Effective Date: _______________________________
Version Number: _____________________________
Table of Contents
We commit to the highest legal and ethical principles in the conduct of all aspects of our business. The company and each individual who is a part of it will adhere to the highest standards of moral and ethical business conduct and will keep promises, treat each other and any others with whom they come into contact with honesty, civility, and respect. We want to be worthy of the highest trust of those with whom we interact. — Company Mission & Values
Information technologies (IT) are vital to Company operations. They are tools that improve the quality and efficiency of our work. They are the repositories for critical and sometimes highly proprietary corporate information. The improper access to or the destruction of these resources will have serious consequences for the Company. It is the purpose of this policy to:
- Ensure the corporate IT resources are appropriately protected from destruction, alteration or unauthorized access.
- Ensure that these protections are accomplished in a manner consistent with the business and work flow requirements of the company.
Information technologies include:
- Computer hardware and peripherals
- Electronic data stored on standalone devices, networks, diskettes, databases, etc.
- Network infrastructure devices
- The Company Intranet and access to and data transmissions across the Internet and World Wide Web
- Information technologies are tools intended for business operations.
- The Company Information Services (CIS) department shall identify and maintain an organizational structure appropriate to the maintenance of Company IT security.
- The IT Organization has primary responsibility and authority for all components of the IT infrastructure. All devices, applications, databases and other components must comply with the Company’s IT policies.
- The Company will cooperate with law enforcement agencies in their efforts to investigate any violation of federal and state laws, regarding information security. If the Company suspects the violation of any law, the Company may ask a law enforcement agency to investigate the matter.
- Employees reasonably believed by the Company to have willfully compromised its information security will be subject to termination.
- Any employee who interferes with or refuses to cooperate in the investigation of violation of this policy will be subject to discipline, up to and including termination of employment.
- Business units or departments may establish additional procedures that are relevant to their operations. These procedures may provide additional detail, be more specific, and/or be more restrictive, provided they do not conflict with this policy.
This policy covers all Company employees, consultants, agents, and others (collectively, employees) working on any premises of the Company.
- Every Company employee is responsible for complying with this policy.
- Managers are responsible for ensuring that their staff complies with this policy.
- Managers may include the compromise of Company information security as part of a performance evaluation.
- The Chief Information Officer (CIO) has corporate responsibility for the implementation of this policy.
- Any employee who becomes aware of any violation or suspected violation of this policy must inform the CIO, the Information Security Officer (ISO) or Company Security.
6.1. The Security Organization
The proper balance between the leveraging of outsourcing partners and maintaining oversight is based upon an organizational structure which appropriately parses roles and responsibilities among the various outsourced and corporate components of the IT security organization. The following structure is defined for the Company Corporate Security Organization:
6.1.1. Information Security Council (ISC)
The Information Security Council is charged with the definition of IT security strategy and scope. The ISC shall be comprised of the:
- Information Security Officer
- Director of Operations
- IT Audit/Security Coordinators
Other participants may, from time to time, include:
- Outsourcing Vendor Project Manager
- Security Advisor
6.1.2. Information Security Officer (ISO)
This corporate function reports to the CIO. The ISO has primary responsibility for the oversight of the state of information security at the Company. Primary responsibilities include:
- Leadership of the Security Strategy Council.
- Drafting and approval of security policies and procedures.
- Periodic reporting on the state of information security to the CIO.
- Oversight and audit of security efforts accomplished through the IT Audit/Security Coordinator(s).
6.1.3. Director of Outsourcing Management, Operations
This Company function has primary oversight of outsourced IT operations support and projects. Participation on the Security Strategy Council is targeted at assurance that security is a component of all major operations projects and technical strategies.
6.1.4. IT Audit/Security Coordinator — Outsourced
This outsourced function reports to the Vendor Project Manager with a dotted line reporting relationship to the ISO. The IT Audit/Security Coordinator is the primary liaison between the ISO and the operations security efforts. Primary responsibilities include:
- Review of operations related security policies.
- Recommending and reviewing security strategy and policies through participation in the Information Security Council.
- Communication of security policies and requirements.
- Oversight of the security efforts of area managers, security engineers and other security related specialists as appropriate, insuring adherence to operations related security policies and procedures.
- Acting as the primary point of contact for auditors during a formal audit process.
- Preparation of formal responses and action plans pursuant to internal audits.
- Identification of individuals responsible for security engineering functions outsourced. These individuals may reside outside of the local Company environment as part of the larger vendor organization.
