passwords will expire every 120 days and must be unique. Passwords will meet Windows complexity requirements: o The password cannot contain the username o Passwords must contain characters from 3 of the 5 following categories Uppercase Letters Lowercase Letters Numbers Non alphanumeric characters Any Unicode character that is characterized as an alphabetic character but is not lowercase or uppercase. Intruder detection will be implemented where possible. The user account will be locked after 5 incorrect attempts. The I.T. Department will be notified by Human Resources of all employees leaving the Organization s employment. The I.T. Department will then remove the employees rights to all systems. accounts will remain active for 45 days. User files will remain online and accessible to the employee s supervisor for 45 days. After the 45 day period, the user account and files will be deleted. Network/server supervisor passwords and system supervisor passwords will be stored in a secure location in case of an emergency or disaster, for example a fire safe in the Finance Department. Auditing will be implemented on all systems to record login attempts/failures, successful logins and changes made to all systems. Use of the Administrator username on Windows is to be kept to a minimum. Default passwords on all network gear and application systems (ie SQL Server) will be changed during installation. On UNIX and Linux systems, rights to rlogin, ftp, telnet, ssh will be restricted to I.T. Department staff only. File systems will have the maximum security implemented that is possible. Where possible users will only be given Read and File scan rights to directories, files will be flagged as read only to prevent accidental deletion. Vendors will have no access to the Production Network except in cases when they need to work on a specific application. In this case, access may be granted upon completion of the Non-Disclosure Agreement. This also applies to vendors accessing our systems remotely to perform work on production systems.

7 Internet Access may be granted to Vendors upon completion of the Business Partner Network Access Agreement 6. LAN Security Hubs and Switches LAN equipment, hubs, bridges, repeaters, routers, switches will be kept in secure hub rooms. Hub rooms will be kept locked at all times. Access to hub rooms will be restricted to I.T. Department staff only. Other staff and contractors requiring access to hub rooms will notify the I.T. Department in advance so that the necessary supervision can be arranged. Workstations Users must logout of their workstations when they leave their workstation for any length of time. Alternatively Windows workstations may be locked. Workstations will automatically lock after 30 minutes of inactivity. Wiring All network wiring will be fully documented. All unused network data jacks in open office or boardroom areas will be de-activated when not in use. All network cables will be periodically scanned and readings recorded for future reference. Users must not place or store any item on top of network cabling. Redundant cabling schemes will be used where possible. Monitoring Software The use of LAN analyzer and packet sniffing software is restricted to the I.T. Department. Servers All servers will be kept securely under lock and key. Access to the system console and server disk/tape drives will be restricted to authorized I.T. Department staff only. Electrical Security All servers will be fitted with UPS's that also condition the power supply.

8 All hubs, bridges, repeaters, routers, switches and other critical network equipment will also be fitted with UPS's. Software will be installed on all servers to implement an orderly shutdown in the event of a total power failure. All UPS's will be tested periodically. 7. Server Specific Security The operating system will be kept up to date and patched on a regular basis; at a minimum, every 6 months. Servers will be checked daily for viruses. Servers will be locked in a secure room. Remote management passwords will be different to the Admin/Administrator/root password. Users possessing Admin/Administrator/root rights will be limited to trained members of the I.T. Department staff only. Use of the Admin/Administrator/root accounts will be kept to a minimum. User s access to data and applications will be limited by the access control features. Intruder detection and lockout will be enabled. The system auditing facilities will be enabled. Servers will be set to auto lock after 30 minutes of inactivity 8. Wide Area Network Security Wireless LAN s are not permitted without prior approval from the I.T. Department o Approved wireless LAN's will make use of the most secure encryption and authentication facilities available. o Users will not install their own wireless equipment under any circumstances. Remote access is only permitted through Citrix or a secure VPN tunnel All bridges, routers and gateways will be kept locked up in secure areas. Unnecessary protocols will be removed from routers.

