Professional Documents
Culture Documents
Procedures
1 INTERNET (FIREWALL & ROUTER) SECURITY
ADMINISTRATION POLICY
1.1 Overview
Firewalls are an essential component for information systems security infrastructure. All firewalls
are defined as security systems that control and restrict network connectivity between XXX and
other business entities. In addition to that firewalls used to restrict data flow within different
network segments of XXX IT infrastructure.
1.2 Purpose
The purpose of this policy is to define standards for provisioning security devices owned by XXX.
These standards are designed to minimize the potential exposure of XXX to the loss of sensitive
confidential data, intellectual property, damage to public image etc., which may follow from
unauthorized use of XXX resources.
This policy also establishes procedures for XXXs all firewall administration, determines the
technology standard used by the firewall hardware and software, assigns firewall administration
responsibilities and defines the filters applied to campus networks.
1.3 Scope
This policy applies to all firewalls on XXX networks, whether managed by own or by third parties.
Departures from this policy will be permitted only if approved in advance and in writing by the
IT Div., Infrastructure Services.
1.5 Responsibilities:
The network administrator is primarily responsible for implementing and maintaining the XXXs
firewalls and is also responsible for activities relating to this policy. However one additional
personal must be in line with the primary administrator as contingency plan. Head of IT
infrastructure will be accountable for XXXs all firewall.
Page 2 of 10
sets where Firewall Administration is performed by other than XXX. Though approval is not
required, all requests are subject to review by XXX. All related documentation is to be retained
by the concern department for three (3) years and is subject to review by XXX and Audit and
Advisory Services.
XXX maintains Change Management Request and Change Control Tracking Form (see attached
examples)
Page 4 of 10
2 WIRELESS ACCESS POLICY
2.1 Objective
With the mass explosion of Smart Phones and Tablets, pervasive wireless connectivity is almost
a given at any organization. Insecure wireless configuration can provide an easy open door for
malicious threat actors.
The purpose of this policy is to secure and protect the information assets owned by XXX. XXX
provides computer devices, networks, and other electronic information systems to meet
missions, goals, and initiatives. XXX grants access to these resources as a privilege and must
manage them responsibly to maintain the confidentiality, integrity, and availability of all
information assets.
This policy specifies the conditions that wireless infrastructure devices must satisfy to connect
to XXXs network. Only those wireless infrastructure devices that meet the standards specified
in this policy or are granted an exception by the IT Security Department are approved for
connectivity to XXXs network.
2.2 Scope
All employees, vendors, consultants, visitors, temporary and other workers at XXX must adhere
to this policy. This policy applies to all wireless infrastructure devices that connect to XXXs
network or reside on XXX premises or IT facilities that provide wireless connectivity to endpoint
devices including, but not limited to, laptops, desktops, cellular phones, and tablets. This
includes any form of wireless communication device capable of transmitting packet data.
2.3 Policy
2.3.1 General Requirements
All wireless infrastructure devices that reside at XXX sites and connect to XXXs network, or
provide access to information classified as XXXs Confidential, or above must:
2.4.2 Exceptions
Any exception to the policy must be approved by the IT Security team in advance.
2.4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action.
Page 5 of 10
3 WIRELESS COMMUNICATION STANDARDS
3.1 Purpose
This standard specifies the technical requirements that wireless infrastructure devices must
satisfy to connect to XXXs network. Only those wireless infrastructure devices that meet the
requirements specified in this standard or are granted an exception by the IT Security Team are
approved for connectivity to XXXs network.
3.2 Scope
All employees, vendors, contractors, consultants, temporary and other workers at XXX and its
subsidiaries, including all personnel that maintain a wireless infrastructure device on behalf of
XXX, must comply with this standard. This standard applies to wireless devices that make a
connection to the network and all wireless infrastructure devices that provide wireless
connectivity to the network.
3.3 Standard
3.3.1 General Requirements
All wireless infrastructure devices that connect to a XXX network or provide access to XXXs
Confidential, XXXs restricted information must:
Use Temporal Key Integrity Protocol (TKIP) or Advanced Encryption System (AES)
protocols with a minimum key length of 128 bits.
All Bluetooth devices must use Secure Simple Pairing with encryption enabled.
The IT Security team will verify compliance to this policy through various methods, including
but not limited to, periodic walk-throughs, monitoring, business tool reports, internal and
external audits, and feedback to the policy owner.
3.4.2 Exceptions
Any exception to the policy must be approved by the IT Security Team in advance.
3.4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action.