6.1.5. IT Audit/Security Coordinator In-house
This function reports to the CIO with a dotted line reporting relationship to the ISO. The IT Audit/Security Coordinator is the primary liaison between the ISO and the applications and database security efforts. Primary responsibilities include:
- Review of applications or database related security policies.
- Recommending and reviewing security strategy through participation in the Security Strategy Council.
- Oversight of the security efforts of local database administrators, application and database security engineers and other security related specialists as appropriate, insuring adherence to applications or database related security policies.
- Acting as the primary applications and database contact for auditors during a formal audit process.
- Preparation of formal responses and action plans pursuant to internal audits.
- Identification of individuals responsible for security engineering functions in the areas of applications or database administration. These individuals may reside outside of the local Company environment.
6.1.6. Other Security Related Roles Outside of the ISC
220.127.116.11. Security Advisor – Vendor
Participates as an advisory resource at the request of the ISO or IT Audit/Security Coordinator in order to leverage vendor’s experience in defining, creating and maintaining secure IT environments.
18.104.22.168. Area Managers
Area Managers will be responsible for completion of security related tasks in their area. Examples of such areas include LAN administration, midrange computers, Internet, application development or database administration. Area managers may report to the Vendor Project Manager or Company internal IT management as appropriate.
22.214.171.124. Security Engineers
Personnel in security engineering functions may have primary reporting relationships as appropriate within their outsourcing organization but maintain a dotted line relationship to the associated IT Audit/Security Coordinator. Security engineers are responsible for keeping current with security issues and fixes associated with core technologies and operating systems in their area of purview. Security engineering activities focus on maintaining contact with key vendors to become apprised of security issues as they are discovered and the timely proactive implementation of patches or fixes as they are made available
6.2. Ownership and Responsibility
(1) All computing components on the Company’s internal network must be connected by the IT Organization.
(2) The Application and Database Services team shall maintain a list of restricted applications and databases and their corresponding business owners. Authorization for access to restricted business applications and databases must be granted by the designated business owner. An electronic mail message from the business owner’s mail account granting authorization for appropriate access shall constitute such authorization.
(3) IP addresses assigned to Company devices must be assigned by an authorized representative of IT Operations.
(4) Only the IT Organization may move or (re-)install devices on the Company’s internal network. Such devices include dial out apparatus.
6.3. Physical Access Controls
6.3.1. Controlled Access Areas
The following policies apply to Company Computer Centers:
(1) Computer Centers must be located within the Company or vendor Internal Space.
(2) The Manager of Company IT Operations is the business owner of all Computer Centers at that manager’s location.
(3) Computer Centers must remain locked even when attended.
(4) Unescorted access is restricted to those persons authorized by the area business owner for valid and documented business purposes.
(5) Visitors to the area must have a valid business purpose and must be escorted by someone authorized for unescorted access. Anyone escorting a visitor to a Computer Center will be held accountable for their role as a security escort.
(6) Any access by someone not on the access list must be logged and include the identity of the visitor and escort as well as the time in, time out and reason for entry. Filled log sheets must be maintained for one year in a central repository controlled by IT Operations.
(7) Access shall be managed by an electronically controlled access system.
(8) In the event of a malfunction of the electronic access system, that system shall be disabled and access shall be managed by a physical key system until repairs may be made to the electronic system.
(9) Computer Centers may not contain any ground floor exterior windows.
The following policies apply to Company Data Closets:
(10) Data Closets must be located within Company or vendor Internal Space.
(11) Data Closets must have a clearly defined area owner.
(12) Such areas must be locked when not attended.
(13) Access may be managed by keyed access or an electronic card key.
(14) Unescorted access is restricted to those persons authorized by the area business owner for valid and documented business purposes.
(15) Visitors to the area must have a valid business purpose and must be escorted by someone authorized for unescorted access. Anyone escorting a visitor to a Data Closet will be held accountable for their role as a security escort.
6.3.2. Managing Controlled Access Areas
(1) IT Operations shall maintain an approved access list for each Computer Center.
(2) IT Operations shall maintain an approved access list for Data Closets (the same list may apply to all Data Closets).
(3) Access lists shall be maintained at all times and include the identity and business purpose of the person granted access rights.
(4) Malfunctioning doors or control systems shall be reported to the area owner immediately upon detection. The area owner is accountable for immediate notification of the malfunction to Company Security.
(5) Upon receipt of such a malfunction, Company Security shall be responsible for ensuring that repairs are completed in a timely manner and securing the area until a repair is completed.
