Information Technology Security Policy
Effective Date: _______________________________
Version Number: _____________________________
Table of Contents
6.1. The Security Organization
6.2. Ownership and Responsibility
6.3. Physical Access Controls
6.4. Logical Access Controls
8.0 Other Relevant Policies
We commit to the highest legal and ethical principles in the conduct of all aspects of our business.
The company and each individual who is a part of it will adhere to the highest standards of moral
and ethical business conduct and will keep promises, treat each other and any others with whom
they come into contact with honesty, civility, and respect. We want to be worthy of the highest trust
of those with whom we interact. -- Company Mission & Values
Information technologies (IT) are vital to Company operations. They are tools that improve the
quality and efficiency of our work. They are the repositories for critical and sometimes highly
proprietary corporate information. The improper access to or the destruction of these resources will
have serious consequences for the Company. It is the purpose of this policy to:
Ensure the corporate IT resources are appropriately protected from destruction, alteration
or unauthorized access.
Ensure that these protections are accomplished in a manner consistent with the business
and work flow requirements of the company.
Information technologies include:
Computer hardware and peripherals
Electronic data stored on standalone devices, networks, diskettes, databases, etc.
Network infrastructure devices
The Company Intranet and access to and data transmissions across the Internet and World
Information technologies are tools intended for business operations.
The Company Information Services (CIS) department shall identify and maintain an
organizational structure appropriate to the maintenance of Company IT security.
The IT Organization has primary responsibility and authority for all components of the IT
infrastructure. All devices, applications, databases and other components must comply with
the Company's IT policies.
The Company will cooperate with law enforcement agencies in their efforts to investigate
any violation of federal and state laws, regarding information security. If the Company
suspects the violation of any law, the Company may ask a law enforcement agency to
investigate the matter.
Employees reasonably believed by the Company to have willfully compromised its
information security will be subject to termination.
Any employee who interferes with or refuses to cooperate in the investigation of violation of
this policy will be subject to discipline, up to and including termination of employment.
Business units or departments may establish additional procedures that are relevant to
their operations. These procedures may provide additional detail, be more specific, and/or
be more restrictive, provided they do not conflict with this policy.
This policy covers all Company employees, consultants, agents, and others (collectively, employees)
working on any premises of the Company.
Every Company employee is responsible for complying with this policy.
Managers are responsible for ensuring that their staff complies with this policy.
Managers may include the compromise of Company information security as part of a
The Chief Information Officer (CIO) has corporate responsibility for the implementation of
Any employee who becomes aware of any violation or suspected violation of this policy
must inform the CIO, the Information Security Officer (ISO) or Company Security.
6.1. The Security Organization
The proper balance between the leveraging of outsourcing partners and maintaining oversight is
based upon an organizational structure which appropriately parses roles and responsibilities among
the various outsourced and corporate components of the IT security organization. The following
structure is defined for the Company Corporate Security Organization:
6.1.1. Information Security Council (ISC)
The Information Security Council is charged with the definition of IT security strategy and scope.
The ISC shall be comprised of the:
Information Security Officer
Director of Operations
IT Audit/Security Coordinators
Other participants may, from time to time, include:
Outsourcing Vendor Project Manager
6.1.2. Information Security Officer (ISO)
This corporate function reports to the CIO. The ISO has primary responsibility for the oversight of
the state of information security at the Company. Primary responsibilities include:
Leadership of the Security Strategy Council.
Drafting and approval of security policies and procedures.
Periodic reporting on the state of information security to the CIO.
Oversight and audit of security efforts accomplished through the IT Audit/Security
6.1.3. Director of Outsourcing Management, Operations
This Company function has primary oversight of outsourced IT operations support and projects.
Participation on the Security Strategy Council is targeted at assurance that security is a component
of all major operations projects and technical strategies.
6.1.4. IT Audit/Security Coordinator -- Outsourced
This outsourced function reports to the Vendor Project Manager with a dotted line reporting
relationship to the ISO. The IT Audit/Security Coordinator is the primary liaison between the ISO
and the operations security efforts. Primary responsibilities include:
Review of operations related security policies.
Recommending and reviewing security strategy and policies through participation in the
Information Security Council.
Communication of security policies and requirements.
Oversight of the security efforts of area managers, security engineers and other security
related specialists as appropriate, insuring adherence to operations related security policies
Acting as the primary point of contact for auditors during a formal audit process.
Preparation of formal responses and action plans pursuant to internal audits.
