Information Security Policy III[Type text] Page 0 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 Information Security Policy Manual Programme Audit findings Sub-Prog / Project Document Record ID Key MCLM-ISPM Version Date January 2014 Status Pending Approval Owner CSS Version 0.1 1 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 Amendment History: Version Date Amendment History 0.1 First draft for comment and review 15 March 2013 1.0 Reviewers: This document must be reviewed by the following: Name Signature Title / Responsibility Date Version Director: Corporate and Shared Services Municipal Manager Portfolio Head: Corporate and Shared Services (Section 80 Committee) Approvals: This document must be approved by the following: Name Signature Title / Responsibility Municipal Manager Date Version Date Version Date Version Executive Mayor Council Meeting Owner: This document must be owned by the following: Name Signature Title / Responsibility Director: Corporate and Shared Services Custodian: This document must be in custody of: Name Signature Title / Responsibility ICT Manager 2 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 Distribution: X- File Intranet Records Location: Merafong Local Municipality Address: 3 Halite Street, Postal Address: P.O Box 3, Carletonville, 2499 Switchboard (018) 788 9500 Website: www.merafong.gov.za 3 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 Contents 1. 1. Information Security Policy Manual ...................................................................6 1. Purpose ............................................................................................................6 Any employee found to have violated this policy may be subject to disciplinary action.14 4. REMOTE ACCESS POLICY .......................................................................................... 15 5. INTERNET CONNECTION POLICY ........................................................................... 17 1. Overview 5. 17 APPROVED APPLICATION POLICY ...................................................................... 19 7. COMPUTER TRAINING POLICY ................................................................................ 19 9. ANTI-VIRUS POLICY 24 10. System Update Policy 26 10. USER PRIVILEGE POLICY ...................................................................................... 29 Appendix A - Services Recommended for Shutdown 33 14. SERVER MONITORING POLICY .............................................................................. 35 15. NETWORK DOCUMENTATION POLICY ................................................................ 36 16. SERVER DOCUMENTATION POLICY ..................................................................... 38 17. NETWORK SCANNING POLICY ............................................................................... 40 4. Policy 4.1. 43 Preamble ....................................................................................................43 4.1.2. Operational Procedures 43 4.1.3. Documented Change 44 4.1.4. Risk Management 44 4.1.5. Change Classification 44 4.1.6. Testing 45 4.1.7. Changes shall be tested in an isolated, controlled, and representative environment (where such an environment is feasible) prior to implementation to minimise the effect on the relevant business process, to assess its impact on operations and security and to verify that only intended and approved changes were made. 45 4.1.8. Changes affecting SLA„s 45 4.1.9. Version control 45 4.1.10. Approval 45 4.1.11. Communicating changes 45 4.1.12. Implementation 45 4 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 4.1.12.1 Implementation will only be undertaken after appropriate testing and approval by stakeholders. All major changes shall be treated as new system implementation and shall be established as a project. Major changes will be classified according to effort required to develop and implement said changes. 45 4.1.13. Fall back 45 4.1.14. Documentation 46 4.1.15. Business Continuity Plans (BCP) 46 4.1.16. Emergency Changes 46 4.1.17. Change Monitoring 46 5. Compliance 46 6. IT Governance Value statement .................................................................................. 46 7. Policy Access Considerations ....................................................................................... 47 19. INCIDENT RESPONSE POLICY ................................................................................ 47 20. NETWORK RISK EVALUATION ............................................................................... 50 5 MCLM-ISPM: Adobted by Council: 1. Item 9/2014 MCLM Council meeting of 27 March 2014 Information Security Policy Manual Note: “Merafong” here is referred to Merafong City Local Municipality. 1. Purpose 1.1 Introduction and objectives 1.1.1 Through a comprehensive suite of information security control objectives and supporting policy statements, this Information Security Policy Manual interprets ISO/IEC 27002, the international standard code of practice for information security management, in the context of Merafong. Its purpose is to communicate management directives and standards of care to ensure consistent and appropriate protection of information assets throughout Merafong. It is a key part of the Information Security Management System as specified in ISO/IEC 27001. 1.2 Status and applicability 1.2.1.1 This manual will be reviewed by the Executive Directors (Exco), Councillors and various other managers, and approved by the Council. This policy manual is applicable: Throughout Merafong City Local Municipality including any subsidiaries and joint ventures in which Merafong has a controlling interest; At all Merafong locations; To all Merafong Municipality‟s employees and others working on behalf of Municipality in a similar capacity including contractors, consultants, temporary workers, student placements etc. (known collectively throughout t as “workers”); To all information/data, information processing/computer systems and networks (collectively known as “information assets”) owned by Merafong Municipality or those entrusted to Merafong by third parties. 1.2.1.3 1.2.1.4 Merafong Information Security Policy Manual. The policy statements in this manual are supported by a range of security controls documented within operating procedures, technical controls embedded in information systems and other controls advised to workers from time to time by management through information security or indeed other standards, procedures and guidelines. The supporting controls gain authority from the policy statements included in this manual which in turn supports the information security principles and axioms mandated by the Information Security Policy. 6 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 1.3 Intended audience 1.3.1.1 This policy manual is primarily intended for use by: 1.3.1.2 All workers meaning both Merafong employees (including Directors, Councillors managers, staff, temporary employees such as student placements) plus third party employees (such as consultants, contractors, support/maintenance staff) working for Merafong Municipality . Users will be informed of their specific security responsibilities through the terms and conditions or contracts of employment, security-related procedures and guidelines, and a range of security awareness and training activities. 2. Policy Management Policy Management refers to the practices and methods used to create and maintain security policies to translate, clarify, and communicate management‟s position on high-level security principles. Policy management includes development, deployment, communication, updating, and enforcement of Merafong Municipality‟s security policies. This policy will be independent of specific hardware and software decisions to adapt to changes in Merafong„s business environment. To be practical and effective, specific policies must be applied to Merafong environmental and operational business and supported through standards, guidelines, processes, and procedures. A policy framework must include: High-Level Merafong Policy Standards, Guidelines, Processes and Procedures that Support the Policy Asset Protection Data classification, access control, personnel practices, change management, network security and disaster recovery Vulnerability Change management, wireless, vulnerability testing, application development Threats Incident management, penetration testing, audits, firewalls, malware prevention Awareness User education, IT education, annual certification, administrative rules Appropriate Use Education, Web filtering, content filtering, peer-to-peer, resource use for personal purposes (i.e., instant messaging, email, remote access, Internet, etc.) Best Practices •Merafong City Local Municipality will develop a formal approval process and identify individuals and roles for approval of new policies and changes to existing ones. 7 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 • Clearly identify security policy-related processes, including what activities are to be performed, their frequency, and the position that is responsible to perform the process. • Ensure policies, standards, and guidelines address legislative, regulatory, and contractual requirements. • Establish policies and standards that clearly identify what can and cannot be performed, stored, accessed and used through the Merafong computing resources (e.g., acceptable use policy, peer-topeer policy, Internet use policy). • Review policies periodically or when there have been changes in internal processes, laws or regulations, standards, or any changes to related policies, including the implementation of news systems or applications. • Once security policies and procedures have been established, disseminate to all appropriate users, staff, management, and third party providers. • Enforce policies through automated means where technically feasible. • Obtain and maintain an established record of acknowledgement that all appropriate users, staff, management, and third party providers have read the policies and understand the consequences of noncompliance with the policies. INFORMATION SECURITY POLICY STATEMENT Merafong City Local Municipality PURPOSE The purpose of this Information Security Policy Statement is to comply and set guidance to Minimum Information Security Standards. OBJECTIVE The objective of information security is to ensure business continuity of Merafong Municipality and to minimize the risk of damage by preventing security incidents and reducing their potential impact. POLICY The policy‟s goal is to protect the Merafong Municipality‟s assets against all internal, external, deliberate or accidental threats. The security ensures that: Information will be protected against any unauthorized access; 8 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 Confidentiality of information will be assured; Integrity of information will be maintained; Availability of in information for business processes will be maintained; Legislative and regulatory requirements will be met; Business continuity plans will be developed ;maintained and tested; Information security training will be available for all employees All actual or suspected information security breaches will be reported to the ICT manager and will be thoroughly investigated. Procedures exist to support the policy, including virus control measures, passwords and continuity plans. Business requirements to availability of information and systems will be met. The ICT manager is responsible for maintaining the policy and providing support and advice during the implementation. All Executive Directors and Managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments and sections. Compliance with the information Security Policy is mandatory. Signature Date Title The policy will be submitted for review to Council on a 3 year cycle 9 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 1. PASSWORD POLICY 1. Overview All employees and personnel that have access to Merafong Municipality computer systems must adhere to the password policies defined below in order to protect the security of the network, protect data integrity, and protect computer systems. 2. Purpose The policy is designed to protect Merafong resources on the network by requiring strong passwords along with protection of these passwords, and establishing a minimum time between changes to passwords. 3. Scope The policy applies to any and all personnel who have any form of computer account requiring a password on Merafong network including but not limited to a domain account and e-mail account. 4. Password Protection 1. 2. 3. 4. 5. 6. 7. 8. Never write passwords down. Never send a password through email. Never include a password in a non-encrypted stored document. Never tell anyone your password. Never reveal your password over the telephone. Never hint at the format of your password. Never reveal or hint at your password on a form on the internet. Never use the "Remember Password" feature of application programs such as Internet Explorer, your email program, or any other program. 9. Report any suspicion of your password being broken to your to computer to technician/helpdesk. 10. If anyone asks for your password, refer them to your ICT computer technician/helpdesk. 11. Don't use common acronyms as part of your password. 12. Don't use common words or reverse spelling of words in part of your password. 13. Don't use names of people or places as part of your password. 14. Don't use part of your login name in your password. 15. Don't use parts of numbers easily remembered such as phone numbers, ID numbers, or street addresses. 16. Be careful about letting someone see you type your password. 