9 9. TCP/IP & Internet Security Permanent connections to the Internet will be via the means of a firewall to regulate network traffic. Permanent connections to other external networks, for offsite processing etc., will be via the means of a firewall to regulate network traffic. Where firewalls are used, a dual homed firewall (a device with more than one TCP/IP address) will be the preferred solution. Network equipment will be configured to close inactive sessions. Workstation access to the Internet will be via the Organization s website content scanner All incoming and outgoing will be scanned by the Organization s content scanner. 10. Security Audit The I.T. Department will engage a security consultant on an annual basis to perform a security review of our network perimeter. The I.T. Department will engage a security consultant every 2 years to perform a security review of our internal network 11. Voice System Security The MS Society is in the process of moving to a hosted Voice over IP Solution (VOIP) and this section refers to this new VOIP system Maintenance Ports and passwords for the VOIP system will be held and maintained by the vendor The I.T. Department only will have an account to perform Moves, Adds and Changes only and the password for this account will be a secure password Voice mail and Web Portal accounts will use a password with a minimum length of five digits. Telephone bills will be checked carefully to identify any misuse of the telephone system. 12. Mobile Devices

10 The MS Society has the ability to allow all staff to connect mobile devices (personal or corporate owned) to the Society network in a secure manner allowing us the ability to remote wipe these devices in the event they are lost/stolen or an employee leaves the Society. All users are required to sign off on the Mobile Device Management Agreement on an annual basis if they wish to continue to have their devices connected to the MS Society network. 13. Hardware and Software Acquisition All technology related items must be purchased through the National Office Desktops, laptops and Netbook specifications are set by the I.T. Department and are available to be ordered through the IT Order form located in Mercury. o Any order placed through the IT order form is managed through an automated process and approved by the ordering user s manager or department head. o The I.T. Department is responsible for the ordering process and orders once approved are sent directly to the vendor for fulfillment. o Invoices will be sent directly to the ordering department who are responsible for review, coding and approval. Failure to pay invoices in a timely manner could affect future orders for all staff. Any technology related items that are not on this list must first be approved by the I.T. Department in order to ensure that they are compatible with our systems and are able to be supported When placing orders over $10,000 for servers and infrastructure related items, the I.T. Department will source 3 quotes to ensure the organization is getting the best possible price 14. Inventory Management The I.T. Department will keep a full inventory of all server and networking equipment Individual departments will keep a full inventory of all Desktops, Laptops and printers 15. Third Party Access Any third party vendor that requires access to MS Society systems or data must sign the following documents before access will be granted Non-Disclosure Agreement (NDA) Business Partner Network Access Agreement

11 16. Software Development and Maintenance Applies to all 3 rd party software used by our business units Standard software development lifecycle (SDLC) processes will be followed at all times for both new and existing systems o Project planning and feasibility Study o Systems analysis, requirements definition o Systems design o Implementation o Integration and Testing o Acceptance, installation, deployment o Maintenance 17. Incident Handling and Escalation In the event of a security breach, the I.T. Department will immediately take steps to isolate the breach and inform the infected parties. Users are responsible for immediately notifying the I.T. Department of suspected security breaches. All security breaches will be investigated by the I.T. Department. 3 rd party vendors may be called in to assist The entity responsible for the support of the systems in all cases is expected to o Report the attack to the Manager, I.T. Operations and/or Vice President, Information Technology o Block or prevent escalation of the attack if possible o Repair the resulting damage o Restore service to its former level o Preserve evidence where appropriate o Conduct a post-mortem to determine root cause o Prepare a list of recommendations to prevent future breaches of a similar nature o Conduct a final follow up review within 3 months Modifications will be avoided to any systems/equipment involved (or suspected of involvement) in criminal activity until receiving instruction from the Vice President, Information Technology

12 Glossary Access Control Authenticate Authorization Discretionary Access Control Firewall Ftp Hub Identification Internet LAN Analyzer Laptop Mandatory Access Control The process of limiting access to the resources of a system only to authorized programs, processes, or other systems. To verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system. The granting of access rights to a user, program, or process. A means of restricting access to objects based upon the identity and need to know of the user, process, and/or groups to which they belong. A device and/or software that prevents unauthorized and improper transit of access and information from one network to another. File transfer protocol. Protocol that allows files to be transferred using TCP/IP. Network device for repeating network packets of information around the network. The process that enables recognition of an entity by a system, generally by the use of unique machine-readable user names. Worldwide information service, consisting of computers around the globe linked together by telephone cables. Device for monitoring and analyzing network traffic. Typically used to monitor network traffic levels. Sophisticated analyzers can decode network packets to see what information has been sent. Small portable computer. A means of restricting access to objects based upon the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of

13 such sensitivity. Password Telnet UPS Username Virus Voice Mail A protected, private character string used to authenticate an identity. Protocol that allows a device to login in to a UNIX host using a terminal session. Uninterruptable power supply. Device containing batteries that protects electrical equipment from surges in the mains power and acts as a temporary source of power in the event of a mains failure. A unique symbol or character string that is used by a system to identify a specific user. Computer software that replicates itself and often corrupts computer programs and data. Facility which allows callers to leave voice messages for