(6) Management of keyed access to Data Closets shall include the following provisions:
(a) Each key must be numbered with a key type and an individual copy number and the words “Do Not Copy.”
(b) IT Operations shall maintain a current distribution list, accounting for each key, whether in circulation or in Operation’s inventory. IT Operations shall document recovery of these keys upon termination of an individual’s business need for access.
(c) Access/distribution lists shall be reviewed every six months for appropriate business need.
(d) IT Operations shall perform an annual key inventory and distribution list reconciliation.
(e) A 15% level of lost keys shall trigger a re-key effort for the Data Closets.
(7) For each Computer Center, IT Operations’ access lists shall be reviewed every three months for appropriate business need, lack of terminated employees and concurrence with the electronic card key system’s access list.
6.3.3. Computing Facilities
(1) Midrange application and/or database servers must reside in a Computer Center.
(2) File / print servers or messaging servers may reside in either a Computer Center or a Data Closet.
6.3.4. Network Infrastructure Components
(1) LANs shall be designed so as to limit the aggregation of data subject to unauthorized interception (e.g. sniffer attack).
(2) Network management systems must, at a minimum, be protected with the following when unattended:
(a) The case is locked and the key removed and secured.
(b) Implementation of a power on password.
(c) Implementation of a keyboard lock password (e.g. screen saver).
(3) All bridges, gateways, routers and switches shall be located within a Computer Center or Data Closet.
(4) Active ports are not allowed on network backbones unless the port is located in either a Computer Center or Data Closet.
(5) If a data port is located in Company Public Space (for example, reception areas), it must be supervised at all times while it is active.
(6) Modems must have the same physical access protection as the system device to which they are attached.
6.3.5. Storage Media
(1) Portable storage media prepared after 01-Jan-1999 must be labeled with the following statement: “Property of ABC Corporation – may contain proprietary information and must be protected from unauthorized use or access. Must not be removed from Company control without proper authorization.”
(2) The above label must also appear on locked containers used to transport such media.
(3) Backup media must, at all times, be stored in one of the following areas:
(a) A Computer Center
(b) A Data Closet
(c) A single office room that is locked when unattended
(d) Inside locked furniture within Company Internal Space
(e) An approved off-site media storage facility
(4) Transmittal records shall be maintained for all storage media transferred to and from off-site storage facilities.
(5) Mounting of storage media on systems located in Computer Centers or Data Closets must be administered by IT Operations.
6.3.6. Custodial Media Inventory Control
(1) A formal inventory shall be maintained by IT Operations for all storage media for which they are responsible. A physical inventory reconciliation shall be performed on an annual basis. The results of the inventory reconciliation shall be reported by the responsible manager to the Vendor Project Manager or the facility’s IT Director as appropriate and also to the Company ISO.
(2) The inventory reconciliation must be conducted by at least one person not directly involved in the media operation.
6.3.7. Residual Information
All residual Company information and applications shall be removed from storage media or computer hardware prior to disposal or non Company use. Acceptable methods are physical destruction or magnetic erasure.
6.4. Logical Access Controls
6.4.1. Restricted Databases and Applications
(1) Databases or applications at the Company are designated as Restricted if all of the following criteria hold true:
(a) Inappropriate authorization of access could result in legal violations, significant exposure to confidential information, risk of corruption of critical business data or inappropriate access to personal information.
(b) The system or database resides on a server controlled by IT Operations or Application and Database Development Services.
(2) The Company shall maintain a list of restricted databases and applications along with a defined business owner for each listing. The business owner shall be defined as the Company contact whose approval is necessary in order to authorize an individual to have any access to the restricted database or application. IT Operations shall have real time access to this information.
6.4.2. Computer Accounts
(1) No IT accounts or services of any kind may be provided for persons unless:
That person has a valid entry in the Company Human Resources Information System with an “Active” work status
(a) That person is identified on a list, authorized by the Information Security Officer, of individuals whose IT services are provided by the Company as part of a commercial contract
(b) The account is a properly authorized Temp Account (as defined below) administered by a regular full time employee with an “Active” work status in the human resources system (the Temp Account Administrator) (See (3) below for special requirements for Temp Accounts)
(c) The account is a properly authorized Application Account (as defined below). (See (11) below for special requirements for Application Accounts)
(2) Each user ID shall be identifiable to an individual except when the technical limitations of the operating system require the sharing of an administrative ID. The administrative process defined for a Temp Account will serve to identify at most one individual with a Temp Account in any given time period.