5. PASSWORD REQUIREMENTS Those setting password requirements must remember that making the password rules too difficult may actually decrease security if users decide the rules are impossible or too difficult to meet. If passwords are changed too often, users may tend to write them down or make their password a variant of an old password which an attacker with the old password could guess. The following password requirements will be set by the ICT section: 10 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 1. Minimum Length - 6 characters recommended 2. Maximum Length - 10 characters 3. Minimum complexity - Passwords should use three of four of the following four types of characters: a. Lowercase b. Uppercase c. Numbers d. Special characters such as !@#$%^&*(){}[] 4. Passwords are case sensitive and the user name or login ID is not case sensitive. 5. Password history - Require a number of unique passwords before an old password may be reused. This number should be no less than 24 months. 6. Maximum password age - 30 day 7. Account lockout threshold - 3 failed login attempts 8. Reset account lockout after - The time it takes between bad login attempts before the count of bad login attempts is cleared. The recommended value is 20 minutes. This means if there are three bad attempts in 20 minutes, the account would be locked. 9. Password protected screen savers should be enabled and should protect the computer within 5 minutes of user inactivity. Computers should not be unattended with the user logged on and no password protected screen saver active. Users should be in the habit of not leaving their computers unlocked. They can press the CTRL-ALT-DEL keys and select "Lock Computer". 6. Enforcement Since password security is critical to the security of Merafong City Local Municipality and everyone, employees that do not adhere to this policy may be subject to disciplinary action. 7. Other Considerations Administrator passwords should be protected very carefully. Administrator accounts should have the minimum access to perform their function. Administrator accounts should not be shared. 2. EMPLOYEE FRONT DESK COMMUNICATION & AWARENESS POLICY 1. Overview 1.1 The Social Engineering Awareness Policy is a collection of policies and guidelines for employees of Merafong City Local Municipality. The Employer Front Desk Communication Policy is the Social Engineering Awareness Policy. 1.2 In order to protect the Merafong assets, all employees need to defend the integrity and confidentiality of Merafong Municipality‟s resources. 11 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 2. Purpose The policy has two purposes: 2.1 To make employees aware that (a) fraudulent social engineering attacks occur, and (b) there are procedures that employees can use to detect attacks. 2.1.1 Employees are made aware of techniques used for such attacks, and they are given standard procedures to respond to attacks. 2.1.2 Employees know who to contact in these circumstances. 2.1.3 Employees recognize they are an important part of Merafong Municipality‟s security. The integrity of an employee is the best line of defense for protecting sensitive information regarding Merafong Municipality‟s resources. 2.2 To create specific procedures for employees to follow to help them make the best choice when: 2.2.1 Someone is contacting the employee - via phone, in person, email, fax or online - and elusively trying to collect Merafong Municipality‟s sensitive information. 2.2.2 The employee is being “socially pressured” or “socially encouraged or tricked” into sharing sensitive data. 3. Scope All employees of Merafong Municipality, including temporary contractors or part-time employees participating with help desk customer service. 4. Policy 4.1 Sensitive information of Merafong City Local Municipality will not be shared with an unauthorized individual if he/she uses words and/ or techniques such as the following: a.1.1 An “urgent matter” a.1.2 A “computer virus Emergency” a.1.3 Any form of intimidation from “higher level management” 4.1.4 Any “name dropping” by the individual which gives the appearance that it is coming from legitimate and authorized personnel. 4.1.5 The requester requires release of information that will reveal passwords, model, serial number, or brand or quantity of Merafong resources. 4.1.6 The techniques are used by an unknown (not promptly verifiable) individual via phone, email, online, fax, or in person. 4.1.7 The techniques are used by a person that declares to be "affiliated" with Merafong Municipality such as a sub-contractor. 12 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 4.1.8 The techniques are used by an individual that says he/she is a reporter for a well-known press editor or TV or radio company. 4.1.9 The requester is using ego and vanity seducing methods, for example, rewarding the front desk employee with compliments about his/her intelligence, capabilities, or making inappropriate greetings (coming from a stranger). 5. Action All persons described in 3.0 MUST attend the security awareness training within six months from the date of employment. 5.1.0 All persons described in section 3.0 MUST attend the security awareness training within 6 from the date of employment. 5.1.1 If one or more circumstances described in 4.0 is detected by a person described in 3.0, then the identity of the requester MUST be verified before continuing the conversation or replying to email, fax, or online. 5.1.2 If the identity of the requester described in 5.1.1 CANNOT be promptly verified, the person MUST immediately contact his/her supervisor or direct manager. 5.1.3 If the supervisor or manager is not available, that person MUST inform the Executive director. 5.1.4. If the director is not available, the person described in section 3.0 MUST immediately drop the conversation, email, online chat with the requester, and report the episode to his/her supervisor before the end of the business day. 6. Enforcement 6.1.0 All persons described in section 3.0 who (a) successfully detect circumstances set forth in section 4.0 and (b) correctly complete an action described in section 5.0 are entitled to be complemented and encouraged by the management. 6.1.1 All persons described in section 3.0 who violate this policy must be subjected to disciplinary action. 3. CLEAN DESK POLICY 1. Overview 1. The purpose for this policy is to establish a culture of security and trust for all employees at Merafong City Local Municipality. An effective clean desk effort involving the participation and support of all Merafong Municipality employees can greatly protect paper documents that contain sensitive information about our clients, customers and vendors. All employees should familiarize themselves with the guidelines of this policy. 13 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 2. Purpose 1. The main reasons for a clean desk policy are: 1. A clean desk can produce a positive image when our customers visit the Merafong City Local Municipality. 2. It reduces the threat of a security incident as confidential information will be locked away when unattended. 3. Sensitive documents left in the open can be stolen by a malicious entity. 3. Responsibility 1. All staff, employees and entities working on behalf of Merafong City Local Municipality are subject to this policy 4. Scope 1. At known extended periods away from your desk, such as a lunch break, sensitive working papers are expected to be placed in locked drawers. 2. At the end of the working day the employee is expected to tidy their desk and to put away all office papers. 5. Action 1. 2. 3. 4. 5. 6. 7. 8. Allocate time in your calendar to clear away your paperwork. Always clear your workspace before leaving for longer periods of time. If in doubt - throw it out. If you are unsure of whether a duplicate piece of sensitive documentation should be kept - it will probably be better to destroy it. Consider scanning paper items and filing them electronically in your workstation. Use the recycling bins for sensitive documents when they are no longer needed. Lock your desk and filing cabinets at the end of the day Lock away portable computing devices such as laptops or PDA devices Treat mass storage devices such as External Hard drive, CDROM, DVD or USB drives as sensitive and secure them in a locked drawer 6. Enforcement 1. Any employee found to have violated this policy may be subject to disciplinary action. 14 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 4. REMOTE ACCESS POLICY 1. Overview This remote access policy defines standards for connecting to Merafong Municipality network and security standards for computers that are allowed to connect to the Merafong network. This remote access policy specifies how remote users can connect to the main Merafong network and the requirements for each of their systems before they are allowed to connect. This will specify: 1. The anti-virus program remote users must use and how often it must be updated. 2. What personal firewalls they are required to run. 3. Other protection against spyware or other malware. The remote access policy defines the methods users can use to connect remotely such as dial up or VPN. It will specify how the dial up will work such as whether the system will call the remote user back, and the authentication method. If using VPN, the VPN protocols used will be defined. Methods to deal with attacks should be considered in the design of the VPN system. 2. Purpose The remote access policy is designed to prevent damage to the Merafong network or computer systems and to prevent compromise or loss of data. 3. Approval Any remote access using either dial-in, VPN, or any other remote access to Merafong network must be reviewed and approved by the appropriate supervisor. All employees by default will have account settings set to deny remote access. Only upon approval will the account settings be changed to allow remote access. 4. Remote Computer Requirements 1. The anti-virus product is required to be operating on the computer at all times in real time protection mode. 1. The anti-virus product shall be operated in real time on the computer. The product shall be configured for real time protection. 2. The anti-virus library definitions shall be updated at least once per day. 3. Anti-virus scans shall be done a minimum of once per week. No one should be able to stop anti-virus definition updates and anti-virus scans except for domain administrators. 2. The computer must be protected by a firewall at all times when it is connected to the internet. 15 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 5. Remote Connection Requirements The remote user shall use either dial-In or virtual private networking (VPN). Dial-In is typically used when the user in a local calling area. VPN is typically used when the user would need to dial a long distance number to connect with a dial-in connection. VPN uses a local connection to an internet service provider (ISP) and creates a tunnel through the local ISP connection to Merafong network. 5.1 Dial-In Requirements 1. Number check - The dial in settings shall be set to perform one or the other of: a. Verify Caller ID to a specific number - Use this option if caller ID is available b. Always call back to a specific number - If the user must connect from a location other than their designated location such as their home, they should use VPN. 2. Client Check - A requirement that must be set for Dial-In clients is that a firewall must be installed and operational. If the Dial-In client does not meet the criteria, either the connection is not allowed or the client can only access a limited area where they can get the software needed to meet the requirement. 3. Authentication - For authentication of the user, the dial in connection shall use one of the appropriate programs. 4. Connection Encryption - This requirement will depend on the data you expect the remote user to be transmitting over the dial-in connection. 5.2 VPN Requirements 1. Client Check - A requirement that must be set for VPN clients is that a firewall must be installed and operational. Also Anti-virus software must be installed and operational. If the VPN client does not meet the criteria, either the connection is not allowed or the client can only access a limited area where they can get the software needed to meet the requirement. 2. The connection choices are PPTP, L2TP, IPSec, and SSL. The connection shall use IPSec which encrypts the data sent through the connection. Authentication - For authentication of the user, the dial in connection shall use Internet Key Exchange (IKE) with digital certificates. The other choice is Internet Key Exchange (IKE) with a pre-shared key. 16 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 5. INTERNET CONNECTION POLICY 1. Overview The internet connection policy has components of a user compliance policy and an internal IT policy. The user compliance section specifies how users are allowed to connect to the internet and provides for ICT section approval of all connections to the internet or other private network. It requires all connections such as connections by modems or wireless media to a private network or the internet be approved by the ICT section and what is typically required for approval such as the operation of a firewall to protect the connection. The internet connection policy requires users to use the internet for business only and requires users to malicious web sites which could compromise security. 