Identification of individuals responsible for security engineering functions outsourced. These
individuals may reside outside of the local Company environment as part of the larger
6.1.5. IT Audit/Security Coordinator In-house
This function reports to the CIO with a dotted line reporting relationship to the ISO. The IT
Audit/Security Coordinator is the primary liaison between the ISO and the applications and database
security efforts. Primary responsibilities include:
Review of applications or database related security policies.
Recommending and reviewing security strategy through participation in the Security
Oversight of the security efforts of local database administrators, application and database
security engineers and other security related specialists as appropriate, insuring adherence
to applications or database related security policies.
Acting as the primary applications and database contact for auditors during a formal audit
Preparation of formal responses and action plans pursuant to internal audits.
Identification of individuals responsible for security engineering functions in the areas of
applications or database administration. These individuals may reside outside of the local
6.1.6. Other Security Related Roles Outside of the ISC
188.8.131.52. Security Advisor - Vendor
Participates as an advisory resource at the request of the ISO or IT Audit/Security Coordinator in
order to leverage vendor's experience in defining, creating and maintaining secure IT environments.
184.108.40.206. Area Managers
Area Managers will be responsible for completion of security related tasks in their area. Examples of
such areas include LAN administration, midrange computers, Internet, application development or
database administration. Area managers may report to the Vendor Project Manager or Company
internal IT management as appropriate.
220.127.116.11. Security Engineers
Personnel in security engineering functions may have primary reporting relationships as appropriate
within their outsourcing organization but maintain a dotted line relationship to the associated IT
Audit/Security Coordinator. Security engineers are responsible for keeping current with security
issues and fixes associated with core technologies and operating systems in their area of purview.
Security engineering activities focus on maintaining contact with key vendors to become apprised of
security issues as they are discovered and the timely proactive implementation of patches or fixes
as they are made available
6.2. Ownership and Responsibility
(1) All computing components on the Company's internal network must be connected by the IT
(2) The Application and Database Services team shall maintain a list of restricted applications and
databases and their corresponding business owners. Authorization for access to restricted business
applications and databases must be granted by the designated business owner. An electronic mail
message from the business owner's mail account granting authorization for appropriate access shall
constitute such authorization.
(3) IP addresses assigned to Company devices must be assigned by an authorized representative of
(4) Only the IT Organization may move or (re-)install devices on the Company's internal network.
Such devices include dial out apparatus.
6.3. Physical Access Controls
6.3.1. Controlled Access Areas
The following policies apply to Company Computer Centers:
(1) Computer Centers must be located within the Company or vendor Internal Space.
(2) The Manager of Company IT Operations is the business owner of all Computer Centers at that
(3) Computer Centers must remain locked even when attended.
(4) Unescorted access is restricted to those persons authorized by the area business owner for valid
and documented business purposes.
(5) Visitors to the area must have a valid business purpose and must be escorted by someone
authorized for unescorted access. Anyone escorting a visitor to a Computer Center will be held
accountable for their role as a security escort.
(6) Any access by someone not on the access list must be logged and include the identity of the
visitor and escort as well as the time in, time out and reason for entry. Filled log sheets must be
maintained for one year in a central repository controlled by IT Operations.
(7) Access shall be managed by an electronically controlled access system.
(8) In the event of a malfunction of the electronic access system, that system shall be disabled and
access shall be managed by a physical key system until repairs may be made to the electronic
(9) Computer Centers may not contain any ground floor exterior windows.
The following policies apply to Company Data Closets:
(10) Data Closets must be located within Company or vendor Internal Space.
(11) Data Closets must have a clearly defined area owner.
(12) Such areas must be locked when not attended.
(13) Access may be managed by keyed access or an electronic card key.
(14) Unescorted access is restricted to those persons authorized by the area business owner for
valid and documented business purposes.
(15) Visitors to the area must have a valid business purpose and must be escorted by someone
authorized for unescorted access. Anyone escorting a visitor to a Data Closet will be held
accountable for their role as a security escort.
6.3.2. Managing Controlled Access Areas
(1) IT Operations shall maintain an approved access list for each Computer Center.
(2) IT Operations shall maintain an approved access list for Data Closets (the same list may apply
to all Data Closets).
(3) Access lists shall be maintained at all times and include the identity and business purpose of the
person granted access rights.
(4) Malfunctioning doors or control systems shall be reported to the area owner immediately upon
detection. The area owner is accountable for immediate notification of the malfunction to Company
(5) Upon receipt of such a malfunction, Company Security shall be responsible for ensuring that
repairs are completed in a timely manner and securing the area until a repair is completed.
