
Policy on Network Security and Access Control for <insert company name here>

<Insert company logo here>


<Insert company proper name here>

1.1 Policy name: This network security and access control policy is hereby referred to as the Policy.

1.2 Target Audience: This Policy is intended for all <insert company name here> (hereby referred to as the company) employees requiring Internet services and utilizing the IT infrastructure, computer resources and software applications provided by the company.

1.3 Policy Purpose: Access to the company's computer systems and software applications should be managed and controlled without exposing the company to compromise of assets and unacceptable disruption or risks.

Access control includes both physical and logical access. Both methods require appropriate controls relevant to risk factors to the actual equipment or information. System employees are to be granted the minimum level of physical and logical access necessary for them to perform their work. Physical access control should limit who has access to the equipment, and logical access controls should reduce the risk of accidental and malicious disclosure, modification or deletion of information. Logical access control should be specified for all systems and, wherever possible, enforced through appropriate operating system and application configurations.

Computer systems and network components should be physically protected from security threats and environmental hazards. Protection of equipment (including that used off-site) is necessary to reduce the risk of unauthorized access to data and to protect against loss or damage.

Network Security

It is crucial for the effectiveness of an information security program that all levels of the company's IT infrastructure be secure. It is the IT infrastructure on which all the company's applications will be supported and, as such, the security controls of the network devices which support these business applications establish a secure technical foundation.
Data that is transmitted over the company's IT infrastructure should not be altered in an unauthorized manner as a result of that transmission. The company's IT infrastructure employees should have a reasonable expectation that information which is being sent using the IT services is received at the intended destination in an unmodified state.

The functionality of network devices should be limited to that necessary to meet defined and approved network performance and security requirements.

1.4 Policy Maintenance History: This Policy is a dynamic document and may be revised and updated as required. Revisions are to be tracked and detailed below.
Date          Change details    Version
29-09-2008    Initial Draft     1.0.0

1.5 Policy Summary: Network security and access control is required to regulate the following components:
1. Logical Access Control
2. Physical Security
3. Network Security
4. Firewall and Intrusion Detection
5. Cabling
6. Portable Computers

1.6 Compliance

Everyone within the company, and those acting on behalf of the company, is responsible for the security of the company information assets entrusted to them. The company's employees are not to disclose confidential or sensitive information to third parties, including friends and relatives, who do not have a need to know the information in order to meet their professional responsibilities to the company.

The company will ensure that use of company computing and network resources does not infringe criminal or civil laws, such as laws regarding the storage or transmission of libelous, indecent or offensive material.

Employees must be aware that there are consequences for intentional misuse of the company's resources. Violations of this Policy may lead to disciplinary action up to and including dismissal.

1.7 Administration:

Policy Ownership

This Policy document is owned and maintained by the company. It is the responsibility of the company to assume responsibility for the implementation and enforcement of this Policy to ensure compliance. The Policy will be reviewed at least annually to ensure that it is addressing current threats, vulnerabilities, risks and the requirements of the company. Any revisions or modifications to this Policy must be approved by the company. Questions concerning the Policy and suggested revisions should be directed to the company.

General Responsibilities

Company
Responsible for endorsing and supporting the company Information Security Policy, for ensuring that information security retains a high profile within the company and for guaranteeing that appropriate budget and personnel resources are available for the ongoing development, implementation and review of appropriate Policy implementation. The company will approve major initiatives aimed at enhancing information security.

Employee
Information security is not simply an ongoing managerial task; it is also the responsibility of every individual. As such, all employees are expected to respect this Policy in spirit and comply with the statements contained herein.

Supervisors and Managers
Are responsible for ensuring that the employees under their direction comply with this Policy. Specifically, to:
o Ensure that employees understand information security policies, procedures and responsibilities.
o Approve appropriate computer and resource access.
o Review, evaluate and respond to all security violations reported by employees and take appropriate action.
o Communicate to appropriate channels employee departures, arrivals and changes which affect computer access.
o Ensure security procedures are in place to protect information assets under their control. Such procedures would include physical access control and virus protection for workstations, applications, local area networks, etc.
o Continuously keep System Administrators informed of changes to access rights to data and systems, including the removal or creation of specific individuals' access rights.

Information Owners
The company computer systems and information which need certain protection must have a designated Information Owner. Information Owners are responsible for their information and, in particular, for its classification according to the Company Data Classification and Control Policy.

Company IT Management and Technical Employee
Responsible for implementation of the company's Information Security Policies, for ensuring that employees using the computer and network systems comply with this Policy, and for reporting violations to the company.

1.8 Associated Documents

The policy statements, guidelines, standards and procedures will be developed in accordance with the laws of the Republic of Singapore, more specifically, but not limited to:

o The Computer Misuse Act (Chap 50A);
o Official Secrets Act (Chap 213, Clause 5);
o Undesirable Publications Act (Chap 338);

1.9 Policy Statements

1.91 Logical Access Control

Authentication

All access to the company's computer systems and network resources must be protected by an approved authentication mechanism.
1. Only authorized employees are allowed to access the company's resources.
2. A valid, unique and non-generic login credential for an employee accessing the company's network (hereafter referred to as UserID) and password should be required for all system and network access (including intermittently connected computers).
3. The UserID should follow a standard naming convention, which facilitates the independent identification of the owner. See the Appendix for the naming convention.
4. Employees are responsible for all activity performed with their personal UserIDs. UserIDs may not be utilized by anyone but the individuals to whom they have been issued. Employees must not allow others to perform any activity with their UserIDs.
5. Privileged or administrator-level and security device passwords should have an enforced secure format, e.g. 8 alphanumeric characters, including at least 2 numbers.
6. Employee passwords should not be recorded or written down in such a way that an unauthorized person might discover them. Passwords must not be shared under any circumstances. To do so exposes the authorized employee to responsibility for actions that the other party takes with the password.
7. All employee-chosen passwords must be difficult to guess. Common character sequences such as 12345 and abcd should not be used. Passwords must therefore contain at least one alphabetic and one non-alphabetic character (numbers and punctuation).
8. All passwords must have at LEAST 5 alphanumeric characters.
9. The initial passwords provided to new employees are valid only for the employee's first on-line session. At that time the employee must be forced to choose another password before any other work can be done.
10. All employees have to change their passwords at least once every ninety (90) days.

11. To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After three (3) unsuccessful login attempts the employee account will be disabled. It should only be re-activated once the employee can prove their identity to a System Administrator.
12. Passwords must not be stored in readable form in batch files, automatic log-in scripts, software macros, in computers without access control or in other locations where unauthorized persons might discover them.
13. Trusted automated authentication which requires no login with passwords should not be allowed.
14. Other than minimal prompts for UserID and password information, no other information is to be displayed prior to logon.
15. The full name of the employee must be entered within the employee Properties or Identification pages to correspond with the UserID.
16. Privileged or administrator-level passwords should be recorded and held under secure conditions by a nominated IT Manager for backup and recovery procedures.
17. All company-supplied default passwords must be changed before any computer system is used by the company.

Access Privileges

18. All initial access granted to employees, and all changes to this access, should be authorized by the nominated IT Manager and/or senior Administrative Officer.
19. Access request details should contain adequate information for the Administrative Officer and System Administrator to grant access and privilege levels accordingly.
20. Security requirements should be defined for each company business application, and associated access rights and information classification should be documented.

Access Administration

21. System and IT Managers should be notified of new starters, leavers and employee transfers before they occur, using a defined process.
22. A special process should exist to assure the prompt removal of all access authorities and privileges for employees who are either made redundant or otherwise constitute a potential risk to the company's computer systems, network resources and communication networks.
23. Authorized employees are responsible for the security of their passwords, which are not to be divulged to any other person.
24. All emergency / temporary access should be approved by the company and details of activities should be reviewed.
25. All privileged access must be logged and accountable to a unique individual.
26. Employee access rights should be reviewed at least every 12 months. Employees with privileged access rights should be reviewed every 6 months.

Housekeeping and Audit

27. All access accounts and privileges should be reviewed at least once every 3 months to facilitate the prompt removal of redundant access authorities.
28. All employee access rights should be reviewed and confirmed with the system, network and / or Information Owners at least once every 12 months.
29. Significant findings or weaknesses identified from these audits must be mitigated in a timely manner by the company and the Information Owner.

1.92 Physical Access Control

1. All company owned systems and network components should be permanently and uniquely marked as company owned assets.
2. Secure facilities should be clearly defined. Access to such facilities should be restricted to authorized employees only.
3. Company employees and visitors to secure facilities should wear visible identification while onsite.
4. Critical company computer systems and network components should be located and operated within a managed security perimeter inside the company's facilities or trusted third party premises equipped with environmental monitoring controls.

5. Critical company computer systems and network components should be positioned away from potential hazards, including over-head water and heating systems / pipes and flammable materials.
6. To minimize theft and water damage, computer and communications facilities should not be located on the first floor of buildings. To minimize water damage, rest room facilities should not be located directly above these systems.
7. Critical company computer systems and network components should be protected by a filtered power supply and other appropriate environmental controls, and, if essential to business critical operations, covered by an uninterruptible power supply.
8. Network server systems and all storage media are to be physically protected from unauthorized access, when not in use, by at least one level of approved physical access control mechanism.
9. Servers and communication facilities should be housed in dedicated secure accommodation with access limited to designated and appropriately qualified company IT Personnel.
10. Positive physical control should be exercised over employee and visitor access to, and activities within, areas that maintain company business critical and significant company computer systems and network components.
11. Public tours of major computer and communications facilities are therefore prohibited.
12. Computer equipment (PCs, LAN servers etc.) should not be moved, relocated or installed without the prior approval of the IT Manager and/or senior Administrative Officer.

1.93 Network Security

Network

1. Networks must be designed in conformance with company technical standards, and network configurations must be accurately documented.
2. All network devices must be located in a physically secure location accessible by approved authentication mechanisms to authorized personnel only. There should be a primary and secondary Network/System Administrator delegated to each network device.
3. Network software should have the latest company software and patches installed. Final configurations should ensure that device software is free of CERT (Computer Emergency Response Team) advisories and known company vulnerabilities.
4. Network devices should follow proper backup and disaster recovery procedures. Backup media should be read-only and stored in a physically secured area accessible by authorized personnel only.
5. Restrict access to software documentation and data storage to employees or agents who need such access to perform assigned work duties.
6. Perimeter network devices should follow the restrictive model, or default deny rule, whereby all connections and traffic are refused except those which are expressly allowed for operational functionality.
7. Communications with external networks shall be strictly monitored and controlled by firewall devices and network intrusion detection systems.
8. Access to all network devices must follow approved authentication mechanisms.
9. Remote administration to internal network components for support services is authorized via the company's remote access approval process.
10. Company information destined for remote networks must be encrypted before exiting the perimeter network segment.
11. All default properties and implied rules enabled by the company must be disabled on all network devices.
12. All network devices connected at the perimeter of the company's IT infrastructure must have static access control rules configured for inbound and outbound network traffic.
13. Remote connections to internal network devices must be encrypted and support approved authentication mechanisms.
14. The operating system contained within network devices must be configured such that it precludes the opportunity for employees or hackers to maliciously gain access to the device in order to reconfigure it.
15. The company and the company must approve the establishment and alteration of all external network connections with due consideration of the business needs and effect on network security.
16. All network authentications will be performed in a manner consistent with the other company authentication mechanisms.

17. Changes to each network device configuration in the production environment, e.g., loading new software, changing network addresses, reconfiguring routers, must follow a clearly defined change control procedure developed and approved for this purpose.
18. Administrative sessions must be authenticated using approved authentication mechanisms and be encrypted.
19. All network devices must enable logging and audit functions to allow for analysis of network activity when needed. Logs should be maintained on a secure server.
20. Time synchronization must be enabled on all computer systems and network components throughout the company IT infrastructure. Master time must be set to sync with an external, trusted time source. Only authorized employees are permitted to perform time synchronization operations. Employees are expressly prohibited from adjusting system clocks.

1.94 Firewall and Intrusion Detection

Management

1. A firewall-to-firewall VPN must be established for all remote and connections within company IT infrastructure.
2. Firewall devices must be configured to provide firewall functionality only. Applications not intended for firewall operation are not permitted to be installed on firewall devices.
3. Firewall systems should be configured to filter connections based on source IP addresses, destination IP address and service port of necessary data traffic only. Data traffic which does not meet the filtering criteria must be dropped and logged.
4. Network-based intrusion detection taps must be placed on each perimeter network segment. Attack signature updates for the intrusion detection sensors must be retrieved from authorized servers only and be distributed to Client systems within a reasonable timeframe once published from the company. Intrusion detection systems must detect unauthorized modifications to firewall system files, among other potential problems.
5. All non-administrative connection attempts to the firewall itself must be denied. An administration rule from an authorized management console should be the only valid connection accepted for firewall management purposes. Administrative connections must be encrypted.
6. A warning banner message for all login sessions should be displayed stating at least the last login time and date. All in-bound real-time Internet connections must pass through a firewall before employees can reach a login banner.

7. Only protocols approved by the Company and the company should be allowed to traverse the firewall.
8. For reasons of simplicity, the firewall rule set should have as few rules as possible.
9. The order in which rules are constructed is critical to a properly configured firewall. Keep the more specific rules first, the more general rules last. The last rule should always drop and log all packets which do not meet the previous rule criteria.
10. Reject and do not log chatty protocols, e.g., NETBIOS, so that log files do not fill with unnecessary information. Troubleshooting may necessitate the temporary lifting of this rule.
11. Spoof tracking should be configured on all firewall interfaces, and an alert message should be generated should the firewall detect and drop any spoofed packets.
12. All firewalls should enable features which protect against TCP SYN attacks.
13. Internet Control Message Protocol (ICMP) traffic should be disabled, if possible, and broadcast traffic, especially multicast, should also be denied.
14. Text comments should be included in every rule to explain the purpose of the rule. The comment should include:
o Name of person modifying rule;
o Date and time of rule change;
o Reason for rule change.
15. Enable logging for relevant protocol and connection activities, especially management connections, enabled services, changes to firewall configuration. Maintain these logs on dedicated, secure log servers. Access to firewall and intrusion detection log files should be reserved for authorized security personnel only. Log files must be encrypted.
16. Firewalls must be audited on a regular basis since they provide an important barrier to unauthorized access to the company networks. Audits should be performed by technical persons without responsibility for the administration of the firewall. Audits should include execution of vulnerability identification software, and should also consider at the least:
o Defined configuration parameters;
o Enabled services;
o Permitted connectivity;
o Current administrative practices;
o Adequacy of the deployed security measures.

17. Firewall access privilege to modify the functionality, connectivity and services supported by the firewall must be restricted. All firewalls should have at least two (2) employees who are adequately trained to make changes as required. Firewall change control procedures must be followed for all changes to the firewall.
18. Portions of the internal networks that contain sensitive or valuable information, e.g., Human Resource, must employ secured subnets. Access to these subnets must be restricted by firewalls or other control measures.

Wireless, Routers and Switches

19. Access to wireless, router and switch configuration documents should be restricted to authorized network personnel only.
20. External wireless devices, routers and switches are not allowed to be installed on the LAN without the prior approval of the IT Manager and/or senior Administrative Officer.
21. Router controls should be based on positive source and destination address checking mechanisms.
22. Access control lists must be configured and enabled on all perimeter network devices.
23. Configure access control lists to only permit outbound traffic based on IP addresses assigned specifically to the company.
24. Remove all unnecessary commands, services and route statements.
25. Restrict interactive access to allow remote management to internal interface only from specific management console IP addresses. If remote management functions or services are required to be enabled at the external interface, only known, static IP addresses will be accepted.

1.95 Cabling

1. Network cabling should be clearly and consistently labeled to detail the following:
o Cable's purpose;
o Category of data which will traverse the wire;
o Terminating switch port numbers;
o VLAN/Network to which the cable's terminations are attached.

2. Network cabling carrying primarily data classified as sensitive should be clearly labeled as such. The cable should be a different color to the standard cabling, e.g., red as opposed to blue.
3. Network cabling which is identified as primarily carrying data classified as sensitive should be protected from the possibility of electromagnetic listening devices being used to illicitly collect network data. This must be controlled within the building infrastructure and between the employee's workstation and the wall.

1.96 Portable Computers

1. Employees with portable, laptop, notebook, palmtop and other transportable computers containing restricted or confidential information must not leave these computers unattended unless the information is encrypted.
2. When traveling, employees with transportable computers containing restricted or confidential information should retain possession of these computers at all times.
3. Restricted or confidential information on off-line storage media, e.g., CDROM, diskettes, magnetic tape, should be stored in a locked fireproof safe.
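Section 1.94 items 5, 9 and 14 can be checked mechanically during a firewall audit. The following is an added example, not part of the original policy: the Rule fields, the comment layout (name=...; changed=...; reason=...) and the sample rule sets are assumptions constructed for illustration, and it handles IPv4 rules only.

```python
import ipaddress
import re
from dataclasses import dataclass

ANY = "0.0.0.0/0"

@dataclass
class Rule:
    src: str      # source network in CIDR form, ANY for all
    dst: str      # destination network in CIDR form, ANY for all
    port: object  # service port as int, or "any"
    action: str   # "accept" or "drop"
    log: bool
    comment: str

# Assumed comment layout carrying the three fields item 14 asks for.
COMMENT_RE = re.compile(
    r"name=\S[^;]*;\s*changed=\d{4}-\d{2}-\d{2} \d{2}:\d{2};\s*reason=\S.*")

def covers(broad, narrow):
    """True if every packet matched by `narrow` is also matched by `broad`."""
    net = ipaddress.ip_network
    return (net(narrow.src).subnet_of(net(broad.src))
            and net(narrow.dst).subnet_of(net(broad.dst))
            and (broad.port == "any" or broad.port == narrow.port))

def audit(rules):
    """Return a list of findings against items 9 and 14 of section 1.94."""
    if not rules:
        return ["rule set is empty"]
    findings = []
    last = rules[-1]
    if not (last.src == ANY and last.dst == ANY and last.port == "any"
            and last.action == "drop" and last.log):
        findings.append("item 9: last rule must drop and log all unmatched packets")
    for i, rule in enumerate(rules):
        if not COMMENT_RE.fullmatch(rule.comment.strip()):
            findings.append(f"item 14: rule {i + 1} comment lacks name, date/time or reason")
        for j in range(i):
            # An earlier, more general rule means this one can never match.
            if covers(rules[j], rule):
                findings.append(f"item 9: rule {i + 1} is never reached, "
                                f"rule {j + 1} is more general and comes first")
                break
    return findings

# Constructed sample data: 192.0.2.5 is the management console and
# 203.0.113.1 is the firewall itself (documentation address ranges).
OK = "name=A. Admin; changed=2008-09-29 10:00; reason="
MGMT = Rule("192.0.2.5/32", "203.0.113.1/32", 22, "accept", True, OK + "management console")
DENY_FW = Rule(ANY, "203.0.113.1/32", "any", "drop", True, OK + "item 5, deny other access")
FINAL = Rule(ANY, ANY, "any", "drop", True, OK + "default deny")

GOOD = [MGMT, DENY_FW, FINAL]
BAD = [
    DENY_FW,  # general rule placed first
    Rule("192.0.2.5/32", "203.0.113.1/32", 22, "accept", True, "ssh"),
    Rule(ANY, ANY, "any", "drop", False, OK + "default deny"),  # not logged
]

if __name__ == "__main__":
    for name, rule_set in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(rule_set) or "no findings")
```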

APPENDIX I
NAMING CONVENTION for UserID

The following naming convention is proposed:

UserID = last name.first name

Examples:
Name: Stanley Teo Tze Wan
Stanley.Teo: stanley.teo@roycemedia.com
Or
TW.Teo: tw.teo@roycemedia.com