2 Physical Internet Connection avoid going to malicious web sites which could compromise security. It informs the users that their internet activity may be logged and monitored and defines whether user activity on the network will be logged and to what extent. The system will be used to prevent unauthorized viewing of sites and what system will log internet usage activity. A proxy server will be used for user internet access. The network will be protected to prevent users from going to malicious web sites. 3. Purpose The policy is designed to protect Merafong resources against intrusion by malware that may be brought into the network by users as they use the internet. It is also designed to prevent unauthorized and unprotected connections to the internet which may allow a host of unsafe content to enter the Merafong network and compromise data integrity and system security across the entire network. All physical internet connections or connections to other private networks shall be authorized and approved by the ICT section. Most users will access the internet through the connection provided for their office by the ICT section. Any additional connections must be approved by the ICT section. These additional connections include but are not limited to: 1. Modem connection from a computer or communication device which may allow a connection to the network. 2. Any multipurpose printing and FAX machines which have both a phone and network connection must be examined and approved for use by the ICT section. 3. Wireless access points or devices with wireless capability are not allowed unless approved by the ICT section. If any computers or other devices have wireless capability, the wireless capability must be turned off before connecting to the network unless it is approved for wireless operation by the ICT section 17 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 when connected to the network. Any additional internet connections not provided by the ICT section must be reviewed and approved by the ICT section. Typically any additional connections from the Merafong network to the internet or other private network will be required. a. An ICT section approved firewall operating at all times and properly configured. b. Some communications through the connection may require encryption subject to a review of data to be transmitted by the IT department. 4. Use of the Internet 1. All employee use of the internet shall be for business purposes only. 2. Employee use of the internet may be monitored and logged including all sites visited, the duration of the visits, amount of data downloaded, and types of data downloaded. The time of recorded activity may also be logged. 3. Employees are urged to use caution when visiting unknown internet sites and through user training set and keep their browser configured to IT approved standards in order to protect against infections of malware. Employees will be trained in the latest IT approved standards to protect against malware when appropriate. 5. Internet Control and Logging System A system will be required to operate on the network with the following capabilities: 1. The ability to prevent users from visiting inappropriate, pornographic, or dangerous web sites. It will have its database of categorized websites updated regularly. 2. The ability to log user internet activity including: 1. Time of the internet activity. 2. Duration of the activity. 3. The website visited. 4. Data and type of data downloaded 5. Whether the system will cache web pages to increase the internet connection speed. This requires a proxy server. 3. The system requires a login ID or it will use the current network login to identify users. 6. Enforcement Since improper use of mobile computers can bring in hostile software which may destroy the integrity of network resources and systems and the prevention of these events is critical to the security of the Merafong and all individuals, employees that do not adhere to this policy may be subject to disciplinary. 18 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 5. APPROVED APPLICATION POLICY 1. Overview All employees and personnel that have access to Merafong computer systems must adhere to the approved application policy in order to protect the security of the network, protect data integrity, and protect computer systems. 2. Purpose This policy is designed to protect the Merafong resources on the network by requiring all network users to only run or install application programs deemed safe by the ICT section. 3. Approved Applications All employees may operate programs on the IT approved application list. If an employee wants to use an application not on the list, they should submit the application program to the IT section for approval prior to using the program on a system connected to the Merafong network. If the employee causes a security problem on the network by installing and running an unapproved program they risk disciplinary action. 4. Exceptions Special exception may be made to this policy for specific employees depending on the required job function and the skills of the employee. Some reasons for exception include: 1. The employee may be the person who needs to test new applications on a test network, then on the main network. 7. COMPUTER TRAINING POLICY 1. Overview This policy defines the minimum training for users on the network to make them aware of basic computer threats to protect both themselves and the network. This policy especially applies to employees with access to sensitive or regulated data. 2. Purpose This policy is designed to protect the Merafong resources on the network and increase 19 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 employee efficiency by establishing a policy for user training. When users are trained about computer use and security threats, they work more efficiently and are better able to protect Merafong resources from unauthorized intrusion or data compromise. This policy will help prevent the loss of data and Merafong assets. 3. Training Categories Training categories will include but not be limited to the following areas: Basics: 1. What files are 2. How to set view for details and show extensions for known file types 3. Why not seeing file extensions is a security hazard to you 4. File storage size - how to determine 5. Mail attachments 6. Where to store files How to use your network drive What your network drive is and what it means to you 7. How to copy files 8. Ways to increase efficiency on the computer such as keyboard shortcuts Ways to get malware: 1. Through email 2. Through browser 3. By connecting 4. By installing unapproved programs Email viruses: 1. How they spread 2. Spoofing sender 3. Dangerous attachments Email SPAM 1. Protect your email address 2. Filtering spam Hoaxes: 1. Phishing 2. Fraud methods Email use 1. How to set up email for remote users or with your ISP with POP3 2. How to set up out of office reply 3. How to set mail filtering rules 4. How to use, import, and export personal folders 5. What an undeliverable response to an email message means Use of web browser 1. Safe browser? 2. Avoid adware and spyware - ignore ads that may compromise your computer or get you to install an illicit program 3. How to change browser settings for better security 4. Products to prevent malware. Passwords 1. Why protect my password? 20 MCLM-ISPM: Adobted by Council: 2. 3. 4. 5. Other 1. 2. 3. 4. 5. Item 9/2014 MCLM Council meeting of 27 March 2014 Why do I need to change my password every 30 days How to change your password How to choose strong passwords that you can remember If I log in on a website can someone see my password? Reasons for firewall -- worms and others Why worry about malware? What is a vulnerability? Why not run all services? Social engineering 2. The employee may be a developer that must run applications developed by themselves in order to test their own work. 3. Network administrator may be allowed the ability to operate and test new software. 5. Enforcement Running safe programs is critical to the security of the Merafong, employees that do not adhere to this policy may be subject to disciplinary action. 4. Training Opportunities Basic training as listed in section 3.0 shall be provided internally by the Merafong and shall include the following opportunities: 1. Scheduled training seminars for 1 to 4 hours per day. 2. training for up to 1 hour per day on one or two days per week. 5. Requirements All Merafong staff shall make measurable and continuous progress in the training areas listed in bullet 3. Each employee manager shall be responsible for ensuring that employees under their supervision make progress in the required training areas. Each employee must retain knowledge about training in areas listed in bullet 3 within the first year of employment. 6. Enforcement Since training is very important to the security of the Merafong, auditing shall be used as a mechanism to be sure the training policy is being followed. Auditors may test employees at random about their knowledge in the areas listed in section 3. 21 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 8. WIRELESS USE POLICY 1. Overview The wireless use policy defines the use of wireless devices in the Merafong and specifies how wireless devices shall be configured when used. 2. Purpose The policy is designed to protect the Merafong resources against intrusion by those who would use wireless media to penetrate the network. 3. Scope The policy applies to all wireless devices in use by the Merafong or those who connect through a wireless device to any Merafong network. 4. Risk Assessment The use of wireless technology has historically been a serious security risk to Merafong. This is because it can be an easy access point to gain access to Merafong network. In addition data sent across it may be readable sometimes even when it is encrypted due to some of the vulnerabilities of the encryption schemes used. Therefore this policy requires a risk assessment any time a new type of wireless device is added to the network. Several items must be assessed including: 1. Is this a new technology? 2. Does this device use encryption and if so how well tested is the encryption protocol? 3. What is the cost of implementing a secure encryption protocol? 4. Has this type of device been used on our network before? 5. Can this device be configured to only allow authorized users to access it or the network through it? 6. How easy will it be for an attacker to fool this device into allowing unauthorized access? What methods may be used? 7. What secure authentication schemes are available and what cost or overhead is associated with their implementation and maintenance? 8. How practical is wireless use considering the cost, potential loss, and added convenience? 4.1 Authentication The authentication mechanisms of all approved wireless devices to be used must be examined closely. The authentication mechanism should be used to prevent unauthorized entry into the network. One authentication method shall be chosen. The following must be considered. 1. How secure is the authentication mechanism to be used? 2. How expensive is the authentication mechanism to be used? 22 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 a.2 Encryption Encryption mechanisms of all approved wireless devices to be used must be examined closely. The encryption mechanism will be used to protect data from being disclosed as it travels through the air. The following must be considered. 1. How secure is the encryption mechanism? 2. How sensitive is the data traveling through the wireless device? 3. How expensive is the encryption mechanism? 4.3 Configuration The SSID of the wireless device shall be configured in such manner so it does not contain or indicate any information about the Merafong, its departments, or its personnel including Merafong name, department name, employee name, employee phone number, email addresses, or product identifiers. 4.4 Access Points All wireless access points and wireless devices connected to the Merafong network must be registered and approved by the designated ICT section representative. All wireless devices are subject to ICT section audits and penetration tests without notice. 5. Authority ICT manager shall have final authority over the management and security of wireless devices and wireless networking. The ICT manager may delegate the responsibility to the Network Administrator. This policy requires that parts of the network containing and supporting wireless devices directly (the wireless network) be separated from the part of the network that does not support wireless connections. The part of the network supporting wireless devices or connections shall be considered less trusted than the part of the network that does not. All file servers and internal domain controlling servers shall be separated from the wireless network using a firewall. One or more intrusion detection devices shall monitor the wireless network for signs of intrusion and log events. The type of logged events will be determined by the network administrator. 6. Allowable Wireless Use 1. Only wireless devices approved by make and model shall be used. 2. All wireless devices must be checked for proper configuration by the ICT section prior to being placed into service. 3. All wireless devices in use must be checked monthly for configuration or setup problems. 23 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 7. Enforcement Since improper use of wireless technology and wireless communications can open the network to additional sniffing and intrusion attacks, authorized and proper use of wireless technology is critical to the security of the Merafong and all individuals. Employees that do not adhere to this policy may be subject to disciplinary action. 