Security Class Final Project (help)


SecondRaven
2004-12-08, 10:00 AM
Hey tech forum people (people who have some brainpower in computers) tell me what you think of my final paper for my college Internet Security course. I would like any of you to tell me what you think and what I need to change. Robhunter you better help me out here bud

This security plan is for a company (Fortune 500 size) so keep that in mind when you are reading it.

Fortune 500 Security Policy


General Computer use policy

Purpose

To promote the use of computers, including the Internet and computer-related technology, as educational and research tools; encourage the use of computers and computer-related technology to advance and promote learning and teaching; and establish controls to prevent the misuse, impairment, disruption, and damage to the Company computer system or any of its components.


Network Information:

IP Addresses

Marketing: 192.168.0.0 (class a)

Research and Development: 172.16.0.0 (class b)

Accounting: 138.131.16.0 (class c)

*VLAN implementation implemented at each network to separate branches*




Computer System Administration
The Network Coordinator

-Designs, manages and supervises the operation and use of the computer system

-Monitors all network activities to ensure proper use of the system

-Interprets District policy and regulations governing use of the computer system

-Provides employee training for proper use of the computer system

-Ensures that all disks and software loaded onto the computer network have been scanned for computer viruses

-Is responsible for determining and controlling access to the Company computer system


Privacy and Retention of E-mail and Internet Transmissions & Records

All e-mail and Internet transmissions and records are not the personal or private property of any user. The Company doesn't guarantee privacy for e-mail or any use of the system. They may be accessed, monitored and viewed by the company, and may be subject to disclosure in court proceedings.


Company Rights

-Reserves the right to monitor use of the computer system

-Assumes no responsibility or liability for deleted or lost files

-Reserves the right to remove a user from the computer system

Shall not be responsible for:

• Any information obtained by a user, such information being obtained at the user's sole and exclusive risk

• Any damages, including but not limited to the loss of data whether or not caused by negligence, errors or omissions of the company

• Any costs, liabilities or damages incurred by the user

-Is not responsible for any viruses, worms or cookies imparted to a user's home computer from the company computer system

-Reserves and retains the right to amend, modify or change this policy or any
provision hereof.

Access to System

Only authorized users will be granted access

Each authorized user will have only one unique User ID and one password
(changed periodically) which shall not be given to any other official, employee or
otherwise provided in the policy

Log-in to the system shall only occur when the user is in the immediate vicinity of
the computer terminal, and the user shall log off the network when leaving the
terminal or area for any reason or time period

The Network Coordinator shall be notified whenever the system refuses to allow
access to any site following four consecutive unsuccessful log-in attempts, and
no further access shall be granted or permitted except by the Network
Coordinator

Authorization for access shall terminate for:

• An official or employee when he/she leaves company employment

• An official when he/she is no longer working in the company

• Any user when he/she is no longer authorized to have access.

Internet Access By Company personnel
Personnel

-Will be provided with access to the Internet only during the work day whether in work related business, but only after receiving training and their user ID and passwords

-Will be provided with individual accounts and e-mail addresses

-May, subject to monitoring by a company official or staff member, browse the World Wide Web, read news groups, construct their own web pages using the company's computer resources, and belong to approved mailing lists.


Acceptable Use & Conduct

Use of the computer system and/or any component thereof, shall be in strict conformance with the following:

Use of and access to the computer system shall only be for the educational
advancement of company personnel, and for company officials/staff to conduct
official





Access Control Lists

*Extended ACLs at incoming and outgoing will only be allowed*

ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network. ACLs can be created for all routed network protocols such as IP and Internetwork Packet Exchange (IPX). ACLs can be configured at the router to control access to a network or subnet.

ACLs must be defined on a per protocol, per direction, or per port basis. To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic. Every interface can have multiple protocols and directions defined. If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed. There would be one ACL for each protocol, times two for each direction, times two for the number of ports.

ACLs can be used to perform the following tasks:

Limit network traffic and increase network performance. For example, ACLs that restrict video traffic could greatly reduce the network load and increase network performance.

Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.

Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.

Decide which types of traffic are forwarded or blocked at the router interfaces. ACLs can permit e-mail traffic to be routed, but block all Telnet traffic.


Acceptable Use Policy Page

Company business

No unauthorized software shall be permitted to be installed or used on the
system. Personal software will only be allowed on the computer system, or any
component part thereof, provided that the software is licensed, approved by the
Network Coordinator, and does not compromise system security

Each user has the duty to:

-Respect the privacy and confidentiality of other users;

-Respect the legal copyrights and licenses of programs, software and data

- Protect data from unauthorized use or disclosure

- Respect the integrity of computer system

-Safeguard their accounts and passwords, and change passwords only in
accordance with guidelines for valid passwords

-Abide by generally accepted rules of network etiquette, including being polite and using only appropriate language.

- Report any observations of attempted security violations, and/or violations of
this policy, to the appropriate teacher, administrator or the Network Coordinator,
and under no circumstance should the user demonstrate the problem to anyone
other than the company official or employee being notified

- Only those users with written permission from the principal or Network Coordinator may access the Company's system from off-site

Any user identified as a security risk or having a history of violations of
the Company's computer use guidelines may be denied access to the company's
network.

Prohibited Activity & Uses

The following is a list of prohibited activities, and violation of any of these prohibitions may result in discipline or other appropriate penalty, including suspension or revocation of a user's access to the system:

-Infringing on any copyrights or other intellectual property rights, including
copying, installing, receiving, transmitting or making available any copyrighted
software on the company's computer network

-Using the network to receive, transmit or make available messages that are
racist, sexist, abusive or harassing to others

-Using another person's account or password

-Attempting to read, delete, forge, copy or modify the e-mail of other system
users

-Interfering with the ability of other system users to send and/or receive e-mail

-Engaging in vandalism (any malicious attempt to harm or destroy computer
system equipment, software or the data, and includes but is not limited to
creating and/or placing a computer virus on the network)

-Using the network to send anonymous messages or files

-Using the network to receive, transmit or make available to others a message
that is inconsistent with the company's code of conduct

-Revealing the personal address, telephone number or other personal
information of oneself or another person

-Using the network for sending and/or receiving personal messages

-Intentionally disrupting network traffic or crashing the network and connected
systems

-Installing personal software or using personal disks on the company's
computers

SecondRaven
2004-12-08, 10:01 AM
-Using company computer resources for commercial or financial gain or fraud

-Stealing data, equipment or intellectual property

-Gaining or seeking to gain unauthorized access to any files, resources or
computer or phone systems, or vandalizing the data of another user

-Using the network while access privileges are suspended or revoked

-Using the network in a fashion inconsistent with directions from teachers and
other staff and from generally accepted network etiquette

-Transmitting any material in violation of any federal, state and/or local law or
regulation, including but not limited to materials protected by copyright,
threatening or obscene material, or material protected by trade secret

-Participating in chat rooms.

Penalties For Violation

Any user of the system who violates any provision of this policy shall be subject to a penalty consisting of disciplinary action, suspension and/or revocation of computer access privileges, or a combination thereof; illegal activity will be reported to the proper authorities.


Specialized Layout and Segregation of Equipment


Router Layout:

Marketing: Cisco 2500 Router, location New York

Research and Development: Cisco 2500 Router, location Florida

Accounting: Cisco 2500 Router, Location California


Thank you for the help
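
Added example, not part of the original posts: the Access Control Lists section of the paper describes lists of conditions tested against traffic at a router interface, with Host A allowed, Host B blocked, e-mail permitted and Telnet denied. This Python sketch parses a small subset of Cisco-style extended ACL syntax and applies first-match evaluation with the implicit deny at the end. 172.16.0.0 is the R&D network from the post; the /16 wildcard mask and the Host A and Host B addresses are assumptions.

```python
import ipaddress

PORTS = {"smtp": 25, "telnet": 23}

# Constructed ACL. 172.16.0.0 (R&D) is from the post; the 0.0.255.255 wildcard,
# Host A (192.168.0.10) and Host B (192.168.0.20) are assumptions.
ACL_101 = """
access-list 101 permit tcp host 192.168.0.10 172.16.0.0 0.0.255.255
access-list 101 deny tcp host 192.168.0.20 172.16.0.0 0.0.255.255
access-list 101 deny tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tokens):
    """Consume one address spec from tokens; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()[2:]            # drop "access-list <number>"
        action, proto = t.pop(0), t.pop(0)
        src, dst = _addr(t), _addr(t)
        port = PORTS[t[1]] if t[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(ip, spec):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return (_ip(ip) | wild) == (base | wild)

def evaluate(rules, proto, src, dst, dport):
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto == proto and _match(src, r_src) and _match(dst, r_dst)
                and r_port in (None, dport)):
            return action               # first matching entry wins
    return "deny"                       # implicit deny ends every ACL

RULES = parse(ACL_101)
```

Entry order decides the outcome: Host A can still Telnet into 172.16.0.0 because its permit entry is matched before the Telnet deny, and any traffic that matches no entry, such as port 80, is dropped by the implicit deny.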