Cyber Defense Team's Security Policy
Embed Size (px)
Transcript of Cyber Defense Team's Security Policy
Sixpress Security Policy
The following document was developed as the Security Policy document for Sixpress. It is intended for the protection of Sixpress proprietary information and and to mitigate the risk of suffering a malicious intrusion. All employees must follow the rules and policies laid out below: 1. Acceptable Use Policy 1.1. OverviewBlue Teams intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to SixPresss established culture of openness, trust and integrity. Blue Team is committed to protecting SixPress's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. Internet/Intranet/Extranet - related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of SixPress. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every SixPress employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly. 1.2. PurposeThe purpose of this policy is to outline the acceptable use of computer equipment at SixPress. These rules are in place to protect the employee and SixPress. Inappropriate use exposes SixPress to risks including virus attacks, compromise of network systems and services, and legal issues.
1.3. ScopeThis policy applies to the use of information, electronic and computing devices, and network resources to conduct SixPress business or interact with internal networks and business systems, whether owned or leased by SixPress, the employee, or a third party.
1.4 General Use and Ownership1.4.1. SixPress proprietary information stored on electronic and computing devices whether owned or leased by SixPress, the employee or a third party, remains the sole property of SixPress. You must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Standard.1.4.2 You have a responsibility to promptly report the theft, loss or unauthorized disclosure of SixPress proprietary information.1.4.3 You may access, use or share SixPress proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.1.4.4 Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.1.4.4 For security and network maintenance purposes, authorized individuals within SixPress may monitor equipment, systems and network traffic at any time, per Blue Teams Audit Policy.126.96.36.199 SixPress reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
1.5 Security and Proprietary Information, Consensus Policy, Resource Community1.5.1 All mobile and computing devices that connect to the internal network must comply with the Minimum Access Policy.1.5.2 System level and user level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.1.5.3 All computing devices must be secured with a password- protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.
1.6 Unacceptable UseThe following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). Under no circumstances is an employee of SixPress authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing SixPress -owned resources. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.1.6.1 System and Network ActivitiesThe following activities are strictly prohibited, with no exceptions:
1.7 Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by SixPress.
1.8 Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which SixPress or the end user does not have an active license is strictly prohibited.Accessing data, a server or an account for any purpose other than conducting SixPress business, even if you have authorized access, is prohibited.
1.9 Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
1.10 Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
1.11 Email and Communication ActivitiesWhen using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company". Questions may be addressed to the IT Department Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam). Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages. Unauthorized use, or forging, of email header information. Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type. Use of unsolicited email originating from within SixPress 's networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted SixPress or connected via SixPress's network. Posting the same or similar non-business- related messages to large numbers of Usenet newsgroups (newsgroup spam).
2. Digital Millennium Copyright Act PolicyThe Digital Millennium Copyright Act of 1998 (DMCA) was the created by the Congress to move the nations copyright laws into the digital age. The DMCA was created as an updated version of copyright laws that dealt with the special challenges of regulating digital material. The act complies with the World Intellectual Property Organization (WIPO) Copyright Treaty and the WIPO Performances and Phonograms Treaty. Sixpress is concerned with DMCA as it raises issues that affect the sharing and copying of data in the workplace.
The DMCA provides recourse for copyright owners who believe that material appearing on the Internet infringes on traditional copyright laws. Here at Sixpress, DMCA is enforced to protect and or prohibits its employees from copying several paragraphs of an article off the Web and disseminating it. Sixpress follows DMCA standards and requires that those excerpts taken from other sites include copyright management information such as title, author, and terms and conditions of use. Another area of DMCA enforcement is in the fair use of electronic data. If a copyright includes an anti circumvention clause for example, that prevents it from being copied, then anyone who breaks that provision could be liable under the DMCA.
3. User Password Policy Password should be at least 15 characters long in order to make them more secure. A combination of uppercase, lowercase, numeric characters, and special characters in order to make brute forcing and dictionary attacks much harder to succeed. Passwords need to be changed once every 6 months. Passwords can be stored in a salted hash if need be. The same passwords should not be used across multiple accounts.