(6) Management of keyed access to Data Closets shall include the following provisions:
(a) Each key must be numbered with a key type and an individual copy number and the words "Do
(b) IT Operations shall maintain a current distribution list, accounting for each key, whether in
circulation or in Operation's inventory. IT Operations shall document recovery of these keys upon
termination of an individual's business need for access.
(c) Access/distribution lists shall be reviewed every six months for appropriate business need.
(d) IT Operations shall perform an annual key inventory and distribution list reconciliation.
(e) A 15% level of lost keys shall trigger a re-key effort for the Data Closets.
(7) For each Computer Center, IT Operations' access lists shall be reviewed every three months for
appropriate business need, lack of terminated employees and concurrence with the electronic card
key system's access list.
6.3.3. Computing Facilities
(1) Midrange application and/or database servers must reside in a Computer Center.
(2) File / print servers or messaging servers may reside in either a Computer Center or a Data
6.3.4. Network Infrastructure Components
(1) LANs shall be designed so as to limit the aggregation of data subject to unauthorized
interception (e.g. sniffer attack).
(2) Network management systems must, at a minimum, be protected with the following when
(a) The case is locked and the key removed and secured.
(b) Implementation of a power on password.
(c) Implementation of a keyboard lock password (e.g. screen saver).
(3) All bridges, gateways, routers and switches shall be located within a Computer Center or Data
(4) Active ports are not allowed on network backbones unless the port is located in either a
Computer Center or Data Closet.
(5) If a data port is located in Company Public Space (for example, reception areas), it must be
supervised at all times while it is active.
(6) Modems must have the same physical access protection as the system device to which they are
6.3.5. Storage Media
(1) Portable storage media prepared after 01-Jan-1999 must be labeled with the following
statement: "Property of ABC Corporation - may contain proprietary information and must be
protected from unauthorized use or access. Must not be removed from Company control without
(2) The above label must also appear on locked containers used to transport such media.
(3) Backup media must, at all times, be stored in one of the following areas:
(a) A Computer Center
(b) A Data Closet
(c) A single office room that is locked when unattended
(d) Inside locked furniture within Company Internal Space
(e) An approved off-site media storage facility
(4) Transmittal records shall be maintained for all storage media transferred to and from off-site
(5) Mounting of storage media on systems located in Computer Centers or Data Closets must be
administered by IT Operations.
6.3.6. Custodial Media Inventory Control
(1) A formal inventory shall be maintained by IT Operations for all storage media for which they are
responsible. A physical inventory reconciliation shall be performed on an annual basis. The results of
the inventory reconciliation shall be reported by the responsible manager to the Vendor Project
Manager or the facility's IT Director as appropriate and also to the Company ISO.
(2) The inventory reconciliation must be conducted by at least one person not directly involved in
the media operation.
6.3.7. Residual Information
All residual Company information and applications shall be removed from storage media or
computer hardware prior to disposal or non Company use. Acceptable methods are physical
destruction or magnetic erasure.
6.4. Logical Access Controls
6.4.1. Restricted Databases and Applications
(1) Databases or applications at the Company are designated as Restricted if all of the following
criteria hold true:
(a) Inappropriate authorization of access could result in legal violations, significant exposure to
confidential information, risk of corruption of critical business data or inappropriate access to
(b) The system or database resides on a server controlled by IT Operations or Application and
Database Development Services.
(2) The Company shall maintain a list of restricted databases and applications along with a defined
business owner for each listing. The business owner shall be defined as the Company contact whose
approval is necessary in order to authorize an individual to have any access to the restricted
database or application. IT Operations shall have real time access to this information.
6.4.2. Computer Accounts
(1) No IT accounts or services of any kind may be provided for persons unless:
That person has a valid entry in the Company Human Resources Information System with an
"Active" work status
(a) That person is identified on a list, authorized by the Information Security Officer, of individuals
whose IT services are provided by the Company as part of a commercial contract
(b) The account is a properly authorized Temp Account (as defined below) administered by a regular
full time employee with an "Active" work status in the human resources system (the Temp Account
Administrator) (See (3) below for special requirements for Temp Accounts)
(c) The account is a properly authorized Application Account (as defined below). (See (11) below for
special requirements for Application Accounts)
(2) Each user ID shall be identifiable to an individual except when the technical limitations of the
operating system require the sharing of an administrative ID. The administrative process defined for
a Temp Account will serve to identify at most one individual with a Temp Account in any given time
(3) Temp Accounts may be created for the purpose of providing predetermined file and / or
application access on short notice for the use of a Temporary Employee. The following rules apply to
all Temp Accounts:
(a) The Temp Account request must be authorized by a regular full time Company employee with an
"Active" status in the human resources system and a title of "Director" or above with authority over
the business area to be given the Temp Account (the Temp Account Authorizer). A forwarded
request from such an authorizer's e-mail account constitutes authorization.