9. ANTI-VIRUS POLICY 1. Overview This policy is an internal IT policy which defines anti-virus policy on every computer including how often a virus scan is done, how often updates are done, what programs will be used to detect, prevent, and remove malware programs. It defines what types of files attachments are blocked at the mail server and what anti-virus program will be run on the mail server. It may specify whether an anti-spam firewall will be used to provide additional protection to the mail server. It may also specify how files can enter the trusted network and how these files will be checked for hostile or unwanted content. For example it may specify that files sent to the enterprise from outside the trusted network be scanned for viruses by a specific program. 2. Purpose This policy is designed to protect the Merafong resources against intrusion by viruses and other malware. 3. Anti-Virus Policy Merafong will use a single anti-virus product for anti-virus protection. The following minimum requirements shall remain in force. 1. The anti-virus product shall be operated in real time on all servers and client computers. The product shall be configured for real time protection. 2. The anti-virus library definitions shall be updated at least once per day. 3. Anti-virus scans shall be done a minimum of once per week on all user controlled workstations and servers. No one should be able to stop anti-virus definition updates and anti-virus scans except for domain administrators. 4. Email Server Policy The email server will have additional protection against malware since email with malware must be prevented from entering the network. 24 MCLM-ISPM: Adobted by Council: 4.1 Item 9/2014 MCLM Council meeting of 27 March 2014 Email Malware Scanning In addition to having the standard anti-virus program, the email server or proxy server will additionally include extra programs which will be used to scan all email for viruses and/or malware. This scanner will scan all email as it enters the server and scan all email before it leaves the server. In addition, the scanner may scan all stored email once per week for viruses or malware. When a virus is found or malware is found, the policy shall be to delete the email and not to notify either the sender or recipient. The reason for this is that most viruses fake the sender of the email and sending them a notice that they sent a message with a virus may alarm them unnecessarily since it would not likely be true. It would simply cause an additional help desk call by the notified person and most likely waste system administrator's time needlessly. Notifying the recipient that someone tried to send them a virus would only alarm them needlessly and result in an increased number of help desk calls. 4.2 Blocked Attachment Types The email server or proxy server will block all emails with certain attachment types When an email breaks the rules and contains an illegal file attachment the following will be done: b. the email will be deleted, sender and recipient notified 4.3 Proxy or anti-spam Server To increase mail security, anti-spam server or proxy mail server will be added to the network. This reduces the mail server to the threat of being intruded upon and an anti-spam server can significantly reduce the load on the mail server, not to mention the reduction of spam. Periodic updates should also be defined. 5. File Exchange Policy This part of the policy specifies methods that are allowed to be used when files are sent into the network by members of the public or employees of the Merafong. It specifies: 1. All legitimate methods used including: 1. FTP transfer to a FTP server. 2. File transfer to a Web server with a legitimate file upload program. 3. Any other method. 2. The method and type of software to be used to scan the files for hostile content before they are completely transferred into the network. It will also specify the update frequency for the scanning software. 3. The point in time when the files will be scanned. 25 MCLM-ISPM: Adobted by Council: 6. Item 9/2014 MCLM Council meeting of 27 March 2014 Network Exploit Protection This part of the policy should specify how hostile software that uses network exploits should be prevented. This policy will not cover system updates but may refer to the system update policy. This policy combined with other quoted policies should prevent worms from entering the network. This policy may also refer to the remote user policy and mobile computer policy. This policy will specify that all systems be protected by a firewall any time they are connected to the internet. It would specify that systems on the Merafong network be connected to a part of the network that is protected from the internet or untrusted network by an approved firewall system. It will also specify or refer to policy that requires computers operating outside the Merafong network to have a local firewall software program operational at all times when these computers are connected to the internet. It should specify one or more acceptable software firewall products. This policy may refer to the mobile computer policy which may require users of mobile computers to have their computers checked for malware before connecting to the main network. 7. Other Malware Policy This policy should cover any other possible malware including adware and spyware. It may specify methods to prevent and remove this type of malware. It may specify acceptable prevention and removal software. If the anti-virus product is a product that also handles other types of malware such as adware or spyware, it should be stated here. Applicable Training 1. Blocked email attachments 2. How viruses work and avoidance Adware and spyware avoidance 10. System Update Policy 1. Overview This policy is an internal IT policy which defines how often computer system updates are done and under what conditions they are done. 2. Purpose The policy is required to establish a minimum process for protecting the Merafong computers on the network from security vulnerabilities. This policy shall determine how updates are done for both servers and workstations, and who is responsible for performing the updates along with specifying the tools used to perform system updates. 26 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 3. Update Requirement Determination This section defines methods used to determine what updates should be done and when they should be applied. 3.1 Update Types Several types of updates may be required on any computer and all the types should be considered for the below listed computer system components. They include: 1. The computer BIOS. 2. The operating system. 3. Application updates. 3.2 Update Checking There are several methods to determine when updates should be performed. 1. Review of posted security flaws and patches for each type of update applicable to the computer system. 2. An automatic scanning of the system to determine available updates not yet applied to the system or application. The review of posted security flaws and patches should always be used for the computer operating system, BIOS, and applications. The manufacturer website should be used and there may also be other appropriate sites posting relevant bulletins. If automatic update ability is available, it should be compared to the listing of posted updates to be sure it is accurate. 3.3 Update Vulnerability Types The update considerations should address vulnerabilities caused by: 1. Code errors Misconfigurations not covered by patches - An example would be a configuration problem with a mail server allowing non authenticated users to relay email using the mail server. 3.4 Update Information Before approving updates, administrators should know: 1. 2. 3. 4. 5. 6. The addressed vulnerability What previous patches are required or what system update is required. What programs are affected by the change What may be broken by the change How to undo the change. It is recommended that new patches be tested in a controlled environment that mimics the infrastructure of the production environment before patches are applied. Backup must be taken before applying a patch. Each 27 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 server should have documentation including a list of applications running on it and a patch history. 7. All patches approved for client computers or applied to client computers should be documented. 3.5 Support Procedures To support the update requirements definition and update, the following documents should be created to provide a managed response for system updates: 1. A procedure for identifying vulnerabilities, patches, and configuration changes. 2. Procedures for determining how appropriate the patch or configuration change is to each system. 3. Test procedures 4. Prioritization rules 5. Guidelines for implementing patches or configuration changes. 4. Server Updates Server updates shall be done by the system administrator. Updates for servers shall be checked no less than monthly to determine whether any new updates to any computer system components are required. The system administrator shall determine the following: 1. Whether the update applies to the computer system under consideration. 2. Whether the update is safe to apply or whether it make /break an application or some other part of the operating system where functionality is required. A test environment should be used to determine whether updates may break functionality prior to implementation of production environments. The ability to provide a test environment and thoroughness of determining whether any functionality is broken by the update will vary from Merafong to Merafong depending on available resources. 5. Workstation Updates Workstation updates may be done using any provided tools depending on the type of workstations and their operating systems. In this policy workstation updates shall be performed using Microsoft system update server. System update server will save a great deal of time and expense since all systems may be updated from one server at the same time. All workstations shall be Microsoft Windows 2008 Professional. Merafong systems administrator shall review available updates weekly. Normally updates shall be applied in the test environment two to three days before being applied to the main Merafong. 28 MCLM-ISPM: Adobted by Council: 10. 1. Item 9/2014 MCLM Council meeting of 27 March 2014 USER PRIVILEGE POLICY Overview The user privilege policy is an internal IT policy and defines the privileges various users on the Merafong network are allowed to have, specifically defining what groups of users have privileges to install computer programs on their own or other systems. This policy defines the users who have access to and control of sensitive or regulated data. This policy defines internet access to specific sites for some users or other ways they may or may not use their computer systems. 2. Purpose The policy is designed to minimize risk to Merafong resources and data by establishing the privileges of users of data and equipment on the network to the minimum allowable while still allowing users to perform job functions without undue inconvenience. 3. Local Computer Privileges There are three main categories of users on a computer or network. These categories include: 1. Restricted user - Can operate the computer and save documents but can't save system settings. 2. Standard user (power user) - Can change many system settings and install programs that don't affect Windows system files. 3. Administrators - Have complete access to read and write any data on the system and add or remove any programs or change system settings. The majority of users on most common networks should be restricted users on their local computers. This is because many viruses and adware or spyware may be installed in a subtle manner by tricking the user or the installation may be completely transparent to the computer user. If the user does not have the ability to install programs or change settings to a more vulnerable setting, most of these potential security problems can be prevented. Therefore only users that demonstrate a need and ability for power user or administrator access on local machines shall be permitted to have this level of access. Upon demonstration of a special need for additional access, the ICT manager must approve the access before it can be made effective. Groups that may be allowed this type of access include: 1. Domain Administrators 2. Help Desk personnel 3. Application developers (BIQ, MAXIMO,GIS and QPR) for testing purposes. 29 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 4. Network Privileges Most network users will have access to the following types of network resources. 1. Email - Most users will have full access to their own email. They will not be able to transfer ownership to someone else. 2. A personal network drive on a networked file server (Y- drive) - This is a folder on a drive that only the primary user of this drive can read and write exclusive of domain administrators. The user will not be able to transfer ownership to someone else. 3. A shared group or Merafong division's drive (X-drive) - This is a folder that members of specific groups or divisions in the Merafong may access. Access may be read or write and may vary by Merafong requirements. 4. Access to databases - There may be additional databases that may be stored on a shared drive or on some other resource. Most databases will have a standard user level which gives users appropriate permissions to enter data and see report information. However only the database administrators will have full access to all resources on a database. Database administrator will only have full access to the database that they administer. Groups that may be allowed additional access include: 1. Backup operator - Allowed to read data on the domain for the purpose of saving files to backup media. This group cannot write all data on the domain. 