5. Internal Server Security PolicyOur server policy is enforced by least privileged access. Only users that need access to a server will have access to that server. In addition to limiting user access, the only services running on a server will be what the server needs. One server should be dedicated to one main service. This will increase performance and ensure that one device does not have a large vulnerability range by having many services. All ports not dedicated to the specific service will be closed.Our server passwords will adhere to our password guidelines, and will only be administered by the proper administrators. Anyone caught tampering with the internal servers will be dealt with accordingly.
6. Internal System Backup PolicyOur internal systems are an integral part of our SixPress service. The main sites are the backbone of our corporation. In order for us to achieve optimal availability, we will administer one hot site and one warm site on standby. We will have incremental backups to both sites once every week, automatically set for every Sunday at 4AM.
6.1 Human-induced or Technical disasterIn order to protect against a man-made disaster, we need to use a hot site because in this situation, an employee could have made a misconfiguration either while on the campus of the data site or from a remote session. In this instance, we would need a hot site in place ready to take the place of the main site because it is more likely for this type of disaster to occur, given the large number of auditing and configurations that constantly need to be made.
6.2 Natural disasterIn order to protect against a natural disaster, we need to assign a warm site on standby to be the replacement. A natural disaster damages the main site beyond viable and immediate physical repair. Due to this situation, the main site would no longer be functional or of any use, at least in the short-term. Since natural disasters occur less frequently than a human or technical disaster, a warm site would suffice. If a natural disaster does occur, we would transition the warm site into the new main system site. This is because when a natural disaster occurs, the corporation would need to move to another physical location anyway, so a warm site would suffice. It would have the hardware and base configurations in place, with a transition period of a few days at most.
7. Email PolicyElectronic email is pervasively used in almost all industry verticals and is often the primary communication and awareness method within an organization. At the same time, misuse of email can post many legal, privacy and security risks, thus its important for users to understand the appropriate use of electronic communications. The following rules must be followed when conducting official SixPress business on email:7.1 All use of email must be consistent with SixPress policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
7.2 SixPress email account should be used primarily for SixPress business-related purposes; personal communication is permitted on a limited basis, but non-Sixpress related commercial uses are prohibited.7.3 All SixPress data contained within an email message or an attachment must be secured according to the Data Protection Standard.
7.4 Email should be retained only if it qualifies as a SixPress business record. Email is a Sixpress business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
7.5 Email that is identified as a SixPress business record shall be retained according to SixPress Record Retention Schedule.
7.6 The SixPress email system shall not to be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any SixPress employee should report the matter to their supervisor immediately.
7.7 Users are prohibited from automatically forwarding SixPress email to a third party email system (noted in 4.8 below). Individual messages which are forwarded by the user must not contain SixPress confidential or above information.
7.8 Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct SixPress business, to create or memorialize any binding transactions, or to store or retain email on behalf of SixPress. Such communications and transactions should be conducted through proper channels using SixPress-approved documentation.
8. Ethics PolicySixPress is committed to ensuring that working conditions in SixPresss working environment are safe, that workers are treated with respect and dignity, and that manufacturing processes are environmentally responsible. SixPresss employees commit, in all their activities, to operate in full compliance with the laws, rules, and regulations of the countries in which they operate.
Employees must be committed to the highest standards of ethical conduct when dealing with workers, suppliers, and customers.
Be thoughtful about how your present yourself in online social networks Respect your audience and your coworkers Respect the privacy or your coworkers and customers Protect SixPresss confidential information Respect copyright, fair use laws In sum use your best judgement
Integrity:SixPresss success is based on creating innovative, high-quality products and services and on demonstrating integrity in every business interaction. SixPresss principles of business conduct define the way we do business worldwide.
These principles are: Honesty. Demonstrate honesty and high ethical standards in all dealings. Respect. Treat customers, suppliers, employees, and others with respect and courtesy. Confidentiality. Protect the confidentiality of Apples information and the information of our customers, suppliers and employees. Community. Conduct business in a way that benefits the communities in which we operate. Compliance. Ensure that business decisions comply with all applicable laws and regulations.