Page 6 of 10
4 EMAIL POLICY
4.1 Overview
Electronic email is pervasively used in almost all industry verticals and is often the primary
communication and awareness method within an organization. At the same time, misuse of
email can post many legal, privacy and security risks, thus its important for users to understand
the appropriate use of electronic communications.
4.2 Objective
The purpose of this email policy is to ensure the proper use of XXXs email system and make
users aware of what XXX deems as acceptable and unacceptable use of its email system. This
policy outlines the minimum requirements for use of email within XXX Network.
4.3 Scope
This policy covers appropriate use of any email sent from a XXXs email address or any of its
domains and applies to all employees, vendors, and agents operating on behalf of XXX.
4.4 Policy
All use of email must be consistent with XXXs policies and procedures of ethical conduct,
safety, compliance with applicable laws and proper business practices.
XXXs email account should be used primarily for XXXs business-related purposes;
personal communication is permitted on a limited basis, but non-XXX related commercial
uses are strictly prohibited.
All XXXs data contained within an email message or an attachment must be secured
according to this IT Policy.
Email should be retained only if it qualifies as XXXs business record. Email is XXXs
business record if there exists a legitimate and ongoing business reason to preserve the
information contained in the email.
Email that is identified as XXXs business record shall be retained according to this IT
Policy.
XXXs email system shall not to be used for the creation or distribution of any disruptive
or offensive messages, including offensive comments about race, gender, hair color,
disabilities, age, sexual orientation, pornography, religious beliefs and practice, political
beliefs, or national origin. Employees who receive any emails with this content from any
XXXs employee should report the matter to their supervisor immediately.
Users are prohibited from automatically forwarding XXXs email to a third-party email
system. Individual messages which are forwarded by the user must not contain XXXs
confidential or above information.
Users are prohibited from using third-party email systems and storage servers such as
Google, Yahoo, Hotmail etc. to conduct XXXs business, to create or memorialize any
binding transactions, or to store or retain email on behalf of XXX. Such communications
and transactions should be conducted through proper channels using XXX-approved
documentation.
Sending chain letters or joke emails from a XXXs email account is prohibited.
XXXs employees shall have no expectation of privacy in anything they store, send or
receive on the companys email system.
XXX may monitor messages without prior notice. XXX is not obliged to monitor email
messages.
Page 7 of 10
4.5 Policy Compliance
4.5.1 Compliance Measurement
The IT Security team may verify compliance to this policy through various methods, including
but not limited to, periodic walk-throughs, business tool reports, internal and external audits,
and feedback to the policy owner.
4.5.2 Exceptions
Any exception to the policy must be approved by the IT Security team in advance.
4.5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action.
Page 8 of 10
5 VPN POLICY
5.1 Objective
XXX operates VPN Tunnels to enable connectivity between XXXs Data Center / Disaster
Recovery Centre and Clients, third-parties or off site administrators and support staffs to secure
the path using standard encryption technologies. The purpose of this VPN Policy is to describe
when and how VPN will be used to allow access.
The VPN Policy is subordinate to XXXs IT Policy, as well as any governing laws or regulations.
5.2 Scope
This VPN Policy refers to the Routers and Firewalls used as VPN devices and the technologies
involved in VPN implementations. The role of VPN routers and firewalls are to secure the network
paths between XXX and clients or third parties where applicable in course of enabling services
for them and between XXX IT Infrastructure and administrators and support staffs to allow
remote administration, support and troubleshooting. The network path in scope refers to
connectivity over Internet and private data Networks. The firewall will (at minimum) perform
the following security services:
All employees of XXX are subject to this policy and required to abide by it.
5.3 Responsibilities
IT Division is responsible for implementing and maintaining VPN devices and tunnels, as well as
for enforcing and updating this policy. Logon access to the VPN devices will be restricted to a
primary VPN administrator and one designee. Password construction for VPN devices will be
consistent with the strong password creation practices outlined in XXXs Password Policy.
5.4 Policy
The approach adopted to deny any network connectivity unless a VPN tunnel is established to
secure the path with standard VPN technologies with the following guidelines at a minimum.
Page 9 of 10
Upon final approval, IT Division will initiate implementation and will confirm relevant
parties.
VPN sessions will have an absolute timeout length of 86400 seconds. An inactivity
timeout will be set for 3600 seconds. At the end of these timeout periods, users must re-
authenticate to continue or re-establish their VPN connection.
5.6 Enforcement
Wherever possible, technological tools will be used to enforce this policy and mitigate security
risks. Any employee who is found to have violated this policy may be subject to disciplinary
action.
Page 10 of 10