2. Account operator - Can manage and view information about user accounts on the domain. 3. Server operator - Has full privileges on servers including reading and writing of data, installing programs, and changing settings. 4. Domain administrator - Has full privileges on all computers in the domain including servers and workstations. Privileges include reading and writing data, installing programs, and changing settings. 5. Enforcement Since data security and integrity along with resource protection is critical to the operation of the Merafong; employees that do not adhere to this policy may be subject to disciplinary action. Note: Server operators (Technicians) will have full access on some servers but not others. Help desk personnel (Help desk administrator) may have full access on some local computers but not in all groups in Merafong. 30 MCLM-ISPM: Adobted by Council: 12. Item 9/2014 MCLM Council meeting of 27 March 2014 APPLICATION IMPLEMENTATION POLICY 1. Overview This policy is a policy to be used to assess the security impact of new applications. When new applications are developed to provide new functionality to users or internal groups, the impact of the new functionality must be assessed in order to keep the network stable. Starting with a data assessment process will help this process flow smoothly. 2. Purpose This policy is designed to protect the Merafong resources on the network by defining requirements for new applications in the Merafong. This policy requires a security assessment including an assessment of data security levels, media the data will travel over, a risk evaluation, and determination of system requirements which will mitigate the most serious part of additional security risks. 3. Process Merafong ICT section shall work together with service providers to assess data requirements for any new applications. Merafong shall specify their requirements for the applications and application developers (service providers) will work with Merafong Municipality to identify and categorize data according to the Application Development Security Assessment Process. Once the data and application requirements are established, ICT section can then evaluate risk and determine methods, processes, equipment, and procedures to mitigate known risks. The computer technicians, users, and service providers will work together to provide required and reasonable access capability to systems and data both during development and final project implementation while providing the best computer security possible. Under no circumstances should the overall security of the network be seriously compromised for the benefit of any project. The data assessment, risk evaluation, and system requirements should be done early in the project life cycle since without this information, the overall cost of the project cannot be accurately assessed. The security assessment shall be conducted according to the Security Assessment Questionnaire and data shall be evaluated according to the Data Assessment Process document. 31 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 13. SYSTEM LOCKDOWN POLICY 1. Overview This system lockdown policy is an internal IT policy and defines a general process that should be used to lock down servers and workstations. 2. Purpose This policy is designed to minimize risk to Merafong resources and data by establishing a process for increasing the security of servers and workstations by stopping unneeded services and testing for vulnerabilities. 3. Server Lockdown and Hardening describes a general process used to lock down servers. When they are initially installed and configured. Types of servers or equipment that need hardening include but are not limited to file sharing servers, email servers, Web servers, FTP servers, DNS servers, DHCP servers, Database servers, Domain controllers, Directory servers, Network devices such as firewalls, routers, and switches. 1. List services that will be required to run on the server. Examples include: 1. DNS 2. HTTP 3. SMTP 4. POP3 2. List services that are running on the server and turn off any that the administrator is sure are not needed. 3. Do a port scan on the server - Use a security tool to test and determine any ports that the server is responding to. 4. Shut down any services that are not on the required list of services for the server. Especially remember to shut down services listed in Appendix A Services Recommended for Shutdown 5. Remove any unnecessary programs, services, and drivers from the server especially those not loaded by default on the server. 6. Patch the server with the latest patches and patch all services running on the server. 7. Disable or change the password of any default accounts on the server or related to any operating services. 8. Be sure all passwords used to access the system or used by services on the system meet minimum requirements including length and complexity parameters. 9. Be sure all users and services have minimum required rights and do not have rights to items not needed. 10. Be sure file share and file permissions are as tight as possible. 11. Perform a vulnerability assessment scan of the server. 12. Patch or fix any vulnerability found. 13. Where appropriate, install and run additional security programs such as: 32 MCLM-ISPM: Adobted by Council: 14. 15. 16. 17. 18. 19. 20. 21. a. b. c. d. 22. Item 9/2014 MCLM Council meeting of 27 March 2014 Firewall Intrusion detection software - Some approved host based intrusion detection software is recommended to be run on all servers. Change of system and system files detection All this software should have the latest updates installed. Set security parameters on all software such as where anti-virus programs will scan, how often it will scan, and how often it will get virus definition updates. Enable audit logging to log any unauthorized access. Perform another vulnerability assessment scan of the server, and fix any discrepancies. Take additional account management security measures including: Disable the guest account Rename default administrator accounts Set accounts for minimum possible access Be sure all accounts have passwords meeting minimum complexity and length rules. Test the server to be sure all desired services are operating properly. 5. Enforcement Locking down servers is critical to the security of the Merafong and everyone; this policy must be enforced by management through review and auditing. Appendix A - Services Recommended for Shutdown 1. File and Printer Sharing for Microsoft Networks - Uninstallation of this service is recommended. This service is not needed unless you want to share a printer on your local computer or share folders on your local computer with other computers. 2. Messenger - Disable this service in the Services applet of Administrative Tools. This service has some serious security bugs and problems and has very little use for managing the network. 3. Remote registry service - This service should be set to manual or disabled since it allows people from remote locations to modify your registry. It is a serious security risk and should only be run if required by network administrators. Set this service to manual or disabled in the Services applet of Administrative Tools. 4. Secondary Logon service - If it is not necessary for lower privileged users to use the "Run As" command to run commands that only administrators or power users can run, this service should be disabled. 5. Universal Plug and Play Device Host service - It broadcasts unnecessary information about the computer running the service. It may be used by MSN messenger. This service is a high security risk and should be disabled unless dependent services are required. 6. Wireless Zero Configuration service - Used to support wireless connections. If you are not using wireless, this should be disabled. This service is a high security risk and should be disabled unless needed. 33 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 7. NetMeeting Remote Desktop sharing - A person on a remote computer can access your desktop to help you. This service may be used by network administrators to help users with tasks. Normally this service should be disabled unless needed. Running this service is a moderate security risk. 9. Remote Desktop Help Session Manager service - A person on a remote computer can access your desktop to help you. This service may be used by network administrator to help users with tasks. Normally this service should be disabled unless needed. Running this service is a moderate security risk. 10. Network DDE Service - Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. It allows two running programs to share the same data on the same computer or on different computers. Running this service is a moderate security risk. Normally this service should be disabled unless needed. 11. Network DDE DSDM Service - Manages DDE network shares. Running this service is a moderate security risk. Normally this service should be disabled unless needed. 12. NT LM Security support provider - Used for backward compatibility with older Microsoft operating systems. Running this service is a moderate security risk. Normally this service should be disabled unless needed or set to manual. 13. SSDP Discovery service - Allows the computer to connect with networked plug and play devices on the network. This service does not support internal PnP devices. This service should be disabled unless the computer needs to connect to external networked plug and play devices. 14. Telnet service - The telnet service allows a terminal connection to or from a remote computer but sends passwords in the clear. Running this service is a moderate security risk. Normally this service should be disabled unless needed or set to manual. 15. Terminal services - Allows a remote connection from a remote computer usually used by network administrators to help users. Running this service is a moderate security risk. Normally this service should be disabled unless needed or set to manual. This service is commonly used by system administrators to administer servers remotely. 16. Alerter service - The alerter service allows system administrators to send messages to selected users. This service should be disabled unless specifically needed. Types of servers that need hardening (This list is not inclusive of all devices that should be hardened): 1. 2. 3. 4. 5. 6. 7. File sharing Email Servers Web servers FTP servers DNS servers DHCP servers Database servers 34 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 8. Domain controllers 9. Directory servers 10. VoIP servers and switches 11. Network devices such as firewalls, routers, switches and VoIP gateways 14. SERVER MONITORING POLICY 1. Overview The server monitoring policy is an internal IT policy and defines the monitoring of servers in the Merafong for both security and performance issues. 2. Purpose The policy is designed both to protect the Merafong against loss of service by providing minimum requirements for monitoring servers. It provides for monitoring servers for file space and performance issues to prevent system failure or loss of service. 3. Scope The policy applies to all production servers and infrastructure support servers including but not limited to the following types of servers: 1. 2. 3. 4. 5. 6. 7. 8. File servers Database servers Mail servers Web servers Application servers Domain controllers FTP servers DNS servers 4. Daily Checking All servers shall be checked manually on a daily basis the following items shall be checked and recorded: 1. The amount of free space on each drive shall be recorded in a server log. 2. The system log shall be checked and any major errors shall be checked and recorded in the server log. 3. Services shall be checked to determine whether any services have failed. 4. The status of backup of files or system information for the server shall be checked daily. 5. External Checks Essential servers shall be checked using either a separate computer from the ones being monitored or a server monitoring service. The external monitoring service shall have the ability to notify multiple IP personnel when a service is found to have failed. 35 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 Servers to be monitored externally include: 1. 2. 3. 4. 5. The mail server The web server External DNS servers Externally used application servers. Database or file servers supporting externally used application servers or web servers. 15. NETWORK DOCUMENTATION POLICY 1. Overview The network documentation policy is an internal ICT policy and defines the requirements for network documentation referring to both data and voice in the converged and native environment. This policy defines the level of network documentation required such as documentation of which switch ports connect to what rooms, computers and telephone handset. It defines who will have access to read network documentation and who will have access to change it. It also defines who will be notified when changes are made to the network. 2. Purpose The policy is designed to provide for network stability by ensuring that network documentation is complete and current. This policy should complement disaster management and recovery by ensuring that documentation is available in the event that systems should need to be rebuilt. This policy will help reduce troubleshooting time by ensuring that appropriate personnel are notified when changes are made to the network. 