(b) The request for a Temp Account must include the following information:
The name of the Temp Account Administrator (see above).
A listing of specific read or read/write access to be granted to shared file systems if
A listing of specific application or database permission(s) required for the Temp Account,
including an e-mail account if applicable.
(4) The Temp Account Administrator is responsible for maintaining a log of the assignment and
revocation of the account to and from a Temporary Employee. Each cycle of use of a Temp Account
by a Temporary Employee must have the following information logged:
(a) Temp Account name
(b) Temporary Employee's Name (due at start of account assignment)
(c) Assignment start date (due at start of account assignment)
(d) Assignment End date (due at end of account assignment)
(5) A Temp Account may be assigned to at most, one person at a time.
(6) A Temp Account Administrator may be responsible for multiple accounts.
(7) Between cycles of use, the Temp Account Administrator must change passwords for all Temp
Account access according to the password syntax rules (see below).
(8) Failure to properly maintain a Temp Account log or to properly change passwords between
cycles of use may result on the revocation of the account.
(9) Each Temp Account name must be unique.
(10) IT Operations shall maintain a log record of each active Temp Account with the following
(a) Account name
(b) Temp Account Administrator's name and department
(c) A description of the file system and application access profile for the account.
(11) Application Accounts may be created in order to provide limited access used for training
purposes or- to provide an internal Company application the ability to communicate with the
computing infrastructure as required for appropriate work flow. The following rules apply to all
(a) The Application Account request must be authorized by either an IT Director, the CIO or the
Information Security Officer. A request from such an authorizer's e-mail account constitutes
(b) Each Application account name must be unique and begin with the string, appl_ so that it may
easily be listed for audit purposes.
(c) An application account may only provide the minimum system access necessary for appropriate
work flow as determined by an authorized party in (11a) above.
(12) A listing of specific application or database permission(s) required for the Temp Account
(13) The following default accesses may be made available to any Company employee upon
verification of employment.
(a) An e-mail account
(b) A scheduling system account
(c) An individual network drive with unique read/write access
(d) Read/write access to the shared network drive for their department
(e) Accounts on midrange systems unless the entire system is restricted
(14) Granting dial-in access to the Company network requires the approval of the requester's
(15) User accounts and Restricted application or database privileges shall be revoked within one
business day of receipt of notification by Human Resources or management. Automated reporting of
termination via the Company Human Resources Information System may constitute such
(16) User accounts shall be reviewed by IT Operations on a semi-annual basis to ensure that the
user's employment status is "Active" and that accounts for employees with a status other than
"Active" are inactivated.
(1) In cases where default passwords are shipped with operating systems and application products
for use during system and product installation and setup, default passwords shall be changed
immediately on their initial use.
(2) The following password syntax rules must be followed and apply to all system Logon passwords.
Operating systems must be set to enforce these rules to the extent that they are capable:
(a) Be at least six positions in length when supported by the technology.
(b) Contain at least one alphabetic and one non-alphabetic character.
(c) Contain no more than three identical consecutive characters in any position from the previous
(d) Contain no more than two identical consecutive characters.
(e) Not contain the user ID as part of the password.
(f) Be changed at least once every 186 days. Passwords which have not changed in 186 days, but
which are in expired state, are not in violation of the password change interval requirement.
(g) Not be reused until after at least four iterations.
(3) One of the following log on processes must be enforced if technically feasible for a system.
(a) After the fifth consecutive invalid authentication attempt, the user ID is placed in a locked status
requiring Help Desk intervention to unlock.
(b) A log on inductor is invoked to exponentially increase the lag time between log on prompts.
(c) If the workstation is a laptop system (portable), after the third consecutive invalid
authentication attempt, the system may allow continued cycles of three attempts after a 10 minute
time out for each cycle.
(4) Passwords may be reset by IT Help Desk personnel. Verification of identity shall be
accomplished by requiring the end user to provide the last four digits of their social security
6.4.4. User Resources
On creation of user accounts or resources, the default access shall be limited to the owner only.
