Tutorial 1: Information Security Policy (ISP)

Introduction

JJ Limited is a small to medium sized enterprise that offers a range of software development and networking solutions. The company wish to develop an Information Security Policy (ISP) to safeguard both the company and its employees from computer and Internet misuse.

Background

JJ Limited management have become increasingly aware that they face considerable risk from external and internal threats. They presently have only the generic acceptable use policy and mainly rely on their employees doing the right thing. This has become unacceptable and Gold Star need an ISP that serves to define exactly what employees can and cannot do (and the other issues that an ISP should define).

Technical Details

JJ Limited have a mail server, web server and application server, serving a number of applications and software development platforms. They currently carry out all network management manually and have no automated configuration control facility, relying heavily on the developers and consultants to manage change within their working environment. There are the 3 servers mentioned, a router, a firewall and 60 host devices (including printers, network printers etc.). Their infrastructure provides security through a firewall and the following traffic has been observed during the security audit: HTTP, FTP, TFTP, SMTP, DNS. They use DHCP to assign all IP addresses on the LAN and for Internet access use dynamic NAT for all hosts on the network (with the exception of those that will not require Internet access). The servers, printers and non-pc hardware have static addresses that have been excluded from the dynamic DHCP pool and are currently using allocated static addresses. Gold Star found that they are continually upgrading and replacing equipment, either due to performance or reliability issues. They currently hire a skip and dump the obsolete equipment, or ask a local PC salvage firm to take the decommissioned hardware offsite. As this is an IT Security Policy that will go out to all staff, the company have decided not to include technical details of the IP addresses and configuration details from the security audit.

Requirements

You have been commissioned to write an Information Security Policy (ISP) for their organisation.

I. Write the ISP for the JJ limited. The ISP should include sections to cover at least the following areas:

1. Scope What is the coverage of this document?

2. Objectives What the policy is trying to do?

3. Application of the Policy Who enforces the policy? What happens if there is a breach?

2 Acceptable Use Policy Propose the acceptable use policy, including at least the following points.

What are the general rules and guidelines for each policy? Provide at least 5 points for each policy (given questions are provided for guidance only).

a. Passwords policy What are the policy rules for passwords? How to identify strong/weak password?

b. Privileges policy Who is granting the privileges? How users can elevate their own privileges?

c. Computer Software policy Who can install new software? What kind of software needs to be installed?

d. Computer Hardware policy When an employee can replace any hardware?

e. Internet Use policy What use of Internet is forbidden? Is use of the Internet monitored?

f. Email Use policy Is company email account monitored?

g. Network Use policy What activities are not allowed on the local network?