3. Documentation The network structure and configuration shall be documented and provide the following information: 1. IP addresses of all devices on the network with static IP addresses. 2. Server documentation on all servers as outlined in the "Server Documentation" document. 3. Network drawings showing: a. The locations and IP addresses of all hubs, switches, routers, and firewalls on the network. b. The various security zones on the network and devices that control access between them. c. The locations of every network drop and the associated switch and port on the switch supplying that connection. d. The interrelationship between all network devices showing lines running between the network devices. e. All subnets on the network and their relationships including the range of IP addresses on all subnets and netmask information. 36 MCLM-ISPM: Adobted by Council: 4. 5. 6. 7. 4. Item 9/2014 MCLM Council meeting of 27 March 2014 1. All wide area network (WAN) or metropolitan area network (MAN) information including network devices connecting them and IP addresses of connecting devices. Configuration information on all network devices including: a. Switches b. Routers c. Firewalls Configuration shall include but not be limited to: a. IP Address b. Netmask c. Default gateway d. Vlans e. DNS server IP addresses for primary and secondary DNS servers. a. Any relevant WINS server information. Network connection information including: a. Type of connection to the internet or other WAN/MAN including T1,T3, frame relay. b. Provider of internet/WAN/MAN connection and contact information for sales and support. c. Configuration information including netmask, network ID, and gateway. d. Physical location of where the cabling enters the building and circuit number. e. Cabinet naming. DHCP server settings showing: a. Range of IP addresses assigned by all DHCP servers on all subnets. b. Subnet mask, default gateway, DNS server settings, WINS server settings assigned by all DHCP servers on all subnets. c. Lease duration time. Access The ICT networking and some enterprise security staff shall have full access to all network documentation. The ICT networking staff shall have the ability to read and modify network documentation. Designated enterprise security staff shall have access to read and change network documentation but those not designated with change access cannot change it. Help desk staff shall have read access to network documentation. 5. Change Notification The help desk staff, server administrator, application developer and ICT management shall be notified when network changes are made including. 1. Reboot of a network device including switches, routers, and firewalls. 2. Changes of rules or configuration of a network device including switches, routers, and firewalls. 3. Upgrades to any software on any network device. 4. Additions of any software on any network device. 5. Changes to any servers which perform significant network functions whether configuration or upgrade changes are made. These servers include: 37 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 1. DHCP 2. DNS 3. Domain controllers 4. WINS Notification shall be through email to designated groups of people. 6. Documentation Review The network or ICT manager shall ensure that network documentation is kept current by performing a monthly review of documentation or designating a staff member to perform a review. The remedy or help desk requests within the last month should be reviewed to help determine whether any network changes were made. Also any current or completed projects affecting network settings should be reviewed to determine whether there were any network changes made to support the project. 7. Storage Locations Network documentation shall be kept either in written form or electronic form in a minimum of two places. It should be kept in two facilities at least two kilometres apart so that if one facility is destroyed, information from the other facility may be used to help construct the ICT infrastructure. Information in both facilities should be updated monthly at the time of the documentation review. 16. SERVER DOCUMENTATION POLICY 1. Overview This policy is an internal IT policy and defines the requirements for server documentation. This policy defines the level of server documentation required such as configuration information and services that are running. It defines who will have access to read server documentation and who will have access to change it. It also defines who will be notified when changes are made to the servers. 2. Purpose The policy is designed to provide for network stability by ensuring that network documentation is complete and current. This policy should complement disaster management and recovery by ensuring that documentation is available in the event that systems should need to be rebuilt. This policy will help reduce troubleshooting time by ensuring that appropriate personnel are notified when changes are made to any servers. 3. Documentation For every server on a secure network, there are a list of items that must be documented and reviewed on a regular basis to keep a private network secure. This list of information about every server should be created as servers are added to the network and updated regularly. 38 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 1. 2. 3. 4. Server name Server location The function or purpose of the server. Hardware components of the system including the make and model of each part of the system. 5. List of software running on the server including operating system, programs, and services running on the server. 6. Configuration information about how the server is configured including: 1. Event logging settings 2. A comprehensive list of services that are running. 3. Configuration of any security lockdown tool or setting 4. Account settings 5. Configuration and settings of software running on the server. 7. Types of data stored on the server. 8. The owners of the data stored on the server. 9. The sensitivity of data stored on the server. 10. Data on the server that should be backed up along with its location. 11. Users or groups with access to data stored on the server. 12. Administrators on the server with a list of rights of each administrator. 13. The authentication process and protocols used for authentication for users of data on the server. 14. The authentication process and protocols used for authentication for administrators on the server. 15. Data encryption requirements. 16. Authentication encryption requirements. 17. List of users accessing data from remote locations and type of media they access data through such as internet or private network. 18. List of administrators administrating the server from remote locations and type of media they access the server through such as internet or private network. 19. Intrusion detection and prevention method used on the server. 20. Latest patch to operating system and each service running. 21. Groups or individuals with physical access to the area the server is in and the type of access, such as key or card access. 22. Emergency recovery disk and date of last update. 23. Disaster recovery plan and location of backup data. Mail Server Documentation 1. Account size limit where the person receives warnings about mailbox size 2. Account size limit where the person cannot send mail anymore. 3. Account size limit where the person cannot receive mail anymore. 4. Access The ICT server administrator and the ICT manager shall have full read and change access to server documentation for the server or servers they are tasked with administering. The ICT network administrator and help desk staff shall have the ability to read all server documentation. 39 MCLM-ISPM: Adobted by Council: 5. Item 9/2014 MCLM Council meeting of 27 March 2014 Change Notification The help desk staff, network administrator, and ICT manager shall be notified by Service providers (QPR and BIQ) when changes are made to servers. Notification shall be through email to designated groups of people. 6. Documentation Review The network administrator and server administrator shall ensure that server documentation is kept current by performing a monthly review of documentation or designating a staff member to perform a review. The remedy or help desk requests within the last month should be reviewed to help determine whether any server changes were made. Also any current or completed projects affecting server settings should be reviewed to determine whether there were any server changes made to support the project. 7. Storage Locations Server documentation shall be kept either in written form or electronic form in a minimum of two places. It should be kept in two facilities at least two kilometres apart so that if one facility is destroyed, information from the other facility may be used to help construct the IT infrastructure. Information in both facilities should be updated monthly at the time of the documentation review. 17. NETWORK SCANNING POLICY 1. Network Scan Types and Scope This network scanning policy defines network scan types, identifies reasons for scanning, identifies times when network scanning is allowed, who should approve network scanning, and specifies who should be notified when network scanning is done. 1. Network device location scan - This scan may use different means to determine IP addresses of active devices on the network. Methods: 1. ARP Scan - An ARP broadcast can be sent to network IP addresses asking what is the MAC address of the host with IP address x.x.x.x. If a response occurs, there is an active host at that address. 2. Internal full port scan - Checks to determine what services are running on each host. This may be done against selected hosts or all hosts including servers and workstations. Methods: 1. Socket connect scan - Tries to complete a socket connection to a port on a host computer this scan allows the host computer to log the connection. 2. SYN scan - Sends a SYN packet to the host indicating that it wants to open a socket. But when the host responds it does not finishing establishing the connection. 40 MCLM-ISPM: Adobted by Council: 3. 4. 5. 6. 7. 8. Item 9/2014 MCLM Council meeting of 27 March 2014 3. FIN scan - Sends a FIN packet to a host port. If a service is not running, the port responds with a reset signal. If the port has a service running on it, the signal is ignored. External full port scan - Checks to determine what services are running on each host. This test is done from outside the firewall and is directed toward any IP addresses owned by the Merafong being tested. It may use the socket connect scan method, the SYN scan method, or the FIN scan method. Internal vulnerability scan - Tests the server to see if it is vulnerable to known flaws in the operating system, services, and applications that are running. This test may be directed toward one or more hosts including servers and workstations. This test goes beyond performing a full port scan. It attempts to get information about the operating system and services running on the host. It will attempt to determine the version of the services running on the host. and may even do a penetration test. External vulnerability scan - Same as the internal vulnerability scan except it is done from outside the Merafong network and is directed toward any IP addresses owned by the Merafong being tested. Internal Denial of service scan - This is a scan using packets which are intentionally designed to make a system crash or tie up resources. The scan is directed against ports but the data sent is usually misconfigured in some unusual way. External denials of service scan - Similar to the internal denial of service scan except it is directed against IP addresses owned by the Merafong being tested. Password Cracking - This test may send default passwords and brute force password guessing against accounts on specified systems. This is really not like a network scan but is covered in this policy since it could potentially disrupt service depending on the password policies of the Merafong. Many scanning services will offer some combinations of these types of scans. This policy covers all types of network and host scanning. 2. Network Scanning Reasons Network scanning may be performed for several reasons 1. To determine whether computer systems are vulnerable to attack and fix them. 2. To show company we interact with that our servers are reasonably secure. 3. To fulfil regulatory requirements. Network scanning shall not be performed without written permission. 3.0 Network Scanning Disruptions Network scanning can be very disruptive to both a network and hosts that are operating on a network. No network scanning shall be allowed without close adherence to this policy and the associated procedures. Network scanning can cause systems to crash and network devices to become unreliable which can become very disruptive to the business operations. 4.0 Authorizers of Network Scanning and allowable hours The head of the IT department shall determine who is authorized to perform network scans. Those who perform network scans must have authorization in writing and a 41 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 specified time period when they are permitted to perform network scans. This policy may limit the hours that scanning may be done so scanning is not done during business hours. Specified time periods may provide for the following constraints: 1. Scanning shall be done between the hours of18h00 and 06h00 This may be to prevent disruptions during business hours. . 5. Scanning Notifications When scanning is to be done, the following groups of people must be notified on a daily basis: 1. The IT manager 2. The systems administrator. 