(3) Temp Accounts may be created for the purpose of providing predetermined file and / or application access on short notice for the use of a Temporary Employee. The following rules apply to all Temp Accounts:
(a) The Temp Account request must be authorized by a regular full time Company employee with an “Active” status in the human resources system and a title of “Director” or above with authority over the business area to be given the Temp Account (the Temp Account Authorizer). A forwarded request from such an authorizer’s e-mail account constitutes authorization.
(b) The request for a Temp Account must include the following information:
- The name of the Temp Account Administrator (see above).
- A listing of specific read or read/write access to be granted to shared file systems if applicable.
- A listing of specific application or database permission(s) required for the Temp Account, including an e-mail account if applicable.
(4) The Temp Account Administrator is responsible for maintaining a log of the assignment and revocation of the account to and from a Temporary Employee. Each cycle of use of a Temp Account by a Temporary Employee must have the following information logged:
(a) Temp Account name
(b) Temporary Employee’s Name (due at start of account assignment)
(c) Assignment start date (due at start of account assignment)
(d) Assignment End date (due at end of account assignment)
(5) A Temp Account may be assigned to at most, one person at a time.
(6) A Temp Account Administrator may be responsible for multiple accounts.
(7) Between cycles of use, the Temp Account Administrator must change passwords for all Temp Account access according to the password syntax rules (see below).
(8) Failure to properly maintain a Temp Account log or to properly change passwords between cycles of use may result on the revocation of the account.
(9) Each Temp Account name must be unique.
(10) IT Operations shall maintain a log record of each active Temp Account with the following information:
(a) Account name
(b) Temp Account Administrator’s name and department
(c) A description of the file system and application access profile for the account.
(11) Application Accounts may be created in order to provide limited access used for training purposes or- to provide an internal Company application the ability to communicate with the computing infrastructure as required for appropriate work flow. The following rules apply to all Application Accounts:
(a) The Application Account request must be authorized by either an IT Director, the CIO or the Information Security Officer. A request from such an authorizer’s e-mail account constitutes authorization.
(b) Each Application account name must be unique and begin with the string, appl_ so that it may easily be listed for audit purposes.
(c) An application account may only provide the minimum system access necessary for appropriate work flow as determined by an authorized party in (11a) above.
(12) A listing of specific application or database permission(s) required for the Temp Account
(13) The following default accesses may be made available to any Company employee upon verification of employment.
(a) An e-mail account
(b) A scheduling system account
(c) An individual network drive with unique read/write access
(d) Read/write access to the shared network drive for their department
(e) Accounts on midrange systems unless the entire system is restricted
(14) Granting dial-in access to the Company network requires the approval of the requester’s manager.
(15) User accounts and Restricted application or database privileges shall be revoked within one business day of receipt of notification by Human Resources or management. Automated reporting of termination via the Company Human Resources Information System may constitute such notification.
(16) User accounts shall be reviewed by IT Operations on a semi-annual basis to ensure that the user’s employment status is “Active” and that accounts for employees with a status other than “Active” are inactivated.
(1) In cases where default passwords are shipped with operating systems and application products for use during system and product installation and setup, default passwords shall be changed immediately on their initial use.
(2) The following password syntax rules must be followed and apply to all system Logon passwords. Operating systems must be set to enforce these rules to the extent that they are capable:
(a) Be at least six positions in length when supported by the technology.
(b) Contain at least one alphabetic and one non-alphabetic character.
(c) Contain no more than three identical consecutive characters in any position from the previous password.
(d) Contain no more than two identical consecutive characters.
(e) Not contain the user ID as part of the password.
(f) Be changed at least once every 186 days. Passwords which have not changed in 186 days, but which are in expired state, are not in violation of the password change interval requirement.
(g) Not be reused until after at least four iterations.
(3) One of the following log on processes must be enforced if technically feasible for a system.
(a) After the fifth consecutive invalid authentication attempt, the user ID is placed in a locked status requiring Help Desk intervention to unlock.
(b) A log on inductor is invoked to exponentially increase the lag time between log on prompts.
(c) If the workstation is a laptop system (portable), after the third consecutive invalid authentication attempt, the system may allow continued cycles of three attempts after a 10 minute time out for each cycle.
(4) Passwords may be reset by IT Help Desk personnel. Verification of identity shall be accomplished by requiring the end user to provide the last four digits of their social security number.
6.4.4. User Resources
On creation of user accounts or resources, the default access shall be limited to the owner only.
