This policy’s 19 rules inform the world, among other things, that “only authorized users are allowed on the company network.” For end users, it includes the always stylish “never share your network user name and password with anyone.” For the internal IT department, there’s a rule addressing the use of service accounts for local log-ins by individuals.
A policy with this broad a scope requires input from pretty much every team within the IT department—telecommunications, network operations, development, and security.
Read on for excerpts from the actual policy:
This policy applies to all _COMPANY networks, both the perimeter and the infrastructure, and the parties with which we do business.
The following rules define _COMPANY’s policy regarding access to the corporate network:
- Only authorized people can gain access to _COMPANY networks. Positive identification is required for system usage. All users must have their identities positively identified with user-IDs and secure passwords, or by other means which provide equal or greater security, prior to being permitted to use _COMPANY computers.
- User-IDs must each uniquely identify a single user. Each computer user-ID must uniquely identify only one user, so as to preserve individual accountability in system logs. Shared or group user-IDs are not permitted.
- Use of service accounts for local log-ins by any individual is prohibited. This rule is designed to prevent unauthorized changes to production data by accounts that allow groups of users to employ the same password. In cases where users require authorities inherent in service accounts, the user’s manager must obtain approval from the IT Department. Those privileges may be assigned to individual users on an as-needed basis and must be revoked when they are no longer necessary.
- Access controls required for remote systems connecting to production systems. All computers which have remote real-time dialogs with _COMPANY production systems must run an access control package approved by the IT Department.
- Multiple simultaneous remote external network connections prohibited. Unless special permission has been granted by the Director of Security, computer systems must not allow any user to conduct multiple simultaneous remote network connections.
- All log-in banners must include security notice. Every log-in screen for multi-user computers must include a special notice. This notice must state: (1) the system may only be accessed by authorized users, (2) users who log-in represent that they are authorized to do so, (3) unauthorized system usage or abuse is subject to criminal prosecution, and (4) system usage will be monitored and logged.
- Security notice in log-in banner must not disclose system information. All log-in banners on network-connected _COMPANY computer systems must simply ask the user to log-in, providing terse prompts only where essential. Identifying information about the organization, operating system, system configuration, or other internal matters must not be provided until a user’s identity has been successfully authenticated.
- Users must log off before leaving sensitive systems unattended. If the computer system to which users are connected or which they are currently using contains sensitive information, and especially if they have special access rights, such as domain admin or system administrator privileges, users must not leave their computer, workstation, or terminal unattended without first logging out, locking the workstation, or invoking a password-protected screen saver.
- Internal network addresses must not be publicly released. The internal system addresses, configurations, and related system design information for _COMPANY networked computer systems must be restricted such that both systems and users outside _COMPANY’s internal network cannot access this information.
- All Internet Web servers must be firewall protected. All connections between _COMPANY internal networks and the Internet (or any other publicly-accessible computer network) must be protected by a router, firewall, or related access controls approved by the Information Systems Security Department and Data Network Services.
- Public servers on the Internet must be placed on separate subnets. Public Internet servers must be placed on subnets separate from internal _COMPANY networks. Routers or firewalls must be employed to restrict traffic from the public servers to internal networks.
- Any external network connections, inbound or outbound, must be authenticated or secured via approved standards. Before dial-up users reach a log-in banner, all inbound dial-up lines connected to _COMPANY internal networks and/or computer systems must pass through an additional access control point, such as a firewall, which has been approved by the Information Systems Security Department and Data Network Services. Unless the Information Systems Security Department and Data Network Services have first approved the action in writing, _COMPANY staff must not enable any trusted host relationships between computers connected to the _COMPANY internal network.
- Real-time external network connections require firewalls. Before reaching a log-in banner, all in-bound real-time external connections to _COMPANY internal networks and/or multi-user computer systems must pass through an additional access control point such as a firewall, gateway, or access server.
- Firewall configuration change requires Information Systems Security Department approval. Firewall configuration rules and permissible service rules established by the Director of Security and Disaster Recovery have been reached after an extended evaluation. These rules must not be changed without first obtaining the permission of the Director of Information Security and Disaster Recovery.
- Prior approval required for all communication line changes. Workers and vendors must not make arrangements for, or actually complete the installation of voice or data lines with any carrier, if they have not first obtained approval from the Director of the Telecommunications Department.
- Connections of _COMPANY networks to third party networks must conform to standards. _COMPANY computers or networks may only be connected to third-party computers or networks after the Information Systems Security Department and Director of Telecommunications have determined that the combined system will be in compliance with _COMPANY security requirements.
- Direct network connections with outside organizations must be approved. The establishment of a direct connection between _COMPANY systems and computers at external organizations, via the Internet or any other public network, is prohibited unless this connection has first been approved by the IT Department.
- Inventory of connections to external networks must be maintained. Telecommunications and Data Network Services must maintain a current inventory of all connections to external networks, including telephone networks, EDI networks, extranets, and the Internet.
- Trading partner agreement required prior to use of EDI. Prior to the use of _COMPANY systems for Electronic Data Interchange (EDI) with any third party, a trading partner agreement, fixing the terms and conditions of EDI use, must be negotiated. This agreement should be negotiated and executed by IS Finance and Administration, and must be approved by _COMPANY legal counsel prior to using any EDI systems for business transactions.