6.4.5. User Resource Reporting
(1) Every six months, IT Operations shall provide to the Business Owners of Restricted applications
and databases a list of people who have access. The Business Owner is responsible to communicate
any necessary modifications to the approved access list to IT Operations.
(2) IT Operations shall maintain a copy of each report in an appropriate log file for three years.
6.4.6. Operating System Resources
(1) Operating system resources shall be protected such that they may not be updated by any
general user unless specifically listed as an exception by IT Operations. Such exceptions shall
include a valid business purpose.
(2) For those systems where logging is technically possible, logs shall be kept for a period of sixty
days of all successful and unsuccessful update access attempts to operating system resources that
are not listed as exceptions.
(3) All operating system resources may be read by general users, except where this would assist
the user to bypass security controls. Such exceptions shall be listed and protected accordingly.
(4) For those systems where logging is technically possible, logs shall be kept for a period of sixty
days of all successful and unsuccessful read attempts to operating system resources that are listed
as exceptions above.
(5) All operating system resources may be executed by general users, except where this would
assist the user to bypass security controls. Such exceptions shall be listed and protected
(6) For those systems where logging is technically possible, logs shall be kept for a period of sixty
days of all successful and unsuccessful execution attempts to operating system resources that are
listed as exceptions above.
6.4.7. Harmful Code
(1) Appropriate anti-virus programs shall be used on all systems where such programs are
available. This includes Company employee workstations as part of the workstation deployment.
(2) Anti-virus programs shall be configured to scan for viral signatures as follows:
(a) On systems capable of detecting infectious agents on access, scanning is to be conducted at
(b) On systems incapable of detecting infectious agents on access, scanning is to be conducted
(3) Anti-virus program package updates shall be installed within three months of availability.
(4) Anti-virus program signature updates shall be installed within three months of availability.
(5) IT Operations shall report all occurrences of viruses detected, on servers that they support, to
the Director of Operations within one business day.
(6) Company employees will notify the IT Help Desk whenever a virus is detected on their systems.
IT Operations shall take appropriate action.
6.4.8. System Administrator Authority
(1) System administrative privileges shall be limited to those support personnel requiring them for
business purposes. Such authority shall be revoked upon determination by IT Operations
management that such access is no longer required.
(2) IT Operations shall be responsible for maintaining a current roster of individuals with
administrative access to each supported system or set of systems.
6.4.9. Resource Access Logs
(1) IT Operations shall be responsible for maintaining the following logs (where supported by the
operating system) for at least 60 days for each server that they support:
(a) System Access Logs: Note both successful and unsuccessful log on attempts.
(b) Operating System Access Logs: Note invalid attempts to access operating system resources.
(c) Activity Logs: Note activities performed by system administrators.
6.4.10 Reporting Access Violations
(1) IT Operations shall maintain a process for providing reports of invalid log on attempts upon
(2) IT Operations shall maintain a process for detecting and reacting to systematic attacks on the
server systems that they support.
6.4.11. Security Status Checking
(1) IT Operations shall be responsible for performing a Security Health Check process on all servers
and hosts that they support. This process shall occur quarterly for hosts with restricted applications
or databases and semi-annually for all other supported server systems. Dial up access systems shall
be checked quarterly.
A security Health Check shall include all of the following:
(a) All mandatory access control system options are set in accordance with requirements
(b) Only approved users hold security administrative authority
(c) All operating system resource controls are set in accordance with defined requirements
(d) Only approved users are included in the access lists of operating system resources beyond that
allowed to general users
(e) The required harmful code detection programs are installed and operational
(f) The required access and activity logs data do exist and are retained for 60 days
6.4.12. Reporting Security Incidents
(1) IT Operations shall maintain a process for reporting and managing security incidents. Such
process shall minimally include:
(a) Immediate notification of appropriate security incident specialists
(b) Implementation of appropriate corrective action
(c) Notification of the Company ISO within one business day of the detection
(d) Provision to the Company ISO of a formal report describing the incident, actions taken and
recommended preventive measures. This report shall be provided within five business days of the
(1) Suspected violations of this policy should be reported to the Chief Information Officer or the
Business Ethics Committee.
(2) Individuals who violate this policy will be subject to discipline, up to and including termination
8.0 Other Relevant Policies
(1) Policy on the Use of Electronic Technologies
(2) Company Code of Conduct
(3) Records Retention Policy
(4) Broadcast Message Procedures
(5) Intranet Guidelines