6.4.5. User Resource Reporting
(1) Every six months, IT Operations shall provide to the Business Owners of Restricted applications and databases a list of people who have access. The Business Owner is responsible to communicate any necessary modifications to the approved access list to IT Operations.
(2) IT Operations shall maintain a copy of each report in an appropriate log file for three years.
6.4.6. Operating System Resources
(1) Operating system resources shall be protected such that they may not be updated by any general user unless specifically listed as an exception by IT Operations. Such exceptions shall include a valid business purpose.
(2) For those systems where logging is technically possible, logs shall be kept for a period of sixty days of all successful and unsuccessful update access attempts to operating system resources that are not listed as exceptions.
(3) All operating system resources may be read by general users, except where this would assist the user to bypass security controls. Such exceptions shall be listed and protected accordingly.
(4) For those systems where logging is technically possible, logs shall be kept for a period of sixty days of all successful and unsuccessful read attempts to operating system resources that are listed as exceptions above.
(5) All operating system resources may be executed by general users, except where this would assist the user to bypass security controls. Such exceptions shall be listed and protected accordingly.
(6) For those systems where logging is technically possible, logs shall be kept for a period of sixty days of all successful and unsuccessful execution attempts to operating system resources that are listed as exceptions above.
6.4.7. Harmful Code
(1) Appropriate anti-virus programs shall be used on all systems where such programs are available. This includes Company employee workstations as part of the workstation deployment.
(2) Anti-virus programs shall be configured to scan for viral signatures as follows:
(a) On systems capable of detecting infectious agents on access, scanning is to be conducted at least weekly.
(b) On systems incapable of detecting infectious agents on access, scanning is to be conducted daily.
(3) Anti-virus program package updates shall be installed within three months of availability.
(4) Anti-virus program signature updates shall be installed within three months of availability.
(5) IT Operations shall report all occurrences of viruses detected, on servers that they support, to the Director of Operations within one business day.
(6) Company employees will notify the IT Help Desk whenever a virus is detected on their systems. IT Operations shall take appropriate action.
6.4.8. System Administrator Authority
(1) System administrative privileges shall be limited to those support personnel requiring them for business purposes. Such authority shall be revoked upon determination by IT Operations management that such access is no longer required.
(2) IT Operations shall be responsible for maintaining a current roster of individuals with administrative access to each supported system or set of systems.
6.4.9. Resource Access Logs
(1) IT Operations shall be responsible for maintaining the following logs (where supported by the operating system) for at least 60 days for each server that they support:
(a) System Access Logs: Note both successful and unsuccessful log on attempts.
(b) Operating System Access Logs: Note invalid attempts to access operating system resources.
(c) Activity Logs: Note activities performed by system administrators.
6.4.10 Reporting Access Violations
(1) IT Operations shall maintain a process for providing reports of invalid log on attempts upon request.
(2) IT Operations shall maintain a process for detecting and reacting to systematic attacks on the server systems that they support.
6.4.11. Security Status Checking
(1) IT Operations shall be responsible for performing a Security Health Check process on all servers and hosts that they support. This process shall occur quarterly for hosts with restricted applications or databases and semi-annually for all other supported server systems. Dial up access systems shall be checked quarterly.
A security Health Check shall include all of the following:
(a) All mandatory access control system options are set in accordance with requirements
(b) Only approved users hold security administrative authority
(c) All operating system resource controls are set in accordance with defined requirements
(d) Only approved users are included in the access lists of operating system resources beyond that allowed to general users
(e) The required harmful code detection programs are installed and operational
(f) The required access and activity logs data do exist and are retained for 60 days
6.4.12. Reporting Security Incidents
(1) IT Operations shall maintain a process for reporting and managing security incidents. Such process shall minimally include:
(a) Immediate notification of appropriate security incident specialists
(b) Implementation of appropriate corrective action
(c) Notification of the Company ISO within one business day of the detection
(d) Provision to the Company ISO of a formal report describing the incident, actions taken and recommended preventive measures. This report shall be provided within five business days of the detection.
(1) Suspected violations of this policy should be reported to the Chief Information Officer or the Business Ethics Committee.
(2) Individuals who violate this policy will be subject to discipline, up to and including termination of employment.
8.0 Other Relevant Policies
(1) Policy on the Use of Electronic Technologies
(2) Company Code of Conduct
(3) Records Retention Policy
(4) Broadcast Message Procedures
(5) Intranet Guidelines