Introduction

Star Gold is a small to medium sized enterprise that offers a range of software development and networking solutions. The company wish to develop an Information Security Policy (ISP) to safeguard both the company and its employees from computer and Internet misuse.

Background

The Star Gold management have become increasingly aware that they face considerable risk from external and internal threats. They presently have only the generic acceptable use policy and mainly rely on their employees doing the right thing. This has become unacceptable and Gold Star need an ISP that serves to define exactly what employees can and cannot do (and the other issues that an ISP should define).

Technical Details

Star Gold have a mail server, web server and application server, serving a number of applications and software development platforms. They currently carry out all network management manually and have no automated configuration control facility, relying heavily on the developers and consultants to manage change within their working environment. There are the 3 servers mentioned, a router, a firewall and 60 host devices (including printers, network printers etc.).

Their infrastructure provides security through a firewall and the following traffic has been observed during the security audit: HTTP, FTP, TFTP, SMTP, DNS. They use DHCP to assign all IP addresses on the LAN and for Internet access use dynamic NAT for all hosts on the network (with the exception of those that will not require Internet access). The servers, printers and non-pc hardware have static addresses that have been excluded from the dynamic DHCP pool and are currently using allocated static addresses.

Gold Star found that they are continually upgrading and replacing equipment, either due to performance or reliability issues. They currently hire a skip and dump the obsolete equipment, or ask a local PC salvage firm to take the decommissioned hardware offsite.

As this is an IT Security Policy that will go out to all staff, the company have decided not to include technical details of the IP addresses and configuration details from the security audit.

Requirements

You have been commissioned to write an Information Security Policy (ISP) for their organisation.

Acceptable Use Policy Propose the acceptable use policy, including at least the following points. What are the general rules and guidelines for each policy? Provide at least 5 points for each policy (given questions are provided for guidance only).

1. Passwords policy (given questions are provided for guidance only).What are the policy rules for passwords? How to identify strong/weak password?
2. Privileges policy (given questions are provided for guidance only).Who is granting the privileges? How users can elevate their own privileges?
3. Computer Software policy (given questions are provided for guidance only).Who can install new software? What kind of software needs to be installed?