3. The users of computer systems that will be scanned. 6. Scanning Procedure scanning procedure shall be created for all computer systems to be scanned. For each server to be scanned a list of people to be notified shall be maintained. For workstations to be scanned, users may be notified using a group email. 7. Enforcement Since network scanning can be disruptive to the operations of the network and the Merafong, employees that do not adhere to this policy may be subject to disciplinary action up to and including dismissal. 18. CHANGE MANAGEMENT AND CONTROL POLICY 1. Introduction 1. Operational change management brings discipline and quality control to ICT. Attention to governance and formal policies and procedures will ensure its success. Adopting formalised governance and policies for operational change management delivers a more disciplined and efficient infrastructure. This formalisation requires communication; the documentation of important process workflows and personnel roles; and the alignment of automation tools, where appropriate. By defining processes and policies, ICT organisations can demonstrate increased agility in responding predictably and reliably to new business demands. 2. Merafong Municipality management has recognised the importance of change management and control and the associated risks with ineffective change management and control and have therefore formulated this Change Management and Control Policy in order to address the opportunities and associated risks. 42 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 2. Scope The policy applies to all users operating within the Merafong‟s network environment or utilising Information Resources. It covers the data networks, LAN servers and personal computers (stand-alone or networkenabled), located at company offices and company production related locations, where these systems are under the jurisdiction and/or ownership of Merafong or , and any personal computers, laptops, mobile device and or servers authorised to access the company‟s data networks. 3. Purpose The purpose of this policy is to establish management direction and highlevel objectives for change management and control. This policy will ensure the implementation of change management and control strategies to mitigate associated risks such as: Information being corrupted and/or destroyed; Computer performance being disrupted and/or degraded; Productivity losses being incurred; and Exposure to reputational risk. 4. Policy 4.1. Preamble 4.1.1.1. Changes to information resources shall be managed and executed according to a formal change control process. The control process will ensure that changes proposed are reviewed, authorised, tested, implemented, and released in a controlled manner; and that the status of each proposed change is monitored. 4.1.1.2. In order to fulfil this policy, the following statements shall be adhered to: 4.1.2. Operational Procedures 4.1.2.1. The change control process shall be formally defined and documented. A change control process shall be in place to control changes to all critical Merafong information resources (such as hardware, software, system documentation and operating procedures). This documented process shall include management responsibilities and procedures. Wherever practicable, operational and application change control procedures should be integrated. 4.1.2.2. At a minimum the change control process should include the following phases: Logged Change Requests; Identification, prioritization and initiation of change; Proper authorization of change; 43 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 Requirements analysis; Inter-dependency and compliance analysis; Impact Assessment; Change approach; Change testing; User acceptance testing and approval; Implementation and release planning; Documentation; Change monitoring; Defined responsibilities and authorities of all users and IT personnel; Emergency change classification parameters. 4.1.3. Documented Change 4.1.3.1. All change requests shall be logged whether approved or rejected on a standardised and central system. The approval of all change requests and the results thereof shall be documented. 4.1.3.2. A documented audit trail, maintained at a sectional Level, containing relevant information shall be maintained at all times. This should include change request documentation, change authorization and the outcome of the change. No single person should be able to effect changes to production information systems without the approval of other authorised personnel. 4.1.4. Risk Management 4.1.4.1. A risk assessment shall be performed for all changes and dependant on the outcome, an impact assessment should be performed. 4.1.4.2. The impact assessment shall include the potential effect on other information resources and potential cost implications. The impact assessment should, where applicable consider compliance with legislative requirements and standards. 4.1.5. Change Classification 4.1.5.1. All change requests shall be prioritised in terms of benefits, urgency, effort required and potential impact on operations. 44 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 4.1.6. Testing 4.1.7. Changes shall be tested in an isolated, controlled, and representative environment (where such an environment is feasible) prior to implementation to minimise the effect on the relevant business process, to assess its impact on operations and security and to verify that only intended and approved changes were made. 4.1.8. Changes affecting SLA„s 4.1.8.1. The impact of change on existing SLA‟s shall be considered. Where applicable, changes to the SLA shall be controlled through a formal change process which includes contractual amendments. 4.1.9. Version control 4.1.9.1. Any software change and/or update shall be controlled with version control. Older versions shall be retained in accordance with corporate retention and storage management policies. 4.1.10. Approval 4.1.10.1. All changes shall be approved prior to implementation. Approval of changes shall be based on formal acceptance criteria i.e. the change request was done by an authorised user, the impact assessment was performed and proposed changes were tested. 4.1.11. Communicating changes 4.1.11.1. All users, significantly affected by a change, shall be notified of the change. The user representative shall sign-off on the change. Users shall be required to make submissions and comment prior to the acceptance of the change. 4.1.12. Implementation 4.1.12.1 Implementation will only be undertaken after appropriate testing and approval by stakeholders. All major changes shall be treated as new system implementation and shall be established as a project. Major changes will be classified according to effort required to develop and implement said changes. 4.1.13. Fall back 4.1.13.1. Procedures for aborting and recovering from unsuccessful changes shall be documented. Should the outcome of a change be different to the expected result (as identified in the testing of the change), procedures and responsibilities shall be noted for the recovery and continuity of the affected areas. Fall back procedures will be in place to ensure systems can revert back to what they were prior to implementation of changes. 45 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 4.1.14. Documentation 4.1.14.1. Information resources documentation shall be updated on the completion of each change and old documentation shall be archived or disposed of as per the documentation and data retention policies. 4.1.14.2. Information resources documentation is used for reference purposes in various scenarios i.e. further development of existing information resources as well as ensuring adequate knowledge transfer in the event of the original developer and/or development house being unavailable. It is therefore imperative that information resources documentation is complete, accurate and kept up to date with the latest changes. Policies and procedures, affected by software changes, shall be updated on completion of each change. 4.1.15. Business Continuity Plans (BCP) 4.1.15.1. Business continuity plans shall be updated with relevant changes, managed through the change control process. Business continuity plans rely on the completeness, accuracy and availability of BCP documentation. BCP documentation is the road map used to minimise disruption to critical business processes where possible, and to facilitate their rapid recovery in the event of disasters. 4.1.16. Emergency Changes 4.1.16.1. Specific procedures to ensure the proper control, authorisation, and documentation of emergency changes shall be in place. Specific parameters will be defined as a standard for classifying changes as Emergency changes. 4.1.17. Change Monitoring 4.1.17.1. All changes will be monitored once they have been rolled-out to the production environment. Deviations from design specifications and test results will be documented and escalated to the solution owner for ratification. 5. Compliance 5.1.1.1. Any person, subject to this policy, who fails to comply with the provisions as set out above or any amendment thereto, shall be subjected to appropriate disciplinary or legal action in accordance with Merafong Disciplinary Code and Procedures. Merafong Information Security policies, standards, procedures and guidelines shall comply with legal, regulatory and statutory requirements. 6. IT Governance Value statement 6.1.1.1. Changes that materially affect the financial process must be evaluated and reported quarterly. Financial system upgrades or replacements will require new certification. The implication is that MFMA compliance is reliant on the changes you make to the operational systems and procedures. 46 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 7. Policy Access Considerations 7.1.1.1. Access to this policy shall be granted to: All IT personnel All Users Managers Executive Directors 19. INCIDENT RESPONSE POLICY 1. Overview This incident response defines what constitutes a security incident and outlines the incident response phases. This incident response plan document discusses how information is passed to the appropriate personnel, assessment of the incident, minimising damage and response strategy, documentation, and preservation of evidence. The incident response plan will define areas of responsibility and establish procedures for handing various security incidents. This document discusses the considerations required to build an incident response plan. 2. Purpose The policy is designed to protect the Merafong resources against intrusion. 3. Incident Response Goals 1. 2. 3. 4. 5. 6. 7. 8. Verify that an incident occurred. Maintain or Restore Business Continuity. Reduce the incident impact. Determine how the attack was done if the incident happened. Prevent future attacks or incidents. Improve security and incident response. Prosecute illegal activity. Keep management informed of the situation and response. 4. Incident Definition An incident is any one or more of the following: 1. Loss of information confidentiality (data theft) 2. Compromise of information integrity (damage to data or unauthorized modification). 3. Theft of physical IT asset including computers, storage devices, printers, etc. 4. Damage to physical IT assets including computers, storage devices, printers, etc. 5. Denial of service. 47 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 6. Misuse of services, information, or assets. 7. Infection of systems by unauthorized or hostile software. 8. An attempt at unauthorized access. 9. Unauthorized changes to Merafong hardware, software, or configuration. 10. Reports of unusual system behaviour. 11. Responses to intrusion detection alarms. 5. Incident planning In the incident response plan, the following will be done: 1. Define roles and responsibilities 2. Establish procedures detailing actions taken during the incident. 1. Detail actions based on type of incident such as a virus, hacker intrusion, data theft, system destruction. 2. Procedures should consider how critical the threatened system or data is. 3. Consider whether the incident is on-going or done. 6. Incident Response Life cycle 1. Incident Preparation 1. Policies and Procedures 1. Computer Security Policies - These involve many policies including password policies, intrusion detection, computer property control, data assessment, and others. 2. Incident Response Procedures 3. Backup and Recovery Procedures 2. Implement policies with security tools including firewalls, intrusion detection systems, and other required items. 3. Post warning banners against unauthorized use at system points of access. 4. Establish Response Guidelines by considering and discussing possible scenarios. 5. Train users about computer security and train IT staff in handling security situations and recognizing intrusions. 6. Establish Contacts - Incident response team member contact information should be readily available. An emergency contact procedure should be established. There should be one contact list with names listed by contact priority. 7. Test the process. 2. Discovery - Someone discovers something not right or suspicious. This may be from any of several sources: 1. Helpdesk 2. Intrusion detection system 3. A system administrator 4. A firewall administrator 5. A business partner 48 MCLM-ISPM: Adobted by Council: 3. 4. 5. 6. 7. 8. Item 9/2014 MCLM Council meeting of 27 March 2014 6. A monitoring team 7. A manager 8. The security department or a security person. 9. An outside source. Notification - The emergency contact procedure is used to contact the incident response team. Analysis and Assessment - Many factors will determine the proper response including: 1. Is the incident real or perceived? 