Insurance Policies

Appendix A - Risk Assessment Matrix

                        Low Impact   Medium Low Impact   Medium Impact   Medium High Impact   High Impact
High Likelihood             51              52                53                 54               55
Medium High Likelihood      41              42                43                 44               45
Medium Likelihood           31              32                33                 34               35
Medium Low Likelihood       21              22                23                 24               25
Low Likelihood              11              12                13                 14               15

The numbers in the diagram above strictly describe a tile's location on the chart; they are not scores. Each tile is used to record the perceived loss for that combination of likelihood and impact, and to categorize the risks that fall within it.

Vulnerability = Likelihood X Impact

Vulnerability can be remediated (completely removed) or mitigated (reduced via a security control) to lower

Risk = potential loss vs. potential gain; the goal is to put the business where gain outweighs loss.

Risk can be accepted, mitigated, or not accepted

Risk can be accepted, mitigated, or _____?

ISP1001 - Management Statement on Information Security

Management Statement on Information Security

Policy Name: Management Statement on Information Security
Policy #: InfoSec-1,001
Replaces Policy # (none)
Superseded By Policy # (none)

Overview

Definitions
None

Related Standards and Guidelines

1. ISO 27002

Section 5 Security Policy: Management should define a policy to clarify their direction of, and support for, information security, meaning a short, high-level information security policy statement laying down the key information security directives and mandates for the entire organization.

Policy

  1. UIS management is committed to the development, implementation, maintenance, and ongoing improvement of Information Security.
  2. UIS requires all employees to be compliant with our Information Security policies at all times.
  3. Employees who violate Information Security policies are subject to sanctions and discipline including termination of employment.
  4. UIS will continually work towards improving Information Security.  UIS will identify risk, assess risk, and take steps on an ongoing basis to reduce risk from potential threats to the Information Technology resources.  Assessed risk should be reviewed at least annually.
  5. A monthly meeting between the Director of Information Security and the management team will occur to discuss emerging threats, risks of disruption, and potential changes to policies and regulations.
  6. The information security program will be led by the Director of Information Security.
  7. At least annually, employees must complete security awareness training.
  8. At least annually a risk assessment and security impact analysis will be completed regarding third party providers.
  9. Management hereby allows the Director of Information Security to approve policy changes as necessary to ensure the success of the information security program so long as updates to policies and procedures are communicated to staff.

How often do risk assessments occur regarding third party providers?

  • Daily
  • Weekly
  • Monthly
  • Yearly

ISP1002 - Risk Assessment

Risk Assessment

Policy Name: Risk Assessment
Policy #: InfoSec-1,002
Replaces Policy # (none)
Superseded By Policy # (none)

Overview

This is a policy to empower the Information Security team to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.

Scope

Risk assessments can be conducted on an entity within UIS or any outside entity that has signed a Third Party Agreement with UIS. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administered and/or maintained.

Policy

The execution, development and implementation of remediation programs is the joint responsibility of Information Security and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the Information Security Risk Assessment Team in the development of a remediation plan.

Risk Assessment Process

For additional information, go to the Risk Assessment Process.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Definitions

Entity - Any business unit, department, group, or third party, internal or external to UIS, responsible for maintaining UIS assets.

Risk - Those factors that could affect confidentiality, availability, and integrity of UIS’s key information assets and systems.  Information Security is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity.

An Entity is any ______, department, group, or third party, internal or external to UIS, responsible for maintaining UIS assets.

  • Person
  • Business Unit
  • Program
  • Device

ISP1003 - Security Response Plan

Security Response Plan

Policy Name: Security Response Plan
Policy #: InfoSec-1,003
Replaces Policy # (none)
Superseded By Policy # (none)

Overview

A Security Response Plan (SRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (a security vulnerability identified or exploited). Specifically, an SRP defines a product description, contact information, escalation paths, expected service level agreements (SLAs), severity and impact classification, and mitigation/remediation timelines. Requiring that a business unit incorporate an SRP as part of business continuity operations, and as new products or services are developed and prepared for release to consumers, ensures that when an incident occurs, swift mitigation and remediation ensue.

The purpose of this policy is to establish the requirement that all business units supported by the Information Security Team develop and maintain a security response plan. This ensures that the security incident management team has all the necessary information to formulate a successful response should a specific security incident occur.

Scope

A Security Response Plan is required of any established, defined business unit within UIS.

Policy

The development, implementation, and execution of a Security Response Plan (SRP) is the primary responsibility of the specific business unit for whom the SRP is being developed, in cooperation with the Information Security Team. Business units are expected to properly facilitate the SRP applicable to the services or products for which they are held accountable. The business unit security coordinator or champion is further expected to work with the Information Security Team in the development and maintenance of a Security Response Plan.

1. Service or Product Description
The product description in an SRP must clearly define the service or application to be deployed; additional attention to data flows, logical diagrams, and architecture is considered highly useful.

2. Contact Information
The SRP must include contact information for dedicated team members to be available during non-business hours should an incident occur and escalation be required. This may be a 24/7 requirement depending on the defined business value of the service or product, coupled with the impact to the customer. The SRP document must include all phone numbers and email addresses for the dedicated team member(s).

3. Triage
The SRP must define triage steps to be coordinated with the security incident management team in a cooperative manner with the intended goal of swift security vulnerability mitigation. This step typically includes validating the reported vulnerability or compromise.

4. Identified Mitigations and Testing
The SRP must include a defined process for identifying and testing mitigations prior to deployment. These details should include both short-term mitigations as well as the remediation process.

5. Mitigation and Remediation Timelines
The SRP must include levels of response to identified vulnerabilities that define the expected timelines for repair based on severity and impact to consumer, brand, and company. These response guidelines should be carefully mapped to level of severity determined for the reported vulnerability.

Enforcement

Any business unit found to have violated (no SRP developed prior to service or product deployment) this policy may be subject to delays in service or product release until such a time as the SRP is developed and approved. Responsible parties may be subject to disciplinary action, up to and including termination of employment, should a security incident occur in the absence of an SRP.

Definitions

Escalation path - The means by which to immediately contact a responsible party for a business unit. Required as part of SRP execution and triage/mitigation activity.

Mitigation - The act of mitigating, or lessening the impact or intensity of a security incident typically inclusive of extreme circumstances such as service compromise or product exploitation.

Product - Typically a software application release for public consumption and, as such, subject to researcher and attacker scrutiny.

Service - Similar to a product but typically a service-based model where a business productivity tool is offered to consumers as part of a cloud-centric service offering.

Triage - The determination of priorities for action during a security incident.

Triage typically includes _______ the reported vulnerability or compromise.

  • Validating
  • Confirming
  • Accepting
  • Reporting

ISP1004 - Business Continuity - Disaster Recovery Plan

Business Continuity / Disaster Recovery Plan

Policy Name: Business Continuity / Disaster Recovery Plan
Policy #: InfoSec-1,004
Replaces Policy # (none)
Superseded By Policy # (none)

Overview

The purpose of this document is to lay out a plan of action for situations that could halt business or require recovery from a disastrous occurrence.  The business continuity plan covers the steps required to restore all business functions, including operation of production systems, communication between employees and customers, and customer support.  The disaster recovery plan details the technical steps required to restore critical business systems, business infrastructure, and offices if affected.

Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at UIS, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by UIS that is considered business critical.

Executive Summary

This document details the process of restoring business functions, systems, and infrastructure after a stoppage of business or a disaster.  Presently this involves restoring critical systems and files from onsite or offsite backups.

Objectives

The objectives of this plan are to:

  • Undertake a risk management assessment at least annually and update this and other related documentation.
  • Define and prioritize UIS’s critical business functions.
  • Detail immediate response to a critical incident.
  • Detail strategies and actions to be taken to enable UIS to stay in business.
  • Review and update this plan on a regular basis.

Definitions

Business Continuity Planning - a process that helps develop a plan document to manage the risks to a business, ensuring that it can operate to the extent required in the event of a crisis/disaster. 

Business Continuity Plan - a document containing all of the information required to ensure that your business is able to resume critical business activities should a crisis/disaster occur.

Business Impact Analysis - the process of gathering information to determine basic recovery requirements for your key business activities in the event of a crisis/disaster.

Key business activities - those activities essential to deliver outputs and achievement of business objectives.

Recovery Time Objective (RTO) - the time from which you declare a crisis/disaster to the time that the critical business functions must be fully operational in order to avoid serious financial loss.

Resources - the means that support delivery of an identifiable output and/or result.  Resources may be money, physical assets, or most importantly, people.

Risk Management - the process of defining and analysing risks, and then deciding on the appropriate course of action in order to minimize these risks, whilst still achieving business goals.

Risk Management Planning

It is necessary that business stakeholders manage the risks to the business by identifying and analysing the things that may have an adverse effect on your business and choosing the best method of dealing with each of these identified risks.

The questions to consider:

  • What could cause an impact?
  • How serious would that impact be?
  • What is the likelihood of this occurring?
  • Can it be reduced or eliminated?

Business Impact Analysis

Loss of customers or reputation would entail significant cost to UIS, both in terms of financial and market share losses.  As such, any outage, no matter how small the user base impacted, needs to be dealt with as a critical outage.

Business Continuity and Recovery Strategies

In the event of an impact to business, all owners and critical staff will communicate by email, phone, then in-person if other methods of communication are unavailable by meeting at the office.  Efforts will be made to restore critical infrastructure as soon as possible to minimize the impact on customers.  In the event of the death or severe injury of an owner a succession strategy is available from the lawyer.  Should this occur all staff will be notified of any changes in reporting as soon as possible.

Disaster Recovery Process

As most critical infrastructure for UIS is hosted in the cloud, disaster recovery entails launching or creating new instances and restoring data from backups.  While not currently in place, all critical data will be stored with redundancy, such that a critical failure of one provider does not leave UIS unable to recover.  Detailed instructions should be hosted and maintained on a network shared drive, with its location disclosed to critical personnel.

In the event that the office is affected, all employees will be called and instructed to work from home.  Firewall settings will be updated to allow remote access specifically from employee IPs should the VPN not be accessible.

Testing and Maintenance

The business continuity plan and disaster recovery plan must be reviewed, updated, and tested at least once a year.

In the event of an impact to business, all owners and critical staff will communicate by email, phone, then ________ if other methods of communication are unavailable by meeting at the office.

  • Chat Room
  • Laptop
  • In-Person
  • None of the above

How often is the business continuity plan and disaster recovery plan reviewed?

  • Once a year
  • Twice a year
  • Once every five years
  • Once a month

ISP1005 - Pandemic Response Planning

Pandemic Response Planning

Policy Name: Pandemic Response Planning
Policy #: InfoSec-1,005
Replaces Policy # (none)
Superseded By Policy # (none)

Overview

This policy is intended for companies that do not meet the definition of critical infrastructure as defined by the federal government. This type of organization may be requested by public health officials to close their offices to non-essential personnel or completely during a worst-case scenario pandemic to limit the spread of the disease. Many companies would run out of cash and be forced to go out of business after several weeks of everyone not working. Therefore, developing a response plan in advance that addresses who can work remotely, how they will work and identifies what other issues may be faced will help the organization survive at a time when most people will be concerned about themselves and their families.

Disasters typically happen in one geographic area. A hurricane or earthquake can cause massive damage in one area, yet the worst damage is usually contained within a few hundred miles. A global pandemic, such as the 1918 influenza outbreak which infected 1/3 of the world’s population, cannot be dealt with by failing over to a backup data center. Therefore, additional planning steps for IT architecture, situational awareness, employee training and other preparations are required.

This document directs planning, preparation and exercises for pandemic disease outbreak over and above the normal business continuity and disaster recovery planning process. The objective is to address the reality that pandemic events can create personnel and technology issues outside the scope of the traditional DR/BCP planning process as potentially 25% or more of the workforce may be unable to come to work for health or personal reasons.

Scope

The planning process will include personnel involved in the business continuity and disaster recovery process, enterprise architects and senior management of UIS. During the implementation of the plan, all employees and contractors will need to undergo training before and during a pandemic disease outbreak.

Policy

UIS will authorize, develop and maintain a Pandemic Response Plan addressing the following areas:

The Pandemic Response Plan leadership will be identified as a small team which will oversee the creation and updates of the plan. The leadership will also be responsible for developing internal expertise on the transmission of diseases and other areas such as second wave phenomenon to guide planning and response efforts. However, as with any other critical position, the leadership must have trained alternates that can execute the plan should the leadership become unavailable due to illness.

The creation of a communications plan before and during an outbreak that accounts for congested telecommunications services.

An alert system based on monitoring of World Health Organization (WHO) and other local sources of information on the risk of a pandemic disease outbreak.

A predefined set of emergency policies that will preempt normal UIS policies for the duration of a declared pandemic. These policies are to be organized into different levels of response that match the level of business disruption expected from a possible pandemic disease outbreak within the community. These policies should address all tasks critical to the continuation of the company including:

a. How people will be paid
b. Where they will work – including staying home with or bringing kids to work
c. How they will accomplish their tasks if they cannot get to the office

A set of indicators to management that will aid them in selecting an appropriate level of response—bringing into effect the related policies discussed in section 4.0.4—for the organization. There should be a graduated level of response related to the WHO pandemic alert level or other local indicators of a disease outbreak.

An employee training process covering personal protection including:
a. Identifying symptoms of exposure
b. The concept of disease clusters in day cares, schools or other gathering places
c. Basic prevention - limiting contact closer than 6 feet, cover your cough, hand washing
d. When to stay home
e. Avoiding travel to areas with high infection rates

A process for the identification of employees with first responders or medical personnel in their household. These people, along with single parents, have a higher likelihood of unavailability due to illness or child care issues.

A process to identify key personnel for each critical business function and transition their duties to others in the event they become ill.

A list of supplies to be kept on hand or pre-contracted for supply, such as face masks, hand sanitizer, fuel, food and water.

IT related issues:

a. Ensure enterprise architects are including pandemic contingency in planning
b. Verification of the ability for significantly increased telecommuting including bandwidth, VPN concentrator capacity/licensing, ability to offer voice over IP and laptop/remote desktop availability
c. Increased use of virtual meeting tools – video conference and desktop sharing
d. Identify what tasks cannot be done remotely
e. Plan for how customers will interact with the organization in different ways

The creation of exercises to test the plan.

The process and frequency of plan updates at least annually.

Guidance for auditors indicating that any review of the business continuity plan or enterprise architecture should assess whether they appropriately address the UIS Pandemic Response Plan.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Definitions

Pandemic - A global disease outbreak. It is determined by how the disease spreads, not how many deaths it causes.

DR/BCP - Disaster Recovery/Business Continuity Planning

A global _______ outbreak. It is determined by how the disease spreads, not how many deaths it causes.

  • Disease
  • Cow
  • Children
  • Virus

A ________ or ________ can cause massive damage in one area, yet the worst damage is usually contained within a few hundred miles.

  • Hurricane; Tornado
  • Hurricane; Volcano
  • Hurricane; Earthquake
  • Earthquake; Tornado

ISP1006 - Acceptable Use Policy

Acceptable Use Policy

Policy Name: Acceptable Use Policy
Policy #: InfoSec-1,006
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
InfoSec’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to UIS’s established culture of openness, trust and integrity. InfoSec is committed to protecting UIS's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of UIS. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details.

Effective security is a team effort involving the participation and support of every UIS employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

The purpose of this policy is to outline the acceptable use of computer equipment at UIS. These rules are in place to protect the employee and UIS. Inappropriate use exposes UIS to risks including virus attacks, compromise of network systems and services, and legal issues. 

Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at UIS, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by UIS. 

Policy

General Use and Ownership 

While UIS's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of UIS. Because of the need to protect UIS's network, management cannot guarantee the confidentiality of information stored on any network device belonging to UIS. 

Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager. 

InfoSec recommends that any information that users consider sensitive or vulnerable be encrypted. For guidelines on information classification, see InfoSec's Information Sensitivity Policy. For guidelines on encrypting email and documents, go to InfoSec's Awareness Initiative. 

For security and network maintenance purposes, authorized individuals within UIS may monitor equipment, systems and network traffic at any time, per InfoSec's Audit Policy. 

UIS reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

Security and Proprietary Information 

The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information. 

Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly, user level passwords should be changed every six months. 

All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for Win2K users) when the host will be unattended. 

Use encryption of information in compliance with InfoSec's Acceptable Encryption Use policy. 

Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Tips”. 

Postings by employees from a UIS email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of UIS, unless posting is in the course of business duties. 

All hosts used by the employee that are connected to the UIS Internet/Intranet/Extranet, whether owned by the employee or UIS, shall be continually executing approved virus-scanning software with a current virus database unless overridden by departmental or group policy. 

Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

Unacceptable Use 

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee of UIS authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing UIS-owned resources. 

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use. 

System and Network Activities 

The following activities are strictly prohibited, with no exceptions: 

Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by UIS. 

Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which UIS or the end user does not have an active license is strictly prohibited. 

Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question. 

Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.). 

Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home. 

Using a UIS computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction. 

Making fraudulent offers of products, items, or services originating from any UIS account. 

Making statements about warranty, expressly or implied, unless it is a part of normal job duties. 

Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

Port scanning or security scanning is expressly prohibited unless prior notification to InfoSec is made. 

Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty. 

Circumventing user authentication or security of any host, network or account. 

Interfering with or denying service to any user other than the employee's host (for example, denial of service attack). 

Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet. 

Providing information about, or lists of, UIS employees to parties outside UIS. 

Email and Communications Activities 

Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam). 

Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages. 

Unauthorized use, or forging, of email header information. 

Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies. 

Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type. 

Use of unsolicited email originating from within UIS's networks or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by UIS or connected via UIS's network.

Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam). 

Blogging

Blogging by employees, whether using UIS’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of UIS’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate UIS’s policy, is not detrimental to UIS’s best interests, and does not interfere with an employee's regular work duties. Blogging from UIS’s systems is also subject to monitoring.

UIS’s Confidential Information policy also applies to blogging. As such, employees are prohibited from revealing any UIS confidential or proprietary information, trade secrets or any other material covered by UIS’s Confidential Information policy when engaged in blogging.

Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of UIS and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by UIS’s Non-Discrimination and Anti-Harassment policy.

Employees may also not attribute personal statements, opinions or beliefs to UIS when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of UIS. Employees assume any and all risk associated with blogging.

Apart from following all laws pertaining to the handling and disclosure of copyrighted or export controlled materials, UIS’s trademarks, logos and any other UIS intellectual property may also not be used in connection with any blogging activity.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 

Definitions

Blogging - Writing a blog. A blog (short for weblog) is a personal online journal that is frequently updated and intended for general public consumption.

Spam - Unauthorized and/or unsolicited electronic mass mailings. 

 

Any employee found to have violated this policy may be subject to disciplinary action, up to and including _________ of employment.

  • Promotion
  • Termination
  • Suspension
  • Demotion

All PCs, laptops and _________ should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for Win2K users) when the host will be unattended.

  • Phones
  • Vehicles
  • Workstations
  • Tablets

ISP1007 - Password Policy

Password Policy

Policy Name: Password Policy
Policy #: InfoSec-1,007
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
 Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of UIS's resources. All users, including contractors and vendors with access to UIS systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

 The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

Scope
 The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any UIS facility, has access to the UIS network, or stores any non-public UIS information.

Policy

 General

All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.

All production system-level passwords must be part of the InfoSec administered global password management database.

All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months.

User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.

Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. Keyed-hash authentication must be used where available (SNMPv3 with authentication enabled); note that SNMPv1 and SNMPv2c send the community string in clear text on the wire.

All user-level and system-level passwords must conform to the guidelines described below.

Guidelines

A. General Password Construction Guidelines
All users at UIS should be aware of how to select strong passwords.

Strong passwords have the following characteristics:
Contain at least three of the five following character classes:
Lower case characters
Upper case characters
Numbers
Punctuation
“Special” characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc)
Are at least fifteen characters long.

Weak passwords have the following characteristics:
The password contains less than fifteen characters
The password is a word found in a dictionary (English or foreign)
The password is a common usage word such as:
Names of family, pets, friends, co-workers, fantasy characters, etc.
Computer terms and names, commands, sites, companies, hardware, software.
The words "UIS", "sanjose", "sanfran" or any derivation.
Birthdays and other personal information such as addresses and phone numbers.
Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
Any of the above spelled backwards.
Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. Note that these short illustrations do not meet the fifteen-character minimum above; build the password from a longer phrase.

(NOTE: Do not use either of these examples as passwords!)

B. Password Protection Standards
Always use different passwords for UIS accounts from other non-UIS access (e.g., personal ISP account, option trading, benefits, etc.).
Always use different passwords for various UIS access needs whenever possible. For example, select one password for systems that use directory services (i.e. LDAP, Active Directory, etc.) for authentication and another for locally authenticated access.
Do not share UIS passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential UIS information.
Passwords should never be written down or stored on-line without encryption.
Do not reveal a password in email, chat, or other electronic communication.
Do not speak about a password in front of others.
Do not hint at the format of a password (e.g., "my family name")
Do not reveal a password on questionnaires or security forms
If someone demands a password, refer them to this document and direct them to the Information Security Department.
Always decline the use of the "Remember Password" feature of applications (e.g., Eudora, OutLook, Netscape Messenger).

If an account or password compromise is suspected, report the incident to the Information Security Department.

 C. Application Development Standards
Application developers must ensure their programs contain the following security precautions.
Applications:
Shall support authentication of individual users, not groups.
Shall not store passwords in clear text or in any easily reversible form.
Shall provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
Shall support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.

D. Use of Passwords and Passphrases for Remote Access Users
Access to the UIS Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

 E. Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks."
A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:

"The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"

All of the rules above that apply to passwords apply to passphrases.

Enforcement

 Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Password cracking or guessing may be performed on a periodic or random basis by the Information Security Department or its delegates. If a password is guessed or cracked during these exercises, the user/owner will be required to change it.

Definitions

 Application Administration Account - Any account that is for the administration of an application
(e.g., Oracle database administrator, ISSU administrator).

_________ are an important aspect of computer security.

  • Phones
  • Emails
  • Passwords
  • Hard Drives

Which of the following is not a characteristic of a strong password?

  • Lower case characters
  • Upper case characters
  • Word or Number patterns
  • Punctuation

ISP1008 - Equipment Disposal

Equipment Disposal

Policy Name: Equipment Disposal
Policy #: InfoSec-1,008
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
Technology equipment often contains parts which cannot simply be thrown away.  Proper disposal of equipment is both environmentally responsible and often required by law.  In addition, hard drives, USB drives, CD-ROMs and other storage media contain various kinds of UIS data, some of which is considered sensitive.  In order to protect our constituents’ data, all storage media must be properly erased before being disposed of.  However, simply deleting or even formatting data is not considered sufficient.  When deleting files or formatting a device, data is marked for deletion, but is still accessible until being overwritten by a new file.  Therefore, special tools must be used to securely erase data prior to equipment disposal.  

This policy has been developed to define the requirements for proper disposal of technology equipment at UIS.    

Scope
This policy applies to all technology equipment owned by UIS or employees that stores or has stored company confidential or proprietary information including business emails, client lists, troubleshooting and training material, configurations, code, or marketing materials.  

Policy

Technology Equipment Disposal
When technology assets have reached the end of their useful life they should be sent to the UIS office for proper disposal.  

Information Security will securely erase all storage mediums in accordance with current industry best practices.  

Equipment which is working, but reached the end of its useful life to UIS, will be made available for purchase by employees.

A lottery system will be used to determine who has the opportunity to purchase available equipment.

All equipment purchases must go through the lottery process.  Employees cannot purchase their office computer directly or “reserve” a system.  This ensures that all employees have an equal chance of obtaining equipment.

Finance and Information Security will determine an appropriate cost for each item.  

All purchases are final.  No warranty or support will be provided with any equipment sold.  

Any equipment not in working order or remaining from the lottery process will be donated or disposed of according to current environmental guidelines.  Information Technology has contracted with several organizations to donate or properly dispose of outdated technology assets.   

Prior to leaving UIS premises, all equipment must be removed from the Information Security asset inventory system.  

UIS Ramifications
Failure to properly dispose of technology equipment can have several negative ramifications to the UIS including fines, negative customer perception and costs to notify constituents of data loss or inadvertent disclosure.


Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 

 

When technology assets have reached the end of their useful life they should be sent to the __________ for proper disposal.

  • UIS Office
  • DTS Office
  • Goodwill
  • Recycling center

A ________ system will be used to determine who has the opportunity to purchase available equipment.

  • Performance
  • Lottery
  • Random
  • Financial

ISP1009 - Web Application Security Assessment

Web Application Security Assessment

Policy Name: Web Application Security Assessment
Policy #: InfoSec-1,009
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The purpose of this policy is to define web application security assessments within UIS. Web application assessments are performed to identify potential or realized weaknesses as a result of inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of UIS services available both internally and externally as well as satisfy compliance with any relevant policies in place.

Scope
 This policy covers all web application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at UIS.

All web application security assessments will be performed by delegated security personnel either employed or contracted by UIS. All findings are considered confidential and are to be distributed to persons on a “need to know” basis. Distribution of any findings outside of UIS is strictly prohibited unless approved by the Director of Information Security.

Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.


Policy

 Web applications are subject to security assessments based on the following criteria:

• New or Major Application Release  – will be subject to a full assessment prior to approval of the change control documentation and/or release into the live environment.

• Third Party or Acquired Web Application  – Will be subject to full assessment after which it will be bound to policy requirements.

• Point Releases  – will be subject to an appropriate assessment level based on the risk of the changes in the application functionality and/or architecture.

• Patch Releases  – will be subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture.

• Emergency Releases  – An emergency release will be allowed to forgo security assessments and carry the assumed risk until such time that a proper assessment can be carried out. Emergency releases will be designated as such by the Director of Information Security or an appropriate manager who has been delegated this authority.

Risk

Security issues that are discovered during assessments will be mitigated based upon the following risk levels. Risk rating will be based on the OWASP Risk Rating Methodology.

• High  – Any high risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the live environment.

• Medium  – Medium risk issues should be reviewed to determine what is required to mitigate and scheduled accordingly. Applications with medium risk issues may be taken off-line or denied release into the live environment based on the number of issues and if multiple issues increase the risk to an unacceptable level. Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.

• Low  – Issue should be reviewed to determine what is required to correct the issue and scheduled accordingly.

Remediation validation testing will be required to validate fix and/or mitigation strategies for any discovered issues of Medium risk level or greater.
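The OWASP Risk Rating Methodology the policy refers to scores eight likelihood factors and eight impact factors from 0 to 9, averages each group, bands the averages (below 3 Low, 3 to below 6 Medium, 6 and above High), and reads the overall severity from a likelihood-by-impact table. The following is an added example, not part of the policy: the factor names, bands and severity table are the published OWASP ones; the sample scores for a constructed stored-XSS finding, and the folding of OWASP's "Critical" into this policy's High level and "Note" into Low (the policy defines only three levels), are assumptions of the example.

```python
"""OWASP Risk Rating worked through for the ISP1009 risk levels (added
example, not policy text).  Factor names, bands and the severity table follow
the OWASP Risk Rating Methodology; the sample scores and the mapping onto the
policy's three levels are assumptions of this example."""

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP overall severity: (likelihood level, impact level) -> severity
SEVERITY = {
    ("LOW", "LOW"): "NOTE",    ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}

# ISP1009 has three levels: Critical and High both trigger the "fix
# immediately" rule, Note folds into Low (assumption of this example).
POLICY_LEVEL = {"CRITICAL": "High", "HIGH": "High", "MEDIUM": "Medium",
                "LOW": "Low", "NOTE": "Low"}


def average(scores, expected):
    """Mean of the expected factors; refuses missing or out-of-range values."""
    missing = set(expected) - set(scores)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name in expected:
        if not 0 <= scores[name] <= 9:
            raise ValueError(f"{name} must be 0..9, got {scores[name]}")
    return sum(scores[name] for name in expected) / len(expected)


def level(score):
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(likelihood, impact):
    """Return (likelihood score, likelihood level, impact score, impact level,
    OWASP severity, ISP1009 level)."""
    l_score = average(likelihood, LIKELIHOOD_FACTORS)
    i_score = average(impact, IMPACT_FACTORS)
    l_level, i_level = level(l_score), level(i_score)
    severity = SEVERITY[(l_level, i_level)]
    return l_score, l_level, i_score, i_level, severity, POLICY_LEVEL[severity]


# Constructed sample: a stored XSS in an internal ticketing application,
# reachable by every authenticated user, with no WAF or log review in place.
SAMPLE_LIKELIHOOD = {
    "skill_level": 5, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6,
    "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 5,
    "non_compliance": 5, "privacy_violation": 5,
}

if __name__ == "__main__":
    print(rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))
```

For the sample the likelihood averages 6.0 (High) and the impact 4.75 (Medium), which the OWASP table reads as High; under this policy that finding must be fixed or mitigated before deployment, and its fix will need remediation validation testing because it is above Medium.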

Tools
 The current approved web application security assessment tools in use which will be used for testing are:
•  BURP Suite Pro
•  Samurai Web Testing Framework
•  Kali Linux

Other tools and/or techniques may be used, depending upon what is found in the default assessment and the need to determine validity and risk, at the discretion of the Information Security team.

Security Assessment Level
Full  – A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide. A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities and determine the overall risk of any and all vulnerabilities discovered.

Quick  – A quick assessment will consist of a (typically) automated scan of an application for the OWASP Top Ten web application security risks at a minimum.

Targeted  – A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.

Duration
 The default duration of a web application assessment will be 7 days for the purpose of project planning and will be modified accordingly based upon the size and scope of the application functionality.

Exemptions
 Exemptions to the need for a security assessment will be made by the Chief Information Officer or delegated manager based on risk and criticality of needed application changes/functionality/architecture. Exemptions will assume the associated risk and will be documented as required by the change control policies.


Specific Concerns

Servers in use for UIS support critical business functions and store company sensitive information.  Improper configuration of servers could lead to the loss of confidentiality, availability or integrity of these systems.

Responsibilities

The Information Security team  will be responsible for web application scoping, assessment, determination of discovered issue risk, and reporting to Project Management and application stakeholders.

Project Management and application stakeholders will be responsible for the appropriate assessment scheduling and remediation efforts based upon assessment findings and Information Security recommendations.

Enforcement

 Web application assessments are a requirement of the change control process and are required to adhere to this policy unless found to be exempt. All application releases must pass through the change control process. Any web applications that do not adhere to this policy may be taken offline until such time that a formal assessment can be performed at the discretion of the Director of Information Security.

Definitions

•  Web Application – Any service that accepts and processes requests over HTTP or HTTPS.

•  Major Release – a significant application software update/code change, such as a new interface design, a programming platform change, etc.

•  Point Release – An application software update/code change as part of the application lifecycle.

•  Patch Release – An application software update/code change that addresses a bug or flaw.

References

•  OWASP Top Ten Project:
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

•  OWASP Testing Guide: http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

•  OWASP Risk Rating Methodology:
http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

 

____________ will be subject to a full assessment prior to approval of the change control documentation and/or release into the live environment.

  • Emergency Release
  • New or Major Application Release
  • Point Release
  • Patch Release

Any _______ risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the live environment.

  • High
  • Medium
  • Low
  • No

ISP1010 - Server Audit

Server Audit

Policy Name: Server Audit
Policy #: InfoSec-1,010
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
This is a policy to ensure all production servers deployed at UIS are configured according to the UIS security policies.  Production servers deployed at UIS shall be audited at least annually and as prescribed by applicable regulatory compliance.

Audits may be conducted to:
Ensure integrity, confidentiality and availability of information and resources.
Ensure conformance to UIS security policies.

Scope
This policy covers all production servers owned or operated by UIS.  This policy also covers any server present on UIS premises, but which may not be owned or operated by UIS.

Policy

UIS hereby provides its consent to allow the Information Security team and/or approved independent third party auditors to access its servers to the extent necessary to allow the auditing body to perform scheduled and ad hoc audits of all servers at UIS.

Specific Concerns

Servers in use for UIS support critical business functions and store company sensitive information.  Improper configuration of servers could lead to the loss of confidentiality, availability or integrity of these systems.

Guidelines

Approved and standard configuration templates shall be used when deploying server systems to include:
All system logs shall be sent to a central log review system.
All Sudo / Administrator actions must be logged.
Use a central patch deployment system.
Host security agent such as antivirus shall be installed and updated.
Network scan to verify only required network ports and network shares are in use.
Verify administrative group membership.
Conduct baselines when systems are deployed and upon significant changes.
Changes to configuration template shall be coordinated with approval of change control board.

Responsibility

The Information Security team and/or approved independent third party auditors shall conduct audits of all servers owned or operated by UIS. Server and application owners are encouraged to also perform this work as needed.

Relevant Findings

All relevant findings discovered as a result of the audit shall be listed in the UIS tracking system to ensure prompt resolution or appropriate mitigating controls.

Ownership of Audit Report

All results and findings generated by the Information Security team and/or approved independent third party auditors must be provided to appropriate UIS management within one week of project completion. This report will become the property of UIS and considered company confidential.

Enforcement

The Information Security team and/or approved independent third party auditors shall never use access required to perform server audits for any other purpose.  Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Improper configuration of servers could lead to the loss of confidentiality, availability or _______ of these systems.

  • Reliability
  • Securibility
  • Integrity
  • None of the above

The ______________ team and/or approved independent third party auditors shall conduct audits of all servers owned or operated by UIS. Server and application owners are encouraged to also perform this work as needed.

  • Information Security
  • Network Security
  • Computer Management
  • Internet Security

ISP1011 - Server Malware Protection

Server Malware Protection

Policy Name: Server Malware Protection
Policy #: InfoSec-1,011
Replaces Policy # (none)
Superseded By Policy # (none)

Overview

UIS is entrusted with the responsibility to provide professional management of clients' servers as outlined in each of the contracts with its customers.  Inherent in this responsibility is an obligation to provide appropriate protection against malware threats, such as viruses and spyware applications. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems they cover.

The purpose of this policy is to outline which server systems are required to have anti-virus and/or anti-spyware applications.

Scope
This policy applies to all servers that UIS is responsible to manage. This explicitly includes any system for which UIS has a contractual obligation to administer. This also includes all server systems setup for internal use by UIS, regardless of whether UIS retains administrative obligation or not. 

Policy

UIS operations staff will adhere to this policy to determine which servers will have anti-virus and/or anti-spyware applications installed on them and to deploy such applications as appropriate. 

Anti-Virus

All servers MUST have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions:

Non-administrative users have remote access capability

The system is a file server

NBT/Microsoft Share access is open to this server from systems used by non-administrative users

HTTP/FTP access is open from the Internet

Other “risky” protocols/applications are available to this system from the Internet at the discretion of the UIS Security Administrator

All servers SHOULD have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions:

Outbound web access is available from the system

Mail Server Anti-Virus

If the target system is a mail server it MUST have either an external or internal anti-virus scanning application that scans all mail destined to and from the mail server. Local anti-virus scanning applications MAY be disabled during backups if an external anti-virus application still scans inbound emails while the backup is being performed.

Anti-Spyware

All servers MUST have an anti-spyware application installed that offers real-time protection to the target system if they meet one or more of the following conditions:

Any system where non-technical or non-administrative users have remote access to the system and ANY outbound access is permitted to the Internet

Any system where non-technical or non-administrative users have the ability to install software on their own

Notable Exceptions

An exception to the above standards will generally be granted with minimal resistance and documentation if one of the following notable conditions apply to this system:

The system is a SQL server

The system is used as a dedicated mail server

The system is not a Windows based platform


Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 

Definitions

Server    - For purposes of this policy, a server is any computer system residing in the physically secured data center owned and operated by UIS. In addition, this includes any system running an operating system specifically intended for server usage as defined by the UIS IT/IS Manager that has access to internal secure networks. This includes, but is not limited to, Microsoft Server 2000 and all permutations, Microsoft Server 2003 and all permutations, any Linux/Unix based operating systems that external users are expected to regularly connect to and VMS.

Malware - Software designed to infiltrate or damage a computer system without the owner's informed consent. It is a blend of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Spyware - Broad category of software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has also come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

Anti-virus Software - Consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).

All servers MUST have an ________ application installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions:

  • Anti-Virus
  • Anti-Malware
  • Anti-Rootkit
  • Anti-Spam

Broad category of software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user.

  • Malware
  • Bloatware
  • Spyware
  • Ransomware

ISP1012 - Server Security

Server Security

Policy Name: Server Security
Policy #: InfoSec-1,012
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by UIS. Effective implementation of this policy will minimize unauthorized access to UIS proprietary information and technology.  

Scope
This policy applies to server equipment owned and/or operated by UIS, and to servers registered under any UIS-owned internal network domain. 

This policy is specifically for equipment on the internal UIS network. For secure configuration of equipment external to UIS on the DMZ, refer to the Internet DMZ Equipment Policy. 


Policy

Ownership and Responsibilities

All internal servers deployed at UIS must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by InfoSec. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by InfoSec.

Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact: 

Server contact(s) and location, and a backup contact 

Hardware and Operating System/Version 

Main functions and applications, if applicable 

Information in the corporate enterprise management system must be kept up-to-date. 

Configuration changes for production servers must follow the appropriate change management procedures. 
             
 General Configuration Guidelines
Operating System configuration should be in accordance with approved InfoSec guidelines. 

Services and applications that will not be used must be disabled where practical. 

Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible. 

The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements. 

Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do. 

Always use standard security principles of least required access to perform a function. 

Do not use root when a non-privileged account will do. 

If a methodology for secure channel connection is available  (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec). 

Servers should be physically located in an access-controlled environment. 

Servers are specifically prohibited from operating from uncontrolled cubicle areas. 

Monitoring

All security-related events on critical or sensitive systems must be logged and audit trails saved as follows: 

All security related logs will be kept online for a minimum of 1 week. 

Daily incremental tape backups will be retained for at least 1 month. 

Weekly full tape backups of logs will be retained for at least 1 month. 

Monthly full backups will be retained for a minimum of 2 years. 

Security-related events will be reported to InfoSec, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to: 

Port-scan attacks 

Evidence of unauthorized access to privileged accounts 

Anomalous occurrences that are not related to specific applications on the host. 
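The three event classes above are the ones a server's logs are expected to surface. As an added example (not part of the original policy), the following Python script runs a simple detection pass over a handful of constructed syslog lines: a port-scan heuristic over firewall DROP entries (one source touching many distinct destination ports within a short window), and privileged-account checks for su-to-root successes, root SSH logins, and sudo-to-root commands by accounts or hosts outside an allow-list. The thresholds, the host name web01, the allow-lists and every log line are assumptions for illustration; on a real host the same logic would read the auth and kernel logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in syslog format (not from any real system).
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=21
Mar  3 02:14:01 web01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22
Mar  3 02:14:02 web01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=23
Mar  3 02:14:02 web01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=25
Mar  3 02:14:03 web01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=80
Mar  3 02:14:03 web01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=443
Mar  3 02:14:03 web01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=3306
Mar  3 02:14:04 web01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=8080
Mar  3 02:14:04 web01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=8443
Mar  3 02:14:05 web01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=5432
Mar  3 02:20:00 web01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=22
Mar  3 03:01:10 web01 su[4242]: FAILED SU (to root) bob on pts/1
Mar  3 03:01:15 web01 su[4243]: FAILED SU (to root) bob on pts/1
Mar  3 03:01:22 web01 su[4244]: Successful su for root by bob
Mar  3 03:05:00 web01 sshd[5001]: Accepted publickey for root from 192.0.2.44 port 51022 ssh2
Mar  3 03:06:00 web01 sshd[5002]: Accepted publickey for root from 10.0.0.10 port 51023 ssh2
Mar  3 03:07:00 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

# Assumed thresholds and allow-lists (illustrative, not taken from the policy).
PORTSCAN_MIN_PORTS = 8                   # distinct destination ports from one source ...
PORTSCAN_WINDOW = timedelta(seconds=60)  # ... within this window counts as a scan
APPROVED_ROOT_USERS = {"alice"}          # accounts allowed to become root
APPROVED_ADMIN_HOSTS = {"10.0.0.10"}     # hosts allowed to SSH in directly as root
LOG_YEAR = 2024                          # syslog timestamps carry no year

# Timestamp + hostname prefix shared by every line.
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
FW_DROP = re.compile(TS + r"kernel: DROP .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
SU_FAIL = re.compile(TS + r"su\[\d+\]: FAILED SU \(to root\) (?P<user>\S+)")
SU_OK = re.compile(TS + r"su\[\d+\]: Successful su for root by (?P<user>\S+)")
SSH_ROOT = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")
SUDO_ROOT = re.compile(TS + r"sudo: +(?P<user>\S+) :.*USER=root ; COMMAND=(?P<cmd>.*)$")


def parse_ts(text):
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def detect(log_text):
    """Return a list of alert dicts for the reportable events found in log_text."""
    alerts = []
    drops = defaultdict(list)       # source IP -> [(timestamp, destination port)]
    su_failures = defaultdict(int)  # user -> failed su-to-root attempts seen so far
    for line in log_text.splitlines():
        if m := FW_DROP.match(line):
            drops[m["src"]].append((parse_ts(m["ts"]), int(m["dpt"])))
        elif m := SU_FAIL.match(line):
            su_failures[m["user"]] += 1
        elif m := SU_OK.match(line):
            if m["user"] not in APPROVED_ROOT_USERS:
                alerts.append({"type": "unapproved_su_root", "user": m["user"],
                               "prior_failures": su_failures[m["user"]], "at": m["ts"]})
        elif m := SSH_ROOT.match(line):
            if m["src"] not in APPROVED_ADMIN_HOSTS:
                alerts.append({"type": "root_ssh_from_unapproved_host",
                               "src": m["src"], "at": m["ts"]})
        elif m := SUDO_ROOT.match(line):
            if m["user"] not in APPROVED_ROOT_USERS:
                alerts.append({"type": "unapproved_sudo_root", "user": m["user"],
                               "cmd": m["cmd"], "at": m["ts"]})

    # Port-scan heuristic: many distinct destination ports from one source inside the window.
    for src, events in drops.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= PORTSCAN_WINDOW}
            if len(ports) >= PORTSCAN_MIN_PORTS:
                alerts.append({"type": "port_scan", "src": src,
                               "distinct_ports": len(ports), "at": t0.isoformat()})
                break  # one alert per source is enough for the report
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed lines, the script reports three events: the scan from 203.0.113.7 (10 ports in four seconds), bob becoming root via su after two failures, and a root SSH login from a host not in the allow-list. The approved root login from 10.0.0.10, alice's sudo and the single denied packet from 198.51.100.9 are not reported. The distinct-port threshold and window are the knobs to tune against the real traffic profile of the server.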

Compliance
Audits will be performed on a regular basis by authorized organizations within UIS. 

Audits will be managed by the internal audit group or InfoSec, in accordance with the Audit Policy. InfoSec will filter out findings not related to a specific operational group and then present the remaining findings to the appropriate support staff for remediation or justification. 

Every effort will be made to prevent audits from causing operational failures or disruptions. 

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 

 

Audits will be managed by the internal audit group or ________, in accordance with the Audit Policy.

  • InfoSec
  • InfoInc
  • InfoOrg
  • InfoFirm

Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact. Of the following, which are not required?

  • Server contact(s) and location, and a backup contact
  • Hardware and Operating System/Version
  • Main functions and applications, if applicable
  • Information in the corporate enterprise management system must be kept up-to-date.
  • None of the above

ISP1013 - Software Development, Acquisition and Installation Policy

Software Development, Acquisition and Installation Policy

Policy Name: Software Development, Acquisition and Installation Policy
Policy #: InfoSec-1,013
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The purpose of this policy is to establish standards for the development, acquisition, and installation of software on UIS owned equipment and systems.

Scope
This policy applies to equipment owned and/or operated by UIS. 

Policy

Ownership and Responsibilities

All UIS staff are responsible for ensuring compliance with this policy.

Software Development

UIS does not presently develop software. If it begins to, or engages a company to develop software on its behalf, the following requirements apply.

Software development at UIS will follow the Agile Software Development Life Cycle.

Software development is subject to change management; all code related to production projects must be kept in version control software (currently git).

All code must be tested thoroughly and subjected to an application vulnerability assessment before being released to production.

Major releases of products must undergo a full penetration test.

Software Acquisition

UIS will make its best effort to use open-source software, or software from a reputable vendor that subjects its code to review and testing.

Software will be acquired through known sources.

Software licenses will be tracked on the asset management spreadsheet.

At least annually the Director of Information Security will pull a software inventory from all company owned systems and check that all software is properly licensed.

Software Installation

Software that displays any indication of being counterfeit, infected or corrupt must not be installed.

Only software necessary to performing job functions should be installed.

Exceptions should be logged.


Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

  • True
  • False

All UIS staff are responsible for ensuring compliance with this policy.

  • True
  • False

ISP1014 - Acceptable Encryption

Acceptable Encryption

Policy Name: Acceptable Encryption
Policy #: InfoSec-1,014
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

Scope
This policy applies to all UIS employees and affiliates. 

Policy

All UIS encryption shall be done using NIST-approved (FIPS 140-validated) cryptographic modules. Recommended ciphers are AES-256 for symmetric encryption and RSA for asymmetric encryption. Triple DES is rated at no more than 112 bits of security and has been deprecated by NIST for encryption (SP 800-131A Rev. 2); it may be used only to decrypt legacy data. Symmetric cryptosystem key lengths must be at least 128 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength (per NIST SP 800-57, 128-bit strength corresponds to a 3072-bit RSA modulus; a 2048-bit RSA key is rated at only 112 bits). UIS’s key length requirements shall be reviewed annually as part of the yearly security review and upgraded as technology allows.

The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by InfoSec. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.
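Whether an asymmetric key "yields equivalent strength" is not obvious from its bit count: a 2048-bit RSA key is rated at only 112 bits of security, while 128 bits requires a 3072-bit RSA modulus or a 256-bit elliptic-curve key. The following Python check, added here as an example and not part of the policy, encodes the comparable-strength table from NIST SP 800-57 Part 1 (Table 2) and tests a proposed algorithm and key size against the 128-bit floor stated above. It goes slightly beyond the policy text by also rating elliptic-curve keys. An algorithm the table does not know, including any proprietary cipher, is rejected, which matches the paragraph above. The function names and the constant POLICY_MIN_STRENGTH_BITS are assumptions for illustration.

```python
# Minimum security strength required by the policy text above (assumed constant name).
POLICY_MIN_STRENGTH_BITS = 128

# Comparable security strengths from NIST SP 800-57 Part 1, Table 2:
# (strength in bits, minimum RSA/DH/DSA modulus bits, minimum ECC key bits).
SP800_57_STRENGTHS = [
    (80, 1024, 160),
    (112, 2048, 224),
    (128, 3072, 256),
    (192, 7680, 384),
    (256, 15360, 512),
]

FACTORING_BASED = {"RSA", "DH", "DSA"}
CURVE_BASED = {"ECDSA", "ECDH", "ECC"}


def security_strength(algorithm, key_bits):
    """Return the NIST-rated security strength in bits, or None if the
    algorithm/key size is not one this check recognises as approved."""
    alg = algorithm.upper().replace(" ", "")
    if alg == "AES":
        # AES strength equals its key size; only the three standard sizes exist.
        return key_bits if key_bits in (128, 192, 256) else None
    if alg in {"3DES", "TDEA", "TRIPLEDES"}:
        # Three-key TDEA (168-bit key, 192 with parity) is rated at 112 bits;
        # two-key TDEA (112/128) at 80. SP 800-131A Rev. 2 deprecated TDEA for
        # encryption after 2023, so neither form reaches a 128-bit floor.
        return {168: 112, 192: 112, 112: 80, 128: 80}.get(key_bits)
    if alg in FACTORING_BASED:
        column = 1
    elif alg in CURVE_BASED:
        column = 2
    else:
        return None  # unknown or proprietary algorithm: not approved
    strength = None
    for row in SP800_57_STRENGTHS:
        if key_bits >= row[column]:
            strength = row[0]  # keep the highest row the key size reaches
    return strength


def check_policy(algorithm, key_bits):
    """Return (compliant, reason) for a proposed algorithm and key length."""
    strength = security_strength(algorithm, key_bits)
    label = f"{algorithm}-{key_bits}"
    if strength is None:
        return False, f"{label}: not a NIST-approved algorithm/key size"
    if strength < POLICY_MIN_STRENGTH_BITS:
        return False, (f"{label}: rated at {strength} bits, below the "
                       f"{POLICY_MIN_STRENGTH_BITS}-bit minimum")
    return True, f"{label}: rated at {strength} bits"


if __name__ == "__main__":
    for alg, bits in [("AES", 256), ("AES", 128), ("3DES", 168), ("RSA", 2048),
                      ("RSA", 3072), ("ECDSA", 256), ("Blowfish", 448)]:
        ok, reason = check_policy(alg, bits)
        print("PASS" if ok else "FAIL", reason)
```

The point of the table is that the floor applies to security strength, not to raw key length: RSA-2048 and three-key Triple DES both fail the 128-bit floor, while RSA-3072 and a 256-bit curve pass. The "rated at" wording is deliberate; a key that meets the strength floor can still be misused (weak random number generation, ECB mode, no authentication), which this check does not cover.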

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 

Definitions 

Proprietary Encryption - An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.

Symmetric Cryptosystem - A method of encryption in which the same key is used for both encryption and decryption of the data.

Asymmetric Cryptosystem - A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).

An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.

  • Symmetric Cryptosystem
  • Proprietary Encryption
  • Asymmetric Cryptosystem

The use of proprietary encryption algorithms is allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by InfoSec.

  • True
  • False

ISP1015 - Wireless Communication Policy

Wireless Communication

Policy Name: Wireless Communication
Policy #: InfoSec-1,015
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The purpose of this policy is to secure and protect the information assets owned by UIS. UIS provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives. UIS grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets.

This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to the UIS network. Only those wireless infrastructure devices that meet the standards specified in this policy or are granted an exception by the Information Security Department are approved for connectivity to a UIS network.

Scope
All employees, contractors, consultants, temporary and other workers at UIS, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of UIS must adhere to this policy. This policy applies to all wireless infrastructure devices that connect to a UIS network or reside on a UIS site that provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones, and personal digital assistants (PDAs). This includes any form of wireless communication device capable of transmitting packet data. 

The Information Security Department must approve exceptions to this policy in advance.

Policy

General Network Access Requirements

All wireless infrastructure devices that reside at a UIS site and connect to a UIS network, or provide access to information classified as UIS Confidential, UIS Highly Confidential, or UIS Restricted must: 

Abide by the standards specified in the Wireless Communication Standard. 
Be installed, supported, and maintained by an approved support team.
Use UIS approved authentication protocols and infrastructure.
Use UIS approved encryption protocols.
Maintain a hardware address (MAC address) that can be registered and tracked. (MAC registration supports inventory and tracking only; because a MAC address can be changed in software, it is not a substitute for the authentication requirement above.)
Not interfere with wireless access deployments maintained by other support organizations.

Lab and Isolated Wireless Device Requirements

All lab wireless infrastructure devices that provide access to UIS Confidential, UIS Highly Confidential, or UIS Restricted information must adhere to the General Network Access Requirements above. Lab and isolated wireless devices that do not provide general network connectivity to the UIS network must:  

Be isolated from the corporate network (that is it must not provide any corporate connectivity) and comply with the DMZ Lab Security Policy or the Internal Lab Security Policy.
Not interfere with wireless access deployments maintained by other support organizations. 

Home Wireless Device Requirements

Wireless infrastructure devices that provide direct access to the UIS corporate network must conform to the Home Wireless Device Requirements as detailed in the Wireless Communication Standard. 
Wireless infrastructure devices that fail to conform to the Home Wireless Device Requirements must be installed in a manner that prohibits direct access to the UIS corporate network. Access to the UIS corporate network through this device must use standard remote access authentication.

Enforcement

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with UIS.

Definitions

UIS network - A wired or wireless network including indoor, outdoor, and alpha networks that provide connectivity to corporate services.

Corporate connectivity - A connection that provides access to a UIS network.

Enterprise Class Teleworker (ECT) - An end-to-end hardware VPN solution for teleworker access to the UIS network.

Information assets - Information that is collected or produced and the underlying hardware, software, services, systems, and technology that is necessary for obtaining, storing, using, and securing that information which is recognized as important and valuable to an organization.  

MAC address - The MAC address is a hardware number that uniquely identifies each node on a network and is required for every port or device that connects to the network. 

A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with UIS.

  • True
  • False

A wired or wireless network including indoor, outdoor, and alpha networks that provide connectivity to corporate services.

  • Big Network
  • UIS Network
  • Cisco Network
  • Special Network

ISP1016 - User System-Network-Physical-Remote Access Policy

User System/Network/Physical/Remote Access Policy

Policy Name: User System/Network/Physical/Remote Access
Policy #: InfoSec-1,016
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The purpose of this policy is to secure and protect the information assets owned by UIS. UIS provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives. UIS grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets.

Scope
All employees, contractors, consultants, temporary and other workers at UIS, including all personnel affiliated with third parties that access an information system on behalf of UIS must adhere to this policy. This policy applies to all devices that connect to a UIS network or reside on a UIS site including, but not limited to, laptops, desktops, cellular phones, and personal digital assistants (PDAs).

The Information Security Department must approve exceptions to this policy in advance.

Policy

User System/Network Access Requirements

All devices that reside at a UIS site and connect to a UIS network, or provide access to information classified as UIS Confidential, UIS Highly Confidential, or UIS Restricted must: 

Be installed, supported, and maintained by an approved support team.
Have access requested and approved by management.
Have access granted only upon signed acknowledgement of the Employee Handbook.
Have access implemented with least privilege, withholding data from users until a need-to-access or need-to-know is present.
Meet the standards defined in the Acceptable Use Policy.
Have access reviewed at least annually.

Remote Access Requirements

Remote access of UIS systems must be approved by management.
Only secure and approved remote connection or administration software may be utilized.

Split-tunneling or any other functionality that would connect company assets with a network that is not approved is forbidden.
Access will be implemented in least-privilege, protecting data from users until a need-to-access or need-to-know is present.

Physical Access Requirements

Access to physical assets or media should be restricted to employees with a need to access.
Physical assets should be secured to sufficiently protect data they may come in contact with.
Facilities should have reasonable controls in place to ensure security.
Printers, fax machines, and copiers should be cleared of all printouts or source material immediately after printing or sending.
Storage media containing intellectual property or confidential data should be locked in a secure room until such a time that it can be sanitized.
Unapproved software should not be installed.
Unapproved hardware should not access the company network or systems.


Enforcement

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with UIS.

The Information Security Department does not need to approve exceptions to this policy in advance.

  • True
  • False

Remote access of UIS systems must be approved by management.

  • True
  • False

ISP1020 - Employee Hiring and Termination Policy

Employee Hiring and Termination Policy

Policy Name: Employee Hiring and Termination Policy
Policy #: InfoSec-1,020
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The purpose of this policy is to define the high-level actions that must be completed for both employee hiring and employee termination.

Scope
All employees future and present.

Policy

This policy establishes a formal new-hire and termination procedure for granting and revoking access to all information systems and services.

All personnel must adhere to this policy to ensure the integrity of UIS computers and networks.

All personnel must have passed a background check covering, at a minimum, criminal history, academic and job history, and references.

New Hires

New accounts and equipment will only be provisioned upon emailed request from a UIS owner or manager.  The email should contain the following elements:

Employee’s full name
Manager’s name
Office location
Position or title
Start date
Description of responsibilities, to define the scope of access and authorization.
For employees working remotely, the employee's home phone number.

New equipment should be added to asset inventory.

Workstations must follow the Workstation Hardening Procedures before being deployed to new staff.

New employees must review and sign the Employee Handbook and any other agreements required at the time of hire.

Resignations, Terminations, and Changes in Access

All items pertain to resignations and terminations except where changes in access are explicitly stated.

A UIS owner or manager must notify appropriate staff about any resignations, terminations, or changes in access.

Such notification should be made in advance of the employee’s last day, if possible. Where advance notice is not possible, appropriate staff should be made aware as soon as possible.

Notification must be sent via email and should include:

Employee’s full name
Current manager’s name
Current office location
Last day of employment

Changes to or termination of a user account must be documented in the change control log to retain an audit trail.

Any physical access controls such as HID badges, keys, PINs, etc. should be changed and/or disabled as soon as possible.

All equipment on the asset inventory assigned to the employee should be turned in, or plans made to have them returned to the company as soon as possible.

Employee’s voicemail should be disabled, deleted, or access removed as soon as possible.

Verify that the Employee Termination Procedure has been followed and items documented in the change control log.


Enforcement

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with UIS.

A UIS owner or manager must notify appropriate staff about any resignations, terminations, or changes in access.

  • True
  • False

Employee’s voicemail should be disabled, deleted, or access removed whenever possible.

  • True
  • False

ISP1021 - Asset Management Policy

Asset Management Policy

Policy Name: Asset Management Policy
Policy #: InfoSec-1,021
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The purpose of this policy is to define the high-level actions that must be completed regarding the management of physical and virtual assets.

Scope
All physical and virtual assets both future and present.

Policy

This policy establishes an asset management program keeping inventory of both physical and virtual assets of UIS.

All new assets (both physical and virtual) must be assessed for risk and inventoried in a spreadsheet or other inventory management system, to keep track of ownership and physical location of company owned assets.

This information is to be gathered so UIS can provide appropriate levels of protection to all of its assets.

The asset inventory will be reviewed and updated at least annually.

A risk assessment, security impact analysis, and classification may be performed if the asset type is new to UIS and a precedent does not already exist.

It is the responsibility of employees and owners to notify the Information Security Director of new assets so that the prior mentioned tasks can be performed and confirmed.

Enforcement

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with UIS.

The asset inventory will be reviewed and updated at least _______.

  • Once a year
  • Once every five years
  • Once a month
  • Whenever possible

It is the responsibility of employees and owners to notify the Information Security Director of new assets so that the prior mentioned tasks can be performed and confirmed.

  • True
  • False

ISP1022 - Information Classification and Data Handling Policy

Information Classification and Data Handling Policy

Policy Name: Information Classification and Data Handling Policy
Policy #: InfoSec-1,022
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The purpose of this policy is to define the various classifications of data, assets and information within UIS.

Scope
Defining how data and information owned or stored by UIS will be classified.

Policy

This policy establishes a data, assets and information classification program at UIS.

All new assets (both physical and virtual) must be classified.

Valid classifications include public, proprietary, and confidential.

All non-public information is to be considered confidential and treated as such.

Public information may be disclosed with approval from at least one business owner.

Confidential information will not be disclosed without a court order, or at the request of the data owner in situations where a customer is requesting their own data.

Confidential data must be protected.  

Workstations or media which may contain confidential data must utilize whole disk encryption.

Access to servers housing confidential data must be restricted utilizing least privilege and need to know.

Changes to systems that may put confidential data at a higher risk need to be reviewed and approved by the Information Security Director.

Devices, drives, or media containing confidential data must be securely wiped or shredded such that it cannot be recovered.

Data written to removable media must be tracked.

Enforcement

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with UIS.

Devices, drives, or media containing confidential data must be securely wiped or shredded such that it cannot be recovered.

  • True
  • False

ISP1023 - Internet-Intranet Access and Usage Policy

Internet/Intranet Access and Usage Policy

Policy Name: Internet/Intranet Access and Usage Policy
Policy #: InfoSec-1,023
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The Internet/Intranet Access and Usage Policy applies to all Internet/Intranet users (individuals working for the company, including permanent full-time and part-time employees, contract workers, temporary agency workers, business partners, and vendors) who access the Internet through the computing or networking resources. The company's Internet users are expected to be familiar with and to comply with this policy, and are also required to use their common sense and exercise their good judgment while using Internet/Intranet services.

Scope
All access to and usage of Internet and Intranet resources provided by UIS.

Policy
USAGE THREATS

Internet/Intranet connectivity presents the company with new risks that must be addressed to safeguard the company’s vital information assets. These risks include:

1. Inappropriate Use of Resources

Access to the Internet/Intranet by personnel that is inconsistent with business needs results in the misuse of resources. These activities may adversely affect productivity due to time spent using or "surfing" the Internet. Additionally, the company may face loss of reputation and possible legal action through other types of misuse.

2. Misleading or False Information

All information found on the Internet should be considered suspect until confirmed by another reliable source. There is no quality control process on the Internet, and a considerable amount of its information is outdated or inaccurate.

3. Internet/Intranet Services

Access to the Internet/Intranet will be provided to users to support business activities and only on an as-needed basis to perform their jobs and professional roles. UIS does allow employees to use company equipment for personal use during lunch and other breaks, so long as that use stays within the constraints this policy defines.

3.1 Request & Approval Procedures

Internet access will be provided to users to support business activities and only as needed to perform their jobs.

3.2 Request for Internet Access

As part of the Internet access request process, the employee is required to read this Internet/Intranet Access and Usage Policy and sign the statement (located on the last page) confirming that he/she understands and agrees to comply with it. Users not complying with this policy could be subject to disciplinary action up to and including termination. 

Policy awareness and acknowledgment, by signing the acknowledgment form, is required before access will be granted.

3.3 Approval

Internet access is requested by the user or user’s manager submitting an attached copy of a signed Internet Usage Coverage Acknowledgment Form.

3.4 Removal of privileges

Internet access will be discontinued upon termination of the employee, completion of the contract, end of service of a non-employee, or disciplinary action arising from violation of this policy. In the case of a change in job function and/or transfer, the original access code will be discontinued and only reissued if necessary and a new request for access is approved.

All user IDs that have been inactive for thirty (30) days will be revoked. The privileges granted to users must be reevaluated by management annually. In response to feedback from management, systems administrators must promptly revoke all privileges no longer needed by users.

4. USAGE POLICIES

4.1 Resource Usage

Access to the Internet will be approved and provided only if reasonable business needs are identified. Internet services will be granted based on an employee’s current job responsibilities. If an employee moves to another business unit or changes job functions, a new Internet access request must be submitted within 5 days.

User Internet access requirements will be reviewed periodically by the company to ensure that continuing needs exist.

4.2 Allowed Usage

Internet usage is granted for the sole purpose of supporting business activities necessary to carry out job functions. All users must follow the corporate principles regarding resource usage and exercise good judgment in using the Internet. Questions can be addressed to the Information Security Department. 

Acceptable use of the Internet for performing job functions might include: 

•  Communication between employees and non-employees for business purposes; 
•  IT technical support downloading software upgrades and patches; 
•  Review of possible vendor web sites for product information; 
•  Reference to regulatory or technical information; 
•  Research.

4.3 Personal Usage
Using company computer resources to access the Internet for personal purposes, without approval from the user’s manager and the Information Security department or in excess of the exception during breaks, may be considered cause for disciplinary action up to and including termination.

All users of the Internet should be aware that the company network creates an audit log reflecting request for service, both in-bound and out-bound addresses, and is periodically reviewed. 

Users who choose to store or transmit personal information such as private keys, credit card numbers or certificates, or to make use of Internet "wallets", do so at their own risk. The company is not responsible for any loss of such information or any consequential loss of personal property; users who store or transport personal information on company resources are responsible for protecting it.

4.4 Prohibited Usage

Acquisition, storage, and dissemination of data which is illegal, pornographic, or which negatively depicts race, sex or creed is specifically prohibited. 

The company also prohibits the conduct of a business enterprise, political activity, engaging in any form of intelligence collection from our facilities, engaging in fraudulent activities, or knowingly disseminating false or otherwise libelous materials. 

Other activities that are strictly prohibited include, but are not limited to: 

Accessing company information that is not within the scope of one’s work. This includes unauthorized reading of customer account information, unauthorized access of personnel file information, and accessing information that is not needed for the proper execution of job functions. 

Misusing, disclosing without proper authorization, or altering customer or personnel information. This includes making unauthorized changes to a personnel file or sharing electronic customer or personnel data with unauthorized personnel. 

Deliberate pointing or hyper-linking of company Web sites to other Internet/WWW sites whose content may be inconsistent with or in violation of the aims or policies of the company. 

Any conduct that would constitute or encourage a criminal offense, lead to civil liability, or otherwise violate any regulations, local, state, national or international law including without limitations US export control laws and regulations. 

Use, transmission, duplication, or voluntary receipt of material that infringes on the copyrights, trademarks, trade secrets, or patent rights of any person or organization. Assume that all materials on the Internet are copyright and/or patented unless specific notices state otherwise. 

Transmission of any proprietary, confidential, or otherwise sensitive information without the proper controls. 

Creation, posting, transmission, or voluntary receipt of any unlawful, offensive, libelous, threatening, harassing material, including but not limited to comments based on race, national origin, sex, sexual orientation, age, disability, religion, or political beliefs. 

Any form of gambling.

Unless specifically authorized under the provisions of section 3, the following activities are also strictly prohibited: 

Downloading of any shareware programs or files for use without advance authorization from the IT Department and the user’s manager. 

Any ordering (shopping) of items or services on the Internet. 

Playing of any games.

Forwarding of chain letters.

Participation in any on-line contest or promotion. 

Acceptance of promotional gifts.

Bandwidth both within the company and in connecting to the Internet is a shared, finite resource. Users must make reasonable efforts to use this resource in ways that do not negatively affect other employees. Specific departments may set guidelines on bandwidth use and resource allocation, and may ban the downloading of particular file types.

If you have any questions about Acceptable Use, contact the Information Security Department 

5. Software License 

The company strongly supports strict adherence to software vendors’ license agreements. When at work, or when company computing or networking resources are employed, copying of software in a manner not consistent with the vendor’s license is strictly forbidden. Questions regarding lawful versus unlawful copying should be referred to the Information Security Department for review or to request a ruling from the legal counsel before any copying is done. 

Similarly, reproduction of materials available over the Internet must be done only with the written permission of the author or owner of the document. Unless permission from the copyright owner(s) is first obtained, making copies of material from magazines, journals, newsletters, other publications and online documents is forbidden unless this is both reasonable and customary. This notion of "fair use" is in keeping with international copyright laws.  

Using company computer resources to access the Internet for personal purposes, without approval from the user’s manager and the IT department, may be considered cause for disciplinary action up to and including termination.

All users of the Internet should be aware that the company network creates an audit log reflecting request for service, both in-bound and out-bound addresses, and is periodically reviewed. 

Users who choose to store or transmit personal information such as private keys, credit card numbers or certificates, or who make use of Internet "wallets", do so at their own risk. The company is not responsible for any loss of personal information; you are responsible for ensuring its protection should you use company resources for its storage or transport.

6. Review of Public Information

All publicly-writeable directories on Internet-connected computers will be reviewed and cleared regularly. This process is necessary to prevent the anonymous exchange of information inconsistent with company business. Examples of unauthorized public information include pirated information, passwords, credit card numbers, and pornography.

7. Expectation of Privacy

7.1 Monitoring 

Users should consider their Internet activities as periodically monitored and limit their activities accordingly.

Management reserves the right to examine E-mail, personal file directories, web access, and other information stored on company computers, at any time and without notice. This examination ensures compliance with internal policies and assists with the management of company information systems. 

7.2 E-mail Confidentiality 

Users should be aware that clear text E-mail is not a confidential means of communication. The company cannot guarantee that electronic communications will be private. Employees should be aware that electronic communications can, depending on the technology, be forwarded, intercepted, printed, and stored by others. Users should also be aware that once an E-mail is transmitted it may be altered. Deleting an E-mail from an individual workstation will not eliminate it from the various systems across which it has been transmitted. 


8. Maintaining Corporate Image 

8.1 Representation 

When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company". Questions may be addressed to the Information Security Department. 


8.2 Company Materials 

Users must not place company material (examples: internal memos, press releases, product or usage information, documentation, etc.) on any mailing list, public news group, or such service. Any posting of materials must be approved by the employee’s manager and the UIS management and will be placed by an authorized individual. 

8.3 Creating Web Sites 

All individuals and/or business units wishing to establish a WWW home page or site must first develop business, implementation, and maintenance plans. Formal authorization must be obtained through the Information Security Department. This will maintain publishing and content standards needed to ensure consistency and appropriateness. 

In addition, contents of the material made available to the public through the Internet must be formally reviewed and approved before being published. All material should be submitted to the UIS management or Director of Information Security and Systems for initial approval to continue. All company pages are owned by, and are the ultimate responsibility of, the UIS management.

All company web sites must be protected from unwanted intrusion through formal security measures which can be obtained from the Information Security department. 

9. Periodic Reviews

9.1 Usage Compliance Reviews 

To ensure compliance with this policy, periodic reviews will be conducted. These reviews will include testing the degree of compliance with usage policies. 

9.2 Policy Maintenance Reviews 

Periodic reviews will be conducted to ensure the appropriateness and the effectiveness of usage policies. These reviews may result in the modification, addition, or deletion of usage policies to better suit company information needs.  

Points of Contact

If you need assistance regarding the following topics related to Internet/Intranet usage, contact the Information Security Department for additional assistance:

Enforcement

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with UIS.

Internet usage is granted for the purpose of supporting business activities necessary to carry out job functions and social media purposes.

  • True
  • False

Bandwidth both within the company and in connecting to the Internet is a shared, finite resource.

  • True
  • False

To ensure compliance with this policy, periodic reviews will be conducted. These reviews will include testing the degree of compliance with usage policies.

  • True
  • False

ISP1024 - Email Usage and Retention Policy

Email/Messaging Usage and Retention Policy

Policy Name: Email/Messaging Usage and Retention Policy
Policy #: InfoSec-1,024
Replaces Policy # (none)
Superseded By Policy # (none)

Overview

To prevent tarnishing the public image of UIS. When email/messages go out from UIS, the general public will tend to view that message as an official policy statement from UIS.

To ensure email/message logs are retained per regulatory standards.

Scope

This policy covers appropriate use of any email/message sent from a UIS email address and applies to all employees, vendors, and agents operating on behalf of UIS. All UIS email/messaging information is categorized into four main classifications with retention guidelines: 

Administrative Correspondence (7 years)
Fiscal Correspondence (7 years)
General Correspondence (1 year)
Ephemeral Correspondence (Retain until read, destroy)

Policy

Prohibited Use

The UIS email/messaging system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails/messages with this content from any UIS employee should report the matter to their supervisor immediately.

Personal Use

Using a reasonable amount of UIS resources for personal emails/messages is acceptable, but non-work related email shall be saved in a separate folder from work related email/messages. Sending chain letters or joke emails/messages from a UIS email account is prohibited. Virus or other malware warnings and mass mailings from UIS shall be approved by UIS management before sending. These restrictions also apply to the forwarding of mail/messages received by a UIS employee.

Monitoring

UIS employees shall have no expectation of privacy in anything they store, send or receive on the company’s email/messaging system. UIS may monitor messages without prior notice. UIS is not obliged to monitor email/instant messages.

Administrative Correspondence

UIS Administrative Correspondence includes, though is not limited to, clarification of established company policy, including holidays, time card information, dress code, workplace behavior and any legal issues such as intellectual property violations. All email/messages with the information sensitivity label Management/Owners Only shall be treated as Administrative Correspondence.

Fiscal Correspondence

UIS Fiscal Correspondence is all information related to revenue and expense for the company.

General Correspondence

UIS General Correspondence covers information that relates to customer interaction and the operational decisions of the business.

Ephemeral Correspondence 

UIS Ephemeral Correspondence is by far the largest category and includes personal email, requests for recommendations or review, email related to product development, updates and status reports.

Instant Messenger Correspondence

UIS Instant Messenger General Correspondence may be saved with the logging function of the Instant Messenger software, or copied into a file and saved. Instant Messenger conversations that are Administrative or Fiscal in nature should be copied into an email message and sent to an owner's UIS email address so that they can be retained.

Encrypted Communications

UIS encrypted communications should be stored in a decrypted format, or along with a key capable of decrypting their contents.

Recovering Deleted Email/Messages via Backup Media

UIS maintains backups from the email server.  No effort will be made to remove email/messages from the offsite backup tapes.


Enforcement

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with UIS.

UIS is obliged to monitor email/instant messages.

  • True
  • False

UIS maintains backups from the email server. No effort will be made to remove email/messages from the offsite backup tapes.

  • True
  • False

ISP1025 - Change Management Policy

Change Management Policy

Policy Name: Change Management Policy
Policy #: InfoSec-1,025
Replaces Policy # (none)
Superseded By Policy # (none)

Overview

The purpose of the Change Management Policy is to manage changes in a rational and predictable manner so that staff and clients can plan accordingly.  Changes require serious forethought, careful monitoring, and follow-up evaluation to reduce negative impact to the user community and to increase the value of Information Resources.

Scope

The scope of this policy includes changes to any software and infrastructure that may impact UIS users, customers, and staff.  It applies to any staff that can install, modify, or delete code or infrastructure within the environment.

Policy

Every change to a UIS Information Resource, such as operating systems, computing hardware, networks, and applications, is subject to the Change Management Policy and must follow the Change Management Procedures.

All changes affecting computing environmental facilities (e.g., air-conditioning, water, heat, plumbing, electricity, and alarms) need to be reported to or coordinated with the leader of the change management process.

A Change Management Committee, appointed by IS Leadership, will meet regularly to review change requests and to ensure that change reviews and communications are being satisfactorily performed.

A formal written change request must be submitted for all changes, both scheduled and unscheduled.

All scheduled change requests must be submitted in accordance with change management procedures so that the Change Management Committee has time to review the request, determine and review potential failures, and make the decision to allow or delay the request.

Each scheduled change request must receive formal Change Management Committee approval before proceeding with the change.

The appointed leader of the Change Management Committee may deny a scheduled or unscheduled change for reasons including, but not limited to: inadequate planning, inadequate backout plans, timing that would negatively impact a key business process such as year-end accounting, or adequate resources not being readily available. Adequate resources may be a problem on weekends, holidays, or during special events.

Customer notification must be completed for each scheduled or unscheduled change following the steps contained in the Change Management Procedures.

A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not. 

A Change Management Log must be maintained for all changes. The log must contain, but is not limited to: 

Date of submission and date of change
Owner and custodian contact information
Nature of the change
Indication of success or failure

All UIS information systems must comply with an Information Resources change management process that meets the standards outlined above.

Enforcement

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with UIS.

A formal written change request must be submitted for only scheduled changes.

  • True
  • False

Each scheduled change request must receive formal Change Management Committee approval before proceeding with the change.

  • True
  • False

ISS1015.1 - Wireless Communication Standard

Wireless Communication

Standard Name: Wireless Communication
Standard #: InfoSec-1,015.1
Replaces Policy # (none)
Superseded By Policy # (none)

Overview
The purpose of this standard is to secure and protect the information assets owned by UIS. UIS provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives. UIS grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets. 

This standard specifies the technical requirements that wireless infrastructure devices must satisfy to connect to a UIS network. Only those wireless infrastructure devices that meet the requirements specified in this standard or are granted an exception by the Information Security Team are approved for connectivity to a UIS network.

Scope
All employees, contractors, consultants, temporary and other workers at UIS, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of UIS must adhere to this standard. This standard applies to all wireless infrastructure devices that connect to a UIS network or reside on a UIS site that provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones, and personal digital assistants (PDAs). This includes any form of wireless communication device capable of transmitting packet data. 

The UIS Information Security Team must approve exceptions to this policy in advance.

Statement of Requirements

General Requirements

All wireless infrastructure devices that connect to a UIS network or provide access to UIS Confidential, UIS Highly Confidential, or UIS Restricted information must:

Use Extensible Authentication Protocol-Fast Authentication via Secure Tunneling (EAP-FAST), Protected Extensible Authentication Protocol (PEAP), or Extensible Authentication Protocol-Translation Layer Security (EAP-TLS) as the authentication protocol.
Use Temporal Key Integrity Protocol (TKIP) or Advanced Encryption System (AES) protocols with a minimum key length of 128 bits.

Lab and Isolated Wireless Device Requirements

Lab device Service Set Identifier (SSID) must be different from UIS production device SSID.
Broadcast of lab device SSID must be disabled.

Home Wireless Device Requirements

All home wireless infrastructure devices that provide direct access to a UIS network, such as those behind Enterprise Class Teleworker (ECT) or a hardware VPN, must adhere to the following:
Enable WiFi Protected Access Pre-shared Key (WPA-PSK), EAP-FAST, PEAP, or EAP-TLS
When enabling WPA-PSK, configure a complex shared secret key (at least 20 characters) on the wireless client and the wireless access point
Disable broadcast of SSID
Change the default SSID name
Change the default login and password
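As an added example that is not part of the UIS standard, the following Python script checks a home access point configuration against the home-device requirements above, together with the general cipher and key-length requirement. The key=value format, the key names, the default-SSID and default-login lists and both sample configurations are constructed assumptions, not anything the standard specifies.

```python
"""Added example, not part of the UIS standard: check a home access point's
configuration against the Wireless Communication Standard above. The key=value
format, key names, vendor-default lists and sample configs are constructed."""

APPROVED_EAP = {"EAP-FAST", "PEAP", "EAP-TLS"}   # named by the standard
APPROVED_CIPHERS = {"TKIP", "AES"}
MIN_KEY_BITS = 128      # general requirement: minimum key length
MIN_PSK_CHARS = 20      # home requirement: complex PSK of at least 20 characters
# Constructed samples of vendor defaults the standard says must be changed.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def parse_config(text: str) -> dict:
    """Parse constructed key=value lines; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_home_ap(cfg: dict) -> list:
    """Return one finding per requirement the configuration fails."""
    findings = []
    auth = cfg.get("auth", "")
    if auth == "WPA-PSK":
        # WPA-PSK is allowed only with a complex shared secret of 20+ chars.
        psk = cfg.get("psk", "")
        if len(psk) < MIN_PSK_CHARS:
            findings.append(f"psk: {len(psk)} characters, need {MIN_PSK_CHARS}")
    elif auth not in APPROVED_EAP:
        findings.append(f"auth: '{auth}' is not WPA-PSK, EAP-FAST, PEAP or EAP-TLS")
    if cfg.get("cipher") not in APPROVED_CIPHERS:
        findings.append(f"cipher: '{cfg.get('cipher')}' is not TKIP or AES")
    bits = cfg.get("key_bits", "0")
    if not bits.isdigit() or int(bits) < MIN_KEY_BITS:
        findings.append(f"key_bits: '{bits}' is below the {MIN_KEY_BITS}-bit minimum")
    if cfg.get("ssid_broadcast", "1") != "0":
        findings.append("ssid_broadcast: SSID broadcast must be disabled")
    ssid = cfg.get("ssid", "")
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        findings.append(f"ssid: '{ssid}' is a default SSID and must be changed")
    login = (cfg.get("admin_user", "admin").lower(), cfg.get("admin_password", ""))
    if login in DEFAULT_LOGINS:
        findings.append("admin_password: default login and password must be changed")
    return findings


# Constructed sample: a device left close to factory settings.
WEAK_CONFIG = """
ssid=linksys
ssid_broadcast=1
auth=WPA-PSK
psk=summer2015      # only 10 characters
cipher=TKIP
key_bits=128
admin_user=admin
admin_password=admin
"""

# Constructed sample that meets every requirement (certificate-based EAP-TLS).
COMPLIANT_CONFIG = """
ssid=uis-home-7f3a
ssid_broadcast=0
auth=EAP-TLS
cipher=AES
key_bits=128
admin_user=apowner
admin_password=CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-SECRET
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        findings = check_home_ap(parse_config(text))
        print(name, "PASS" if not findings else "FAIL", *findings, sep="\n  ")
```

The weak sample fails four of the five home-device requirements (short PSK, SSID broadcast on, default SSID, default login) while its TKIP/128-bit setting satisfies the general requirement.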

Enforcement

This standard is part of the Wireless Communication Policy and failure to conform to the standard is a violation of the policy. Any employee found to have violated the policy may be subject to disciplinary action, up to and including termination of employment. Any violation of the policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with UIS.


Definitions

AES    Advanced Encryption System
UIS network    A wired or wireless network including indoor, outdoor, and alpha networks that provide connectivity to corporate services.
Corporate connectivity    A connection that provides access to a UIS network.
EAP-FAST  Extensible Authentication Protocol-Fast Authentication via Secure Tunneling: authentication protocol for wireless networks.
EAP-TLS    Extensible Authentication Protocol-Translation Layer Security, used to create a secured connection for 802.1X by pre-installing a digital certificate on the client computer.
Enterprise Class Teleworker (ECT)    An end-to-end hardware VPN solution for teleworker access to the UIS network.
Information assets    Information that is collected or produced and the underlying hardware, software, services, systems, and technology that is necessary for obtaining, storing, using, and securing that information which is recognized as important and valuable to an organization.  
PEAP    Protected Extensible Authentication Protocol, a protocol used for transmitting authentication data, including passwords, over 802.11 wireless networks
Service Set Identifier (SSID)    A set of characters that give a unique name to a wireless local area network.
TKIP    Temporal Key Integrity Protocol, an encryption key that's part of WPA.
WPA-PSK    WiFi Protected Access pre-shared key

What does AES stand for?

  • Automatic Enabling System
  • Advanced Encryption System
  • Automatic Encryption System

UIS High Level Security Standards

UIS High Level Security Standards

Policy Name: UIS High Level Security Standards
Policy #: InfoSec-1,100
Replaces Policy # (none)
Superseded By Policy # (none)

Overview

The purpose of the High Level Security Standards policy is to have a summary of security controls and initiatives in use at UIS that can be provided to existing and potential customers to provide some insight into the current state of our information security program.

Scope

The scope of this policy includes a high level summary of security controls and initiatives in use at UIS to provide insight into our security stature to existing and potential customers.


Employee Background / Training

Employees are required to have passed a thorough background investigation.

Employees are required to complete annual training courses dealing in PII (personally identifiable information), financial and confidential information.

Employees are required to complete information security awareness training at least annually.

Employees are instructed to notify their manager immediately if they find they have access to data they no longer need.

Access and Privileges

All data access follows a standardized process of approvals before access is granted.

Least Privilege ideology is used in setting up user access.

File system and service access control lists are in place to further restrict which employees can see which data sets.

Incident Response

Preserve all materials that are evidentiary for Federal, State, and local criminal prosecution and civil action.

When responding to and investigating a security incident UIS employees will prioritize their actions using the following guidance:

First and foremost protect human life and safety.  Human life always has precedence over all other considerations.

Secondly, protect financial or confidential information including PII.

Third, protect other confidential/sensitive information and intellectual property.

Fourth, prevent damage to computer resources (physical and electronic).

Fifth, minimize disruptions to computing resources.

Once an incident has been declared, an internal investigation will begin to determine scope, impact, and remediation tasks.

The extent of an incident is determined based upon the attack vector, the impact and scope of the incident, as well as the amount of remediation involved to address the incident and prevent further attacks through the same vector.

If the incident has impacted customers, affected customers will be contacted and made aware of pertinent information.

If the investigation finds that a client’s data was at risk or compromised, UIS will contact the account holder with details and follow any contractual obligations regarding notification.

The entire incident response process will be tracked through a ticketing system.

Backups

UIS maintains multiple backups of all data and systems.

Backup jobs run at least daily, and at least one week of snapshots are immediately available for restore.

UIS is currently in the process of adding additional geographic diversity to backups and anticipates completing this project in Q4 2015.

Data Center Security (AWS)

Specifics on AWS's data center physical security are available at http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

Multiple geographically diverse hosted data centers with restricted access.  If one of the data centers encounters a problem traffic can be immediately diverted to an alternate data center.

Data Centers undergo annual SOC 1 audits, have been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS), and have achieved ISO 27001 certification.

External access is secured with security staff, intercoms, mantraps, cameras, and exterior lighting.

Internal access and use of data center require passing two-factor authentication a minimum of two times, and are monitored by personnel, intrusion detection systems and cameras.

Biometric controls and mantraps restrict access.  Access to hardware is logged and audited.

Climate control systems provide consistent temperature and humidity within the data center and are controlled by personnel and automated systems.

A zoned fire suppression system is in place, utilizing wet-pipe, double-interlocked pre-action, or sprinkler systems that disperse a safe chemical or gas in case of fire. Inspections of fire equipment happen at regular intervals.

UPS Backup, generator, and redundant power feeds ensure constant power in case of disaster.  Ample fuel supply is stored to survive any regional disaster.

ID badges are required; IDs are checked for all visitors and temporary badges are issued. Visitors are escorted at all times.

Physical Media (Hard drives / DVDs / CDs )

All media is sanitized or destroyed prior to being removed from our environment.

Hard drives are securely wiped before reuse, or securely shredded.

DVDs and CDs and other portable media are shredded.

Printed or faxed documents are shredded when they are no longer needed.

The design of the UIS web presence greatly minimizes our staff's interaction with PII or other customer data.

Workstation and Portable Media

All workstations that come in contact with financial information are encrypted utilizing whole disk encryption.

Endpoint protection is used to scan inserted media for viruses and malware before moving it to a production system.

Transport

UIS uses TLS with SSL ciphers or SSH encryption in all web and mobile communications with clients.

The UIS website utilizes HTTPS with TLS and high SSL cipher suites to ensure adequate protection in transport.

Data links between data centers and offices are encrypted.

Email

Ingress filtering scans all emails for viruses and spam.

Monitoring

UIS utilizes central logging servers, email/SMS alerting systems and an event correlation system.

Alerts are prioritized and responded to in real time.

UIS utilizes IDS software and hardware, as well as continuous log monitoring, to create a distributed monitoring system.

Application Security / Patch Management / Change Control

Server and workstation applications undergo a review and evaluation by the Information Security team, and require manual approval before installation.

After change control review and approval, operating system and application patches are rolled out on a monthly basis.

Critical patches are reviewed and follow an escalated schedule for roll-out as needed after review of the risks.

Auditing, Pen Testing and Vulnerability Management

UIS conducts many levels of audits and assessments that may change from time to time.  This list is updated annually.

Prior to the release of any major version, all customer facing web applications require penetration tests and vulnerability assessments by the Information Security team before being placed into production use.

External penetration tests are conducted at least once per year.

External vulnerability scans are conducted at least four times a year.

Internal penetration tests and vulnerability scans are completed on an ongoing basis.

Daily port scanning of all public IP addresses occurs to ensure no rogue services are running.

All vulnerabilities are formally tracked and managed until resolution by a vulnerability and incident management system.  Mitigation is prioritized by risk.

Most Privilege ideology is used in setting up user access.

  • True
  • False

The entire incident response process will be tracked through a ticketing system.

  • True
  • False