Your responsibilities:SixPresss ethics policies apply to employees, independent contractors, consultants, and others who do business with Apple. All such individuals are expected to comply with SixPresss ethics policies and principles and with all applicable legal requirements. SixPress retains the right to discipline (up to and including termination of employment) or end working relationships with those who do not comply.
9. Network Security PolicyKnow Your Enemy:Every organization needs to understand the threats that they face in the environment that they operate in. Network administrators and CEOs need to identify whether their greatest threat is as trivial as a script kiddie or disgruntled employee, or more advanced such as dedicated cybercriminal groups and government sponsored cyber-warfare. At SixPress, our major services are IPv6 hosting, DNS, SMTP, HTTP/HTTPS, IMAP, POP, and FTP. We understand that as a corporate network that handles and stores data from a large number of clients, our security needs to be as vigorous as ever.
1a) Plan/Prepare Be preventative against a zero-day attack. This includes constant OEM signature updates and software patches. Know every single software application, program, or operating system that is being deployed on your network. Risk assessment, comprehensive analysis, defense-in-depth, and minimum permissions1b) Protect Access Control Firewalls Cryptography1c) Respond Strong incident response policy is defined below
10. Incident Response Policy
A corporate network is a large business that encompasses many levels. It is only natural that at some point, a security incident, breach, or leak can occur. Instead of being reactive and scrambling in distress to an incident, a corporation should have a plan in place to deal with an incident and document it. The affected party(s) should have a platform to voice their concerns as well as to document what occurred. As is stated, there will be an incident response template sheet that all SixPress employees will use to document an incident. The sheet is shown on page 10:
The incident response form gathers the contact information of the party(s) involved, gathers incident information, gathers the information about systems and services affected, asks for an incident mitigation process, asks for a recommendation, and asks for any miscellaneous or additional comments. This is a mandatory and comprehensive form for any incident that occurs at SixPress, and must be filled out for processing. Administrators should keep a log of the types of incidents, so that if a repeat incident occurs of the same type, a red flag will be raised as to why the initial mitigation procedures were not implemented.
Incident and Risk Management MethodThe objective of incident and risk management is to plan against prospective security risks, as well as service restoration as quickly as possible during an incident. If service can be restored by a temporary workaround quicker than by correcting the underlying root cause of the issue then that is acceptable for the time being while that root cause is being maintenanced. The primary focus of incident management is supervising and directing internal and external resources, while ensuring a prompt recovery of the system with a strong plan. The countermeasure strategy is also key.
11. AAA Policy
Security is a management issue, not a technical issue. Dual-factor authentication is mandatory to access all services. This would be something you know and something you possess. Authorization - Least privileges are the best practice Accounting - Log all packet traffic on the LAN
12. Network Administration PolicyIn order to secure the network, it is imperative to secure the routers on the network. It was noticed that at SixPress, public IP addresses are used on the inside LAN, with no address translation occurring at the border router. In the future, there should be NAT policies in place on the router in order to ensure that the internal LAN hosts are using private IP addresses. All routers should have Access Lists on them implemented on either the outside or inside interface, and for both inbound and outbound traffic. In addition to that, all access lists should include a nested reflexive access list that allows for returning traffic from established sessions to pass while other traffic would be dropped. Here are a few concepts for network administration that need to be implemented:
IPSec Configuration is mandatory for remote connections to SixPress services. The SixPress network will provide a vpn for remote clients to establish a secure network. Due to the increasing security risk of layer-2 public Wi-Fi connections, this level of security is necessary for our corporation to ensure data integrity for remote connections. SSL/TLS Configuration for all BYOD mobile devices that connect remotely and use end-to-end application communication with our mobile app servers. Communication between all security departments during an intrusion detection. An affirmed positive or suspected positive should be reported to the CIOs office immediately. Acknowledgement of communication provision. The CIOs office will be held accountable for responding to and acknowledging such threats.