2. Is the incident still in progress? 3. What data or property is threatened and how critical is it? 4. What is the impact on the business should the attack succeed? Minimal, serious, or critical? 5. What system or systems are targeted, where are they located physically and on the network? 6. Is the incident inside the trusted network? Response Strategy - Determine a response strategy. 1. Is the response urgent? 2. Can the incident be quickly contained? 3. Will the response alert the attacker and do we care? Containment - Take action to prevent further intrusion or damage and remove the cause of the problem. May need to: 1. Disconnect the affected system(s) 2. Change passwords. 3. Block some ports or connections from some IP addresses. Prevention of re-infection 1. Determine how the intrusion happened - Determine the source of the intrusion whether it was email, inadequate training, attack through a port, attack through an unneeded service, attack due to unpatched system or application. 2. Take steps to prevent an immediate re-infection which may include one or more of: 1. Close a port on a firewall 2. Patch the affected system 3. Shut down the infected system until it can be re-installed 4. Re-install the infected system and restore data from backup. Be sure the backup was made before the infection. 5. Change email settings to prevent a file attachment type from being allow through the email system. 6. Plan for some user training. 7. Disable unused services on the affected system. Restore Affected Systems - Restore affected systems to their original state. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system. Depending on the situation, restoring the system could include one or more of the following 1. Re-install the affected system(s) from scratch and restore data from backups if necessary. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system. 2. Make users change passwords if passwords may have been sniffed. 49 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 3. Be sure the system has been hardened by turning off or uninstalling unused services. 4. Be sure the system is fully patched. 5. Be sure real time virus protection and intrusion detection is running. 6. Be sure the system is logging the correct items 9. Documentation - Document what was discovered about the incident including how it occurred, where the attack came from, the response, whether the response was effective. 10. Evidence Preservation - Make copies of logs, email, and other documentable communication. Keep lists of witnesses. 11. Notifying proper external parties as defined in the Minimum Information Security Standards (MISS) - Notify the police if prosecution of the intruder is possible. 12. Assess damage and cost - Assess the damage to the Merafong and estimate both the damage cost and the cost of the containment efforts. 13. Review response and update policies - Plan and take preventative steps so the intrusion can't happen again. a. Consider whether an additional policy could have prevented the intrusion. b. Consider whether a procedure or policy was not followed which allowed the intrusion, then consider what could be changed to be sure the procedure or policy is followed in the future. c. Was the incident response appropriate? How could it be improved? d. Was every appropriate party informed in a timely manner? e. Were the incident responses procedures detailed and cover the entire situation? How can they be improved? f. Have changes been made to prevent a re-infection of the current infection? Are all systems patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.? g. Have changes been made to prevent a new and similar infection? h. Should any security policies be updated? i. What lessons have been learned from this experience? 20. NETWORK RISK EVALUATION The purpose of this document is to list all network security risks and help the user determine where the greatest threats lie on their network. The network administrator should list their opinion of the severity of each threat and how common they believe it to be on their network. Then the number of times per month that this threat has materialized should be listed. There are several main items to consider when listing threats and their ability to threaten the network. These include: 1. The threat such as virus, spyware, worms, computer hack and others. 2. The computer type - This will be one of server, desktop, mainframe, or laptop. 3. The entry method - Describes the transport mechanism the threat used to enter the network whether it was the DMZ or trusted network. This could be carried physically in, through email, through a browser such as typical adware or spyware infections, or through a firewall. 50 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 4. The infected Zone - The zone the infected computer was in. It should be noted whether the infection spread and what zones it spread to, but there is no place in the table for this. If spreading happened, the item should be stared or numbered with an incident explanation at the bottom of the sheet. 5. The perceived threat severity 6. How common or often the threat is realized on the network. 7. Occurrences per month. This should be the actual average number of occurrences in the last 6 to 12 months. Compromise of client computers 1. Hostile software through email borne viruses into client computers 2. Unauthorized user installed program - Users bringing their own programs into the network on disks or memory sticks 3. Hostile software through user web browser due to misconfiguration and/or software vulnerability. Compromise of server computers: 1. Threats from compromised client computers. 2. Attacks through vulnerable applications. 3. Attacks through vulnerabilities in services such as web server and mail services. 4. Attacks through operating system vulnerabilities. 5. Attacks due to misconfiguration of services or system such as allowing relaying on mail server allowing spam to be sent, not locking down Internet Information Server (IIS) leaving it vulnerable, or leaving default administrator accounts with default passwords set. Items to consider: 1. Consider where all systems lie on the network and where traffic is limited between different areas. Include firewalls and routers along with descriptions or lists of permitted and disallowed traffic. 2. Consider where the most security violations have occurred both in type such as virus and the type of computer infected. 1. Consider whether the servers should be in a network zone separate from the client computers if client computers are compromised more often, statistically, than other groups of computers (such as servers in the DMZ). 51 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 Appendix B: Acceptable Use Security Policy < MERAFONG CITY LOCAL MUNICIPALITY> POLICY INFORMATION SECURITY NUMBER: MCLM-ISMS EFFECTIVE: REVISED DATE: SUBJECT: ACCEPTABLE USE APPROVED: SECTION 1 – INTRODUCTION Information Resources are strategic assets of the Merafong and must be treated and managed as valuable resources. Merafong provides various computer resources to its employees for the purpose of assisting them in the performance of their jobrelated duties. State law permits minimal and incidental access to state resources for personal use. This policy clearly documents expectations for appropriate use of Merafong assets. This Acceptable Use Policy, in conjunction with the corresponding standards, is established to achieve the following: 1. To establish appropriate and acceptable practices regarding the use of Municipal information. 2. To ensure compliance with applicable Government and other rules and regulations regarding the management of information. 3. To educate employees who may use these information resources with respect to their responsibilities. ROLES AND RESPONSIBILITIES 1. Merafong management will establish a periodic reporting requirement to measure the compliance and effectiveness of this policy. 2. Merafong management is responsible for implementing the requirements of this policy, or documenting non-compliance via the method described under exception handling. 3. Merafong Managers, in cooperation with ICT section, are required to train employees on policy and document issues with policy compliance. 4. All Merafong employees are required to read and acknowledge the reading of this policy. POLICY DIRECTIVES Acceptable Use Management Requirements Merafong will establish formal standards and processes to support the on-going development and maintenance of the Merafong Acceptable Use Policy. The Merafong Executive Directors and managers will commit to the on-going training and education of Merafong staff responsible for the administration and/or 52 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 maintenance and/or use of Merafong information resources. At a minimum, skills to be included or advanced include user training and awareness. 1. The Merafong Executive Directors and managers will use metrics to establish the need for additional education or awareness in order to facilitate the reduction in the threat and vulnerability profiles of Merafong assets and information resources. 2. The Merafong Executive Directors and managers will establish a formal review cycle for all acceptable use initiatives. 3. Any security issues discovered will be reported to the ICT manager for follow-up investigation. Ownership Electronic files created, sent, received, or stored on information resources owned, leased, administered, or otherwise under the custody and control of Merafong are the property of Merafong and employee use of these files is neither personal nor private. Authorized Merafong ICT employees may access all such files at any time without knowledge of the user or owner. Merafong management reserves the right to monitor and/or log all employee use of Merafong information with or without prior notice. Acceptable Use Requirements 1. Users must report any weaknesses in Merafong computer security to the appropriate security staff. Weaknesses in computer security include unexpected software or system behaviour, which may result in unintentional disclosure of information or exposure to security threats. 2. Users must report any incidents of possible misuse or violation of this Acceptable Use Policy through the use of documented misuse reporting processes associated with the Internet, Intranet, and email use standards. 3. Users must not attempt to access any data, documents, email correspondence, and programs contained on <Merafong>systems for which they do not have authorization. 4. Systems administrators and authorized users must not divulge remote connection modem phone numbers or other access points to <Merafong>computer resources to anyone without proper authorization. 5. Users must not share their account(s), passwords, Personal Identification Numbers (PIN), security tokens (i.e., Smartcard), or similar information or devices used for identification and authorization purposes. 6. Users must not make unauthorized copies of copyrighted or Merafong owned software. 7. Users must not use non-standard shareware or freeware software without the appropriate Merafong management approval. 53 MCLM-ISPM: Adobted by Council: Item 9/2014 MCLM Council meeting of 27 March 2014 8. Users must not purposely engage in activity that may harass, threaten, or abuse others or intentionally access, create, store, or transmit material which Merafong may deem to be offensive, indecent, or obscene, or that is illegal according to the law of the country. 9. Users must not engage in activity that may degrade the performance of information resources; deprive an authorized user access to Merafong resources; obtain extra resources beyond those allocated; or circumvent Merafong computer security measures. 10. Users must not download, install or run security programs or utilities such as password cracking programs, packet sniffers, or port scanners that reveal or exploit weaknesses in the security of a Merafong computer resource unless approved by Merafong ICT. 11. Merafong information resources must not be used for personal benefit, political activity, unsolicited advertising, unauthorized fund raising, or for the solicitation of performance of any activity that is prohibited by any local, provincial, or national law. 12. Access to the Internet from Merafong owned, home based, computers must adhere to all the policies. Employees must not allow family members or other non-employees to access non-public accessible Merafong computer systems. 13. Any security issues discovered will be reported to the ICT section, for follow-up investigation Minimal and Incidental Use 1. Minimal and incidental personal use of email, Internet access, fax machines, printers, and copiers is restricted to Merafong approved users only and does not include family members or others not affiliated with Municipality 2. Minimal and incidental use must not result in direct costs to Merafong cause legal action against, or cause embarrassment to Merafong 3. Minimal and incidental use must not interfere with the normal performance of an employee‟s work duties. 4. Storage of personal email messages, voice messages, files, and documents within Merafong‟s computer resources must be nominal. ENFORCEMENT, AUDITING, REPORTING 1. Violation of this policy may result in disciplinary action that may include termination for employees and temporaries; termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers. Additionally, individuals are subject to loss of Merafong information resources access privileges, civil, and criminal prosecution. 54
© Copyright 2024