Dec 09, 2018, 06:58 AM
Shawn Helms
Computer Security (CIS-2245-VO01)
Full Policy

Acceptable Encryption Policy
1. Purpose
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

2. Scope
This policy applies to all Enterprise TC employees and affiliates.

3. Policy

3.1 Algorithm Requirements
3.1.1 Ciphers in use must meet or exceed the set defined as "AES-compatible" or "partially AES-compatible" according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents according to the date of implementation. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.

3.1.2 Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to the date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.

3.1.3 Signature Algorithms

Algorithm   Key length   Notes
ECDSA       P-256        Consider RFC 6090 to avoid patent infringement.
RSA         2048         Must use a secure padding scheme. PKCS#7 padding scheme is recommended. Message hashing required.
LDWM        SHA256       Refer to the LDWM Hash-based Signatures Draft.

3.2 Hash Function Requirements
In general, Enterprise TC adheres to the NIST Policy on Hash Functions.

3.3 Key Agreement and Authentication
3.3.1 Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman, IKE, or Elliptic Curve Diffie-Hellman (ECDH).

3.3.2 Endpoints must be authenticated prior to the exchange or derivation of session keys.

3.3.3 Public keys used to establish trust must be authenticated prior to use. Examples of authentication include transmission via a cryptographically signed message or manual verification of the public key hash.

3.3.4 All servers used for authentication (for example, RADIUS or TACACS) must have a valid certificate installed that is signed by a known, trusted provider.

3.3.5 All servers and applications using SSL or TLS must have their certificates signed by a known, trusted provider.

3.4 Key Generation
3.4.1 Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.

3.4.2 Key generation must be seeded from an industry-standard random number generator (RNG). For examples, see NIST Annex C: Approved Random Number Generators for FIPS PUB 140-2.

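The following Python script is an added example, not part of the policy itself or of any Enterprise TC tooling: it audits a TLS cipher-suite list (records in the shape returned by ssl.SSLContext.get_ciphers()) against sections 3.1 to 3.3 above. The rule mapping, the SAMPLE_SUITES records and the cipher string in policy_context() are this example's own assumptions.

```python
"""Audit a TLS cipher-suite list against the Acceptable Encryption Policy.

Added example, not part of the policy text or any Enterprise TC tooling.
The rule mapping is this example's reading of the policy:
  3.1.1  symmetric cipher must be AES
  3.1.2  authentication must be RSA or ECDSA (RSA/ECC)
  3.3.1  key exchange must be Diffie-Hellman or ECDH (DHE/ECDHE in TLS)
  3.2    NIST hash policy: no MD5/SHA-1 integrity on non-AEAD suites
"""
import ssl

# Constructed sample records in the shape ssl.SSLContext.get_ciphers() returns
# (only the keys this audit reads are included).
SAMPLE_SUITES = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "symmetric": "aes-256-gcm",
     "kea": "kx-ecdhe", "auth": "auth-rsa", "digest": None, "aead": True},
    {"name": "TLS_AES_128_GCM_SHA256", "symmetric": "aes-128-gcm",
     "kea": "kx-any", "auth": "auth-any", "digest": None, "aead": True},
    {"name": "AES128-SHA", "symmetric": "aes-128-cbc",
     "kea": "kx-rsa", "auth": "auth-rsa", "digest": "sha1", "aead": False},
    {"name": "ECDHE-ECDSA-CHACHA20-POLY1305", "symmetric": "chacha20-poly1305",
     "kea": "kx-ecdhe", "auth": "auth-ecdsa", "digest": None, "aead": True},
]


def evaluate_cipher(info):
    """Return the list of policy findings for one cipher-suite record.

    Values are matched by substring so the check does not depend on one
    OpenSSL build's exact spelling.  An empty list means the suite passes.
    """
    findings = []
    sym = (info.get("symmetric") or "").lower()
    if "aes" not in sym:
        findings.append("3.1.1: symmetric cipher %r is not AES" % sym)

    # 'kx-ecdhe' / 'kx-dhe' satisfy 3.3.1; TLS 1.3 reports 'kx-any' and is
    # always (EC)DHE.  Static RSA key transport ('kx-rsa') is not DH/ECDH.
    kea = (info.get("kea") or "").lower()
    if "dh" not in kea and kea != "kx-any":
        findings.append("3.3.1: key exchange %r is not DH/ECDH" % kea)

    auth = (info.get("auth") or "").lower()
    if not any(tag in auth for tag in ("rsa", "ecdsa")) and auth != "auth-any":
        findings.append("3.1.2: authentication %r is not RSA/ECDSA" % auth)

    # AEAD suites carry integrity in the cipher; otherwise the MAC digest must
    # be SHA-256 or stronger.
    digest = (info.get("digest") or "").lower()
    if not info.get("aead") and (not digest or "md5" in digest or "sha1" in digest):
        findings.append("3.2: MAC digest %r is weaker than SHA-256" % digest)
    return findings


def audit(ciphers):
    """Map each non-compliant suite name to its findings; compliant ones are omitted."""
    report = {}
    for info in ciphers:
        findings = evaluate_cipher(info)
        if findings:
            report[info["name"]] = findings
    return report


def policy_context():
    """Client context restricted to suites the rules above accept.

    OpenSSL cipher-string syntax: 'ECDHE+AESGCM' means ECDHE key exchange AND
    AES-GCM, so RC4, 3DES, CHACHA20 and static RSA key exchange are excluded
    for TLS 1.2.  set_ciphers() does not govern TLS 1.3 suites, so audit()
    should still be run on ctx.get_ciphers().
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES")
    return ctx


if __name__ == "__main__":
    print("Constructed samples:")
    for name, why in audit(SAMPLE_SUITES).items():
        print(" ", name, "->", "; ".join(why))
    print("This interpreter's policy_context():")
    for name, why in audit(policy_context().get_ciphers()).items():
        print(" ", name, "->", "; ".join(why))
```

Running the script also audits the interpreter's own OpenSSL suite list, which is the quickest way to see which defaults a deployment would have to drop to meet the policy.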
4. Policy Compliance
4.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Acceptable Use Policy


The following document is the published and complete Acceptable Use Policy [AUP] for Enterprise TC. The AUP for Enterprise TC is created to protect employees, partners and the company from illegal and malicious acts by individuals within Enterprise TC. The purpose of this policy is to outline the acceptable use of computer equipment at Enterprise TC. Inappropriate use exposes Enterprise TC to risks including virus attacks, compromise of network systems and services, and legal issues.

Contents
1. Coverage of the AUP
2. Overview
3. General Use and Ownership
4. Security of Information and Proprietary Information
4.1 Password Security
5. Email and Communications
6. System and Network Activities

1. Coverage of the AUP
This policy applies to employees, contractors, consultants, temporaries, and other workers at Enterprise TC, including all personnel affiliated with third parties.

This policy applies to all equipment that is owned or leased by Enterprise TC.

2. Overview
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, WWW browsing, and FTP, are the property of Enterprise TC. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers, in the course of normal operations.

Effective security is a team effort involving the participation and support of every Enterprise TC employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines and to conduct their activities accordingly.

Any employee in violation of the AUP may be subject to disciplinary action, up to and including termination of employment or possibly legal action.

3. General Use and Ownership
While Enterprise TC's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of Enterprise TC. Because of the need to protect Enterprise TC's network, management cannot guarantee the confidentiality of information stored on any network device belonging to Enterprise TC.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by consulting their supervisor or manager.

For security and network maintenance purposes, authorized individuals within Enterprise TC may monitor equipment, systems and network traffic at any time.

Enterprise TC reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4. Security of Information and Proprietary Information
Information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private information, corporate strategies, competitor-sensitive information, trade secrets, specifications, customer lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information.

All employees are responsible for any knowledge regarding customers that is not considered publicly known, and for exercising good judgment regarding appropriate use of such information.

All hosts used by the employee that are connected to the Enterprise TC Internet/Intranet/Extranet, whether owned by the employee or by Enterprise TC, shall continually run approved virus-scanning software with a current virus database unless overridden by departmental or group policy.

Under no circumstances is an employee of Enterprise TC authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Enterprise TC-owned resources.

4.1 Password Security
Keep all passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System-level passwords should be changed quarterly; user-level passwords should be changed every six months.

Revealing your account password to others or allowing use of your account by others is strictly prohibited. This includes family and other household members when work is being done at home.

Gross negligence with work-related passwords, whether used personally or by other Enterprise TC employees, is prohibited and is subject to disciplinary action.

5. Email and Communications
Postings by employees from an Enterprise TC email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of Enterprise TC, unless the posting is in the course of business duties.

The following email and communications activities are prohibited:

- Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).

- Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.

- Unauthorized use, or forging, of email header information.

- Solicitation of email for any email address other than that of the poster's account, with the intent to harass or to collect replies.

- Use of unsolicited email originating from within Enterprise TC's networks or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by Enterprise TC or connected via Enterprise TC's network.

6. System and Network Activities
The following activities are strictly prohibited, with no exceptions:

- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Enterprise TC.

- Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. The appropriate management should be consulted prior to export of any material that is in question.

- Introduction of malicious programs into the network or servers (e.g., viruses, worms, Trojan horses, e-mail bombs).

- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these activities are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

- Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.

- Circumventing user authentication or security of any host, network or account.

- Interfering with or denying service to any user other than the employee's host (for example, a denial of service attack).

- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.

- Providing information about, or lists of, Enterprise TC employees to parties outside Enterprise TC.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Clean Desk Policy

1. Overview
A clean desk policy can be an important tool to ensure that all sensitive/confidential materials are removed from an end user's workspace and locked away when the items are not in use or an employee leaves his/her workstation. It is one of the top strategies to utilize when trying to reduce the risk of security breaches in the workplace. Such a policy can also increase employees' awareness about protecting sensitive information.

2. Purpose
The purpose of this policy is to establish the minimum requirements for maintaining a "clean desk", where sensitive/critical information about our employees, our intellectual property, our customers and our vendors is secure in locked areas and out of sight.

3. Scope
This policy applies to all Enterprise TC employees and affiliates.

4. Policy
4.1 Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.

4.2 Computer workstations must be locked when the workspace is unoccupied.

4.3 Computer workstations must be shut down completely at the end of the work day.

4.4 Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.

4.5 Laptops must be either locked with a locking cable or locked away in a drawer.

4.6 Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.

4.7 Whiteboards containing Restricted and/or Sensitive information should be erased.

4.8 Lock away portable computing devices such as laptops and tablets.

4.9 Treat mass storage devices such as CD-ROM, DVD or USB drives as sensitive and secure them in a locked drawer.

5. Policy Compliance
5.1 Compliance Measurement
Department management will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Data Breach Response Policy

1.0 Purpose
The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms.

1.1 Background
This policy mandates that any individual who suspects a theft, breach or exposure of Enterprise TC's protected data must report it to a supervisor or management. If a theft, breach or exposure has occurred, the Information Security Administrator will follow the appropriate procedure in place.

2.0 Scope
This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personally identifiable information of Enterprise TC members.

3.0 Policy
Confirmed theft, data breach or exposure of Enterprise TC Protected data or Enterprise TC Sensitive data

As soon as a theft, data breach or exposure containing Enterprise TC protected data or Enterprise TC sensitive data is identified, the process of removing all access to that resource will begin. Management will chair an incident response team to handle the breach or exposure.

Management will be notified of the theft, breach or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.

4.0 Enforcement

Any Enterprise TC personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company found in violation may have their network connection terminated.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Disaster Recovery Plan Policy

1. Overview
Since disasters happen so rarely, management often ignores the disaster recovery planning process. It is important to realize that having a contingency plan in the event of a disaster gives Enterprise TC a competitive advantage. This policy requires management to financially support and diligently attend to disaster contingency planning efforts. Disasters are not limited to adverse weather conditions. Any event that could likely cause an extended delay of service should be considered. The Disaster Recovery Plan is often part of the Business Continuity Plan.

2. Purpose
This policy defines the requirement for a baseline disaster recovery plan to be developed and implemented by Enterprise TC that will describe the process to recover IT Systems, Applications and Data from any type of disaster that causes a major outage.

3. Scope
This policy is directed to the IT Management Staff, who are accountable for ensuring the plan is developed, tested and kept up to date. This policy is solely to state the requirement to have a disaster recovery plan; it does not provide requirements around what goes into the plan or sub-plans.

4. Policy
4.1 Contingency Plans

The following contingency plans must be created:

Computer Emergency Response Plan:
Who is to be contacted, when, and how? What immediate actions must be taken in the event of certain occurrences?

Succession Plan:
Describe the flow of responsibility when normal staff are unavailable to perform their duties.

Data Study:
Detail the data stored on the systems, its criticality, and its confidentiality.

Criticality of Service List:
List all the services provided and their order of importance. It also explains the order of recovery in both short-term and long-term timeframes.

Data Backup and Restoration Plan:
Detail which data is backed up, the media to which it is saved, where that media is stored, and how often the backup is done. It should also describe how that data could be recovered.

Equipment Replacement Plan:
Describe what equipment is required to begin to provide services, list the order in which it is necessary, and note where to purchase the equipment.

Mass Media Management:
Who is in charge of giving information to the mass media? Also provide some guidelines on what data is appropriate to be provided.

After creating the plans, it is important to practice them to the extent possible. Management should set aside time to test implementation of the disaster recovery plan. Table-top exercises should be conducted annually. During these tests, issues that may cause the plan to fail can be discovered and corrected in an environment that has few consequences. The plan, at a minimum, should be reviewed and updated on an annual basis.

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Digital Signature Acceptance Policy

1. Purpose
The purpose of this policy is to provide guidance on when digital signatures are considered an accepted means of validating the identity of a signer in Enterprise TC's electronic documents and correspondence, and thus a substitute for traditional "wet" signatures, within the company. Because communication has become primarily electronic, the goal is to reduce confusion about when a digital signature is trusted.

2. Scope
This policy applies to all Enterprise TC employees and affiliates.

3. Policy
A digital signature is an acceptable substitute for a wet signature on any intra-organization document or correspondence.

3.1 Responsibilities
Digital signature acceptance requires specific action on the part of both the employee signing the document or correspondence (hereafter the signer) and the employee receiving/reading the document or correspondence (hereafter the recipient).

3.2 Signer Responsibilities
Signers must obtain a signing key pair from Enterprise TC management. This key pair will be generated using Enterprise TC's Public Key Infrastructure (PKI) and the public key will be signed by Enterprise TC's Certificate Authority.

Signers must sign documents and correspondence using software approved by the Enterprise TC IT organization.

Signers must protect their private key and keep it secret.

If a signer believes that the signer's private key was stolen or otherwise compromised, the signer must contact Enterprise TC management immediately to have the signer's digital key pair revoked.

4. Policy Compliance
4.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Email Policy

1. Overview
Electronic mail is pervasively used in almost all industry verticals and is often the primary communication and awareness method within an organization. At the same time, misuse of email can pose many legal, privacy and security risks, so it is important for users to understand the appropriate use of electronic communications.

2. Purpose
The purpose of this email policy is to ensure the proper use of the Enterprise TC email system and make users aware of what Enterprise TC deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within the Enterprise TC Network.

3. Scope
This policy covers appropriate use of any email sent from an Enterprise TC email address and applies to all employees operating on behalf of Enterprise TC.

4. Policy
4.1 All use of email must be consistent with Enterprise TC policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.

4.2 Non-Enterprise TC email accounts may not be used for commercial purposes.

4.3 All Enterprise TC data contained within an email message or an attachment must be secured according to the Data Protection Standard.

4.4 The Enterprise TC email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any Enterprise TC employee should report the matter to their supervisor immediately.

4.5 Users are prohibited from automatically forwarding Enterprise TC email to a third-party email system (noted in 4.6 below). Individual messages which are forwarded by the user must not contain Enterprise TC confidential or above information.

4.6 Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail to conduct Enterprise TC business, to create or memorialize any binding transactions, or to store or retain email on behalf of Enterprise TC. Such communications and transactions should be conducted through proper channels using Enterprise TC-approved documentation.

4.7 Using a reasonable amount of Enterprise TC resources for personal emails is acceptable, but non-work-related email shall be saved in a separate folder from work-related email.

4.8 Enterprise TC employees shall have no expectation of privacy in anything they store, send or receive on the company's email system.

4.9 Enterprise TC may monitor messages without prior notice. Enterprise TC is not obliged to monitor email messages.

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Ethics Policy

1. Overview
Enterprise TC is committed to protecting employees, partners, vendors and the company from illegal or damaging actions by individuals, whether taken knowingly or unknowingly.

When Enterprise TC addresses issues proactively and uses correct judgment, it will help set us apart from competitors. Enterprise TC will not tolerate any wrongdoing or impropriety at any time.

Enterprise TC will take the appropriate measures and act quickly to correct the issue if the ethical code is broken.

2. Purpose
The purpose of this policy is to establish a culture of openness and trust and to emphasize the employee's and consumer's expectation to be treated with fair business practices. This policy will serve to guide business behavior to ensure ethical conduct. Effective ethics is a team effort involving the participation and support of every Enterprise TC employee. All employees should familiarize themselves with the ethics guidelines that follow this introduction.

3. Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Enterprise TC, including all personnel affiliated with third parties.

4. Policy
4.1 Executive Commitment to Ethics

4.1.1 Senior leaders and executives within Enterprise TC must set a prime example. In any business practice, honesty and integrity must be the top priority for executives.

4.1.2 Executives must have an open door policy and welcome suggestions and concerns from employees. This will allow employees to feel comfortable discussing any issues and will alert executives to concerns within the work force.

4.1.3 Executives must disclose any conflict of interest regarding their position within Enterprise TC.

4.2 Employee Commitment to Ethics
4.2.1 Enterprise TC employees will treat everyone fairly, have mutual respect, promote a team environment and avoid the intent and appearance of unethical or compromising practices.

4.2.2 Every employee needs to apply effort and intelligence in maintaining ethical values.

4.2.3 Employees must disclose any conflict of interest regarding their position within Enterprise TC.

4.2.4 Employees will help Enterprise TC to increase customer and vendor satisfaction by providing quality products and timely responses to inquiries.

4.2.5 Employees should ask themselves the following questions when any behavior is questionable:
- Is the behavior legal?
- Does the behavior comply with all appropriate Enterprise TC policies?
- Does the behavior reflect Enterprise TC values and culture?
- Could the behavior adversely affect company stakeholders?
- Would you feel personally concerned if the behavior appeared in a news headline?
- Could the behavior adversely affect Enterprise TC if all employees did it?

4.3 Company Awareness
4.3.1 Promotion of ethical conduct within interpersonal communications of employees will be rewarded.

4.3.2 Enterprise TC will promote a trustworthy and honest atmosphere to reinforce the vision of ethics within the company.

4.4 Maintaining Ethical Practices
4.4.1 Enterprise TC will reinforce the importance of the integrity message, and the tone will start at the top. Every employee, manager and director needs to consistently maintain an ethical stance and support ethical behavior.

4.4.2 Employees at Enterprise TC should encourage open dialogue, get honest feedback and treat everyone fairly, with honesty and objectivity.

4.4.3 Enterprise TC has established a best practice disclosure committee to make sure the ethical code is delivered to all employees and that concerns regarding the code can be addressed.

4.4.4 Employees are required to recertify their compliance with the Ethics Policy on an annual basis.

4.5 Unethical Behavior
4.5.1 Enterprise TC will avoid the intent and appearance of unethical or compromising practice in relationships, actions and communications.

4.5.2 Enterprise TC will not tolerate harassment or discrimination.

4.5.3 Unauthorized use of company trade secrets and marketing, operational, personnel, financial, source code, and technical information integral to the success of our company will not be tolerated.

4.5.4 Enterprise TC will not permit impropriety at any time, and we will act ethically and responsibly in accordance with laws.

4.5.5 Enterprise TC employees will not use corporate assets or business relationships for personal use or gain.

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback.

5.2 Exceptions
None.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Pandemic Response Planning Policy

1. Overview
This policy is intended for companies that do not meet the definition of critical infrastructure as defined by the federal government. This type of organization may be requested by public health officials to close their offices to non-essential personnel, or completely, during a worst-case scenario pandemic to limit the spread of the disease. Many companies would run out of cash and be forced to go out of business after several weeks of everyone not working. Therefore, developing a response plan in advance that addresses who can work remotely and how they will work, and that identifies what other issues may be faced, will help the organization survive at a time when most people will be concerned about themselves and their families. Disasters typically happen in one geographic area. A hurricane or earthquake can cause massive damage in one area, yet the worst damage is usually contained within a few hundred miles. A global pandemic, such as the 1918 influenza outbreak which infected 1/3 of the world's population, cannot be dealt with by failing over to a backup data center. Therefore, additional planning steps for IT architecture, situational awareness, employee training and other preparations are required.

2. Purpose
This document directs planning, preparation and exercises for a pandemic disease outbreak over and above the normal business continuity and disaster recovery planning process. The objective is to address the reality that pandemic events can create personnel and technology issues outside the scope of the traditional DR/BCP planning process, as potentially 25% or more of the workforce may be unable to come to work for health or personal reasons.

3. Scope
The planning process will include personnel involved in the business continuity and disaster recovery process, enterprise architects and senior management of Enterprise TC. During the implementation of the plan, all employees and contractors will need to undergo training before and during a pandemic disease outbreak.

4. Policy
Enterprise TC will authorize, develop and maintain a Pandemic Response Plan addressing the following areas:

4.1 The Pandemic Response Plan leadership will be identified as a small team which will oversee the creation and updates of the plan. The leadership will also be responsible for developing internal expertise on the transmission of diseases and other areas such as the second wave phenomenon to guide planning and response efforts. However, as with any other critical position, the leadership must have trained alternates that can execute the plan should the leadership become unavailable due to illness.

4.2 The creation of a communications plan before and during an outbreak that accounts for congested telecommunications services.

4.3 An alert system based on monitoring of World Health Organization (WHO) and other local sources of information on the risk of a pandemic disease outbreak.

4.4 A predefined set of emergency policies that will preempt normal Enterprise TC policies for the duration of a declared pandemic. These policies are to be organized into different levels of response that match the level of business disruption expected from a possible pandemic disease outbreak within the community. These policies should address all tasks critical to the continuation of the company, including:
a) How people will be paid
b) Where they will work, including staying home with or bringing kids to work.
c) How they will accomplish their tasks if they cannot get to the office.

4.5 A set of indicators to management that will aid them in selecting an appropriate level of response, bringing into effect the related policies discussed in section 4.4, for the organization. There should be a graduated level of response related to the WHO pandemic alert level or other local indicators of a disease outbreak.

4.6 An employee training process covering personal protection including:
a) Identifying symptoms of exposure
443b) The concept of disease clusters in day cares, schools or other gathering places
444c) Basic prevention - limiting contact closer than 6 feet, cover your cough, hand washing
445d) When to stay home
446e) Avoiding travel to areas with high infection rates
447
4484.7 A process for the identification of employees with first responders or medical personnel in their household. These people, along with single parents, have a higher likelihood of unavailability due to illness or child care issues.
449
4504.8 A process to identify key personnel for each critical business function and transition their duties to others in the event they become ill.
451
4524.9 A list of supplies to be kept on hand or pre-contracted for supply, such as face masks, hand sanitizer, fuel, food and water.
453
4544.10 IT related issues:
455a) Ensure enterprise architects are including pandemic contingency in planning
456b) Verification of the ability for significantly increased telecommuting including bandwidth, VPN concentrator capacity/licensing, ability to offer voice over IP and laptop/remote desktop availability
457c) Increased use of virtual meeting tools – video conference and desktop sharing
458d) Identify what tasks cannot be done remotely
459e) Plan for how customers will interact with the organization in different ways
460
4614.11 The creation of exercises to test the plan.
462
4634.12 The process and frequency of plan updates at least annually.
464
4654.13 Guidance for auditors indicating that any review of the business continuity plan or enterprise architecture should assess whether they appropriately address the Enterprise TC Pandemic Response Plan.
466
4675. Policy Compliance
4685.1 Compliance Measurement
469 Management will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
470
4715.2 Exceptions
472Any exception to the policy must be approved by department supervision or management.
473
4745.3 Non-Compliance
475 An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
476
477@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
478
Password Construction Guidelines

1. Overview
Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or the network. This guideline provides best practices for creating secure passwords.

2. Purpose
The purpose of this guideline is to provide best practices for the creation of strong passwords.

3. Scope
This guideline applies to employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.

4. Statement of Guidelines
Strong passwords are long: the more characters you have, the stronger the password. We recommend a minimum of 14 characters in your password. In addition, we highly encourage the use of passphrases, passwords made up of multiple words. Examples include “It’s time for vacation” or “block-curious-sunny-leaves”. Passphrases are both easy to remember and type, yet meet the strength requirements. Poor, or weak, passwords have the following characteristics:
• Contain eight characters or fewer.
• Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
• Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
• Are some version of “Welcome123”, “Password123” or “Changeme123”.
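The characteristics listed above can be checked mechanically when a password is set. The following is an added example written for this page, not part of the policy document: it encodes the guideline's own thresholds (the 14-character recommendation, rejection at eight characters or fewer, aaabbb/qwerty/zyxwvuts/123321-style patterns, and Welcome123-style defaults) and reports every rule a candidate violates. The personal-information list is supplied by the caller; the names and dates used when trying it out are constructed samples.

```python
"""Checker for the weak-password characteristics listed in the guideline above.

Added example; it is not part of the policy document. The thresholds are the
guideline's own. The personal-information list passed to weaknesses() is the
caller's; any values used for testing are constructed samples.
"""
import re
from typing import Iterable

MIN_LENGTH = 14       # recommended minimum
WEAK_MAX_LENGTH = 8   # "eight characters or fewer" is weak outright

# Defaults the guideline names, compared after stripping trailing digits or
# punctuation so "Welcome123", "welcome!" and "WELCOME2024" all match.
KNOWN_WEAK_BASES = {"welcome", "password", "changeme"}

# Keyboard rows used to detect qwerty-style runs (forward or reversed).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_repeated_run(pw: str, min_run: int = 3) -> bool:
    """aaa, 111, ... (catches the 'aaabbb' case)."""
    return re.search(r"(.)\1{%d,}" % (min_run - 1), pw) is not None


def has_sequential_run(pw: str, min_run: int = 4) -> bool:
    """Characters stepping by +1 or -1: abcd, 6789, zyxw (catches 'zyxwvuts')."""
    low = pw.lower()
    for i in range(len(low) - min_run + 1):
        chunk = low[i:i + min_run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_run(pw: str, min_run: int = 4) -> bool:
    """Four or more adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            chunk = row[i:i + min_run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def has_mirrored_run(pw: str, length: int = 6) -> bool:
    """A substring that reads the same backwards, e.g. 123321."""
    return any(pw[i:i + length] == pw[i:i + length][::-1]
               for i in range(len(pw) - length + 1))


def contains_personal_info(pw: str, personal: Iterable[str]) -> bool:
    low = pw.lower()
    return any(len(item) >= 3 and item.lower() in low for item in personal)


def weaknesses(pw: str, personal: Iterable[str] = ()) -> list:
    """Return the guideline rules the password violates; an empty list means it passes."""
    found = []
    if len(pw) <= WEAK_MAX_LENGTH:
        found.append("eight characters or fewer")
    elif len(pw) < MIN_LENGTH:
        found.append("shorter than the recommended 14 characters")
    if contains_personal_info(pw, personal):
        found.append("contains personal information")
    if (has_repeated_run(pw) or has_sequential_run(pw)
            or has_keyboard_run(pw) or has_mirrored_run(pw)):
        found.append("contains a number or keyboard pattern")
    if re.sub(r"[\d\W_]+$", "", pw).lower() in KNOWN_WEAK_BASES:
        found.append("version of a well-known default password")
    return found


if __name__ == "__main__":
    for candidate in ("block-curious-sunny-leaves", "qwerty12", "Welcome123"):
        print(candidate, "->", weaknesses(candidate) or "acceptable")
```

Both passphrases quoted in the guideline pass every check, while "qwerty12" trips the length rule and the keyboard-pattern rule, and "Welcome123" trips the length rule and the known-default rule. The pattern detectors are deliberately simple substring and step checks; they are meant to catch the listed shapes, not to replace a breached-password list.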

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Password Protection Policy

1. Overview
Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of our resources.

2. Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords and the protection of those passwords.

3. Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Enterprise TC facility, has access to the Enterprise TC network, or stores any non-public Enterprise TC information.

4. Policy

4.1 Password Creation
4.1.1 All user-level and system-level passwords must conform to the Password Construction Guidelines.

4.1.2 Users must use a separate, unique password for each of their work-related accounts. Users may not use any work-related passwords for their own personal accounts.

4.1.3 User accounts that have system-level privileges granted through group memberships or programs such as sudo must use a password for accessing system-level privileges that is unique from all other accounts held by that user. In addition, it is highly recommended that some form of multi-factor authentication be used for any privileged accounts.

4.2 Password Protection
4.2.1 Passwords must not be shared with anyone, including supervisors and coworkers. All passwords are to be treated as sensitive, Confidential Enterprise TC information. Corporate Information Security recognizes that legacy applications do not support proxy systems in place. Please refer to the technical reference for additional details.

4.2.2 Passwords must not be inserted into email messages, Alliance cases or other forms of electronic communication, nor revealed over the phone to anyone.

4.2.3 Passwords may be stored only in “password managers” authorized by the organization.

4.2.4 Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

4.3 Application Development
Application developers must ensure that their programs contain the following security precautions:

4.3.1 Applications must support authentication of individual users, not groups.

4.3.2 Applications must not store passwords in clear text or in any easily reversible form.

4.3.3 Applications must not transmit passwords in clear text over the network.

4.3.4 Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
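Requirement 4.3.2 is the one developers most often get wrong, so here is an added example (written for this page, not part of the policy or any Enterprise TC application) of a user store that satisfies it. The in-memory dictionary stands in for the application's user table, and the account names and passwords used with it are constructed samples. The prohibited clear-text form is kept alongside the compliant one only to make the contrast concrete: the compliant record holds a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest, from which the password cannot be recovered.

```python
"""Password storage that satisfies 4.3.2: nothing reversible is kept.

Added example; not part of the policy document. The dict stands in for the
application's user table and all user records are constructed sample data.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor; records carry their own value so it can be raised later
DK_LEN = 32           # digest length in bytes


def store_cleartext(table: dict, user: str, password: str) -> None:
    """What 4.3.2 forbids: the record *is* the password."""
    table[user] = password


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)


def store_hashed(table: dict, user: str, password: str, iterations: int = ITERATIONS) -> None:
    """Compliant: record = algorithm$iterations$salt$digest, none of which reveals the password."""
    salt = os.urandom(16)  # unique per user, so equal passwords give different records
    digest = _derive(password, salt, iterations)
    table[user] = f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(table: dict, user: str, password: str) -> bool:
    record = table.get(user)
    if record is None:
        # Do the same work for an unknown user so timing does not reveal which names exist.
        _derive(password, b"\0" * 16, ITERATIONS)
        return False
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = _derive(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_exposes_password(table: dict, user: str, password: str) -> bool:
    """True when anyone who can read the stored record learns the password (the clear-text case)."""
    return password in str(table.get(user, ""))
```

Two users with the same password get different records because the salt is random per user, so a leaked table cannot be attacked with one precomputed lookup; the self-describing record format lets the iteration count be raised for new records without invalidating old ones.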

4.4 Multi-Factor Authentication

4.4.1 Multi-factor authentication is highly encouraged and should be used whenever possible, not only for work-related accounts but for personal accounts as well.

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Security Response Plan Policy

1. Overview
A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (a security vulnerability identified or exploited).

2. Purpose
The purpose of this policy is to establish the requirement that all business units supported by management develop and maintain a security response plan. This ensures that the security incident management team has all the necessary information to formulate a successful response should a specific security incident occur.

3. Scope
This policy applies to any established and defined business unit or entity within Enterprise TC.

4. Policy
The development, implementation, and execution of a Security Response Plan (SRP) are the primary responsibility of the specific business unit for whom the SRP is being developed, in cooperation with management. Business units are expected to properly facilitate the SRP as applicable to the services or products for which they are held accountable. The business unit security coordinator or champion is further expected to work with management in the development and maintenance of a Security Response Plan.

4.1 Contact Information
The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to the customer. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).

5. Policy Compliance
5.1 Compliance Measurement
Each business unit must be able to demonstrate they have a written SRP in place, and that it is under version control and is available via the web. The policy should be reviewed annually.

5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
Any business unit found to have violated this policy (no SRP developed prior to service or product deployment) may be subject to delays in service or product release until such time as the SRP is developed and approved.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

End User Encryption Key Protection Policy

1. Overview
Encryption key management, if not done properly, can lead to compromise and disclosure of the private keys used to secure sensitive data and hence, compromise of the data. While users may understand it’s important to encrypt certain documents and electronic communications, they may not be familiar with minimum standards for protecting encryption keys.

2. Purpose
This policy outlines the requirements for protecting encryption keys that are under the control of end users. These requirements are designed to prevent unauthorized disclosure and subsequent fraudulent use. The protection methods outlined will include operational and technical controls, such as key backup procedures, encryption under a separate key and use of tamper-resistant hardware.

3. Policy
All encryption keys covered by this policy must be protected to prevent their unauthorized disclosure and subsequent fraudulent use.

3.1 Secret Key Encryption Keys
Keys used for secret key encryption, also called symmetric cryptography, must be protected as they are distributed to all parties that will use them. During distribution, the symmetric encryption keys must be encrypted using a stronger algorithm with a key of the longest key length for that algorithm authorized in Enterprise TC’s Acceptable Encryption Policy. If the keys are for the strongest algorithm, then the key must be split, each portion of the key encrypted with a different key that is of the longest key length authorized, and each encrypted portion transmitted using a different transmission mechanism. The goal is to provide more stringent protection to the key than to the data that is encrypted with that encryption key. Symmetric encryption keys, when at rest, must be protected with security measures at least as stringent as the measures used for distribution of that key.
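The splitting step in 3.1 is worth seeing concretely, because its value depends on how the split is done: the portions must be constructed so that holding fewer than all of them gives no information about the key. The following is an added example written for this page, not part of the policy. It uses an XOR split (every portion but the last is fresh random bytes; the last is the key XORed with all the others), wraps each portion under its own separately generated wrapping key, and tags each with the channel it is to travel on. The wrapping is a one-time pad so the example runs with the standard library alone; a deployment would substitute the strongest algorithm authorized in the Acceptable Encryption Policy. The channel names are constructed labels.

```python
"""Splitting a symmetric key for distribution, as 3.1 requires for keys of the strongest algorithm.

Added example; not part of the policy document. wrap_portion()/unwrap_portion()
are one-time-pad stand-ins for "encrypt with a different key of the longest
authorized length"; channel names are constructed labels.
"""
import os
from typing import List, Tuple


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, portions: int) -> List[bytes]:
    """Return `portions` byte strings whose XOR is `key`.

    Every portion but the last is uniformly random, so any proper subset of the
    portions is independent of the key: an interceptor of one channel learns nothing.
    """
    if portions < 2:
        raise ValueError("a split needs at least two portions")
    shares = [os.urandom(len(key)) for _ in range(portions - 1)]
    last = key
    for share in shares:
        last = _xor(last, share)
    shares.append(last)
    return shares


def join_key(shares: List[bytes]) -> bytes:
    """Reassemble the key; every portion is required."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = _xor(key, share)
    return key


def wrap_portion(portion: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for encrypting a portion under its own wrapping key (one-time pad here)."""
    wrapping_key = os.urandom(len(portion))
    return _xor(portion, wrapping_key), wrapping_key


def unwrap_portion(wrapped: bytes, wrapping_key: bytes) -> bytes:
    return _xor(wrapped, wrapping_key)


def prepare_for_distribution(key: bytes, channels: List[str]) -> List[dict]:
    """One wrapped portion per channel, each under a different wrapping key."""
    messages = []
    for channel, portion in zip(channels, split_key(key, len(channels))):
        wrapped, wrapping_key = wrap_portion(portion)
        messages.append({"channel": channel, "wrapped": wrapped, "wrapping_key": wrapping_key})
    return messages


def receive(messages: List[dict]) -> bytes:
    """Recipient side: unwrap every portion, then join them."""
    return join_key([unwrap_portion(m["wrapped"], m["wrapping_key"]) for m in messages])


if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key
    messages = prepare_for_distribution(key, ["courier", "sftp", "phone"])
    print("reassembled correctly:", receive(messages) == key)
```

The property the policy is after is visible in `split_key`: XORing any two of three portions yields random bytes, not the key, and only the full set reconstructs it. Sending each portion on a different mechanism therefore forces an attacker to compromise every channel, which is the "more stringent protection than the data" the section asks for.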

3.2 Public Key Encryption Keys
Public key cryptography, or asymmetric cryptography, uses public-private key pairs. The public key is passed to the certificate authority to be included in the digital certificate issued to the end user. The digital certificate is available to everyone once it is issued. The private key should only be available to the end user to whom the corresponding digital certificate is issued.

3.2.1 Enterprise TC’s Public Key Infrastructure (PKI) Keys
The public-private key pairs used by Enterprise TC’s public key infrastructure (PKI) are generated on the tamper-resistant smart card issued to an individual end user. The private key associated with an end user’s identity certificate, which is only used for digital signatures, will never leave the smart card. The private key associated with any encryption certificates, which are used to encrypt email and other documents, must be escrowed in compliance with Enterprise TC policies. Access to the private keys stored on an Enterprise TC-issued smart card will be protected by a personal identification number (PIN) known only to the individual to whom the smart card is issued. The smart card software will be configured to require entering the PIN prior to any private key contained on the smart card being accessed.

3.2.2 Other Public Key Encryption Keys
Other types of keys may be generated in software on the end user’s computer and can be stored as files on the hard drive or on a hardware token. If the public-private key pair is generated on a smartcard, the requirements for protecting the private keys are the same as those for private keys associated with Enterprise TC's PKI. If the keys are generated in software, the end user is required to create at least one backup of these keys and store any backup copies securely. The user is also required to create an escrow copy of any private keys used for encrypting data and deliver the escrow copy to the local Information Security representative for secure storage. All backups, including escrow copies, shall be protected with a password or passphrase that is compliant with the Enterprise TC Password Policy.

3.2.2.1 Commercial or Outside Organization Public Key Infrastructure (PKI) Keys
In working with business partners, the relationship may require end users to use public-private key pairs that are generated in software on the end user’s computer. In these cases, the public-private key pairs are stored in files on the end user's hard drive. The private keys are only protected by the strength of the password or passphrase chosen by the end user.

3.2.2.2 PGP Key Pairs
If the business partner requires the use of PGP, the public-private key pairs can be stored in the user’s key ring files on the computer hard drive or on a hardware token, for example, a USB drive or a smart card. Since the only protection of the private keys is the passphrase on the secret key ring, it is preferable that the public-private keys are stored on a hardware token. PGP will be configured to require entering the passphrase for every use of the private keys in the secret key ring.

3.3 Hardware Token Storage
Hardware tokens storing encryption keys will be treated as sensitive company equipment, as described in Enterprise TC’s Physical Security Policy, when outside company offices. In addition, all hardware tokens (smartcards, USB tokens, etc.) will not be stored or left connected to any end user’s computer when not in use. For end users traveling with hardware tokens, the tokens will not be stored or carried in the same container or bag as any computer.

3.4 Personal Identification Numbers (PINs), Passwords and Passphrases
All PINs, passwords or passphrases used to protect encryption keys must meet the complexity and length requirements described in Enterprise TC’s Password Policy.

3.5 Loss and Theft
The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately to department supervision or management. Department supervision or management will direct the end user in any actions that will be required regarding revocation of certificates or public-private key pairs.

4. Policy Compliance
4.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Acquisition Assessment Policy
1. Overview
The process of integrating a newly acquired company can have a drastic impact on the security posture of either the parent company or the child company. The network and security infrastructure of both entities may vary greatly, and the workforce of the new company may have a drastically different culture and tolerance to openness. The goals of the security acquisition assessment and integration process should include:
Assess the company’s security landscape, posture, and policies
Protect both Enterprise TC and the acquired company from increased security risks
Educate the acquired company about Enterprise TC policies and standards
Adopt and implement Enterprise TC Security Policies and Standards
Integrate the acquired company
Continuous monitoring and auditing of the acquisition
2. Purpose
The purpose of this policy is to establish management responsibilities regarding corporate acquisitions, and define the minimum security requirements of an acquisition assessment.

3. Scope
This policy applies to all companies acquired by Enterprise TC and pertains to all systems, networks, laboratories, test equipment, hardware, software and firmware, owned and/or operated by the acquired company.

4. Policy

4.1 General
Acquisition assessments are conducted to ensure that a company being acquired by Enterprise TC does not pose a security risk to corporate networks, internal systems, and/or confidential/sensitive information. Management will provide personnel to serve as active members of the acquisition team throughout the entire acquisition process. Below are the minimum requirements that the acquired company must meet before being connected to the Enterprise TC network.

4.2 Requirements
4.2.1 Hosts
All hosts (servers, desktops, laptops) will be replaced or re-imaged with an Enterprise TC standard image or will be required to adopt the minimum standards for end user devices.
All PC-based hosts will require Enterprise TC approved virus protection before the network connection.
4.2.2 Networks
All network devices will be replaced or re-imaged with an Enterprise TC standard image.
Wireless network access points will be configured to the Enterprise TC standard.
4.2.3 Internet
All Internet connections will be terminated.

4.2.4 Remote Access
All remote access connections will be terminated.
Remote access to the production network will be provided by Enterprise TC.
4.2.5 Labs
Lab equipment must be physically separated and secured from non-lab areas.
The lab network must be separated from the corporate production network with a firewall between the two networks.
In the event the acquired networks and computer systems being connected to the corporate network fail to meet these requirements, the Enterprise TC Chief Information Officer (CIO) must acknowledge and approve of the risk to Enterprise TC's networks.
5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Bluetooth Baseline Requirements Policy
1. Overview
Bluetooth enabled devices are exploding on the Internet at an astonishing rate, and the range of connectivity has increased substantially. Insecure Bluetooth connections can introduce a number of potentially serious security issues. Hence, there is a need for a minimum standard for connecting Bluetooth enabled devices.
2. Purpose
The purpose of this policy is to provide a minimum baseline standard for connecting Bluetooth enabled devices to the Enterprise TC network or Enterprise TC owned devices. The intent of the minimum standard is to ensure sufficient protection of Personally Identifiable Information (PII) and confidential Enterprise TC data.
3. Scope
This policy applies to any Bluetooth enabled device that is connected to the Enterprise TC network or Enterprise TC owned devices.
4. Policy
4.1 Version
No Bluetooth device shall be deployed on Enterprise TC equipment that does not meet a minimum of the Bluetooth v2.1 specification without written authorization from management.

4.2 PINs and Pairing
When pairing your Bluetooth unit to your Bluetooth enabled equipment (i.e. phone, laptop, etc.), ensure that you are not in a public area where your PIN can be compromised.
If your Bluetooth enabled equipment asks you to enter your PIN after you have initially paired it, you must refuse the pairing request and report it to management, through your Help Desk, immediately.
4.3 Device Security Settings
All Bluetooth devices shall employ ‘security mode 3’, which encrypts traffic in both directions between your Bluetooth device and its paired equipment.
Use a minimum PIN length of 8.
Switch the Bluetooth device to use the hidden mode (non-discoverable).
Ensure device firmware is up-to-date.
4.4 Security Audits
Management may perform random audits to ensure compliance with this policy. In the process of performing such audits.

4.5 Unauthorized Use
The following items are considered unauthorized uses of Enterprise TC-owned Bluetooth devices:
Eavesdropping, device ID spoofing, DoS attacks, or any form of attacking other Bluetooth enabled devices.
Using Enterprise TC-owned Bluetooth equipment on non-Enterprise TC-owned Bluetooth enabled devices.
Unauthorized modification of Bluetooth devices for any purpose.

5. User Responsibilities
It is the Bluetooth user's responsibility to comply with this policy.

PII and/or Enterprise TC Confidential or Sensitive data must not be transmitted or stored on Bluetooth enabled devices.

Bluetooth users must only access Enterprise TC information systems using approved Bluetooth device hardware, software, solutions, and connections.

Bluetooth device hardware, software, solutions, and connections that do not meet the standards of this policy shall not be authorized for deployment.

Bluetooth users must act appropriately to protect information, network access, passwords, cryptographic keys, and Bluetooth equipment.

Bluetooth users are required to report any misuse, loss, or theft of Bluetooth devices or systems immediately to management.

6. Policy Compliance
6.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
6.2 Exceptions
Any exception to the policy must be approved by department supervision or management.
6.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Remote Access Policy
1. Overview
Remote access to our corporate network is essential to maintain our Team’s productivity, but in many cases this remote access originates from networks that may already be compromised or are at a significantly lower security posture than our corporate network. While these remote networks are beyond the control of Hypergolic Reactions, LLC policy, we must mitigate these external risks to the best of our ability.

2. Purpose
The purpose of this policy is to define rules and requirements for connecting to Enterprise TC's network from any host. These rules and requirements are designed to minimize the potential exposure to Enterprise TC from damages which may result from unauthorized use of Enterprise TC resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical Enterprise TC internal systems, and fines or other financial liabilities incurred as a result of those losses.

3. Scope
This policy applies to all Enterprise TC employees, contractors, vendors and agents with an Enterprise TC-owned or personally-owned computer or workstation used to connect to the Enterprise TC network. This policy applies to remote access connections used to do work on behalf of Enterprise TC, including reading or sending email and viewing intranet web resources. This policy covers any and all technical implementations of remote access used to connect to Enterprise TC networks.

4. Policy
It is the responsibility of Enterprise TC employees, contractors, vendors and agents with remote access privileges to Enterprise TC's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to Enterprise TC.

General access to the Internet for recreational use through the Enterprise TC network is strictly limited to Enterprise TC employees, contractors, vendors and agents (hereafter referred to as “Authorized Users”). When accessing the Enterprise TC network from a personal computer, Authorized Users are responsible for preventing access to any Enterprise TC computer resources or data by non-Authorized Users. Performance of illegal activities through the Enterprise TC network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for and consequences of misuse of the Authorized User’s access. For further information and definitions, see the Acceptable Use Policy.

Authorized Users will not use Enterprise TC networks to access the Internet for outside business interests.

4.1 Requirements
4.1.1 Secure remote access must be strictly controlled with encryption (i.e., Virtual Private Networks (VPNs)) and strong pass-phrases. For further information see the Acceptable Encryption Policy and the Password Policy.

4.1.2 Authorized Users shall protect their login and password, even from family members.

4.1.3 While using an Enterprise TC-owned computer to remotely connect to Enterprise TC's corporate network, Authorized Users shall ensure the remote host is not connected to any other network at the same time, with the exception of personal networks that are under their complete control or under the complete control of an Authorized User or Third Party.

4.1.4 All hosts that are connected to Enterprise TC internal networks via remote access technologies, including personal computers, must use the most up-to-date anti-virus software (place url to corporate software site here). Third party connections must comply with requirements as stated in the Third Party Agreement.

4.1.5 Personal equipment used to connect to Enterprise TC's networks must meet the requirements of Enterprise TC-owned equipment for remote access as stated in the Hardware and Software Configuration Standards for Remote Access to Enterprise TC Networks.

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and appropriate business unit manager.
5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Remote Access Tools Policy
1. Overview
Remote desktop software, also known as remote access tools, provides a way for computer users and support staff alike to share screens, access work computer systems from home, and vice versa.

2. Purpose
This policy defines the requirements for remote access tools used at Enterprise TC.
3. Scope
This policy applies to all remote access where either end of the communication terminates at an Enterprise TC computer asset.
4. Policy
All remote access tools used to communicate between Enterprise TC assets and other systems must comply with the following policy requirements.

4.1 Remote Access Tools
Enterprise TC provides mechanisms to collaborate between internal users, with external partners, and from non-Enterprise TC systems. Because proper configuration is important for secure use of these tools, mandatory configuration procedures are provided for each of the approved tools.

The approved software list may change at any time, but the following requirements will be used for selecting approved products:

a) All remote access tools or systems that allow communication to Enterprise TC resources from the Internet or external partner systems must require multi-factor authentication. Examples include authentication tokens and smart cards that require an additional PIN or password.

b) The authentication database source must be Active Directory or LDAP, and the authentication protocol must involve a challenge-response protocol that is not susceptible to replay attacks. The remote access tool must mutually authenticate both ends of the session.

c) Remote access tools must support the Enterprise TC application layer proxy rather than direct connections through the perimeter firewall(s).

d) Remote access tools must support strong, end-to-end encryption of the remote access communication channels as specified in the Enterprise TC network encryption protocols policy.

e) All Enterprise TC antivirus, data loss prevention, and other security systems must not be disabled, interfered with, or circumvented in any way.
803
804All remote access tools must be purchased through the standard Enterprise TC procurement process, and the information technology group must approve the purchase.
8055. Policy Compliance
8065.1 Compliance Measurement
807Management will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
8085.2 Exceptions
809Any exception to the policy must be approved by department supervision or management.
8105.3 Non-Compliance
811An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
812
813@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Router and Switch Security Policy
1. Purpose
This document describes a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of Enterprise TC.

2. Scope
All employees, contractors, consultants, temporary and other workers at Enterprise TC and its subsidiaries must adhere to this policy. All routers and switches connected to Enterprise TC production networks are affected.
3. Policy
Every router must meet the following configuration standards:

1. No local user accounts are configured on the router. Routers and switches must use TACACS+ for all user authentication.
2. The enable password on the router or switch must be kept in a secure encrypted form. The router or switch must have the enable password set to the current production router/switch password from the device’s support organization.
3. The following services or features must be disabled:
a. IP directed broadcasts
b. Incoming packets at the router/switch sourced with invalid addresses such as RFC1918 addresses
c. TCP small services
d. UDP small services
e. All source routing and switching
f. All web services running on the router
g. Enterprise TC discovery protocol on Internet connected interfaces
h. Telnet, FTP, and HTTP services
i. Auto-configuration
4. The following services should be disabled unless a business justification is provided:
a. Enterprise TC discovery protocol and other discovery protocols
b. Dynamic trunking
c. Scripting environments, such as the TCL shell
5. The following services must be configured:
a. Password-encryption
b. NTP configured to a corporate standard source
6. All routing updates shall be done using secure routing updates.
7. Use corporate standardized SNMP community strings. Default strings, such as public or private, must be removed. SNMP must be configured to use the most secure version of the protocol allowed for by the combination of the device and management systems.
8. Access control lists must be used to limit the source and type of traffic that can terminate on the device itself.
9. Access control lists for transiting the device are to be added as business needs arise.
10. The router must be included in the corporate enterprise management system with a designated point of contact.
11. Each router must have the following statement presented for all forms of login, whether remote or local:

"UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device. Use of this system shall constitute consent to monitoring."

12. Telnet may never be used across any network to manage a router, unless there is a secure tunnel protecting the entire communication path. SSH version 2 is the preferred management protocol.
13. Dynamic routing protocols must use authentication in routing updates sent to neighbors. Password hashing for the authentication string must be enabled when supported.
14. The corporate router configuration standard will define the category of sensitive routing and switching devices, and require additional services or configuration on sensitive devices including:
a. IP access list accounting
b. Device logging
c. Incoming packets at the router sourced with invalid addresses, such as RFC1918 addresses, or those that could be used to spoof network traffic shall be dropped
d. Router console and modem access must be restricted by additional security controls
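A compliance check is easier to run than to read: the following script, an added example rather than part of the policy, audits a saved IOS-style running configuration against the text-checkable items of this standard (1, 2, 3a, 3c-3h, 5a, 5b, 7, 11 and 12). The two configurations, the device names, the community string and the `PLACEHOLDER_HASH` enable secret are constructed for illustration; items that need live device state (ACLs, routing-update authentication, management-system enrolment) are left to the reviewer.

```python
import re

# Constructed sample IOS-style configurations (not from the policy): one weak, one hardened.
WEAK_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
username admin password 0 cisco123
snmp-server community public RO
ip http server
service tcp-small-servers
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip http server
no ip http secure-server
no cdp run
aaa new-model
aaa authentication login default group tacacs+
enable secret 9 PLACEHOLDER_HASH
ntp server 192.0.2.10
snmp-server community Str0ngC0mmun1tyStr1ng RO
banner login ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
^C
ip ssh version 2
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
line vty 0 4
 transport input ssh
"""


def _has(pattern):
    return lambda cfg: re.search(pattern, cfg, re.MULTILINE) is not None


def _lacks(pattern):
    return lambda cfg: re.search(pattern, cfg, re.MULTILINE) is None


def _directed_broadcast_off_everywhere(cfg):
    """Every interface carrying an IP address must have 'no ip directed-broadcast'."""
    # Zero-width split on 'interface' lines needs Python 3.7 or later.
    for block in re.split(r"^(?=interface\s)", cfg, flags=re.MULTILINE):
        if block.startswith("interface") and \
           re.search(r"^\s*ip address\s", block, re.MULTILINE) and \
           not re.search(r"^\s*no ip directed-broadcast", block, re.MULTILINE):
            return False
    return True


# (policy item, requirement, predicate that returns True when the config complies)
RULES = [
    ("1", "no local user accounts", _lacks(r"^username\s")),
    ("1", "TACACS+ used for login authentication", _has(r"^aaa authentication login .*tacacs\+")),
    ("2", "enable password stored encrypted as 'enable secret'", _has(r"^enable secret\s")),
    ("2", "no reversible 'enable password'", _lacks(r"^enable password\s")),
    ("3a", "IP directed broadcasts disabled on all interfaces", _directed_broadcast_off_everywhere),
    ("3c", "TCP small services disabled", _has(r"^no service tcp-small-servers")),
    ("3d", "UDP small services disabled", _has(r"^no service udp-small-servers")),
    ("3e", "source routing disabled", _has(r"^no ip source-route")),
    ("3f", "web services disabled", _has(r"^no ip http server")),
    ("3g", "discovery protocol disabled", _has(r"^no cdp run")),
    ("3h", "telnet not accepted on vty lines", _lacks(r"^\s*transport input .*telnet")),
    ("5a", "password-encryption service enabled", _has(r"^service password-encryption")),
    ("5b", "NTP source configured", _has(r"^ntp server\s")),
    ("7", "default SNMP community strings removed", _lacks(r"^snmp-server community (public|private)\b")),
    ("11", "login banner configured", _has(r"^banner login")),
    ("12", "SSH version 2 enabled", _has(r"^ip ssh version 2")),
]


def audit_config(cfg):
    """Return [(item, requirement), ...] for every rule the configuration fails."""
    return [(item, text) for item, text, ok in RULES if not ok(cfg)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for item, text in findings:
            print(f"  item {item}: {text}")
```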

4. Policy Compliance
4.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
4.2 Exceptions
Any exception to the policy must be approved by department supervision or management.
4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Wireless Communication Policy
1. Overview
With the explosive growth of smartphones and tablets, pervasive wireless connectivity is almost a given at any organization. Insecure wireless configuration can provide an easy open door for malicious threat actors.
2. Purpose
The purpose of this policy is to secure and protect the information assets owned by Enterprise TC. Enterprise TC provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives.

This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to the Enterprise TC network.

3. Scope
All employees, contractors, consultants, temporary and other workers at Enterprise TC, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of Enterprise TC, must adhere to this policy. This policy applies to all wireless infrastructure devices that connect to an Enterprise TC network or reside on an Enterprise TC site and provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones, and tablets. This includes any form of wireless communication device capable of transmitting packet data.

4. Policy
4.1 General Requirements
All wireless infrastructure devices that reside at an Enterprise TC site and connect to an Enterprise TC network, or provide access to information classified as Enterprise TC Confidential or above, must:
Abide by the standards specified in the Wireless Communication Standard.
Be installed, supported, and maintained by an approved support team.
Use Enterprise TC approved authentication protocols and infrastructure.
Use Enterprise TC approved encryption protocols.

4.2 Lab and Isolated Wireless Device Requirements
All lab wireless infrastructure devices that provide access to Enterprise TC Confidential or above must adhere to section 4.1 above. Lab and isolated wireless devices that do not provide general network connectivity to the Enterprise TC network must:
Be isolated from the corporate network (that is, it must not provide any corporate connectivity) and comply with the Lab Security Policy.
Not interfere with wireless access deployments maintained by other support organizations.

4.3 Home Wireless Device Requirements
Wireless infrastructure devices that provide direct access to the Enterprise TC corporate network must conform to the Home Wireless Device Requirements as detailed in the Wireless Communication Standard.
Wireless infrastructure devices that fail to conform to the Home Wireless Device Requirements must be installed in a manner that prohibits direct access to the Enterprise TC corporate network. Access to the Enterprise TC corporate network through this device must use standard remote access authentication.
5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Wireless Communication Standard
1. Purpose
This standard specifies the technical requirements that wireless infrastructure devices must satisfy to connect to an Enterprise TC network. Only those wireless infrastructure devices that meet the requirements specified in this standard or are granted an exception by management are approved for connectivity to an Enterprise TC network.

Network devices including, but not limited to, hubs, routers, switches, firewalls, remote access devices, modems, or wireless access points, must be installed, supported, and maintained by an Information Security approved support organization. Lab network devices must comply with the Lab Security Policy.

2. Scope
All employees, contractors, consultants, temporary and other workers at Enterprise TC and its subsidiaries, including all personnel that maintain a wireless infrastructure device on behalf of Enterprise TC, must comply with this standard. This standard applies to wireless devices that make a connection to the network and all wireless infrastructure devices that provide wireless connectivity to the network.

Management must approve exceptions to this standard in advance.

3. Standard
3.1 General Requirements
All wireless infrastructure devices that connect to an Enterprise TC network or provide access to Enterprise TC Confidential, Enterprise TC Highly Confidential, or Enterprise TC Restricted information must:
Use Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), Protected Extensible Authentication Protocol (PEAP), or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) as the authentication protocol.
Use Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES) protocols with a minimum key length of 128 bits.
All Bluetooth devices must use Secure Simple Pairing with encryption enabled.

3.2 Lab and Isolated Wireless Device Requirements
Lab device Service Set Identifier (SSID) must be different from Enterprise TC production device SSID.
Broadcast of lab device SSID must be disabled.

3.3 Home Wireless Device Requirements
All home wireless infrastructure devices that provide direct access to an Enterprise TC network, such as those behind Enterprise Teleworker (ECT) or hardware VPN, must adhere to the following:
Enable WiFi Protected Access Pre-shared Key (WPA-PSK), EAP-FAST, PEAP, or EAP-TLS
When enabling WPA-PSK, configure a complex shared secret key (at least 20 characters) on the wireless client and the wireless access point
Disable broadcast of SSID
Change the default SSID name
Change the default login and password

4. Policy Compliance
4.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
4.2 Exceptions
Any exception to the policy must be approved by department supervision or management.
4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Database Credentials Policy
1. Overview
Database authentication credentials are a necessary part of authorizing applications to connect to internal databases. However, incorrect use, storage and transmission of such credentials could lead to compromise of very sensitive assets and be a springboard to wider compromise within the organization.
2. Purpose
This policy states the requirements for securely storing and retrieving database usernames and passwords (i.e., database credentials) for use by a program that will access a database running on one of Enterprise TC's networks.

Software applications running on Enterprise TC's networks may require access to one of the many internal database servers. In order to access these databases, a program must authenticate to the database by presenting acceptable credentials. If the credentials are improperly stored, the credentials may be compromised, leading to a compromise of the database.

3. Scope
This policy is directed at all system implementers and/or software engineers who may be coding applications that will access a production database server on the Enterprise TC Network. This policy applies to all software (programs, modules, libraries, or APIs) that will access an Enterprise TC multi-user production database. It is recommended that similar requirements be in place for non-production servers and lab environments, since they don’t always use sanitized information.

4. Policy
4.1 General
In order to maintain the security of Enterprise TC's internal databases, access by software programs must be granted only after authentication with credentials. The credentials used for this authentication must not reside in the main, executing body of the program's source code in clear text. Database credentials must not be stored in a location that can be accessed through a web server.

4.2 Specific Requirements

Storage of Database User Names and Passwords
Database user names and passwords may be stored in a file separate from the executing body of the program's code. This file must not be world readable or writeable.
Database credentials may reside on the database server. In this case, a hash function number identifying the credentials may be stored in the executing body of the program's code.
Database credentials may be stored as part of an authentication server (i.e., an entitlement directory), such as an LDAP server used for user authentication. Database authentication may occur on behalf of a program as part of the user authentication process at the authentication server. In this case, there is no need for programmatic use of database credentials.
Database credentials may not reside in the document tree of a web server.
Pass-through authentication (i.e., Oracle OPS$ authentication) must not allow access to the database based solely upon a remote user's authentication on the remote host.
Passwords or pass phrases used to access a database must adhere to the Password Policy.

Retrieval of Database User Names and Passwords
If stored in a file that is not source code, then database user names and passwords must be read from the file immediately prior to use. Immediately following database authentication, the memory containing the user name and password must be released or cleared.

The scope into which you may store database credentials must be physically separated from the other areas of your code, e.g., the credentials must be in a separate source file. The file that contains the credentials must contain no other code but the credentials (i.e., the user name and password) and any functions, routines, or methods that will be used to access the credentials.

For languages that execute from source code, the credentials' source file must not reside in the same browseable or executable file directory tree in which the executing body of code resides.
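The storage and retrieval rules above translate into a small loader. The following Python is an added example (not code from the policy or from any Enterprise TC guideline): it refuses a credentials file that sits under a web document root or is readable or writeable by "other", reads the file immediately before use, and zeroes the password buffer as soon as the caller is done. The file layout (`username=`/`password=` lines), the `fake_connect` stand-in for a database driver, and all sample values are constructed for the demonstration.

```python
import os
import stat
import tempfile
from contextlib import contextmanager
from pathlib import Path


class CredentialPolicyError(Exception):
    """Raised when a credentials file violates the storage rules."""


def check_credential_file(path, web_roots):
    """Reject files under a web document tree or readable/writeable by 'other'."""
    resolved = Path(path).resolve()
    for root in web_roots:
        root = Path(root).resolve()
        if resolved == root or root in resolved.parents:
            raise CredentialPolicyError(f"{path} lies inside web document root {root}")
    mode = stat.S_IMODE(resolved.stat().st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        raise CredentialPolicyError(f"{path} is world readable or writeable (mode {oct(mode)})")


def read_credentials(path, web_roots):
    """Parse 'username=' and 'password=' lines; the password comes back as a bytearray."""
    check_credential_file(path, web_roots)
    username = password = None
    with open(path, "rb") as fh:
        for raw in fh:
            key, _, value = raw.strip().partition(b"=")
            if key == b"username":
                username = value.decode()
            elif key == b"password":
                password = bytearray(value)  # mutable, so it can be zeroed later
    if username is None or password is None:
        raise CredentialPolicyError(f"{path} must define both username and password")
    return username, password


@contextmanager
def database_credentials(path, web_roots):
    """Read credentials immediately before use and wipe the password afterwards."""
    username, password = read_credentials(path, web_roots)
    try:
        yield username, password
    finally:
        for i in range(len(password)):  # clear the buffer, not just drop the reference
            password[i] = 0


def fake_connect(username, password):
    """Hypothetical stand-in for a DB driver's connect(); real drivers take str."""
    return bool(username) and len(password) > 0


def demo():
    """Exercise the loader against constructed files; returns results for checking."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        web_root = tmp / "htdocs"
        web_root.mkdir()
        cred_file = tmp / "etc" / "orders_db.cred"
        cred_file.parent.mkdir()
        cred_file.write_bytes(b"username=app_orders\npassword=ConstructedSample!\n")
        os.chmod(cred_file, 0o600)  # owner only: not world readable or writeable

        with database_credentials(cred_file, [web_root]) as (user, pw):
            results["username"] = user
            results["auth_ok"] = fake_connect(user, pw)
            captured = pw  # keep a reference to prove the buffer is cleared
        results["password_zeroed"] = all(b == 0 for b in captured)

        os.chmod(cred_file, 0o644)  # now world readable: must be refused
        try:
            read_credentials(cred_file, [web_root])
            results["world_readable_rejected"] = False
        except CredentialPolicyError:
            results["world_readable_rejected"] = True

        in_webroot = web_root / "db.cred"  # correct mode, wrong location
        in_webroot.write_bytes(b"username=x\npassword=y\n")
        os.chmod(in_webroot, 0o600)
        try:
            read_credentials(in_webroot, [web_root])
            results["webroot_rejected"] = False
        except CredentialPolicyError:
            results["webroot_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Zeroing a bytearray clears that one buffer; any str copy a driver makes is immutable and outside this control, which is why the policy also requires the read to happen immediately before use.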

Access to Database User Names and Passwords
Every program or every collection of programs implementing a single business function must have unique database credentials. Sharing of credentials between programs is not allowed.
Database passwords used by programs are system-level passwords as defined by the Password Policy.
Developer groups must have a process in place to ensure that database passwords are controlled and changed in accordance with the Password Policy. This process must include a method for restricting knowledge of database passwords to a need-to-know basis.

Coding Techniques for Implementing This Policy
[Add references to your site-specific guidelines for the different coding languages such as Perl, JAVA, C and/or Cpro.]

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Technology Equipment Disposal Policy
1. Overview
Technology equipment often contains parts which cannot simply be thrown away. Proper disposal of equipment is both environmentally responsible and often required by law. In addition, hard drives, USB drives, CD-ROMs and other storage media contain various kinds of Enterprise TC data, some of which is considered sensitive. In order to protect our constituents' data, all storage mediums must be properly erased before being disposed of. However, simply deleting or even formatting data is not considered sufficient. When deleting files or formatting a device, data is marked for deletion, but is still accessible until being overwritten by a new file. Therefore, special tools must be used to securely erase data prior to equipment disposal.

2. Purpose
The purpose of this policy is to define the guidelines for the disposal of technology equipment and components owned by Enterprise TC.

3. Scope
This policy applies to any computer/technology equipment or peripheral devices that are no longer needed within Enterprise TC including, but not limited to, the following: personal computers, servers, hard drives, laptops, mainframes, smart phones, or handheld computers (i.e., Windows Mobile, iOS or Android-based devices), peripherals (i.e., keyboards, mice, speakers), printers, scanners, typewriters, compact and floppy discs, portable storage devices (i.e., USB drives), backup tapes, printed materials.

All Enterprise TC employees and affiliates must comply with this policy.
4. Policy
4.1 Technology Equipment Disposal
When technology assets have reached the end of their useful life they should be sent to the <Equipment Disposal Team> office for proper disposal.
The <Equipment Disposal Team> will securely erase all storage mediums in accordance with current industry best practices.
All data, including all files and licensed software, shall be removed from equipment using disk sanitizing software that cleans the media by overwriting every disk sector of the machine with zero-filled blocks, meeting Department of Defense standards.
No computer or technology equipment may be sold to any individual other than through the processes identified in this policy (Section 4.2 below).
No computer equipment should be disposed of via skips, dumps, landfill etc. Electronic recycling bins may be periodically placed in locations around Enterprise TC. These can be used to dispose of equipment. The <Equipment Disposal Team> will properly remove all data prior to final disposal.
All electronic drives must be degaussed or overwritten with a commercially available disk cleaning program. Hard drives may also be removed and rendered unreadable (drilling, crushing or other demolition methods).
Computer Equipment refers to desktop, laptop, tablet or netbook computers, printers, copiers, monitors, servers, handheld devices, telephones, cell phones, disc drives or any storage device, network switches, routers, wireless access points, batteries, backup tapes, etc.
The <Equipment Disposal Team> will place a sticker on the equipment case indicating the disk wipe has been performed. The sticker will include the date and the initials of the technician who performed the disk wipe.
Technology equipment with non-functioning memory or storage technology will have the memory or storage device removed and it will be physically destroyed.
4.2 Employee Purchase of Disposed Equipment
Equipment which is working, but has reached the end of its useful life to Enterprise TC, will be made available for purchase by employees.
A lottery system will be used to determine who has the opportunity to purchase available equipment.
All equipment purchases must go through the lottery process. Employees cannot purchase their office computer directly or “reserve” a system. This ensures that all employees have an equal chance of obtaining equipment.
Finance and Information Technology will determine an appropriate cost for each item.
All purchases are final. No warranty or support will be provided with any equipment sold.
Any equipment not in working order or remaining from the lottery process will be donated or disposed of according to current environmental guidelines. Information Technology has contracted with several organizations to donate or properly dispose of outdated technology assets.
Prior to leaving Enterprise TC premises, all equipment must be removed from the Information Technology inventory system.
5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Information Logging Standard
1. Overview
Logging from critical systems, applications and services can provide key information and potential indicators of compromise. Although logging information may not be viewed on a daily basis, it is critical to have from a forensics standpoint.
2. Purpose
This document attempts to address this issue by identifying specific requirements that information systems must meet in order to generate appropriate audit logs and integrate with an enterprise’s log management function.
The intention is that this language can easily be adapted for use in enterprise IT security policies and standards, and also in enterprise procurement standards and RFP templates. In this way, organizations can ensure that new IT systems, whether developed in-house or procured, support necessary audit logging and log management functions.
3. Scope
This policy applies to all production systems on the Enterprise TC Network.
4. Standard
4.1 General Requirements
All systems that handle confidential information, accept network connections, or make access control (authentication and authorization) decisions shall record and retain audit-logging information sufficient to answer the following questions:
What activity was performed?
Who or what performed the activity, including where or on what system the activity was performed from (subject)?
What was the activity performed on (object)?
When was the activity performed?
What tool(s) was the activity performed with?
What was the status (such as success vs. failure), outcome, or result of the activity?

4.2 Activities to be Logged
Therefore, logs shall be created whenever any of the following activities are requested to be performed by the system:
1. Create, read, update, or delete confidential information, including confidential authentication information such as passwords;
2. Create, update, or delete information not covered in #1;
3. Initiate a network connection;
4. Accept a network connection;
5. User authentication and authorization for activities covered in #1 or #2, such as user login and logout;
6. Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes;
7. System, network, or services configuration changes, including installation of software patches and updates, or other installed software changes;
8. Application process startup, shutdown, or restart;
9. Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or other resources), the failure of network services such as DHCP or DNS, or hardware fault; and
10. Detection of suspicious/malicious activity such as from an Intrusion Detection or Prevention System (IDS/IPS), anti-virus system, or anti-spyware system.

4.3 Elements of the Log
Such logs shall identify or contain at least the following elements, directly or indirectly. In this context, the term “indirectly” means unambiguously inferred.
Type of action – examples include authorize, create, read, update, delete, and accept network connection.
Subsystem performing the action – examples include process or transaction name, process or transaction identifier.
Identifiers (as many as available) for the subject requesting the action – examples include user name, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation.
Identifiers (as many as available) for the object the action was performed on – examples include file names accessed, unique identifiers of records accessed in a database, query parameters used to determine records accessed in a database, computer name, IP address, and MAC address. Note that such identifiers should be standardized in order to facilitate log correlation.
Before and after values when action involves updating a data element, if feasible.
Date and time the action was performed, including relevant time-zone information if not in Coordinated Universal Time.
Whether the action was allowed or denied by access-control mechanisms.
Description and/or reason-codes of why the action was denied by the access-control mechanism, if applicable.
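The element list in 4.3 is easiest to enforce at the point where a record is built. The following Python is an added example, not part of the standard: it assembles an audit record from those elements, validates that every mandatory one is present (including a reason whenever the outcome is "denied" and a time zone on the timestamp), and serialises a compliant record as a single key=value line suitable for a syslog-style collector (4.4). The action vocabulary and identifier names follow the standard's examples; the subsystem name, users and record identifiers are constructed.

```python
from datetime import datetime, timezone

# Action vocabulary and identifier kinds taken from the examples in section 4.3.
ACTIONS = {"authorize", "create", "read", "update", "delete", "accept_network_connection"}
SUBJECT_IDS = ("user_name", "computer_name", "ip_address", "mac_address")
OBJECT_IDS = ("file_name", "record_id", "query_parameters", "computer_name",
              "ip_address", "mac_address")


def make_audit_record(action, subsystem, subject, obj, allowed,
                      reason=None, before=None, after=None, when=None):
    """Assemble one audit record carrying the elements from section 4.3."""
    when = when or datetime.now(timezone.utc)  # default to a tz-aware UTC timestamp
    return {
        "action": action, "subsystem": subsystem,
        "subject": dict(subject), "object": dict(obj),
        "timestamp": when, "allowed": allowed,
        "reason": reason, "before": before, "after": after,
    }


def validate_record(rec):
    """Return the list of policy problems with a record; an empty list means compliant."""
    problems = []
    if rec.get("action") not in ACTIONS:
        problems.append("unknown or missing action type")
    if not rec.get("subsystem"):
        problems.append("missing subsystem performing the action")
    if not any(rec.get("subject", {}).get(k) for k in SUBJECT_IDS):
        problems.append("no standardized identifier for the subject")
    if not any(rec.get("object", {}).get(k) for k in OBJECT_IDS):
        problems.append("no standardized identifier for the object")
    ts = rec.get("timestamp")
    if not isinstance(ts, datetime) or ts.tzinfo is None:
        problems.append("timestamp missing or lacks time-zone information")
    if not isinstance(rec.get("allowed"), bool):
        problems.append("missing allowed/denied outcome")
    elif rec["allowed"] is False and not rec.get("reason"):
        problems.append("denied action lacks a reason or reason-code")
    return problems


def _escape(value):
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def to_log_line(rec):
    """Serialise a compliant record as one key="value" line; refuse a non-compliant one."""
    problems = validate_record(rec)
    if problems:
        raise ValueError("non-compliant audit record: " + "; ".join(problems))
    ts = rec["timestamp"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    fields = [("ts", ts), ("action", rec["action"]), ("subsystem", rec["subsystem"])]
    fields += [("subject_" + k, v) for k, v in rec["subject"].items() if v]
    fields += [("object_" + k, v) for k, v in rec["object"].items() if v]
    fields.append(("outcome", "allowed" if rec["allowed"] else "denied"))
    for key in ("reason", "before", "after"):
        if rec.get(key) is not None:
            fields.append((key, rec[key]))
    return " ".join(f'{k}="{_escape(v)}"' for k, v in fields)


# Constructed sample records (not from the standard).
SAMPLE_TIME = datetime(2018, 12, 9, 6, 58, 0, tzinfo=timezone.utc)

ALLOWED_UPDATE = make_audit_record(
    action="update", subsystem="payroll-api",
    subject={"user_name": "jdoe", "ip_address": "10.0.0.25"},
    obj={"record_id": "employee/1042"},
    allowed=True, before="salary=50000", after="salary=52000", when=SAMPLE_TIME)

DENIED_READ_NO_REASON = make_audit_record(
    action="read", subsystem="payroll-api",
    subject={"user_name": "jdoe"}, obj={"file_name": "/data/hr/salaries.csv"},
    allowed=False, when=SAMPLE_TIME)

NAIVE_TIME_READ = make_audit_record(
    action="read", subsystem="payroll-api",
    subject={"user_name": "jdoe"}, obj={"file_name": "/data/hr/salaries.csv"},
    allowed=True, when=datetime(2018, 12, 9, 6, 58, 0))  # no tzinfo: non-compliant


if __name__ == "__main__":
    print(to_log_line(ALLOWED_UPDATE))
    for rec in (DENIED_READ_NO_REASON, NAIVE_TIME_READ):
        print("problems:", validate_record(rec))
```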

4.4 Formatting and Storage
The system shall support the formatting and storage of audit logs in such a way as to ensure the integrity of the logs and to support enterprise-level analysis and reporting. Note that the construction of an actual enterprise-level log management mechanism is outside the scope of this document. Mechanisms known to support these goals include but are not limited to the following:
Microsoft Windows Event Logs collected by a centralized log management system;
Logs in a well-documented format sent via syslog, syslog-ng, or syslog-reliable network protocols to a centralized log management system;
Logs stored in an ANSI-SQL database that itself generates audit logs in compliance with the requirements of this document; and
Other open logging mechanisms supporting the above requirements including those based on CheckPoint OpSec, ArcSight CEF, and IDMEF.

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
1091Lab Security Policy
10921. Purpose
1093This policy establishes the information security requirements to help manage and safeguard lab resources and Enterprise TC networks by minimizing the exposure of critical infrastructure and information assets to threats that may result from unprotected hosts and unauthorized access.
10942. Scope
1095This policy applies to all employees, contractors, consultants, temporary and other workers at Enterprise TC and its subsidiaries must adhere to this policy. This policy applies to Enterprise TC owned and managed labs, including labs outside the corporate firewall (DMZ).
10963. Policy
10973.1 General Requirements
Lab owning organizations are responsible for assigning lab managers, a point of contact (POC), and a back-up POC for each lab. Lab owners must maintain up-to-date POC information with the Corporate Enterprise Management Team. Lab managers or their backup must be available around-the-clock for emergencies; otherwise, actions will be taken without their involvement.
Lab managers are responsible for the security of their labs and the lab's impact on the corporate production network and any other networks. Lab managers are responsible for adherence to this policy and associated processes. Where policies and procedures are undefined, lab managers must do their best to safeguard Enterprise TC from security vulnerabilities.
Lab managers are responsible for the lab's compliance with all Enterprise TC security policies.
The Lab Manager is responsible for controlling lab access. Access to any given lab will only be granted by the lab manager or designee, to those individuals with an immediate business need within the lab, either short-term or as defined by their ongoing job function. This includes continually monitoring the access list to ensure that those who no longer require access to the lab have their access terminated.
All user passwords must comply with Enterprise TC's Password Policy.
Individual user accounts on any lab device must be deleted within three (3) days of no longer being authorized. Group account passwords on lab computers (Unix, Windows, etc.) must be changed quarterly (once every 3 months).
PC-based lab computers must have Enterprise TC's standard, supported anti-virus software installed and scheduled to run at regular intervals. In addition, the anti-virus software and the virus pattern files must be kept up-to-date. Virus-infected computers must be removed from the network until they are verified as virus-free. Lab Admins/Lab Managers are responsible for creating procedures that ensure anti-virus software is run at regular intervals, and computers are verified as virus-free.
Any activities with the intention to create and/or distribute malicious programs into Enterprise TC's networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Policy.
No lab shall provide production services. Production services are defined as ongoing and shared business critical services that generate revenue streams or provide customer capabilities. These should be managed by a <proper support> organization.
In accordance with the Data Classification Policy, information that is marked as Enterprise TC Highly Confidential or Enterprise TC Restricted is prohibited on lab equipment.
Management will address non-compliance waiver requests on a case-by-case basis and approve waivers if justified.

3.2 Internal Lab Security Requirements
The Network Support Organization must maintain a firewall device between the corporate production network and all lab equipment.
The Network Support Organization reserves the right to interrupt lab connections that impact the corporate production network negatively or pose a security risk.
The Network Support Organization must record all lab IP addresses that are routed within Enterprise TC networks in the Enterprise Address Management database, along with current contact information for that lab.
Any lab that wants to add an external connection must provide a diagram and documentation to Management with business justification, the equipment, and the IP address space information. Management will review for security concerns and must approve before such connections are implemented.
All traffic between the corporate production and the lab network must go through a Network Support Organization maintained firewall. Lab network devices (including wireless) must not cross-connect the lab and production networks.
Original firewall configurations and any changes thereto must be reviewed and approved by Management. Management may require security improvements as needed.
Labs are prohibited from engaging in port scanning, network auto-discovery, traffic spamming/flooding, and other similar activities that negatively impact the corporate network and/or non-Enterprise TC networks. These activities must be restricted within the lab.
Traffic between production networks and lab networks, as well as traffic between separate lab networks, is permitted based on business needs and as long as the traffic does not negatively impact other networks. Labs must not advertise network services that may compromise production network services or put lab confidential information at risk.
Management reserves the right to audit all lab-related data and administration processes at any time, including but not limited to, inbound and outbound packets, firewalls and network peripherals.
Lab-owned gateway devices are required to comply with all Enterprise TC product security advisories and must authenticate against the Corporate Authentication servers.
The enable password for all lab-owned gateway devices must be different from all other equipment passwords in the lab. The password must be in accordance with Enterprise TC's Password Policy. The password will only be provided to those who are authorized to administer the lab network.
In labs where non-Enterprise TC personnel have physical access (e.g., training labs), direct connectivity to the corporate production network is not allowed. Additionally, no Enterprise TC confidential information can reside on any computer equipment in these labs.
Lab networks with external connections are prohibited from connecting to the corporate production network or other internal networks through a direct connection, wireless connection, or other computing equipment.
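The registry and separation requirements above (POC and backup POC per lab, every routed lab prefix recorded with contact information, no cross-connect between lab and production) can be checked mechanically against an export of the address database. The following is an added example, not Enterprise TC's own tooling; it assumes the Enterprise Address Management database can be exported as records with a lab name, routed prefix, POC and backup POC, and the records and production prefixes in it are constructed sample data. Overlap between a lab prefix and a production prefix is treated as a finding because such address space cannot be cleanly separated by the firewall the policy requires.

```python
"""Consistency checks for a lab IP address registry.

Added example for this policy, not Enterprise TC's own tooling. It assumes
the Enterprise Address Management database can be exported as a list of
records with a lab name, routed prefix, POC and backup POC; the records and
production prefixes below are constructed sample data.
"""
import ipaddress

# Constructed: prefixes used by the corporate production network.
PRODUCTION_PREFIXES = ["10.0.0.0/16", "10.1.0.0/16"]

# Constructed: lab registry export (stand-in for the Enterprise Address
# Management database).
LAB_REGISTRY = [
    {"lab": "storage-lab", "prefix": "10.200.0.0/24", "poc": "alice", "backup_poc": "bob"},
    # Overlaps a production prefix: a sign of a cross-connect or mis-scoped routing.
    {"lab": "wifi-lab", "prefix": "10.0.50.0/24", "poc": "carol", "backup_poc": "dan"},
    # Missing backup POC: violates the contact requirement.
    {"lab": "training-lab", "prefix": "10.201.0.0/24", "poc": "erin", "backup_poc": ""},
    # Overlaps another lab's prefix.
    {"lab": "fw-lab", "prefix": "10.200.0.128/25", "poc": "frank", "backup_poc": "grace"},
]


def check_registry(registry, production_prefixes):
    """Return (lab, finding) tuples; an empty list means the registry is consistent.

    Checks performed:
      * every prefix parses as a proper network (no host bits set);
      * every lab has both a POC and a backup POC recorded;
      * no lab prefix overlaps a production prefix (lab and production
        networks must only meet at the Network Support Organization firewall);
      * no two labs claim overlapping address space.
    """
    findings = []
    production = [ipaddress.ip_network(p) for p in production_prefixes]
    seen = []  # (lab, network) for labs already checked
    for entry in registry:
        lab = entry["lab"]
        try:
            net = ipaddress.ip_network(entry["prefix"], strict=True)
        except ValueError as exc:
            findings.append((lab, f"invalid prefix {entry['prefix']!r}: {exc}"))
            continue
        if not entry.get("poc") or not entry.get("backup_poc"):
            findings.append((lab, "POC and backup POC must both be recorded"))
        for prod in production:
            if net.overlaps(prod):
                findings.append((lab, f"{net} overlaps production prefix {prod}"))
        for other_lab, other_net in seen:
            if net.overlaps(other_net):
                findings.append((lab, f"{net} overlaps {other_lab} prefix {other_net}"))
        seen.append((lab, net))
    return findings


if __name__ == "__main__":
    for lab, finding in check_registry(LAB_REGISTRY, PRODUCTION_PREFIXES):
        print(f"{lab}: {finding}")
```

Run against the constructed registry this reports three findings: wifi-lab inside production space, training-lab without a backup POC, and fw-lab overlapping storage-lab. A real export would replace the two constructed lists; the checks themselves do not change.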

3.3 DMZ Lab Security Requirements
New DMZ labs require a business justification and VP-level approval from the business unit. Changes to the connectivity or purpose of an existing DMZ lab must be reviewed and approved by management.
DMZ labs must be in a physically separate room, cage, or secured lockable rack with limited access. In addition, the Lab Manager must maintain a list of who has access to the equipment.
DMZ lab POCs must maintain network devices deployed in the DMZ lab up to the network support organization point of demarcation.
DMZ labs must not connect to corporate internal networks, either directly, logically (for example, an IPSEC tunnel), through a wireless connection, or via a multi-homed machine.
An approved network support organization must maintain a firewall device between the DMZ lab and the Internet. Firewall devices must be configured based on least privilege access principles and the DMZ lab business requirements. Original firewall configurations and subsequent changes must be reviewed and approved by management. All traffic between the DMZ lab and the Internet must go through the approved firewall. Cross-connections that bypass the firewall device are strictly prohibited.
All routers and switches not used for testing and/or training must conform to the DMZ Router and Switch standardization documents.
Operating systems of all hosts internal to the DMZ lab running Internet Services must be configured to the secure host installation and configuration standards published by management.
Remote administration must be performed over secure channels (for example, encrypted network connections using SSH or IPSEC) or console access independent from the DMZ networks.
DMZ lab devices must not be an open proxy to the Internet.
The Network Support Organization reserves the right to interrupt lab connections if a security concern exists.
4. Policy Compliance
4.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
4.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Server Security Policy
1. Overview
Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors. Consistent server installation policies, ownership and configuration management are all about doing the basics well.
2. Purpose
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Enterprise TC. Effective implementation of this policy will minimize unauthorized access to Enterprise TC proprietary information and technology.

3. Scope
All employees, contractors, consultants, temporary and other workers at Cisco and its subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by Cisco or registered under a Cisco-owned internal network domain.
This policy specifies requirements for equipment on the internal Cisco network. For secure configuration of equipment external to Cisco on the DMZ, see the Internet DMZ Equipment Policy.
4. Policy
4.1 General Requirements
All internal servers deployed at Enterprise TC must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by management. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by management. The following items must be met:
Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:
Server contact(s) and location, and a backup contact
Hardware and Operating System/Version
Main functions and applications, if applicable
Information in the corporate enterprise management system must be kept up-to-date.
Configuration changes for production servers must follow the appropriate change management procedures.
For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.

4.2 Configuration Requirements
Operating System configuration should be in accordance with approved management guidelines.
Services and applications that will not be used must be disabled where practical.
Access to services should be logged and/or protected through access-control methods such as a web application firewall, if possible.
The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication is sufficient.
Always use the standard security principle of least required access to perform a function. Do not use root when a non-privileged account will do.
If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
Servers should be physically located in an access-controlled environment.
Servers are specifically prohibited from operating from uncontrolled cubicle areas.

4.3 Monitoring
All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
All security-related logs will be kept online for a minimum of 1 week.
Daily incremental tape backups will be retained for at least 1 month.
Weekly full tape backups of logs will be retained for at least 1 month.
Monthly full backups will be retained for a minimum of 2 years.
Security-related events will be reported to management, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
Port-scan attacks
Evidence of unauthorized access to privileged accounts
Anomalous occurrences that are not related to specific applications on the host.
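The two named event categories above (port-scan attacks and evidence of unauthorized access to privileged accounts) can be picked out of collected logs with simple rules, which is the kind of review management is expected to perform on the retained audit trails. The following is an added example and not Enterprise TC's own code: it assumes a firewall that logs denied connections as "DENY src=... dst=... dport=..." and Linux hosts that forward sshd and sudo messages to the same collector; the log lines, the five-port threshold and the 60-second window are all constructed, not values taken from the policy. The third category (anomalous occurrences) is open-ended and is not covered by these rules.

```python
"""Classify security-related log events per the monitoring section above.

Added example, not Enterprise TC's own code. It assumes a firewall that
logs denied connections as "DENY src=... dst=... dport=..." and Linux
hosts that forward sshd and sudo messages to the same syslog collector;
the log lines below are constructed, not real captures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines.
SAMPLE_LOGS = """\
2018-12-01T02:00:01 fw1 DENY src=198.51.100.7 dst=10.0.1.5 dport=21
2018-12-01T02:00:02 fw1 DENY src=198.51.100.7 dst=10.0.1.5 dport=22
2018-12-01T02:00:02 fw1 DENY src=198.51.100.7 dst=10.0.1.5 dport=23
2018-12-01T02:00:03 fw1 DENY src=198.51.100.7 dst=10.0.1.5 dport=25
2018-12-01T02:00:04 fw1 DENY src=198.51.100.7 dst=10.0.1.5 dport=80
2018-12-01T02:00:05 fw1 DENY src=198.51.100.7 dst=10.0.1.5 dport=443
2018-12-01T02:00:09 fw1 DENY src=203.0.113.9 dst=10.0.1.5 dport=22
2018-12-01T03:10:00 srv7 sshd[2211]: Accepted password for root from 192.0.2.44 port 50112 ssh2
2018-12-01T03:11:00 srv7 sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; COMMAND=/bin/bash
2018-12-01T03:12:00 srv7 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/systemctl restart nginx
"""

FW_DENY = re.compile(r"^(?P<ts>\S+) \S+ DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
SSH_ROOT = re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (?P<src>\S+)")
SUDO_DENIED = re.compile(r"sudo:\s+(?P<user>\S+) : user NOT in sudoers")


def detect_events(log_text, scan_threshold=5, window=timedelta(seconds=60)):
    """Return (category, detail) tuples using the policy's event categories.

    "port-scan": one source denied on >= scan_threshold distinct ports of one
    host within `window`. "privileged-access": evidence touching privileged
    accounts (direct root SSH login, sudo attempt by a user not in sudoers).
    Thresholds are constructed defaults, not values from the policy.
    """
    events = []
    denies = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        m = FW_DENY.match(line)
        if m:
            denies[(m["src"], m["dst"])].append((datetime.fromisoformat(m["ts"]), int(m["dport"])))
            continue
        m = SSH_ROOT.search(line)
        if m:
            events.append(("privileged-access", f"direct root login over SSH from {m['src']}"))
            continue
        m = SUDO_DENIED.search(line)
        if m:
            events.append(("privileged-access", f"sudo refused for {m['user']} (not in sudoers)"))
    # Sliding window over each (src, dst) pair: count distinct ports probed.
    for (src, dst), hits in denies.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {port for ts, port in hits[i:] if ts - start <= window}
            if len(ports) >= scan_threshold:
                events.append(("port-scan", f"{src} probed {len(ports)} ports on {dst} "
                                            f"within {int(window.total_seconds())}s"))
                break
    return events


if __name__ == "__main__":
    for category, detail in detect_events(SAMPLE_LOGS):
        print(f"[{category}] {detail}")
```

On the constructed input this yields two privileged-access events (the root SSH login and the refused sudo) and one port-scan event for 198.51.100.7; the single denied connection from 203.0.113.9 and alice's permitted sudo produce nothing. The window and threshold are deliberately parameters so a site can tune them against its own false-positive rate.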

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Software Installation Policy
1. Overview
Allowing employees to install software on company computing devices opens the organization up to unnecessary exposure. Conflicting file versions or DLLs which can prevent programs from running, the introduction of malware from infected installation software, unlicensed software which could be discovered during audit, and programs which can be used to hack the organization’s network are examples of the problems that can be introduced when employees install software on company equipment.

2. Purpose
The purpose of this policy is to outline the requirements around the installation of software on Enterprise TC-owned computing devices, in order to minimize the risk of loss of program functionality, the exposure of sensitive information contained within Enterprise TC's computing network, the risk of introducing malware, and the legal exposure of running unlicensed software.

3. Scope
This policy applies to all Enterprise TC employees, contractors, vendors and agents with Enterprise TC-owned mobile devices. This policy covers all computers, servers, smartphones, tablets and other computing devices operating within Enterprise TC.

4. Policy
Employees may not install software on Enterprise TC's computing devices operated within the Enterprise TC network.
Software requests must first be approved by the requester’s manager and then be made to the Information Technology department or Help Desk in writing or via email.
Software must be selected from an approved software list, maintained by the Information Technology department, unless no selection on the list meets the requester’s need.
The Information Technology Department will obtain and track the licenses, test new software for conflicts and compatibility, and perform the installation.

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Workstation Security (For HIPAA) Policy
1. Purpose
The purpose of this policy is to provide guidance for workstation security for Enterprise TC workstations in order to ensure the security of information on the workstation and information the workstation may have access to. Additionally, the policy provides guidance to ensure the requirements of the HIPAA Security Rule “Workstation Security” Standard 164.310(c) are met.

2. Scope
This policy applies to all Enterprise TC employees, contractors, workforce members, vendors and agents with an Enterprise TC-owned or personal workstation connected to the Enterprise TC network.

3. Policy
Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information, including protected health information (PHI), and that access to sensitive information is restricted to authorized users.

3.1 Workforce members using workstations shall consider the sensitivity of the information, including protected health information (PHI), that may be accessed and minimize the possibility of unauthorized access.
3.2 Enterprise TC will implement physical and technical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.
3.3 Appropriate measures include:
Restricting physical access to workstations to only authorized personnel.
Securing workstations (screen lock or logout) prior to leaving the area to prevent unauthorized access.
Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected. The password must comply with the Enterprise TC Password Policy.
Complying with all applicable password policies and procedures. See the Enterprise TC Password Policy.
Ensuring workstations are used for authorized business purposes only.
Never installing unauthorized software on workstations.
Storing all sensitive information, including protected health information (PHI), on network servers.
Keeping food and drink away from workstations in order to avoid accidental spills.
Securing laptops that contain sensitive information by using cable locks or locking laptops up in drawers or cabinets.
Complying with the Portable Workstation Encryption Policy.
Complying with the Baseline Workstation Configuration Standard.
Installing privacy screen filters or using other physical barriers to alleviate exposing data.
Ensuring workstations are left on but logged off in order to facilitate after-hours updates.
Exiting running applications and closing open documents.
Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).
If wireless network access is used, ensuring access is secure by following the Wireless Communication Policy.

4. Policy Compliance
4.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
4.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

4.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Web Application Security Policy
1. Overview
Web application vulnerabilities account for the largest portion of attack vectors outside of malware. It is crucial that any web application be assessed for vulnerabilities and any vulnerabilities be remediated prior to production deployment.
2. Purpose
The purpose of this policy is to define web application security assessments within Enterprise TC. Web application assessments are performed to identify potential or realized weaknesses resulting from inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of Enterprise TC services available both internally and externally, as well as satisfy compliance with any relevant policies in place.

3. Scope
This policy covers all web application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at Enterprise TC.

All web application security assessments will be performed by delegated security personnel either employed or contracted by Enterprise TC. All findings are considered confidential and are to be distributed to persons on a “need to know” basis. Distribution of any findings outside of Enterprise TC is strictly prohibited unless approved by the Chief Information Officer.

Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.
4. Policy
4.1 Web applications are subject to security assessments based on the following criteria:

New or Major Application Release – will be subject to a full assessment prior to approval of the change control documentation and/or release into the live environment.
Third Party or Acquired Web Application – will be subject to a full assessment, after which it will be bound to policy requirements.
Point Releases – will be subject to an appropriate assessment level based on the risk of the changes in the application functionality and/or architecture.
Patch Releases – will be subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture.
Emergency Releases – An emergency release will be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out. Emergency releases will be designated as such by the Chief Information Officer or an appropriate manager who has been delegated this authority.

4.2 All security issues that are discovered during assessments must be mitigated based upon the following risk levels. The risk levels are based on the OWASP Risk Rating Methodology. Remediation validation testing will be required to validate fix and/or mitigation strategies for any discovered issues of Medium risk level or greater.

High – Any high risk issue must be fixed immediately, or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the live environment.

Medium – Medium risk issues should be reviewed to determine what is required to mitigate them and scheduled accordingly. Applications with medium risk issues may be taken off-line or denied release into the live environment based on the number of issues and if multiple issues increase the risk to an unacceptable level. Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.

Low – Issues should be reviewed to determine what is required to correct them and scheduled accordingly.
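Because 4.2 ties its High/Medium/Low levels to the OWASP Risk Rating Methodology, a finding's level and required handling can be derived from the OWASP factor scores rather than assigned by feel. The following is an added example, not Enterprise TC's or OWASP's code: the 0-9 factor scores, the LOW/MEDIUM/HIGH bands and the overall-severity matrix are OWASP's as published; folding OWASP's "Critical" into the policy's High and "Note" into Low is an assumption made here because the policy defines only three levels, and the factor scores used for illustration are constructed.

```python
"""Map an OWASP Risk Rating Methodology score to this policy's risk levels.

Added example, not Enterprise TC's or OWASP's code. The 0-9 factor scores,
the LOW/MEDIUM/HIGH bands and the overall-severity matrix are OWASP's; the
fold of OWASP "Critical" into the policy's High and OWASP "Note" into Low is
an assumption, since the policy defines only three levels. Factor scores in
the examples are constructed.
"""
from statistics import mean


def band(score):
    """OWASP likelihood/impact band: LOW (<3), MEDIUM (3 to <6), HIGH (6 to 9)."""
    if not 0 <= score <= 9:
        raise ValueError("OWASP factor scores range from 0 to 9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall severity, indexed SEVERITY[impact_band][likelihood_band].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}

# Assumption: the policy has only High/Medium/Low, so Critical -> High, Note -> Low.
POLICY_LEVEL = {"Critical": "High", "High": "High", "Medium": "Medium", "Low": "Low", "Note": "Low"}

# Required handling per section 4.2 above.
POLICY_ACTION = {
    "High": "fix immediately or put mitigation in place before deployment; "
            "release may be denied or the application taken off-line",
    "Medium": "review and schedule; fix in a patch/point release unless other "
              "mitigation limits exposure; may be denied release if issues accumulate",
    "Low": "review to determine the correction and schedule it",
}


def assess(likelihood_factors, impact_factors):
    """Combine the eight OWASP likelihood factors (threat agent + vulnerability)
    and the eight impact factors (technical + business), each scored 0-9,
    into the policy's risk level and required action."""
    likelihood = mean(likelihood_factors)
    impact = mean(impact_factors)
    severity = SEVERITY[band(impact)][band(likelihood)]
    level = POLICY_LEVEL[severity]
    return {
        "likelihood": likelihood,
        "impact": impact,
        "owasp_severity": severity,
        "policy_level": level,
        "action": POLICY_ACTION[level],
        # Section 4.2: remediation validation testing for Medium or greater.
        "validation_testing_required": level in ("High", "Medium"),
    }


if __name__ == "__main__":
    # Constructed scores for an easily found, high-impact authentication weakness.
    print(assess([3, 9, 9, 9, 7, 5, 6, 8], [7, 7, 5, 9, 7, 5, 7, 7]))
    # Constructed scores for a hard-to-reach, moderate-impact information leak.
    print(assess([2, 1, 2, 2, 3, 2, 1, 3], [5, 3, 3, 2, 5, 3, 3, 5]))
```

The first constructed finding averages to likelihood 7 and impact 6.75, both HIGH, so OWASP rates it Critical and the policy handles it as High with validation testing required; the second averages to likelihood 2 (LOW) and impact 3.625 (MEDIUM), giving Low with no validation testing required. Recording the sixteen factor scores alongside each finding is what makes the assigned level reviewable later.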

4.3 The following security assessment levels shall be established by management:
Full – A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide. A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities and determine the overall risk of any and all discovered issues.
Quick – A quick assessment will consist of a (typically) automated scan of an application for, at a minimum, the OWASP Top Ten web application security risks.
Targeted – A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.

Other tools and/or techniques may be used depending upon what is found in the default assessment and the need to determine validity and risk; their use is subject to the discretion of the Security Engineering team.

5. Policy Compliance
5.1 Compliance Measurement
Management will verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by department supervision or management.

5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Web application assessments are a requirement of the change control process and are required to adhere to this policy unless found to be exempt. All application releases must pass through the change control process. Any web applications that do not adhere to this policy may be taken offline until such time that a formal assessment can be performed, at the discretion of the Chief Information Officer.